Create a self-signed root Certificate Authority (CA) in an existing CA pool. The pool must already exist, and the new root CA is the one that signs certificates issued within that pool, so its subject, key algorithm and lifetime should be chosen deliberately rather than taken from the placeholder values in the samples.
Code sample
Java
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
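public class CreateCertificateAuthority {

  /** Subject common name used by the four-argument overload (sample placeholder). */
  private static final String DEFAULT_COMMON_NAME = "common-name";

  /** Subject organization used by the four-argument overload (sample placeholder). */
  private static final String DEFAULT_ORG_NAME = "org-name";

  /**
   * CA validity used by the four-argument overload, in seconds. 100000 s is roughly 27.8 hours.
   * This is a placeholder for the sample, not a recommendation: the root CA signs every
   * certificate issued from the pool, so choose its lifetime deliberately for real deployments.
   */
  private static final long DEFAULT_CA_DURATION_SECONDS = 100000;

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  /**
   * Creates a self-signed root CA in the given CA pool using the sample's placeholder subject
   * ("common-name" / "org-name") and placeholder lifetime.
   *
   * <p>Kept for existing callers; it delegates to the seven-argument overload, which exposes the
   * subject and lifetime as parameters (matching the Python sample's signature).
   *
   * @param project project ID or number that owns the CA pool
   * @param location region of the CA pool
   * @param poolId ID of the existing CA pool the CA is created under
   * @param certificateAuthorityName ID for the new CA; must be unique within the pool
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create operation fails
   * @throws InterruptedException if the wait for the operation is interrupted
   */
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    createCertificateAuthority(
        project,
        location,
        poolId,
        certificateAuthorityName,
        DEFAULT_COMMON_NAME,
        DEFAULT_ORG_NAME,
        DEFAULT_CA_DURATION_SECONDS);
  }

  /**
   * Creates a self-signed root CA in the given CA pool and waits for the create operation to
   * finish before reporting success.
   *
   * <p>The create RPC is long-running. Inspecting the initial {@code Operation} proto returned by
   * the plain callable is not enough to know whether the CA exists: that proto is normally not
   * done yet, so a success message printed at that point can be wrong, and a later failure of the
   * operation would never be reported. This method therefore waits on the operation future; a
   * failed operation surfaces as an {@link ExecutionException}.
   *
   * @param project project ID or number that owns the CA pool
   * @param location region of the CA pool
   * @param poolId ID of the existing CA pool the CA is created under
   * @param certificateAuthorityName ID for the new CA; must be unique within the pool
   * @param commonName subject common name of the CA certificate
   * @param orgName subject organization of the CA certificate
   * @param caDurationSeconds validity of the CA certificate in seconds; must be positive
   * @throws IllegalArgumentException if {@code caDurationSeconds} is not positive
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create operation fails
   * @throws InterruptedException if the wait for the operation is interrupted
   */
  public static void createCertificateAuthority(
      String project,
      String location,
      String poolId,
      String certificateAuthorityName,
      String commonName,
      String orgName,
      long caDurationSeconds)
      throws InterruptedException, ExecutionException, IOException {
    if (caDurationSeconds <= 0) {
      throw new IllegalArgumentException(
          "caDurationSeconds must be positive, got " + caDurationSeconds);
    }

    // try-with-resources closes the client, which releases its background threads and
    // channels. The client can be reused for many requests if this code is embedded elsewhere.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Signing algorithm for the CA's key. The key is created service-side; this sample never
      // handles any private key material itself.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Subject of the CA certificate (CN and O only).
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      // X.509 profile: the CA may sign certificates and CRLs, and the basic-constraints CA flag
      // is set. No path-length constraint is configured here, so subordinate CAs can presumably
      // be chained under this root — confirm that is intended for your hierarchy.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // SELF_SIGNED marks this CA as a root: it is not chained to another CA.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              .setLifetime(Duration.newBuilder().setSeconds(caDurationSeconds).build())
              .build();

      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Block until the long-running operation completes. get() returns the created
      // CertificateAuthority on success and throws ExecutionException if the operation failed,
      // so the message below is only printed once the CA actually exists.
      certificateAuthorityServiceClient
          .createCertificateAuthorityAsync(certificateAuthorityRequest)
          .get();

      // NOTE(review): a freshly created CA may still need to be enabled before it can issue
      // certificates — confirm against the service documentation for your workflow.
      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}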
Python
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create a self-signed root CA inside an existing CA pool and block until the
    create operation has finished. The new CA signs certificates issued within
    the pool.

    The CA's signing key uses RSA 4096 / PKCS#1 v1.5 / SHA-256, its X.509
    profile allows certificate and CRL signing with the CA basic constraint set,
    and no path-length constraint is configured.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds. The
            value is passed through unvalidated; a root CA signs everything in
            its pool, so choose its lifetime deliberately.
    """
    client = privateca_v1.CertificateAuthorityServiceClient()

    # Algorithm for the service-managed signing key. No private key material is
    # handled by this function.
    key_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Subject of the CA certificate: CN and O only.
    subject = privateca_v1.Subject(common_name=common_name, organization=organization)

    # cert_sign + crl_sign + is_ca is the key-usage set for an issuing CA. No
    # max_issuer_path_length is set, so subordinate CAs can presumably be chained
    # beneath this root — confirm that is intended for your hierarchy.
    ca_key_usage = privateca_v1.KeyUsage(
        base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(cert_sign=True, crl_sign=True)
    )
    x509_config = privateca_v1.X509Parameters(
        key_usage=ca_key_usage,
        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=True),
    )

    config = privateca_v1.CertificateConfig(
        subject_config=privateca_v1.CertificateConfig.SubjectConfig(subject=subject),
        x509_config=x509_config,
    )

    # SELF_SIGNED marks this CA as a root: it is not chained to another CA.
    root_ca = privateca_v1.CertificateAuthority(
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_spec,
        config=config,
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=client.ca_pool_path(project_id, location, ca_pool_name),
        certificate_authority_id=ca_name,
        certificate_authority=root_ca,
    )

    # result() blocks until the long-running operation completes (and presumably
    # raises if it failed — confirm against google.api_core's Operation), so the
    # print below only happens for a CA that exists.
    operation = client.create_certificate_authority(request=request)
    print("Operation result:", operation.result())