- NAME
-
- gcloud privateca roots create - create a new root certificate authority
- SYNOPSIS
-
-
gcloud privateca roots create
(CERTIFICATE_AUTHORITY
:--location
=LOCATION
--pool
=POOL
) [--auto-enable
] [--bucket
=BUCKET
] [--dns-san
=[DNS_SAN
,…]] [--email-san
=[EMAIL_SAN
,…]] [--from-ca
=FROM_CA
] [--ip-san
=[IP_SAN
,…]] [--labels
=[KEY
=VALUE
,…]] [--subject
=[SUBJECT
,…]] [--subject-key-id
=SUBJECT_KEY_ID
] [--uri-san
=[URI_SAN
,…]] [--validity
=VALIDITY
; default="P10Y"] [--key-algorithm
=KEY_ALGORITHM
; default="rsa-pkcs1-4096-sha256" | [--kms-key-version
=KMS_KEY_VERSION
:--kms-key
=KMS_KEY
--kms-keyring
=KMS_KEYRING
--kms-location
=KMS_LOCATION
--kms-project
=KMS_PROJECT
]] [--use-preset-profile
=USE_PRESET_PROFILE
|--extended-key-usages
=[EXTENDED_KEY_USAGES
,…]--key-usages
=[KEY_USAGES
,…]--max-chain-length
=MAX_CHAIN_LENGTH
|--unconstrained-chain-length
--no-name-constraints-critical
--name-excluded-dns
=[NAME_EXCLUDED_DNS
,…]--name-excluded-email
=[NAME_EXCLUDED_EMAIL
,…]--name-excluded-ip
=[NAME_EXCLUDED_IP
,…]--name-excluded-uri
=[NAME_EXCLUDED_URI
,…]--name-permitted-dns
=[NAME_PERMITTED_DNS
,…]--name-permitted-email
=[NAME_PERMITTED_EMAIL
,…]--name-permitted-ip
=[NAME_PERMITTED_IP
,…]--name-permitted-uri
=[NAME_PERMITTED_URI
,…]] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
- TIP: Consider setting a project lien on the project to prevent it from accidental deletion.
- EXAMPLES
-
To create a root CA that supports one layer of subordinates:
gcloud privateca roots create prod-root --location=us-west1 --pool=my-pool --kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" --subject="CN=Example Production Root CA, O=Google" --max-chain-length=1
To create a root CA that is based on an existing CA:
gcloud privateca roots create prod-root --location=us-west1 --pool=my-pool --kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" --from-ca=source-root
- POSITIONAL ARGUMENTS
-
-
Certificate Authority resource - The name of the root CA to create. The
arguments in this group can be used to specify the attributes of this resource.
(NOTE) Some attributes are not given arguments in this group but can be set in
other ways.
To set the
project
attribute:-
provide the argument
CERTIFICATE_AUTHORITY
on the command line with a fully specified name; -
provide the argument
--project
on the command line; -
set the property
core/project
.
This must be specified.
CERTIFICATE_AUTHORITY
-
ID of the Certificate Authority or fully qualified identifier for the
Certificate Authority.
To set the
certificate_authority
attribute:-
provide the argument
CERTIFICATE_AUTHORITY
on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--location
=LOCATION
-
The location of the Certificate Authority.
To set the
location
attribute:-
provide the argument
CERTIFICATE_AUTHORITY
on the command line with a fully specified name; -
provide the argument
--location
on the command line; -
set the property
privateca/location
.
-
provide the argument
--pool
=POOL
-
The parent CA Pool of the Certificate Authority.
To set the
pool
attribute:-
provide the argument
CERTIFICATE_AUTHORITY
on the command line with a fully specified name; -
provide the argument
--pool
on the command line.
-
provide the argument
-
provide the argument
-
Certificate Authority resource - The name of the root CA to create. The
arguments in this group can be used to specify the attributes of this resource.
(NOTE) Some attributes are not given arguments in this group but can be set in
other ways.
- FLAGS
-
--auto-enable
- If this flag is set, the Certificate Authority will be automatically enabled upon creation.
