Create a CA pool

Console

Choose a name for the CA pool

1. Go to the Certificate Authority Service page in the Google Cloud console.

   Go to Certificate Authority Service

2. Click CA pool manager.

3. Click add_boxCreate pool.

4. Add a name for the CA pool that is unique for the region.

5. Select a region from the drop-down in the Region field. For more information, see Choosing the best location.

6. Select either the Enterprise or the DevOps tier. For more information, see Select the operation tiers.

7. Click Next.

Configure allowed key algorithms and sizes

CA Service lets you choose the signing algorithms for the Cloud KMS keys that back the CAs in the CA pool. All key algorithms are allowed by default.

To restrict the allowed keys in the certificates issued by the CA pool, do the following. This is an optional procedure.

1. Click the toggle.
2. Click Add an item.

3. In the Type list, select the key type.

   If you want to use RSA keys, do the following:

   1. Optional: Add the minimum modulus size in bits.
   2. Optional: Add the maximum modulus size in bits.
   3. Click Done.

   If you want to use elliptic curve keys, do the following:

   1. Optional: In the Elliptic curve type list, select the elliptic curve type.
   2. Click Done.

4. To add another allowed key, click Add an item, and repeat Step 2.

5. Click Next.

Configure certificate request methods

To place limitations on the methods that certificate requesters can use to request certificates from the CA pool, do the following:

1. Optional: To restrict CSR-based certificate requests, click the toggle.
2. Optional: To restrict configuration-based certificate requests, click the toggle.

Configure publishing options

To configure publishing options, do the following:

1. Optional: To disallow publishing CA certificates to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.
2. Optional: To disallow publishing CRLs to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.

3. Click the menu to select the encoding format for published CA certificates and CRLs.

   

4. Click Next.

This setting refers to the Key Usage field within a digital certificate. It specifies how the certificate's private key can be used, such as for key encipherment, data encipherment, certificate signing, and CRL signing. For more information, see Key usage.

1. To select the base key usages, click the Specify base key usages for certificates issued from this CA pool toggle, and then select from the options listed.
2. Click Next.

This setting refers to the Extended Key Usage (EKU) field in a digital certificate. It provides more specific and refined restrictions on how the key can be used, such as for server authentication, client authentication, code signing, and email protection. For more information, see Extended key usage.

Extended key usages are defined using object identifiers (OIDs). If you don't configure the extended key usages, all key usage scenarios are allowed.

1. To select the extended key usages, click the Write extended key usages for certificates issued from this CA pool toggle, and then select from the options listed.
2. Click Next.

The certificate policies extension in the certificate expresses the policies that the issuing CA pool follows. This extension can include information about how identities are validated before certificate issuance, how certificates are revoked, and how the CA pool's integrity is ensured. This extension helps you verify the certificates that the CA pool issues and see how the certificates are used.

For more information, see Certificate policies.

To specify the policy that defines the certificate usage, do the following:

1. Add the policy identifier in the Policy identifiers field.
2. Click Next.

The AIA extension in a certificate provides the following information:

• Address of the OCSP servers from where you can check the revocation status of the certificate.
• The access method for the issuer of the certificate.

For more information, see Authority information access.

To add the OCSP servers that appear in the AIA extension field in the certificates, do the following:

1. Click Add item.
2. In the Server URL field, add the URL of the OCSP server.
3. Click Done.
4. Click Next.

The CA options field within a certificate template defines how the resulting certificate can be used in a certificate authority (CA) hierarchy. CA options determine if a certificate can be used to sign other certificates and, if so, the restrictions on the certificates it issues.

Choose from the following options:

1. Include the configs to describe the CA X.509 extensions: Specify the settings within a certificate template that control the X.509 extensions.

2. Restrict issued certificates to be used only for CAs: This option appears only if you select the checkbox mentioned in the previous step. This boolean value indicates whether the certificate is a CA certificate. If set to true, the certificate can be used to sign other certificates. If false, the certificate is an end-entity certificate and cannot sign other certificates. If you click this toggle, you are further prompted to define name constraints for the extension in CA certificates.

3. Include the configs to describe the path length restriction X.509 extensions: Specify the settings that control how long a chain of certificates can be, stemming from a particular certificate. If the max issuer path length is set to 0, then the CA can only issue end-entity certificates. If it's set to 1, then the chain beneath this CA certificate can include only one subordinate CA. If a value isn't declared, then the number of subordinate CAs in the chain beneath this CA is unbounded.

4. Click Next.

To configure additional custom extensions to include in the certificates issued by the CA pool, do the following:

1. Click Add item.
2. In the Object identifier field, add a valid object identifier that is formatted as dot-separated digits.
3. In the Value field, add the base64-encoded value for the identifier.
4. If the extension is critical, select Extension is critical.

To save all the baseline value configurations, click Done.

To create the CA pool, click Done.

gcloud

Run the following command:

gcloud privateca pools create POOL_NAME --location=LOCATION

Replace the following:

• POOL_NAME: the name of the CA pool.
• LOCATION: the location where you want to create the CA pool. For the complete list of locations, see Locations.

