请求证书

本页面介绍了如何在 Certificate Authority Service 中创建证书请求。

您可以使用以下方法请求证书:

  1. 生成您自己的私钥或公钥并提交证书签名请求 (CSR)。
  2. 使用 CA Service 自动生成的私钥或公钥。
  3. 使用现有的 Cloud Key Management Service (Cloud KMS) 密钥。

准备工作

  1. 为 CA Service 准备好环境

  2. 如需获取颁发证书所需的权限,请让管理员为您授予 CA Service Certificate Requester (roles/privateca.certificateRequester) 或 CA Service Certificate Manager (roles/privateca.certificateManager) IAM 角色。

    如需详细了解 CA Service 的预定义 IAM 角色,请参阅使用 IAM 进行访问权限控制

    如需了解如何向主帐号授予 IAM 角色,请参阅授予单个角色

使用 CSR 请求证书

要获取证书,您需要生成 CSR,然后使用该 CSR 请求证书。

生成 CSR

如需详细了解如何使用 OpenSSL 生成 CSR,请参阅如何使用 OpenSSL 生成 CSR。生成 CSR 时,您还可以将以下示例配置文件用作参考。

如需使用示例配置文件,请按以下步骤操作:

  1. 使用以下配置创建名为 csr.cnf 的配置文件。

    cat << EOF > csr.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = example.com

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF

    此示例会生成 2048 位 RSA 密钥(密码已加密)和对应的 CSR,其中包含以下内容:

    • 主题 DN 中的 commonName 属性
    • subjectAlternativeName扩展程序
    • keyUsage 扩展程序(标记为严重)
    • extendedKeyUsage扩展程序

    根据需要修改参数。如需使用 x509v3_config 配置文件格式定义 X.509 证书和 CSR 的扩展,请参阅 OpenSSL 文档

  2. 运行以下 openssl 命令以生成 CSR 和相应的私钥:

    openssl req -newkey rsa:2048 -out csr.pem -keyout key.pem -config csr.cnf

    此命令会生成以下文件:

    • csr.pem:您的 CSR,已准备好提交给 CA
    • key.pem:您的私钥,您应妥善保管

    在证书请求中使用 csr.pem 文件。

使用 CSR 提交证书请求

要使用 CSR 请求证书,请按以下步骤操作:

控制台

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    转到 Certificate Authority Service

  2. 点击请求证书

  3. 选择区域。该区域必须与您要使用的 CA 池的区域相同。

  4. 选择 CA 池。

  5. 可选:从 CA 池中选择特定 CA。请注意,当您选择用于证书颁发的特定 CA 时,将会创建对该 CA 的依赖项,因而更难以轮替 CA。

  6. 可选:选择证书模板。如果使用证书模板,请确保证书模板的政策与所选 CA 池的政策不冲突。

  7. 点击提供证书签名请求 (CSR),然后点击下一步。 系统会显示证书详细信息。

  8. 可选:如需覆盖自动生成的证书名称,请在证书名称字段中输入自定义名称。证书创建后,您便无法删除或重复使用证书名称。

  9. 可选:如需为证书选择自定义有效期,请在有效期字段中输入该值。

  10. 将 CSR 复制并粘贴到 Certificate CSR 框中。如果要上传包含 CSR 的文件,请点击浏览,然后选择您的文件。

  11. 点击生成证书

下载已签名的证书

  1. 要查看已生成的证书,请点击查看证书,然后点击查看
  2. 如需复制证书,请点击 。 如需以 .crt 文件的形式下载证书,请点击 下载证书
  3. 可选:如需下载证书链,请点击 下载证书链

gcloud

gcloud privateca certificates create CERT_ID \
     --issuer-pool POOL_ID \
     --csr CSR_FILENAME \
     --cert-output-file CERT_FILENAME \
     --validity "P30D"

请替换以下内容:

  • CERT_ID:证书的唯一标识符。
  • POOL_ID:CA 池的名称。
  • CSR_FILENAME:用于存储 PEM 编码的 CSR 的文件。

--validity 标志定义证书的有效期。这是一个可选标志,默认值为 30 天。

如需详细了解 gcloud privateca certificates create 命令,请参阅 gcloud privatecacertificate create