--bucket
=BUCKET
- The name of an existing storage bucket to use for storing the CA certificates and CRLs for CAs in this pool. If omitted, a new bucket will be created and managed by the service on your behalf.
--dns-san
=[DNS_SAN
,…]- One or more comma-separated DNS Subject Alternative Names.
--email-san
=[EMAIL_SAN
,…]- One or more comma-separated email Subject Alternative Names.
-
Source CA resource - An existing CA from which to copy configuration values for
the new CA. You can still override any of those values by explicitly providing
the appropriate flags. The specified existing CA must be part of the same pool
as the one being created. This represents a Cloud resource. (NOTE) Some
attributes are not given arguments in this group but can be set in other ways.
To set the
project
attribute:-
provide the argument
--from-ca
on the command line with a fully specified name; -
provide the argument
--project
on the command line; -
set the property
core/project
.
To set the
location
attribute:-
provide the argument
--from-ca
on the command line with a fully specified name; -
provide the argument
--location
on the command line; -
set the property
privateca/location
.
To set the
pool
attribute:-
provide the argument
--from-ca
on the command line with a fully specified name; -
provide the argument
--pool
on the command line.
--from-ca
=FROM_CA
-
ID of the source CA or fully qualified identifier for the source CA.
To set the
certificate_authority
attribute:-
provide the argument
--from-ca
on the command line.
-
provide the argument
-
provide the argument
--ip-san
=[IP_SAN
,…]- One or more comma-separated IP Subject Alternative Names.
--labels
=[KEY
=VALUE
,…]-
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens (
-
), underscores (_
), lowercase characters, and numbers. Values must contain only hyphens (-
), underscores (_
), lowercase characters, and numbers. --subject
=[SUBJECT
,…]- X.501 name of the certificate subject. Example: --subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
--subject-key-id
=SUBJECT_KEY_ID
- Optional field to specify subject key ID for certificate. DO NOT USE except to maintain a previously established identifier for a public key, whose SKI was not generated using method (1) described in RFC 5280 section 4.2.1.2.
--uri-san
=[URI_SAN
,…]- One or more comma-separated URI Subject Alternative Names.
--validity
=VALIDITY
; default="P10Y"- The validity of this CA, as an ISO8601 duration. Defaults to 10 years.
-
The key configuration used for the CA certificate. Defaults to a managed key if
not specified.
At most one of these can be specified:
--key-algorithm
=KEY_ALGORITHM
; default="rsa-pkcs1-4096-sha256"-
The crypto algorithm to use for creating a managed KMS key for the Certificate
Authority. The default is
rsa-pkcs1-4096-sha256
.KEY_ALGORITHM
must be one of:ec-p256-sha256
,ec-p384-sha384
,rsa-pkcs1-2048-sha256
,rsa-pkcs1-3072-sha256
,rsa-pkcs1-4096-sha256
,rsa-pss-2048-sha256
,rsa-pss-3072-sha256
,rsa-pss-4096-sha256
. -
Key version resource - An existing KMS key version to back this CA. The
arguments in this group can be used to specify the attributes of this resource.
--kms-key-version
=KMS_KEY_VERSION
-
ID of the key version or fully qualified identifier for the key version.
To set the
kms-key-version
attribute:-
provide the argument
--kms-key-version
on the command line.
This flag argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--kms-key
=KMS_KEY
-
The KMS key of the key version.
To set the
kms-key
attribute:-
provide the argument
--kms-key-version
on the command line with a fully specified name; -
provide the argument
--kms-key
on the command line.
-
provide the argument
--kms-keyring
=KMS_KEYRING
-
The KMS keyring of the key version.
To set the
kms-keyring
attribute:-
provide the argument
--kms-key-version
on the command line with a fully specified name; -
provide the argument
--kms-keyring
on the command line.
-
provide the argument
--kms-location
=KMS_LOCATION
-
The location of the key version.
To set the
kms-location
attribute:-
provide the argument
--kms-key-version
on the command line with a fully specified name; -
provide the argument
--kms-location
on the command line; -
provide the argument
location
on the command line; -
set the property
privateca/location
.
