Create a root certificate authority
This page describes how to create a root certificate authority (CA) in a CA pool.
A root CA is at the top of a public key infrastructure (PKI) hierarchy and is responsible for forming the trust anchor of the PKI. To properly participate and use certificates in a PKI, a device, software, or component needs to trust the PKI. This is accomplished by configuring the device, software, or component to trust the root CA. As a result, all the certificates issued by the root CA are trusted.
Before you begin
- Make sure you have the CA Service Operation Manager (
roles/privateca.caManager
) or the CA Service Admin (roles/privateca.admin
) IAM role. For information, see Configure IAM policies. - Create a CA pool.
- Determine your CA settings.
Create a root CA
A root CA has a self-signed certificate that you must distribute to the trust stores of your clients. The root CA's certificate is at the top of the certificate chain. No other CA can revoke the CA certificate. The CRL of the root CA applies only to the other certificates the root CA issued, but not to itself.
You can create a root CA either in an existing CA pool or a new CA pool. The following instructions use an existing pool.
Console
To create a root CA in an existing CA pool, do the following:
Go to the Certificate Authority Service page in the Google Cloud console.
Click the CA manager tab.
Click the Create CA
expander arrow, and then select Create CA in an existing CA pool.
Select CA pool
Select an existing CA pool from the list and click Continue.
Select CA type
- Under Type, select Root CA.
- In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid.
- Under Initialized state, select the operational state of the CA to be created in.
- Click Continue.
- In the Organization (O) field, enter the name of your company.
- Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
- Optional: In the Country name (C) field, enter a two letter country code.
- Optional: In the State or province name field, enter the name of your state.
- Optional: In the Locality name field, enter the name of your city.
- In the CA common name (CN) field, enter the CA name.
- Click Continue.
- Choose the key algorithm that best meets your needs. For information about deciding the suitable key algorithm, see Choose a key algorithm.
- Click Continue.
- Choose whether you want to use a Google-managed or a customer-managed Cloud Storage bucket.
- For a google-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
- For a customer-managed Cloud Storage bucket, click Browse and select one of the existing Cloud Storage buckets.
- Click Continue.
The following steps are optional.
If you want to add labels to the CA, do the following:
- Click Add item.
- In the Key 1 field, enter the label key.
- In the Value 1 field, enter the label value.
- If you want to add another label, click Add item. Then, add the label key and value as mentioned in steps 2 and 3.
- Click Continue.
Carefully review all the settings, then click Done to create the CA.
gcloud
To create a new root CA in an existing CA pool, run the following command:
gcloud privateca roots create ROOT_CA_ID \ --location=LOCATION \ --pool=POOL_ID \ --key-algorithm=KEY_ALGORITHM \ --subject="CN=my-ca, O=Test LLC"
Replace the following:
- ROOT_CA_ID: the name of the CA.
- LOCATION: the location of the CA pool.
- POOL_ID: the name of the CA pool.
- KEY_ALGORITHM: the algorithm to use for creating a Cloud KMS key. This flag is optional. If you don't include this flag, the key algorithm defaults to
rsa-pkcs1-4096-sha256
. For more information, see --key-algorithm flag.
By default, the CA is created in the
STAGED
state. To enable a CA by default, include the--auto-enable
flag.If you want to use a customer-managed Cloud Storage bucket for publishing CA certificates and CRLs, add
--bucket bucket-name
to the command. Replace bucket-name with the name of the Cloud Storage bucket.To see the exhaustive list of settings, run the following command:
gcloud privateca roots create --help
Terraform
To create a root CA using a Google-owned and Google-managed encryption key, use the following sample configuration:
To create a root CA using a self-managed key, use the following sample configuration:
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST API
Create a root CA.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID
Request JSON body:
{ "type": "SELF_SIGNED", "lifetime": { "seconds": 315576000, "nanos": 0 }, "config": { "subject_config": { "subject": { "organization": "ORGANIZATION_NAME", "common_name": "COMMON_NAME" } }, "x509_config":{ "ca_options":{ "is_ca":true }, "key_usage":{ "base_key_usage":{ "cert_sign":true, "crl_sign":true } } } }, "key_spec":{ "algorithm":"RSA_PKCS1_4096_SHA256" } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": false }
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority", "name": "...", } }
After you have verified that the CA works as expected, you can enable it to start issuing load-balanced certificates for the CA pool.