Terraform

resource "google_privateca_certificate_authority" "test_ca" {
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}


resource "google_privateca_certificate" "default" {
  pool                  = "my-pool"
  location              = "us-central1"
  certificate_authority = google_privateca_certificate_authority.test_ca.certificate_authority_id
  lifetime              = "860s"
  name                  = "my-certificate"
  pem_csr               = tls_cert_request.example.cert_request_pem
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_cert_request" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
}

REST API

  1. 使用您的首选方法(例如 openssl)生成证书签名请求 (CSR)。

    以下是为 JSON 编码的 CSR 示例。

    -----BEGIN CERTIFICATE REQUEST-----\nMIIChTCCAW0CAQAwQDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK\nDAZKb29uaXgxEzARBgNVBAMMCmpvb25peC5uZXQwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQCnyy+5vcRQUBPqAse3ojmWjyUvhcJK6eLRXpp0teEUF5kg\nHb2ov8gYXb9sSim5fnvs09dGYDKibSrL4Siy7lA/NzMzWtKwyQQeLIQq/cLUJVcd\ndItJ0VRcqr+UPkTCii2vrdcocNDChHM1J8chDdl6DkpYieSTqZwlPcWlQBGAINmT\nT3Q0ZarIVM5l74j13WPuToGrhbVOIZXWxWqJjlHbBA8B/VKtSRCzM1qG60y8Pu2f\n6c78Dfg8+CGRzGwnz8aFS0Yf9czT9luNHSadS/RHjvE9FPZCsinz+6mJlXRcphi1\nKaHsDbstUAhse1h5E9Biyr9SFYRHxY7qRv9aSJ/dAgMBAAGgADANBgkqhkiG9w0B\nAQsFAAOCAQEAZz+I9ff1Rf3lTewXRUpA7nr5HVO1ojCR93Pf27tI/hvNH7z7GwnS\noScoJlClxeRqABOCnfmVoRChullb/KmER4BZ/lF0GQpEtbqbjgjkEDpVlBKCb0+L\nHE9psplIz6H9nfFS3Ouoiodk902vrMEh0LyDYNQuqFoyCZuuepUlK3NmtmkexlgT\n0pJg/5FV0iaQ+GiFXSZhTC3drfiM/wDnXGiqpbW9WmebSij5O+3BNYXKBUgqmT3r\nbryFydNq4qSOIbnN/MNb4UoKno3ve7mnGk9lIDf9UMPvhl+bT7C3OLQLGadJroME\npYnKLoZUvRwEdtZpbNL9QhCAm2QiJ6w+6g==\n-----END CERTIFICATE REQUEST-----

  2. 请求证书。

    HTTP 方法和网址: 

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates?certificate_id=CERTIFICATE_ID

    请求 JSON 正文:

    {
 "lifetime": {
   "seconds": 3600,
   "nanos": 0
 },
 "pem_csr": "PEM_CSR"
}

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/project-id/locations/location/certificateAuthorities/ca-id/certificates/certificate-id",
 "pemCertificate": "-----BEGIN CERTIFICATE-----...",
 "certificateDescription": {...}
}

使用自动生成的密钥请求证书

控制台

您可以使用 Google Cloud 控制台生成客户端或服务器 TLS 证书。

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    转到 Certificate Authority Service

  2. 点击请求证书

  3. 选择区域。该区域必须与您要使用的 CA 池的区域相同。

  4. 选择 CA 池。

  5. 点击手动输入详细信息。系统会显示证书详细信息。

  6. 可选:将自动生成的证书名称替换为唯一的自定义名称。

  7. 可选:如需为证书选择自定义有效期,请在有效期字段中输入该值。

添加域名

  1. 添加域名下的域名 1 字段中输入一个域名。
  2. 可选:如果要添加多个域名,请点击添加一项,然后在域名 2 字段中输入其他域名。

扩展的密钥用途

  1. 可选:在扩展的密钥用途下,根据您的用例在以下选项中进行选择:

    • 客户端 TLS:这些证书用于验证请求者的身份。
    • 服务器 TLS:这些证书用于验证服务器的身份。

  2. 点击下一步

配置密钥大小和算法

  1. 可选:在配置密钥大小和算法下,从列表中选择签名密钥大小和算法。如果您跳过此步骤,则系统将使用具有 SHA 256 摘要的 RSASSA-PSS 2048 位密钥。如需了解如何选择签名密钥和算法,请参阅选择密钥算法
  2. 点击生成证书

下载已签名的证书

  1. 要查看已生成的证书,请点击查看证书,然后点击查看
  2. 可选:如需下载 PEM 编码的证书链,请点击下载证书链

  3. 可选:如需下载关联的 PEM 编码的私钥,请点击下载私钥

gcloud

如需使用自动生成的密钥功能,您需要安装 Python 加密密钥机构 (PyCA) 库。如需了解如何安装 Pyca 加密库,请参阅添加 Pyca 加密库

如需创建证书,请使用以下 gcloud 命令:

gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --use-preset-profile "CERTIFICATE_PROFILE"

请替换以下内容:

  • POOL_ID:CA 池的名称。
  • KEY_FILENAME:生成的私钥文件必须写入的路径。
  • CERT_FILENAME:PEM 编码的证书链文件必须写入的路径。证书链按照从最终实体到根的顺序排列。
  • DNS_NAME:一个或多个以英文逗号分隔的 DNS 主题备用名称 (SAN)。
  • CERTIFICATE_PROFILE证书配置文件的唯一标识符。例如,对最终实体服务器 TLS 使用 leaf_server_tls

gcloud 命令提及以下标志:

您还可以使用以下标志的任意组合:

  • --dns-san:可让您传递一个或多个以英文逗号分隔的 DNS SAN。
  • --ip-san:可让您传递一个或多个以英文逗号分隔的 IP SAN。
  • --uri-san:可让您传递一个或多个以英文逗号分隔的 URI SAN。
  • --subject:可让您传递证书主题的 X.501 名称。

如需详细了解 gcloud privateca certificates create 命令,请参阅 gcloud privatecacertificate create

Go

如需向 CA 服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
// The key used to sign the certificate is created by the Cloud KMS.
func createCertificate(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	certId string,
	commonName string,
	domainName string,
	certDuration int64,
	publicKeyBytes []byte) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate authority exists.
	// caId := "ca-id"					// The name of the certificate authority which issues the certificate.
	// certId := "certificate"			// A unique name for the certificate.
	// commonName := "cert-name"		// A common name for the certificate.
	// domainName := "cert.example.com"	// Fully qualified domain name for the certificate.
	// certDuration := int64(31536000)	// The validity of the certificate in seconds.
	// publicKeyBytes 					// The public key used in signing the certificates.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	// Set the Public Key and its format.
	publicKey := &privatecapb.PublicKey{
		Key:    publicKeyBytes,
		Format: privatecapb.PublicKey_PEM,
	}

	// Set Certificate subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName: commonName,
		},
		SubjectAltName: &privatecapb.SubjectAltNames{
			DnsNames: []string{domainName},
		},
	}

	// Set the X.509 fields required for the certificate.
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				DigitalSignature: true,
				KeyEncipherment:  true,
			},
			ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
				ServerAuth: true,
				ClientAuth: true,
			},
		},
	}

	// Set certificate settings.
	cert := &privatecapb.Certificate{
		CertificateConfig: &privatecapb.Certificate_Config{
			Config: &privatecapb.CertificateConfig{
				PublicKey:     publicKey,
				SubjectConfig: subjectConfig,
				X509Config:    x509Parameters,
			},
		},
		Lifetime: &durationpb.Duration{
			Seconds: certDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateRequest.
	req := &privatecapb.CreateCertificateRequest{
		Parent:                        fullCaPoolName,
		CertificateId:                 certId,
		Certificate:                   cert,
		IssuingCertificateAuthorityId: caId,
	}

	_, err = caClient.CreateCertificate(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificate failed: %w", err)
	}

	fmt.Fprintf(w, "Certificate %s created", certId)

	return nil
}

Java

如需向 CA 服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.PublicKey;
import com.google.cloud.security.privateca.v1.PublicKey.KeyFormat;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.protobuf.ByteString;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCertificate {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.

