Create a certificate by using Terraform

Terraform is an open-source software tool that lets you create and manage your CA Service resources using its infrastructure-as-code paradigm.

Objective

This page describes how you can use Terraform to perform the following operations with Certificate Authority Service:

  • Create a certificate authority (CA) pool.
  • Create a CA in the new CA pool.
  • Generate a new Certificate Signing Request (CSR).
  • Use the generated CSR to request a certificate from the new CA pool.

This tutorial uses the Google Cloud Terraform provider together with the HashiCorp TLS provider, which generates the private key and the CSR locally.

Before you begin

Make sure that you have the CA Service Admin (roles/privateca.admin) IAM role. If you don't have this IAM role, read Grant a single role for information about granting this role.

Create a Google Cloud project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Enable the CA Service API.

    Enable the API

Install the Google Cloud CLI

If you haven't already, install the Google Cloud CLI. When prompted, choose the project that you selected or created earlier.

If you already have the Google Cloud CLI installed, update it using the following Google Cloud CLI command:

gcloud components update

For more information about this gcloud CLI command, see gcloud components update.

Create a Terraform configuration file

To create a Terraform configuration file that you can use to perform operations on CA Service, do the following:

  1. Create a new directory for the project to live in.

  2. In this new directory, create a main.tf file for the Terraform configuration.

  3. Copy the following Terraform configuration, and paste it in the main.tf file.

    provider "google" {}
    provider "tls" {}
    
    resource "google_project_service" "privateca_api" {
      service            = "privateca.googleapis.com"
      disable_on_destroy = false
    }
    
    resource "tls_private_key" "example" {
      # RSA without rsa_bits defaults to a 2048-bit key. The private key is
      # generated by Terraform and stored in plaintext in the state file.
      algorithm   = "RSA"
    }
    
    resource "tls_cert_request" "example" {
      private_key_pem = tls_private_key.example.private_key_pem
    
      subject {
        common_name  = "example.com"
        organization = "ACME Examples, Inc"
      }
    }
    
    resource "google_privateca_ca_pool" "default" {
      name = "my-ca-pool"
      location = "us-central1"
      tier = "ENTERPRISE"
      publishing_options {
        publish_ca_cert = true
        publish_crl = true
      }
      labels = {
        foo = "bar"
      }
      issuance_policy {
        baseline_values {
          ca_options {
            is_ca = false
          }
          key_usage {
            base_key_usage {
              digital_signature = true
              key_encipherment = true
            }
            extended_key_usage {
              server_auth = true
            }
          }
        }
      }
    }
    
    resource "google_privateca_certificate_authority" "test-ca" {
      certificate_authority_id = "my-authority"
      location = "us-central1"
      pool = google_privateca_ca_pool.default.name
      config {
        subject_config {
          subject {
            country_code = "us"
            organization = "google"
            organizational_unit = "enterprise"
            locality = "mountain view"
            province = "california"
            street_address = "1600 amphitheatre parkway"
            postal_code = "94109"
            common_name = "my-certificate-authority"
          }
        }
        x509_config {
          ca_options {
            is_ca = true
          }
          key_usage {
            base_key_usage {
              cert_sign = true
              crl_sign = true
            }
            extended_key_usage {
              server_auth = true
            }
          }
        }
      }
      type = "SELF_SIGNED"
      key_spec {
        algorithm = "RSA_PKCS1_4096_SHA256"
      }
    }
    
    resource "google_privateca_certificate" "default" {
      pool = google_privateca_ca_pool.default.name
      certificate_authority = google_privateca_certificate_authority.test-ca.certificate_authority_id
      location = "us-central1"
      lifetime = "860s"
      name = "my-certificate"
      pem_csr = tls_cert_request.example.cert_request_pem
    }

    For information about operating CA Service with Terraform, see Using Terraform with CA Service.

For more information about setting up Terraform with Google Cloud, see Getting started with the Google Cloud Provider.

Because the tls_private_key resource generates the certificate's private key inside Terraform, the key, the CSR, and the issued certificate all end up in the Terraform state file. Treat the state as a secret: keep it in a remote backend with restricted access, and do not commit it to source control.

Run the Terraform configuration file

To run the Terraform configuration file you created, run the following commands in Cloud Shell.

For information about running gcloud CLI commands using Cloud Shell, see Running gcloud commands with Cloud Shell.

  1. Initialize Terraform in the directory where you have stored the main.tf file.

    terraform init
    
  2. Run the created Terraform configuration file.

    terraform apply
    
  3. When Terraform shows the plan and asks whether to apply it, enter yes.
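After the apply completes, check that the certificate the CA issued actually matches what the pool's issuance policy promised. The script below is an added example, not part of the original page or of CA Service itself. It assumes openssl is installed and that you have added output blocks to main.tf exposing google_privateca_certificate.default.pem_certificate_chain, google_privateca_certificate.default.pem_certificate, and tls_private_key.example.private_key_pem (the last marked sensitive = true), then exported them with terraform output -raw into ca.pem, cert.pem, and key.pem; those output names and file names are assumptions. The function chains the leaf to the CA, rejects a leaf that was wrongly issued as a CA, requires the serverAuth EKU set in baseline_values, and confirms that the certificate's public key is the one behind the CSR generated by tls_cert_request.

```sh
#!/usr/bin/env sh
# Post-apply check for the certificate issued by the Terraform configuration
# on this page. Added example, not the page's own code. Assumes these files
# were exported from assumed output blocks in main.tf:
#   terraform output -raw pem_certificate_chain > ca.pem
#   terraform output -raw pem_certificate       > cert.pem
#   terraform output -raw private_key_pem       > key.pem
# Requires openssl.

# verify_issued_cert CA_PEM CERT_PEM KEY_PEM
# Returns 0 when the leaf chains to the CA, is not itself a CA, carries the
# serverAuth EKU from the pool's issuance policy, and was issued for the key
# behind the CSR. Returns 1 and prints the first failing check otherwise.
verify_issued_cert() {
  ca="$1"; cert="$2"; key="$3"

  # 1. Chain: the leaf must verify against the CA (chain) PEM.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: leaf does not chain to $ca"; return 1; }

  text=$(openssl x509 -in "$cert" -noout -text) \
    || { echo "FAIL: cannot parse $cert"; return 1; }

  # 2. baseline_values sets is_ca = false; reject a leaf that came back CA:TRUE.
  case "$text" in
    *"CA:TRUE"*) echo "FAIL: leaf carries basicConstraints CA:TRUE"; return 1 ;;
  esac

  # 3. extended_key_usage.server_auth = true must be reflected in the EKU.
  case "$text" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "FAIL: serverAuth EKU missing"; return 1 ;;
  esac

  # 4. Key binding: the SPKI in the certificate must equal the SPKI derived
  #    from the private key that signed the CSR.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) \
    || { echo "FAIL: cannot extract public key from $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: certificate public key does not match $key"; return 1; }

  echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
  return 0
}

# Usage, after terraform apply and the three terraform output commands above:
#   verify_issued_cert ca.pem cert.pem key.pem
```

Run the check again after any change to issuance_policy: the pool's baseline_values are applied to every certificate it issues, so a policy edit that drops server_auth or flips is_ca shows up here before the certificate is deployed.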

What's next