Issue/ create a new certificate using a certificate authority.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
"google.golang.org/protobuf/types/known/durationpb"
)
// Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
// The key used to sign the certificate is created by the Cloud KMS.
func createCertificate(
w io.Writer,
projectId string,
location string,
caPoolId string,
caId string,
certId string,
commonName string,
domainName string,
certDuration int64,
publicKeyBytes []byte) error {
// projectId := "your_project_id"
// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
// caPoolId := "ca-pool-id" // The CA Pool id in which the certificate authority exists.
// caId := "ca-id" // The name of the certificate authority which issues the certificate.
// certId := "certificate" // A unique name for the certificate.
// commonName := "cert-name" // A common name for the certificate.
// domainName := "cert.example.com" // Fully qualified domain name for the certificate.
// certDuration := int64(31536000) // The validity of the certificate in seconds.
// publicKeyBytes // The public key used in signing the certificates.
ctx := context.Background()
caClient, err := privateca.NewCertificateAuthorityClient(ctx)
if err != nil {
return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
}
defer caClient.Close()
// Set the Public Key and its format.
publicKey := &privatecapb.PublicKey{
Key: publicKeyBytes,
Format: privatecapb.PublicKey_PEM,
}
// Set Certificate subject config.
subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
Subject: &privatecapb.Subject{
CommonName: commonName,
},
SubjectAltName: &privatecapb.SubjectAltNames{
DnsNames: []string{domainName},
},
}
// Set the X.509 fields required for the certificate.
x509Parameters := &privatecapb.X509Parameters{
KeyUsage: &privatecapb.KeyUsage{
BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
DigitalSignature: true,
KeyEncipherment: true,
},
ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
ServerAuth: true,
ClientAuth: true,
},
},
}
// Set certificate settings.
cert := &privatecapb.Certificate{
CertificateConfig: &privatecapb.Certificate_Config{
Config: &privatecapb.CertificateConfig{
PublicKey: publicKey,
SubjectConfig: subjectConfig,
X509Config: x509Parameters,
},
},
Lifetime: &durationpb.Duration{
Seconds: certDuration,
},
}
fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)
// Create the CreateCertificateRequest.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateRequest.
req := &privatecapb.CreateCertificateRequest{
Parent: fullCaPoolName,
CertificateId: certId,
Certificate: cert,
IssuingCertificateAuthorityId: caId,
}
_, err = caClient.CreateCertificate(ctx, req)
if err != nil {
return fmt.Errorf("CreateCertificate failed: %w", err)
}
fmt.Fprintf(w, "Certificate %s created", certId)
return nil
}
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.PublicKey;
import com.google.cloud.security.privateca.v1.PublicKey.KeyFormat;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.protobuf.ByteString;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
public class CreateCertificate {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// publicKeyBytes: Public key used in signing the certificates.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: Set a unique id for the CA pool.
// certificateAuthorityName: The name of the certificate authority which issues the certificate.
// certificateName: Set a unique name for the certificate.
String project = "your-project-id";
ByteString publicKeyBytes = ByteString.copyFrom(new byte[]{});
String location = "ca-location";
String poolId = "ca-poolId";
String certificateAuthorityName = "certificate-authority-name";
String certificateName = "certificate-name";
createCertificate(
project, location, poolId, certificateAuthorityName, certificateName, publicKeyBytes);
}
// Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
// The public key used to sign the certificate can be generated using any crypto
// library/framework.
public static void createCertificate(
String project,
String location,
String poolId,
String certificateAuthorityName,
String certificateName,
ByteString publicKeyBytes)
throws InterruptedException, ExecutionException, IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// commonName: Enter a title for your certificate.
// orgName: Provide the name of your company.
// domainName: List the fully qualified domain name.
// certificateLifetime: The validity of the certificate in seconds.
String commonName = "commonname";
String orgName = "orgname";
String domainName = "dns.example.com";
long certificateLifetime = 1000L;
// Set the Public Key and its format.
PublicKey publicKey =
PublicKey.newBuilder().setKey(publicKeyBytes).setFormat(KeyFormat.PEM).build();
SubjectConfig subjectConfig =
SubjectConfig.newBuilder()
// Set the common name and org name.
.setSubject(
Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
// Set the fully qualified domain name.
.setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
.build();
// Set the X.509 fields required for the certificate.