    // publicKeyBytes: Public key used in signing the certificates.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set a unique id for the CA pool.
    // certificateAuthorityName: The name of the certificate authority which issues the certificate.
    // certificateName: Set a unique name for the certificate.
    String project = "your-project-id";
    ByteString publicKeyBytes = ByteString.copyFrom(new byte[]{});
    String location = "ca-location";
    String poolId = "ca-poolId";
    String certificateAuthorityName = "certificate-authority-name";
    String certificateName = "certificate-name";

    createCertificate(
        project, location, poolId, certificateAuthorityName, certificateName, publicKeyBytes);
  }

  // Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
  // The public key used to sign the certificate can be generated using any crypto
  // library/framework.
  public static void createCertificate(
      String project,
      String location,
      String poolId,
      String certificateAuthorityName,
      String certificateName,
      ByteString publicKeyBytes)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // commonName: Enter a title for your certificate.
      // orgName: Provide the name of your company.
      // domainName: List the fully qualified domain name.
      // certificateLifetime: The validity of the certificate in seconds.
      String commonName = "commonname";
      String orgName = "orgname";
      String domainName = "dns.example.com";
      long certificateLifetime = 1000L;

      // Set the Public Key and its format.
      PublicKey publicKey =
          PublicKey.newBuilder().setKey(publicKeyBytes).setFormat(KeyFormat.PEM).build();

      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              // Set the common name and org name.
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              // Set the fully qualified domain name.
              .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
              .build();

      // Set the X.509 fields required for the certificate.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder()
                              .setDigitalSignature(true)
                              .setKeyEncipherment(true)
                              .setCertSign(true)
                              .build())
                      .setExtendedKeyUsage(
                          ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).buildPartial())
              .build();

      // Create certificate.
      Certificate certificate =
          Certificate.newBuilder()
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setPublicKey(publicKey)
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              .setLifetime(Duration.newBuilder().setSeconds(certificateLifetime).build())
              .build();

      // Create the Certificate Request.
      CreateCertificateRequest certificateRequest =
          CreateCertificateRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateId(certificateName)
              .setCertificate(certificate)
              .setIssuingCertificateAuthorityId(certificateAuthorityName)
              .build();

      // Get the Certificate response.
      ApiFuture<Certificate> future =
          certificateAuthorityServiceClient
              .createCertificateCallable()
              .futureCall(certificateRequest);

      Certificate response = future.get();
      // Get the PEM encoded, signed X.509 certificate.
      System.out.println(response.getPemCertificate());
      // To verify the obtained certificate, use this intermediate chain list.
      System.out.println(response.getPemCertificateChainList());
    }
  }
}

Python

如需向 CA 服务进行身份验证,请设置应用默认凭据。如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2


def create_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    certificate_name: str,
    common_name: str,
    domain_name: str,
    certificate_lifetime: int,
    public_key_bytes: bytes,
) -> None:
    """
    Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
    The key used to sign the certificate is created by the Cloud KMS.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set a unique name for the CA pool.
        ca_name: the name of the certificate authority which issues the certificate.
        certificate_name: set a unique name for the certificate.
        common_name: a title for your certificate.
        domain_name: fully qualified domain name for your certificate.
        certificate_lifetime: the validity of the certificate in seconds.
        public_key_bytes: public key used in signing the certificates.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # The public key used to sign the certificate can be generated using any crypto library/framework.
    # Also you can use Cloud KMS to retrieve an already created public key.
    # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.

