Quickstart
This sample creates a certificate authority (CA) pool, creates a CA in the new CA pool, generates a new Certificate Signing Request (CSR) and uses the generated CSR to request a certificate from the new CA pool.

Explore further
---------------

For detailed documentation that includes this code sample, see the following:

- [Issue a certificate using Terraform](/certificate-authority-service/docs/using-terraform)

Code sample
-----------

### Terraform

To learn how to apply or remove a Terraform configuration, see [Basic Terraform commands](/docs/terraform/basic-commands).

For more information, see the [Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).

```hcl
provider "google" {}
provider "tls" {}

resource "google_project_service" "privateca_api" {
  service            = "privateca.googleapis.com"
  disable_on_destroy = false
}

# Root CaPool & CA

resource "google_privateca_ca_pool" "root" {
  name     = "root-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
}

resource "google_privateca_certificate_authority" "root-ca" {
  certificate_authority_id = "my-root-ca"
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.root.name
  config {
    subject_config {
      subject {
        organization = "google"
        common_name  = "my-certificate-authority"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  type = "SELF_SIGNED"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}

# Sub CaPool & CA

resource "google_privateca_ca_pool" "subordinate" {
  name     = "sub-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }

  # Baseline values every certificate issued from this pool must carry.
  issuance_policy {
    baseline_values {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
}

resource "google_privateca_certificate_authority" "sub-ca" {
  pool                     = google_privateca_ca_pool.subordinate.name
  certificate_authority_id = "my-sub-ca"
  location                 = "us-central1"
  subordinate_config {
    certificate_authority = google_privateca_certificate_authority.root-ca.name
  }
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name  = "my-subordinate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
        # Force the sub CA to only issue leaf certs
        max_issuer_path_length = 0
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  # Validity of the sub CA certificate, in seconds (365 days).
  lifetime = "31536000s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  type = "SUBORDINATE"

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}

# Leaf cert

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_cert_request" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
}

resource "google_privateca_certificate" "default" {
  pool = google_privateca_ca_pool.subordinate.name
  # Explicitly refer to the sub-CA so that the certificate creation will wait for the CA creation.
  certificate_authority = google_privateca_certificate_authority.sub-ca.certificate_authority_id
  location              = "us-central1"
  # Validity of the leaf certificate, in seconds.
  lifetime              = "860s"
  name                  = "my-certificate"
  pem_csr               = tls_cert_request.example.cert_request_pem
}
```

What's next
-----------

To search and filter code samples for other Google Cloud products, see the [Google Cloud sample browser](/docs/samples?product=privateca).

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
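The constraints the configuration above expresses (a self-signed root, a subordinate CA with `max_issuer_path_length = 0`, and a leaf for `example.com` carrying the pool's baseline key usages) can be exercised locally: the Go program below is an added example, not part of Google's sample, that mints an equivalent hierarchy with the standard `crypto/x509` package instead of the Certificate Authority Service API and checks that a leaf issued by the sub CA validates while a leaf issued by a CA nested under the sub CA is rejected. It assumes 2048-bit RSA test keys, a short validity for every certificate, and the made-up name `tier-2-ca` for the extra CA tier.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Key usages from the sample's key_usage blocks: both CAs get cert_sign + crl_sign, leaves digital_signature + key_encipherment.
const caUsage, leafUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
// tmpl mirrors the sample's x509_config; pathLenZero is the sub CA's max_issuer_path_length = 0.
func tmpl(cn string, serial int64, ku x509.KeyUsage, isCA, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(860 * time.Second), DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true, MaxPathLenZero: pathLenZero, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// mint signs template t with parent (self-signed when parent is nil); returns the parsed cert and its fresh RSA key.
func mint(t, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key; the sample uses 4096-bit CA keys
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds root -> sub (pathlen 0) -> leaf as in the sample, plus a CA nested under the sub CA; nil means accepted.
func Demo() (leafErr, nestedErr error) {
	root, rootKey := mint(tmpl("my-certificate-authority", 1, caUsage, true, false), nil, nil)
	sub, subKey := mint(tmpl("my-subordinate-authority", 2, caUsage, true, true), root, rootKey)
	leaf, _ := mint(tmpl("example.com", 3, leafUsage, false, false), sub, subKey)
	nested, nestedKey := mint(tmpl("tier-2-ca", 4, caUsage, true, false), sub, subKey) // one tier too deep
	deep, _ := mint(tmpl("example.com", 5, leafUsage, false, false), nested, nestedKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	inters.AddCert(nested) // offered as an intermediate, but the sub CA's pathlen 0 forbids any CA below it
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "example.com"}
	_, leafErr = leaf.Verify(opts)
	_, nestedErr = deep.Verify(opts)
	return leafErr, nestedErr
}
```

The same check against real output of the configuration would feed the PEM from `google_privateca_certificate.default` and the two CA certificates into `x509.ParseCertificate` and `Verify` exactly as `Demo` does with the locally minted ones.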