在 CA 池下创建根证书授权机构。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
Go
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
"google.golang.org/protobuf/types/known/durationpb"
)
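// createCa creates a self-signed (root) certificate authority inside the CA
// pool identified by projectId, location and caPoolId. The new CA is the
// signer for certificates issued from that pool.
//
// Parameters:
//
//	w            destination for the one-line success message.
//	projectId    Google Cloud project ID.
//	location     CA Service region, e.g. "us-central1"; see
//	             https://cloud.google.com/certificate-authority-service/docs/locations.
//	caPoolId     ID of the existing CA pool the CA is created in.
//	caId         unique ID for the new CA within that pool.
//	caCommonName subject common name of the CA certificate.
//	org          subject organization of the CA certificate.
//	caDuration   CA validity in seconds; must be positive.
//
// It returns an error when caDuration is not positive, when the client cannot
// be created, when the create request is rejected, or when the long-running
// operation fails. API errors are wrapped with %w so callers can unwrap them.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id" // The CA Pool id under which the CA should be created.
	// caId := "ca-id" // A unique id/name for the ca.
	// caCommonName := "ca-name" // A common name for your certificate authority.
	// org := "ca-org" // The name of your company for your certificate authority.
	// caDuration := int64(31536000) // The validity of the certificate authority in seconds.

	// A non-positive lifetime can never be accepted by the service; reject it
	// before creating a client and sending a request.
	if caDuration <= 0 {
		return fmt.Errorf("caDuration must be a positive number of seconds, got %d", caDuration)
	}

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	// The Close error is not actionable here: by the time it runs the CA has
	// either been created or an error has already been returned.
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	// This sample uses a 2048-bit RSA key; the Java and Python samples on this
	// page use RSA_PKCS1_4096_SHA256. For a root CA that outlives the
	// certificates it signs, prefer the 4096-bit RSA or an EC algorithm.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields. A CA certificate needs
	// certSign and crlSign; IsCa marks the basic-constraints extension.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}

	// Creation is a long-running operation; block until it settles so the
	// caller only sees success once the CA actually exists.
	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)

	return nil
}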
Java
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
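/**
 * Sample that creates a self-signed (root) certificate authority inside an existing CA pool.
 *
 * <p>{@link #createCertificateAuthority(String, String, String, String)} keeps the original
 * four-argument shape and fills in the sample subject and lifetime; the seven-argument overload
 * lets callers choose the subject and validity themselves.
 */
public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  /**
   * Creates a root CA in the given CA pool using the sample subject ("common-name" /
   * "org-name") and a validity of 100000 seconds.
   *
   * @param project Google Cloud project ID
   * @param location CA Service region
   * @param poolId ID of the existing CA pool
   * @param certificateAuthorityName unique ID for the new CA within the pool
   */
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    createCertificateAuthority(
        project, location, poolId, certificateAuthorityName, "common-name", "org-name", 100000);
  }

  /**
   * Creates a self-signed (root) CA in the given CA pool. The CA is configured with certSign and
   * crlSign key usage and isCa=true, as required for a certificate authority.
   *
   * @param project Google Cloud project ID
   * @param location CA Service region
   * @param poolId ID of the existing CA pool
   * @param certificateAuthorityName unique ID for the new CA within the pool
   * @param commonName subject common name of the CA certificate
   * @param orgName subject organization of the CA certificate
   * @param caDurationSeconds validity of the CA in seconds; must be positive
   * @throws IllegalArgumentException if caDurationSeconds is not positive
   * @throws IOException if the client cannot be created
   * @throws InterruptedException if the operation wait is interrupted
   * @throws ExecutionException if the create operation fails
   */
  public static void createCertificateAuthority(
      String project,
      String location,
      String poolId,
      String certificateAuthorityName,
      String commonName,
      String orgName,
      long caDurationSeconds)
      throws InterruptedException, ExecutionException, IOException {
    // Fail fast on an unusable lifetime instead of paying for a client and an RPC.
    if (caDurationSeconds <= 0) {
      throw new IllegalArgumentException(
          "caDurationSeconds must be positive, got " + caDurationSeconds);
    }

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      // Set the key usage options for X.509 fields.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDurationSeconds).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority. Creation is a long-running operation; wait for it so
      // "created" is only reported once the CA actually exists.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(certificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA !" + response.getError());
        return;
      }

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}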
Python
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
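def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds; must be positive.

    Raises:
        ValueError: if ca_duration is not a positive number of seconds.
    """
    # A non-positive lifetime can never be accepted; reject it before creating
    # a client and sending a request.
    if ca_duration <= 0:
        raise ValueError(
            f"ca_duration must be a positive number of seconds, got {ca_duration!r}"
        )

    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields. A CA certificate needs
    # cert_sign and crl_sign; is_ca marks the basic-constraints extension.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    # Creation is a long-running operation; block on result() so the CA exists
    # (or the failure is raised) before reporting.
    operation = ca_service_client.create_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)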
Terraform
如需了解如何应用或移除 Terraform 配置,请参阅基本 Terraform 命令。 如需了解详情,请参阅 Terraform 提供程序参考文档。
# Self-signed (root) CA created inside an existing CA pool. The subject,
# key usage and is_ca settings mirror the Go/Java/Python samples on this page.
resource "google_privateca_certificate_authority" "root_ca" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  certificate_authority_id = "my-certificate-authority-root"
  location                 = "us-central1"
  # Left false so the resource can be torn down in tests. A production root CA
  # should keep deletion_protection = true so a plan/destroy cannot remove it.
  deletion_protection = false # set to true to prevent destruction of the resource
  # NOTE(review): from its name this presumably allows the CA to be deleted
  # while certificates it issued are still active, leaving them without an
  # issuer to validate against -- confirm in the provider docs and keep it
  # false outside disposable test environments.
  ignore_active_certificates_on_deletion = true
  config {
    subject_config {
      subject {
        organization = "ACME"
        common_name  = "my-certificate-authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        # Present but empty: no extended key usages are set on the CA certificate.
        extended_key_usage {
        }
      }
    }
  }
  key_spec {
    # 4096-bit RSA, matching the Java and Python samples on this page.
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  // valid for 10 years
  lifetime = "${10 * 365 * 24 * 3600}s"
}
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。