    # Set the Public Key and its format.
    public_key = privateca_v1.PublicKey(
        key=public_key_bytes,
        format_=privateca_v1.PublicKey.KeyFormat.PEM,
    )

    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name),
        subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]),
    )

    # Set the X.509 fields required for the certificate.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                digital_signature=True,
                key_encipherment=True,
            ),
            extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
                server_auth=True,
                client_auth=True,
            ),
        ),
    )

    # Create certificate.
    certificate = privateca_v1.Certificate(
        config=privateca_v1.CertificateConfig(
            public_key=public_key,
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
    )

    # Create the Certificate Request.
    request = privateca_v1.CreateCertificateRequest(
        parent=caServiceClient.ca_pool_path(project_id, location, ca_pool_name),
        certificate_id=certificate_name,
        certificate=certificate,
        issuing_certificate_authority_id=ca_name,
    )
    result = caServiceClient.create_certificate(request=request)

    print("Certificate creation result:", result)

使用现有的 Cloud KMS 密钥请求证书

您只能使用 Google Cloud CLI 通过 Cloud KMS 密钥请求证书。

gcloud

如需使用 Cloud KMS 密钥创建终端实体服务器 TLS 证书,请运行以下命令:

gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --kms-key-version projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING/cryptoKeys/KEY/cryptoKeyVersions/KEY_VERSION \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --use-preset-profile "leaf_server_tls"

请替换以下内容:

  • POOL_ID:CA 池的名称。
  • PROJECT_ID:项目 ID。
  • LOCATION_ID:密钥环的位置。
  • KEY_RING:密钥所在的密钥环的名称。
  • KEY:键的名称。
  • KEY_VERSION:密钥的版本。
  • CERT_FILENAME:PEM 编码的证书链文件的路径。证书链文件按照从终端实体到根的顺序排列。
  • DNS_NAME:以英文逗号分隔的 DNS SAN。

从 CA 池中的特定 CA 颁发证书

本部分介绍如何从 CA 池中的特定 CA 颁发证书。

控制台

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    转到 Certificate Authority Service

  2. 点击请求证书

  3. 选择区域。该区域必须与您要使用的 CA 池的区域相同。

  4. 选择 CA 池。

  5. 如需选择 CA,请点击使用此 CA 池中的特定 CA,然后从列表中选择一个 CA。

  6. 按照使用自动生成的密钥请求证书部分或使用 CSR 请求证书部分的方法选择其他参数。

gcloud

如需以 CA 池中的特定 CA 为目标进行证书颁发,请添加 --ca 标志,并指定必须颁发证书的 CA 的 CA_ID

gcloud privateca certificates create \
  --issuer-pool POOL_ID \
  --ca CA_ID \
  --generate-key \
  --key-output-file KEY_FILENAME \
  --cert-output-file CERT_FILENAME \
  --dns-san "DNS_NAME" \
  --use-preset-profile "leaf_server_tls"

Terraform

resource "google_privateca_certificate_authority" "authority" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-sample-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          cert_sign         = true
          crl_sign          = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}


resource "google_privateca_certificate" "default" {
  pool     = "my-pool"
  location = "us-central1"
  lifetime = "860s"
  name     = "my-sample-certificate"
  config {
    subject_config {
      subject {
        common_name         = "san1.example.com"
        country_code        = "us"
        organization        = "google"
        organizational_unit = "enterprise"
        locality            = "mountain view"
        province            = "california"
        street_address      = "1600 amphitheatre parkway"
        postal_code         = "94109"
      }
    }
    x509_config {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          crl_sign = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
    public_key {
      format = "PEM"
      key    = base64encode(data.tls_public_key.example.public_key_pem)
    }
  }
  // Certificates require an authority to exist in the pool, though they don't
  // need to be explicitly connected to it
  depends_on = [google_privateca_certificate_authority.authority]
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

data "tls_public_key" "example" {
  private_key_pem = tls_private_key.example.private_key_pem
}

在验证模式下请求证书

在验证模式下请求证书会创建一个未签名的测试证书。此测试证书未经过 PEM 编码,不会产生费用。 虽然您无法下载证书,但通过假设的证书说明可以确认您可以使用所选参数成功颁发签名证书。

如需在验证模式下请求证书,请按以下步骤操作:

控制台

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    转到 Certificate Authority Service

  2. 点击请求证书

  3. 选择使用验证模式查看假设的证书说明,而不是签名证书

  4. 请按照请求签名证书的步骤操作。

后续步骤