通过根 CA 或从属 CA 创建从属 CA。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
Java
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
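public class CreateSubordinateCa {

  /**
   * Sample entry point: creates a subordinate CA with the placeholder values below.
   *
   * <p>TODO(developer): Replace these variables before running the sample.
   *
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create call fails
   * @throws InterruptedException if the thread is interrupted while waiting for the call
   */
  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // subordinateCaName: Unique name for the Subordinate CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String subordinateCaName = "subordinate-certificate-authority-name";

    createSubordinateCertificateAuthority(project, location, poolId, subordinateCaName);
  }

  /**
   * Creates a subordinate CA using the sample's built-in subject, SAN, key algorithm and
   * lifetime. Kept for backward compatibility; the overload below accepts those values as
   * parameters (mirroring the Python sample's signature).
   *
   * @param project project ID or number
   * @param location CA Service location
   * @param poolId CA Pool under which the CA is created
   * @param subordinateCaName unique ID for the new subordinate CA
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create call fails
   * @throws InterruptedException if the thread is interrupted while waiting for the call
   */
  public static void createSubordinateCertificateAuthority(
      String project, String location, String poolId, String subordinateCaName)
      throws IOException, ExecutionException, InterruptedException {
    // Values the original sample hard-coded inside the method body.
    String commonName = "commonname";
    String orgName = "csr-org-name";
    String domainName = "dns.example.com";
    long caDuration = 100000; // Validity of this CA in seconds.

    createSubordinateCertificateAuthority(
        project, location, poolId, subordinateCaName, commonName, orgName, domainName, caDuration);
  }

  /**
   * Creates a subordinate CA in the given CA Pool.
   *
   * @param project project ID or number
   * @param location CA Service location
   * @param poolId CA Pool under which the CA is created
   * @param subordinateCaName unique ID for the new subordinate CA
   * @param commonName subject common name of the CA certificate
   * @param orgName subject organization of the CA certificate
   * @param domainName DNS name placed in the CA certificate's subject alternative name
   * @param caDurationSeconds validity of the CA certificate, in seconds
   * @throws IOException if the client cannot be created
   * @throws ExecutionException if the create call fails
   * @throws InterruptedException if the thread is interrupted while waiting for the call
   */
  public static void createSubordinateCertificateAuthority(
      String project,
      String location,
      String poolId,
      String subordinateCaName,
      String commonName,
      String orgName,
      String domainName,
      long caDurationSeconds)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      CertificateAuthority subCertificateAuthority =
          buildSubordinateCa(commonName, orgName, domainName, caDurationSeconds);

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest subCertificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(subordinateCaName)
              .setCertificateAuthority(subCertificateAuthority)
              .build();

      // Create Subordinate CA.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(subCertificateAuthorityRequest);
      // NOTE(review): this is the long-running Operation as first reported by the service; if it
      // is not yet done, the absence of an error here does not prove the CA exists — confirm
      // whether callers should poll the operation before relying on the CA.
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating Subordinate CA !" + response.getError());
        return;
      }

      System.out.println(
          "Subordinate Certificate Authority created successfully : " + subordinateCaName);
    }
  }

  /** Builds the subject and subject-alternative-name settings of the CA certificate. */
  private static SubjectConfig buildSubjectConfig(
      String commonName, String orgName, String domainName) {
    return SubjectConfig.newBuilder()
        .setSubject(
            Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
        // Set the fully qualified domain name.
        .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
        .build();
  }

  /** Builds the X.509 fields that mark this certificate as a CA able to sign certs and CRLs. */
  private static X509Parameters buildCaX509Parameters() {
    // NOTE(review): no issuer path length constraint is set here, so this subordinate is not
    // restricted to issuing leaf certificates — confirm that is intended for your hierarchy.
    return X509Parameters.newBuilder()
        .setKeyUsage(
            KeyUsage.newBuilder()
                .setBaseKeyUsage(
                    KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                .build())
        .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
        .build();
  }

  /** Assembles the subordinate CertificateAuthority resource to be created. */
  private static CertificateAuthority buildSubordinateCa(
      String commonName, String orgName, String domainName, long caDurationSeconds) {
    // Set the type of Algorithm.
    KeyVersionSpec keyVersionSpec =
        KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

    return CertificateAuthority.newBuilder()
        .setType(CertificateAuthority.Type.SUBORDINATE)
        .setKeySpec(keyVersionSpec)
        .setConfig(
            CertificateConfig.newBuilder()
                .setSubjectConfig(buildSubjectConfig(commonName, orgName, domainName))
                .setX509Config(buildCaX509Parameters())
                .build())
        // Set the CA validity duration.
        .setLifetime(Duration.newBuilder().setSeconds(caDurationSeconds).build())
        .build();
  }
}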
Python
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2
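def create_subordinate_ca(
    project_id: str,
    location: str,
    ca_pool_name: str,
    subordinate_ca_name: str,
    common_name: str,
    organization: str,
    domain: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority (CA) which is the subordinate CA in the given CA Pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        subordinate_ca_name: unique name for the Subordinate CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        domain: the fully qualified domain name placed in the CA certificate's subject alternative name.
        ca_duration: the validity of the certificate authority in seconds.

    Returns:
        None. The operation result is printed to stdout.
    """
    # NOTE(review): the client is never closed in this sample — confirm whether the installed
    # client version supports use as a context manager so background resources are released.
    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()

    # Set the type of Algorithm
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(
            common_name=common_name, organization=organization
        ),
        # Set the fully qualified domain name.
        subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain]),
    )

    # Set the key usage options for X.509 fields.
    # NOTE(review): no issuer path length constraint is set, so this subordinate is not
    # restricted to issuing leaf certificates — confirm that is intended for your hierarchy.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        type_=privateca_v1.CertificateAuthority.Type.SUBORDINATE,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        # Set the CA validity duration.
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=subordinate_ca_name,
        certificate_authority=certificate_authority,
    )

    operation = ca_service_client.create_certificate_authority(request=request)
    # Block until the long-running operation completes; the result is the created CA.
    result = operation.result()

    print(f"Operation result: {result}")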
Terraform
如需了解如何应用或移除 Terraform 配置,请参阅基本 Terraform 命令。 如需了解详情,请参阅 Terraform 提供程序参考文档。
resource "google_privateca_certificate_authority" "root_ca" {
  # This example assumes this pool already exists.
  # Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-pool"
  location                 = "us-central1"
  certificate_authority_id = "my-certificate-authority-root"

  # set to true to prevent destruction of the resource
  deletion_protection                    = false
  ignore_active_certificates_on_deletion = true

  # `type` is not set here; the provider default applies (a self-signed root) — confirm.
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  # valid for 10 years
  lifetime = "${10 * 365 * 24 * 3600}s"

  config {
    subject_config {
      subject {
        common_name  = "my-certificate-authority"
        organization = "ACME"
      }
    }

    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }

      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }

        extended_key_usage {
        }
      }
    }
  }
}
resource "google_privateca_certificate_authority" "sub_ca" {
  # This example assumes this pool already exists.
  # Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "my-sub-pool"
  location                 = "us-central1"
  certificate_authority_id = "my-certificate-authority-sub"

  # set to true to prevent destruction of the resource
  deletion_protection = false

  type = "SUBORDINATE"

  # The issuing CA: the root defined above signs this subordinate's certificate.
  subordinate_config {
    certificate_authority = google_privateca_certificate_authority.root_ca.name
  }

  key_spec {
    algorithm = "RSA_PKCS1_2048_SHA256"
  }

  # valid for 5 years
  lifetime = "${5 * 365 * 24 * 3600}s"

  config {
    subject_config {
      subject {
        common_name  = "my-subordinate-authority"
        organization = "ACME"
      }
    }

    x509_config {
      ca_options {
        is_ca = true
        # Force the sub CA to only issue leaf certs.
        # Use e.g.
        # max_issuer_path_length = 1
        # if you need to chain more subordinates.
        zero_max_issuer_path_length = true
      }

      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }

        extended_key_usage {
        }
      }
    }
  }
}
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。