Émettre ou créer un certificat à l'aide d'une autorité de certification
En savoir plus
Pour obtenir une documentation détaillée incluant cet exemple de code, consultez les articles suivants :
- Émettre des certificats prouvant l'identité d'un tiers
- Demander un certificat et afficher les certificats émis
Exemple de code
Go
Pour vous authentifier auprès du service CA, configurez les Identifiants par défaut de l'application. Pour en savoir plus, consultez Configurer l'authentification pour un environnement de développement local.
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
"google.golang.org/protobuf/types/known/durationpb"
)
// Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
// The key used to sign the certificate is created by the Cloud KMS.
func createCertificate(
w io.Writer,
projectId string,
location string,
caPoolId string,
caId string,
certId string,
commonName string,
domainName string,
certDuration int64,
publicKeyBytes []byte) error {
// projectId := "your_project_id"
// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
// caPoolId := "ca-pool-id" // The CA Pool id in which the certificate authority exists.
// caId := "ca-id" // The name of the certificate authority which issues the certificate.
// certId := "certificate" // A unique name for the certificate.
// commonName := "cert-name" // A common name for the certificate.
// domainName := "cert.example.com" // Fully qualified domain name for the certificate.
// certDuration := int64(31536000) // The validity of the certificate in seconds.
// publicKeyBytes // The public key used in signing the certificates.
ctx := context.Background()
caClient, err := privateca.NewCertificateAuthorityClient(ctx)
if err != nil {
return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
}
defer caClient.Close()
// Set the Public Key and its format.
publicKey := &privatecapb.PublicKey{
Key: publicKeyBytes,
Format: privatecapb.PublicKey_PEM,
}
// Set Certificate subject config.
subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
Subject: &privatecapb.Subject{
CommonName: commonName,
},
SubjectAltName: &privatecapb.SubjectAltNames{
DnsNames: []string{domainName},
},
}
// Set the X.509 fields required for the certificate.
x509Parameters := &privatecapb.X509Parameters{
KeyUsage: &privatecapb.KeyUsage{
BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
DigitalSignature: true,
KeyEncipherment: true,
},
ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
ServerAuth: true,
ClientAuth: true,
},
},
}
// Set certificate settings.
cert := &privatecapb.Certificate{
CertificateConfig: &privatecapb.Certificate_Config{
Config: &privatecapb.CertificateConfig{
PublicKey: publicKey,
SubjectConfig: subjectConfig,
X509Config: x509Parameters,
},
},
Lifetime: &durationpb.Duration{
Seconds: certDuration,
},
}
fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)
// Create the CreateCertificateRequest.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateRequest.
req := &privatecapb.CreateCertificateRequest{
Parent: fullCaPoolName,
CertificateId: certId,
Certificate: cert,
IssuingCertificateAuthorityId: caId,
}
_, err = caClient.CreateCertificate(ctx, req)
if err != nil {
return fmt.Errorf("CreateCertificate failed: %w", err)
}
fmt.Fprintf(w, "Certificate %s created", certId)
return nil
}
Java
Pour vous authentifier auprès du service CA, configurez les Identifiants par défaut de l'application. Pour en savoir plus, consultez Configurer l'authentification pour un environnement de développement local.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.PublicKey;
import com.google.cloud.security.privateca.v1.PublicKey.KeyFormat;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.protobuf.ByteString;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
public class CreateCertificate {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// publicKeyBytes: Public key used in signing the certificates.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: Set a unique id for the CA pool.
// certificateAuthorityName: The name of the certificate authority which issues the certificate.
// certificateName: Set a unique name for the certificate.
String project = "your-project-id";
ByteString publicKeyBytes = ByteString.copyFrom(new byte[]{});
String location = "ca-location";
String poolId = "ca-poolId";
String certificateAuthorityName = "certificate-authority-name";
String certificateName = "certificate-name";
createCertificate(
project, location, poolId, certificateAuthorityName, certificateName, publicKeyBytes);
}
// Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
// The public key used to sign the certificate can be generated using any crypto
// library/framework.
public static void createCertificate(
String project,
String location,
String poolId,
String certificateAuthorityName,
String certificateName,
ByteString publicKeyBytes)
throws InterruptedException, ExecutionException, IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// commonName: Enter a title for your certificate.
// orgName: Provide the name of your company.
// domainName: List the fully qualified domain name.
// certificateLifetime: The validity of the certificate in seconds.
String commonName = "commonname";
String orgName = "orgname";
String domainName = "dns.example.com";
long certificateLifetime = 1000L;
// Set the Public Key and its format.
PublicKey publicKey =
PublicKey.newBuilder().setKey(publicKeyBytes).setFormat(KeyFormat.PEM).build();
SubjectConfig subjectConfig =
SubjectConfig.newBuilder()
// Set the common name and org name.
.setSubject(
Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
// Set the fully qualified domain name.
.setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
.build();
// Set the X.509 fields required for the certificate.