-
provide the argument
--kms-project
=KMS_PROJECT
-
The project containing the key version.
To set the
kms-project
attribute:-
provide the argument
--kms-key-version
on the command line with a fully specified name; -
provide the argument
--kms-project
on the command line; -
provide the argument
project
on the command line; -
set the property
core/project
.
-
provide the argument
-
The X.509 configuration used for the CA certificate.
At most one of these can be specified:
--use-preset-profile
=USE_PRESET_PROFILE
-
The name of an existing preset profile used to encapsulate X.509 parameter
values. USE_PRESET_PROFILE must be one of: leaf_client_tls, leaf_code_signing,
leaf_mtls, leaf_server_tls, leaf_smime, root_unconstrained,
subordinate_client_tls_pathlen_0, subordinate_code_signing_pathlen_0,
subordinate_mtls_pathlen_0, subordinate_server_tls_pathlen_0,
subordinate_smime_pathlen_0, subordinate_unconstrained_pathlen_0.
For more information, see https://cloud.google.com/certificate-authority-service/docs/certificate-profile.
--extended-key-usages
=[EXTENDED_KEY_USAGES
,…]-
The list of extended key usages for this CA. This can only be provided if
--use-preset-profile
is not provided.EXTENDED_KEY_USAGES
must be one of:server_auth
,client_auth
,code_signing
,email_protection
,time_stamping
,ocsp_signing
. --key-usages
=[KEY_USAGES
,…]-
The list of key usages for this CA. This can only be provided if
--use-preset-profile
is not provided.KEY_USAGES
must be one of:digital_signature
,content_commitment
,key_encipherment
,data_encipherment
,key_agreement
,cert_sign
,crl_sign
,encipher_only
,decipher_only
. -
At most one of these can be specified:
--max-chain-length
=MAX_CHAIN_LENGTH
-
Maximum depth of subordinate CAs allowed under this CA for a CA certificate.
This can only be provided if neither
--use-preset-profile
nor--unconstrained-chain-length
are provided. --unconstrained-chain-length
-
If set, allows an unbounded number of subordinate CAs under this newly issued CA
certificate. This can only be provided if neither
--use-preset-profile
nor--max-chain-length
are provided.
-
The x509 name constraints configurations
--name-constraints-critical
-
Indicates whether or not name constraints are marked as critical. Name
constraints are considered critical unless explicitly set to false. Enabled by
default, use
--no-name-constraints-critical
to disable. --name-excluded-dns
=[NAME_EXCLUDED_DNS
,…]-
One or more comma-separated DNS names which are excluded from being issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left-hand side of the name satisfies the name constraint. For
example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
, whileexample1.com
does not. --name-excluded-email
=[NAME_EXCLUDED_EMAIL
,…]-
One or more comma-separated emails which are excluded from being issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g.
.example.com
) to indicate all email addresses in that domain. --name-excluded-ip
=[NAME_EXCLUDED_IP
,…]- One or more comma-separated IP ranges which are excluded from being issued certificates. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
--name-excluded-uri
=[NAME_EXCLUDED_URI
,…]-
One or more comma-separated URIs which are excluded from being issued
certificates. The value can be a hostname or a domain with a leading period
(like
.example.com
) --name-permitted-dns
=[NAME_PERMITTED_DNS
,…]-
One or more comma-separated DNS names which are permitted to be issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left-hand side of the name satisfies the name constraint. For
example,
example.com
,www.example.com
,www.sub.example.com
would satisfyexample.com
, whileexample1.com
does not. --name-permitted-email
=[NAME_PERMITTED_EMAIL
,…]-
One or more comma-separated email addresses which are permitted to be issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g.
.example.com
) to indicate all email addresses in that domain. --name-permitted-ip
=[NAME_PERMITTED_IP
,…]- One or more comma-separated IP ranges which are permitted to be issued certificates. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
--name-permitted-uri
=[NAME_PERMITTED_URI
,…]-
One or more comma-separated URIs which are permitted to be issued certificates.
The value can be a hostname or a domain with a leading period (like
.example.com
)
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-02 UTC.