Issue (create) a new end-entity certificate that is signed by a certificate authority in a CA pool.
Code sample
Java
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.PublicKey;
import com.google.cloud.security.privateca.v1.PublicKey.KeyFormat;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.protobuf.ByteString;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
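public class CreateCertificate {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // publicKeyBytes: PEM-encoded public key of the key pair the certificate will be bound to.
    //   Only the public half is sent to CA Service; the matching private key stays with the
    //   requester and is never needed by this sample.
    // location: For a list of locations, see:
    //   https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool that contains the issuing CA.
    // certificateAuthorityName: The name of the certificate authority which issues the certificate.
    // certificateName: Set a unique name for the certificate.
    String project = "your-project-id";
    ByteString publicKeyBytes = ByteString.copyFrom(new byte[] {});
    String location = "ca-location";
    String poolId = "ca-poolId";
    String certificateAuthorityName = "certificate-authority-name";
    String certificateName = "certificate-name";

    createCertificate(
        project, location, poolId, certificateAuthorityName, certificateName, publicKeyBytes);
  }

  // Create an end-entity (leaf) certificate issued by the Certificate Authority present in the
  // CA Pool. The certificate is signed by the CA's private key inside CA Service; the caller only
  // supplies the public key that the certificate will certify. That key pair can be generated
  // with any crypto library/framework (or held in Cloud KMS) -- the private key never leaves it.
  public static void createCertificate(
      String project,
      String location,
      String poolId,
      String certificateAuthorityName,
      String certificateName,
      ByteString publicKeyBytes)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. try-with-resources calls
    // `certificateAuthorityServiceClient.close()` on exit, which releases any remaining
    // background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // commonName: Enter a title for your certificate.
      // orgName: Provide the name of your company.
      // domainName: List the fully qualified domain name (goes into the SAN extension, which is
      //   what TLS clients actually match against).
      // certificateLifetime: The validity of the certificate in seconds. 1000 s is a
      //   deliberately short placeholder; prefer the shortest lifetime your rotation process
      //   supports. The issuing CA and the pool's issuance policy may cap this value further.
      String commonName = "commonname";
      String orgName = "orgname";
      String domainName = "dns.example.com";
      long certificateLifetime = 1000L;

      // The public key to certify, and its encoding.
      PublicKey publicKey =
          PublicKey.newBuilder().setKey(publicKeyBytes).setFormat(KeyFormat.PEM).build();

      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              // Set the common name and org name.
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              // Set the fully qualified domain name.
              .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
              .build();

      // X.509 extensions for a TLS server certificate.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder()
                              .setDigitalSignature(true)
                              .setKeyEncipherment(true)
                              .build())
                      .setExtendedKeyUsage(
                          ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
                      .build())
              // Explicitly an end-entity certificate (BasicConstraints CA:FALSE). Do NOT set
              // isCa(true) or certSign(true) for a server certificate: that would mint a
              // subordinate CA able to issue further certificates chaining to your root, which is
              // far more privilege than a TLS endpoint needs and is what the Python sample on
              // this page omits as well.
              .setCaOptions(CaOptions.newBuilder().setIsCa(false).build())
              .build();

      // Assemble the certificate to request.
      Certificate certificate =
          Certificate.newBuilder()
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setPublicKey(publicKey)
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              .setLifetime(Duration.newBuilder().setSeconds(certificateLifetime).build())
              .build();

      // Create the Certificate Request, addressed to the pool and pinned to one issuing CA.
      CreateCertificateRequest certificateRequest =
          CreateCertificateRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateId(certificateName)
              .setCertificate(certificate)
              .setIssuingCertificateAuthorityId(certificateAuthorityName)
              .build();

      // Send the request and wait for the signed certificate.
      ApiFuture<Certificate> future =
          certificateAuthorityServiceClient
              .createCertificateCallable()
              .futureCall(certificateRequest);
      Certificate response = future.get();

      // The PEM encoded, signed X.509 certificate.
      System.out.println(response.getPemCertificate());

      // The issuer chain (intermediates up to the root) needed to validate the certificate;
      // serve it alongside the leaf and use it when verifying.
      System.out.println(response.getPemCertificateChainList());
    }
  }
}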
Python
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
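def create_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    certificate_name: str,
    common_name: str,
    domain_name: str,
    certificate_lifetime: int,
    public_key_bytes: bytes,
) -> None:
    """
    Create an end-entity (leaf) certificate issued by the Certificate Authority present in the CA Pool.
    The certificate is signed by the CA's private key inside CA Service; the caller only supplies
    the public key that the certificate will certify. The matching private key stays with the
    requester and is never sent.
    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the id of the CA pool that contains the issuing CA.
        ca_name: the name of the certificate authority which issues the certificate.
        certificate_name: set a unique name for the certificate.
        common_name: a title for your certificate.
        domain_name: fully qualified domain name for your certificate (placed in the SAN extension).
        certificate_lifetime: the validity of the certificate in seconds. Prefer the shortest
            lifetime your rotation process supports; the issuing CA and pool policy may cap it.
        public_key_bytes: PEM-encoded public key that the certificate binds to the subject.
            It can be generated with any crypto library/framework, or retrieved from an existing
            Cloud KMS key: https://cloud.google.com/kms/docs/retrieve-public-key.
    """
    # The client owns a gRPC transport; the context manager closes it when done.
    with privateca_v1.CertificateAuthorityServiceClient() as ca_service_client:
        # The public key to certify, and its encoding.
        public_key = privateca_v1.PublicKey(
            key=public_key_bytes,
            format_=privateca_v1.PublicKey.KeyFormat.PEM,
        )

        subject_config = privateca_v1.CertificateConfig.SubjectConfig(
            subject=privateca_v1.Subject(common_name=common_name),
            subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]),
        )

        # X.509 extensions for a TLS certificate usable on both the server and client side.
        x509_parameters = privateca_v1.X509Parameters(
            key_usage=privateca_v1.KeyUsage(
                base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                    digital_signature=True,
                    key_encipherment=True,
                ),
                extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
                    server_auth=True,
                    client_auth=True,
                ),
            ),
            # Explicitly an end-entity certificate (BasicConstraints CA:FALSE). Never set
            # is_ca=True or cert_sign=True for a TLS certificate: that would mint a subordinate
            # CA able to issue further certificates that chain to your root.
            ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=False),
        )

        # Assemble the certificate to request.
        certificate = privateca_v1.Certificate(
            config=privateca_v1.CertificateConfig(
                public_key=public_key,
                subject_config=subject_config,
                x509_config=x509_parameters,
            ),
            lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
        )

        # Create the Certificate Request, addressed to the pool and pinned to one issuing CA.
        request = privateca_v1.CreateCertificateRequest(
            parent=ca_service_client.ca_pool_path(project_id, location, ca_pool_name),
            certificate_id=certificate_name,
            certificate=certificate,
            issuing_certificate_authority_id=ca_name,
        )

        # The response carries the PEM leaf (pem_certificate) and the issuer chain
        # (pem_certificate_chain) needed to validate it.
        result = ca_service_client.create_certificate(request=request)
        print("Certificate creation result:", result)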