CA 풀 아래에 루트 인증 기관을 만듭니다.
코드 샘플
Go
CA Service에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
"google.golang.org/protobuf/types/known/durationpb"
)
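// createCa creates a self-signed (root) certificate authority inside the CA pool
// projects/{projectId}/locations/{location}/caPools/{caPoolId} and blocks until the
// long-running create operation has finished. On success it writes
// "CA <caId> created" to w and returns nil.
//
// caCommonName and org become the CA's subject (CN and O). caDuration is the CA's
// validity in seconds; it must be positive and is checked before any API call.
// The CA's Cloud KMS key algorithm is fixed in keySpec below.
//
// Errors from client construction, the CreateCertificateAuthority call and the
// operation wait are returned wrapped with %w so callers can errors.Is/As them.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id" // The CA Pool id under which the CA should be created.
	// caId := "ca-id" // A unique id/name for the ca.
	// caCommonName := "ca-name" // A common name for your certificate authority.
	// org := "ca-org" // The name of your company for your certificate authority.
	// caDuration := int64(31536000) // The validity of the certificate authority in seconds.

	// A non-positive lifetime can never yield a usable CA; reject it locally rather
	// than opening a client and paying for a round trip the service will refuse.
	if caDuration <= 0 {
		return fmt.Errorf("caDuration must be a positive number of seconds, got %d", caDuration)
	}

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	// Close only releases the client's connection; its error carries no
	// information about whether the CA was created, so it is not propagated.
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	// NOTE(review): the Java and Python samples on this page use RSA_PKCS1_4096_SHA256.
	// A root key outlives every certificate it signs, so the larger key is the more
	// conservative choice for a long-lived root; confirm which size your policy requires.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields.
	// Only certificate and CRL signing are enabled: that is the minimum a root CA
	// needs, and it keeps the key from being trusted for anything else.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	// CreateCertificateAuthority only starts a long-running operation; Wait blocks
	// until it completes, so a nil error here means the CA actually exists.
	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}
	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)

	return nil
}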
Java
CA Service에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
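/**
 * Creates a self-signed (root) certificate authority in an existing CA pool and waits for the
 * long-running create operation to finish.
 *
 * <p>The client authenticates with Application Default Credentials via {@link
 * CertificateAuthorityServiceClient#create()}.
 */
public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  /**
   * Creates the root CA {@code certificateAuthorityName} in CA pool {@code poolId} and blocks
   * until the service has finished creating it.
   *
   * <p>The CA's subject, key algorithm and lifetime are fixed inside this method (see the
   * local variables below); adjust them before running the sample.
   *
   * @param project project ID that owns the CA pool
   * @param location region of the CA pool
   * @param poolId ID of the existing CA pool the CA is created in
   * @param certificateAuthorityName unique ID for the new CA
   * @throws IOException if the client cannot be created
   * @throws InterruptedException if interrupted while waiting for the operation
   * @throws ExecutionException if the create operation fails; the service error is its cause
   */
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String commonName = "common-name";
      String orgName = "org-name";
      // Validity of this CA in seconds. 100000 s is a little over a day, which is only useful
      // for a test run; the Go sample on this page uses a one-year placeholder instead.
      int caDuration = 100000;

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      // Set the key usage options for X.509 fields.
      // Only certificate and CRL signing are enabled, the minimum a root CA needs.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority and wait for the long-running operation to complete.
      // The Async variant returns an OperationFuture whose get() blocks until the operation is
      // done and throws ExecutionException if it failed. The raw createCertificateAuthorityCallable
      // used previously returned the initial Operation resource, which is typically not yet done,
      // so checking hasError() on it and printing success could run before the CA existed.
      CertificateAuthority created =
          certificateAuthorityServiceClient
              .createCertificateAuthorityAsync(certificateAuthorityRequest)
              .get();

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}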
Python
CA Service에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
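def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    The call blocks until the long-running create operation has completed and then prints
    the operation result.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.

    Raises:
        ValueError: if ca_duration is not a positive number of seconds. This is checked
            locally, before any client is created or any API call is made.
    """
    # A non-positive lifetime can never produce a usable CA; fail fast instead of
    # paying for a round trip the service will reject anyway.
    if ca_duration <= 0:
        raise ValueError(
            f"ca_duration must be a positive number of seconds, got {ca_duration!r}"
        )

    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields.
    # Only certificate and CRL signing are enabled, the minimum a root CA needs.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    # create_certificate_authority only starts a long-running operation; result()
    # blocks until it finishes and raises if the operation failed.
    operation = ca_service_client.create_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)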
Terraform
Terraform 구성을 적용하거나 삭제하는 방법은 기본 Terraform 명령어를 참조하세요. 자세한 내용은 Terraform 제공업체 참고 문서를 확인하세요.
# Example root CA. Several values below are test-fixture settings (short lifetime,
# deletion protection off, a very broad key-usage set); review each before reusing
# this in a production configuration.
resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority-hashicorp"
  location                 = "us-central1"
  # A production root CA is normally protected: an accidental destroy removes the trust anchor.
  deletion_protection = false # set to true to prevent destruction of the resource
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-certificate-authority"
      }
      # NOTE(review): a SAN is unusual on a CA certificate; presumably kept for the
      # test fixture. Confirm it is needed before copying.
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
        # Allows up to 10 levels of subordinate CAs beneath this root; production roots
        # usually set this to the smallest depth the hierarchy actually needs.
        max_issuer_path_length = 10
      }
      key_usage {
        # NOTE(review): this enables nearly every base key usage. A root CA typically needs
        # only cert_sign and crl_sign (plus digital_signature if it signs OCSP responses);
        # each extra usage widens what the root key is trusted for.
        base_key_usage {
          digital_signature  = true
          content_commitment = true
          key_encipherment   = false
          data_encipherment  = true
          key_agreement      = true
          cert_sign          = true
          crl_sign           = true
          decipher_only      = true
        }
        # NOTE(review): extended key usages on a CA constrain (or widen) what leaf purposes
        # the chain is valid for; most root CAs set none of these.
        extended_key_usage {
          server_auth      = true
          client_auth      = false
          email_protection = true
          code_signing     = true
          time_stamping    = true
        }
      }
    }
  }
  # 86400s is one day — suitable for a test run only. The Go sample on this page uses a
  # one-year placeholder; real roots are usually issued for years.
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}