Enable a root CA
gcloud
To enable a root CA, run the following gcloud
command:
gcloud privateca roots enable ROOT_CA_ID --location=LOCATION --pool=POOL_ID
Replace the following:
- ROOT_CA_ID: the name of the CA.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- POOL_ID: the name of the CA pool.
Terraform
If you use Terraform to create a root CA, the root CA is enabled on creation. To create a root CA in the STAGED
state, set the desired_state
field to STAGED
when creating the CA.
You can set the desired_state
field to ENABLED
or DISABLED
after CA creation.
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST API
Enable the CA to issue certificates from the CA pool.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": false }
Poll the operation until it has completed.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority", "name": "...", } }
Test a CA
To verify that a CA is able to issue certificates, request a certificate from the associated CA pool and explicitly mention the name of the CA you want to test using the --ca
flag.
You can use the following methods to request a certificate from a CA pool:
- Have CA Service create a private or public key for you.
- Generate your own private or public key and submit a Certificate Signing Request (CSR).
It is easier to use an auto-generated private key or public key to request a certificate from a CA in a CA pool. This section provides information on testing a CA using that method.
To use an auto-generated private key or public key to request a certificate from a CA in a CA pool, run the following gcloud
command:
gcloud privateca certificates create \ --issuer-pool=POOL_ID \ --issuer-location=ISSUER_LOCATION \ --ca=ROOT_CA_ID \ --generate-key \ --key-output-file=KEY_FILENAME \ --cert-output-file=CERT_FILENAME \ --dns-san=DNS_NAME
Replace the following:
- POOL_ID: the name of the CA pool.
- ISSUER_LOCATION: the location of the Certificate Authority (CA) that issued the digital certificate.
- ROOT_CA_ID: the unique identifier of the CA that you want to test.
- KEY_FILENAME: the file where the generated key is written in PEM format.
- CERT_FILENAME: the file where the resulting PEM-encoded certificate chain file is written. the order of the certificate chain is from leaf to root.
DNS_NAME: one or more comma-separated DNS Subject Alternative Names (SANs).
The
--generate-key
flag generates a new RSA-2048 private key on your machine.
To use a Certificate Signing Request (CSR) to request a certificate from a CA in a CA pool, or for more information about requesting certificates, see Request a certificate and view issued certificates.
Clone certificate authorities
To clone an existing CA to renew that CA, or to create a new CA with the same configuration, run the following command:
gcloud privateca roots create NEW_CA_ID \ --location=LOCATION \ --pool=POOL_ID \ --from-ca=EXISTING_CA_ID \ --key-algorithm "ec-p384-sha384"
Replace the following:
- NEW_CA_ID: the unique identifier of the new CA.
- LOCATION: the location of the CA pool.
- POOL_ID: the name of the CA pool in which you want to create the new CA.
- EXISTING_CA_ID: the ID of the source CA or fully qualified identifier for the source CA.
The --from-ca
flag is supported for root and subordinate CA creation. The existing CA must be in the same CA pool as the new CA.
The --key-algorithm
flag copies all CA configuration from the existing CA (except for the Cloud KMS key version and Cloud Storage bucket). However, you can still override any of the configuration values in the new CA by explicitly providing the appropriate flag. For example, you can still specify `--subject SUBJECT to use a new subject.
If you omit the --key-algorithm
flag, the algorithm defaults to:
rsa-pkcs1-4096-sha256
for root CAs.rsa-pkcs1-2048-sha256
for subordinate CAs.
For more information about this gcloud
command, see gcloud privateca roots create.
What's next
- Learn how to create a subordinate CA.
- Learn how to request certificates.
- Learn about templates and issuance policies.