X509Parameters x509Parameters =
X509Parameters.newBuilder()
.setKeyUsage(
KeyUsage.newBuilder()
.setBaseKeyUsage(
KeyUsageOptions.newBuilder()
.setDigitalSignature(true)
.setKeyEncipherment(true)
.setCertSign(true)
.build())
.setExtendedKeyUsage(
ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
.build())
.setCaOptions(CaOptions.newBuilder().setIsCa(true).buildPartial())
.build();
// Create certificate.
Certificate certificate =
Certificate.newBuilder()
.setConfig(
CertificateConfig.newBuilder()
.setPublicKey(publicKey)
.setSubjectConfig(subjectConfig)
.setX509Config(x509Parameters)
.build())
.setLifetime(Duration.newBuilder().setSeconds(certificateLifetime).build())
.build();
// Create the Certificate Request.
CreateCertificateRequest certificateRequest =
CreateCertificateRequest.newBuilder()
.setParent(CaPoolName.of(project, location, poolId).toString())
.setCertificateId(certificateName)
.setCertificate(certificate)
.setIssuingCertificateAuthorityId(certificateAuthorityName)
.build();
// Get the Certificate response.
ApiFuture<Certificate> future =
certificateAuthorityServiceClient
.createCertificateCallable()
.futureCall(certificateRequest);
Certificate response = future.get();
// Get the PEM encoded, signed X.509 certificate.
System.out.println(response.getPemCertificate());
// To verify the obtained certificate, use this intermediate chain list.
System.out.println(response.getPemCertificateChainList());
}
}
}Python
Pour vous authentifier auprès du service CA, configurez les Identifiants par défaut de l'application. Pour en savoir plus, consultez Configurer l'authentification pour un environnement de développement local.
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
def create_certificate(
project_id: str,
location: str,
ca_pool_name: str,
ca_name: str,
certificate_name: str,
common_name: str,
domain_name: str,
certificate_lifetime: int,
public_key_bytes: bytes,
) -> None:
"""
Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
The key used to sign the certificate is created by the Cloud KMS.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: set a unique name for the CA pool.
ca_name: the name of the certificate authority which issues the certificate.
certificate_name: set a unique name for the certificate.
common_name: a title for your certificate.
domain_name: fully qualified domain name for your certificate.
certificate_lifetime: the validity of the certificate in seconds.
public_key_bytes: public key used in signing the certificates.
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
# The public key used to sign the certificate can be generated using any crypto library/framework.
# Also you can use Cloud KMS to retrieve an already created public key.
# For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
# Set the Public Key and its format.
public_key = privateca_v1.PublicKey(
key=public_key_bytes,
format_=privateca_v1.PublicKey.KeyFormat.PEM,
)
subject_config = privateca_v1.CertificateConfig.SubjectConfig(
subject=privateca_v1.Subject(common_name=common_name),
subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]),
)
# Set the X.509 fields required for the certificate.
x509_parameters = privateca_v1.X509Parameters(
key_usage=privateca_v1.KeyUsage(
base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
digital_signature=True,
key_encipherment=True,
),
extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
server_auth=True,
client_auth=True,
),
),
)
# Create certificate.
certificate = privateca_v1.Certificate(
config=privateca_v1.CertificateConfig(
public_key=public_key,
subject_config=subject_config,
x509_config=x509_parameters,
),
lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
)
# Create the Certificate Request.
request = privateca_v1.CreateCertificateRequest(
parent=caServiceClient.ca_pool_path(project_id, location, ca_pool_name),
certificate_id=certificate_name,
certificate=certificate,
issuing_certificate_authority_id=ca_name,
)
result = caServiceClient.create_certificate(request=request)
print("Certificate creation result:", result)
Terraform
Pour savoir comment appliquer ou supprimer une configuration Terraform, consultez la page Commandes Terraform de base. Pour en savoir plus, consultez la documentation de référence du fournisseur Terraform.
resource "google_privateca_certificate_authority" "authority" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "my-pool"
certificate_authority_id = "my-sample-certificate-authority"
location = "us-central1"
deletion_protection = false # set to true to prevent destruction of the resource
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
digital_signature = true
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
resource "google_privateca_certificate" "default" {
pool = "my-pool"
location = "us-central1"
lifetime = "860s"
name = "my-sample-certificate"
config {
subject_config {
subject {
common_name = "san1.example.com"
country_code = "us"
organization = "google"
organizational_unit = "enterprise"
locality = "mountain view"
province = "california"
street_address = "1600 amphitheatre parkway"
postal_code = "94109"
}
}
x509_config {
ca_options {
is_ca = false
}
key_usage {
base_key_usage {
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
public_key {
format = "PEM"
key = base64encode(data.tls_public_key.example.public_key_pem)
}
}
// Certificates require an authority to exist in the pool, though they don't
// need to be explicitly connected to it
depends_on = [google_privateca_certificate_authority.authority]
}
resource "tls_private_key" "example" {
algorithm = "RSA"
}
data "tls_public_key" "example" {
private_key_pem = tls_private_key.example.private_key_pem
}Étapes suivantes
Pour rechercher et filtrer des exemples de code pour d'autres produits Google Cloud, consultez l'exemple de navigateur Google Cloud.