X509Parameters x509Parameters =
X509Parameters.newBuilder()
.setKeyUsage(
KeyUsage.newBuilder()
.setBaseKeyUsage(
KeyUsageOptions.newBuilder()
.setDigitalSignature(true)
.setKeyEncipherment(true)
.setCertSign(true)
.build())
.setExtendedKeyUsage(
ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
.build())
.setCaOptions(CaOptions.newBuilder().setIsCa(true).buildPartial())
.build();
// Create certificate.
Certificate certificate =
Certificate.newBuilder()
.setConfig(
CertificateConfig.newBuilder()
.setPublicKey(publicKey)
.setSubjectConfig(subjectConfig)
.setX509Config(x509Parameters)
.build())
.setLifetime(Duration.newBuilder().setSeconds(certificateLifetime).build())
.build();
// Create the Certificate Request.
CreateCertificateRequest certificateRequest =
CreateCertificateRequest.newBuilder()
.setParent(CaPoolName.of(project, location, poolId).toString())
.setCertificateId(certificateName)
.setCertificate(certificate)
.setIssuingCertificateAuthorityId(certificateAuthorityName)
.build();
// Get the Certificate response.
ApiFuture<Certificate> future =
certificateAuthorityServiceClient
.createCertificateCallable()
.futureCall(certificateRequest);
Certificate response = future.get();
// Get the PEM encoded, signed X.509 certificate.
System.out.println(response.getPemCertificate());
// To verify the obtained certificate, use this intermediate chain list.
System.out.println(response.getPemCertificateChainList());
}
}
}Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
def create_certificate(
project_id: str,
location: str,
ca_pool_name: str,
ca_name: str,
certificate_name: str,
common_name: str,
domain_name: str,
certificate_lifetime: int,
public_key_bytes: bytes,
) -> None:
"""
Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
The key used to sign the certificate is created by the Cloud KMS.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: set a unique name for the CA pool.
ca_name: the name of the certificate authority which issues the certificate.
certificate_name: set a unique name for the certificate.
common_name: a title for your certificate.
domain_name: fully qualified domain name for your certificate.
certificate_lifetime: the validity of the certificate in seconds.
public_key_bytes: public key used in signing the certificates.
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
# The public key used to sign the certificate can be generated using any crypto library/framework.
# Also you can use Cloud KMS to retrieve an already created public key.
# For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
# Set the Public Key and its format.
public_key = privateca_v1.PublicKey(
key=public_key_bytes,
format_=privateca_v1.PublicKey.KeyFormat.PEM,
)
subject_config = privateca_v1.CertificateConfig.SubjectConfig(
subject=privateca_v1.Subject(common_name=common_name),
subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]),
)
# Set the X.509 fields required for the certificate.
x509_parameters = privateca_v1.X509Parameters(
key_usage=privateca_v1.KeyUsage(
base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
digital_signature=True,
key_encipherment=True,
),
extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
server_auth=True,
client_auth=True,
),
),
)
# Create certificate.
certificate = privateca_v1.Certificate(
config=privateca_v1.CertificateConfig(
public_key=public_key,
subject_config=subject_config,
x509_config=x509_parameters,
),
lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
)
# Create the Certificate Request.
request = privateca_v1.CreateCertificateRequest(
parent=caServiceClient.ca_pool_path(project_id, location, ca_pool_name),
certificate_id=certificate_name,
certificate=certificate,
issuing_certificate_authority_id=ca_name,
)
result = caServiceClient.create_certificate(request=request)
print("Certificate creation result:", result)
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands. For more information, see the Terraform provider reference documentation.
resource "google_privateca_certificate_authority" "authority" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-sample-certificate-authority"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
digital_signature = true
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_privateca_certificate" "default" {
pool = "my-pool"
location = "us-central1"
lifetime = "860s"
name = "my-sample-certificate"
config {
subject_config {
subject {
common_name = "san1.example.com"
country_code = "us"
organization = "google"
organizational_unit = "enterprise"
locality = "mountain view"
province = "california"
street_address = "1600 amphitheatre parkway"
postal_code = "94109"
}
}
x509_config {
ca_options {
is_ca = false
}
key_usage {
base_key_usage {
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
public_key {
format = "PEM"
key = base64encode(data.tls_public_key.example.public_key_pem)
}
}
// Certificates require an authority to exist in the pool, though they don't
// need to be explicitly connected to it
depends_on = [google_privateca_certificate_authority.authority]
}
resource "tls_private_key" "example" {
algorithm = "RSA"
}
data "tls_public_key" "example" {
private_key_pem = tls_private_key.example.private_key_pem
}What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.