If you don't specify which tier you require for your CA pool, the Enterprise tier is selected by default. If you want to specify the tier for your CA pool, run the following gcloud command:

gcloud privateca pools create POOL_NAME --location=LOCATION --tier=TIER_NAME

Replace the following:

• POOL_NAME: the name of your CA pool.
• LOCATION: the location where you want to create the CA pool. For the complete list of locations, see Locations.
• TIER_NAME: either devops or enterprise. For more information, see Select the operation tiers.

If you don't specify the publishing encoding format for your CA pool, the PEM publishing encoding format is selected by default. If you want to specify the publishing encoding format for your CA pool, run the following gcloud command:

gcloud privateca pools create POOL_NAME --location=LOCATION --publishing-encoding-format=PUBLISHING_ENCODING_FORMAT

Replace the following:

• POOL_NAME: the name of your CA pool.
• LOCATION: the location where you want to create the CA pool. For the complete list of locations, see Locations.
• PUBLISHING_ENCODING_FORMAT: either PEM or DER.

For more information about the gcloud privateca pools create command, see gcloud privateca pools create.

For information about placing restrictions on the type of certificates that a CA pool can issue, see Add a certificate issuance policy to a CA pool.

Terraform

resource "google_privateca_ca_pool" "default" {
  name     = "ca-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
  labels = {
    foo = "bar"
  }
}

Go

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Create a Certificate Authority pool. All certificates created under this CA pool will
// follow the same issuance policy, IAM policies, etc.
func createCaPool(w io.Writer, projectId string, location string, caPoolId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// A unique id/name for the ca pool.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	caPool := &privatecapb.CaPool{
		// Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
		Tier: privatecapb.CaPool_ENTERPRISE,
	}

	locationPath := fmt.Sprintf("projects/%s/locations/%s", projectId, location)

	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCaPoolRequest.
	req := &privatecapb.CreateCaPoolRequest{
		Parent:   locationPath,
		CaPoolId: caPoolId,
		CaPool:   caPool,
	}

	op, err := caClient.CreateCaPool(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCaPool failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCaPool failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA Pool created")

	return nil
}

Java

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPool;
import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy;
import com.google.cloud.security.privateca.v1.CaPool.Tier;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
import com.google.cloud.security.privateca.v1.CreateCaPoolRequest;
import com.google.cloud.security.privateca.v1.LocationName;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCaPool {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set a unique poolId for the CA pool.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    createCaPool(project, location, poolId);
  }

  // Create a Certificate Authority Pool. All certificates created under this CA pool will
  // follow the same issuance policy, IAM policies,etc.,
  public static void createCaPool(String project, String location, String poolId)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      IssuancePolicy issuancePolicy = IssuancePolicy.newBuilder()
          .setIdentityConstraints(CertificateIdentityConstraints.newBuilder()
              .setAllowSubjectPassthrough(true)
              .setAllowSubjectAltNamesPassthrough(true)
              .build())
          .build();

      /* Create the pool request
        Set Parent which denotes the project id and location.
        Set the Tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
      */
      CreateCaPoolRequest caPoolRequest =
          CreateCaPoolRequest.newBuilder()
              .setParent(LocationName.of(project, location).toString())
              .setCaPoolId(poolId)
              .setCaPool(
                  CaPool.newBuilder()
                      .setIssuancePolicy(issuancePolicy)
                      .setTier(Tier.ENTERPRISE)
                      .build())
              .build();

      // Create the CA pool.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient.createCaPoolCallable().futureCall(caPoolRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA pool !" + response.getError());
        return;
      }

      System.out.println("CA pool created successfully: " + poolId);
    }
  }
}

Python

import google.cloud.security.privateca_v1 as privateca_v1


def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Create a Certificate Authority pool. All certificates created under this CA pool will
    follow the same issuance policy, IAM policies,etc.,

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool = privateca_v1.CaPool(
        # Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
        tier=privateca_v1.CaPool.Tier.ENTERPRISE,
    )
    location_path = caServiceClient.common_location_path(project_id, location)

    # Create the pool request.
    request = privateca_v1.CreateCaPoolRequest(
        parent=location_path,
        ca_pool_id=ca_pool_name,
        ca_pool=ca_pool,
    )

    # Create the CA pool.
    operation = caServiceClient.create_ca_pool(request=request)

    print("Operation result:", operation.result())

REST API

1. Create a CA pool.

   HTTP method and URL:

   POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools\?ca_pool_id=POOL_ID

   Request JSON body:

   {
     "tier": "ENTERPRISE"
   }
   

   To send your request, expand one of these options:

   curl (Linux, macOS, or Cloud Shell)

   Save the request body in a file named request.json, and execute the following command:

   curl -X POST \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        -H "Content-Type: application/json; charset=utf-8" \
        -d @request.json \
        "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools\?ca_pool_id=POOL_ID"

   PowerShell (Windows)

   Save the request body in a file named request.json, and execute the following command:

   $cred = gcloud auth print-access-token
   $headers = @{ "Authorization" = "Bearer $cred" }
   
   Invoke-WebRequest `
       -Method POST `
       -Headers $headers `
       -ContentType: "application/json; charset=utf-8" `
       -InFile request.json `
       -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools\?ca_pool_id=POOL_ID" | Select-Object -Expand Content

   You should receive a JSON response similar to the following:

   {
       "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
       "metadata": {...},
       "done": false
   }
   

2. Poll the operation until it is complete.

   The operation is complete when the long-running operation's done property is set to true.

   HTTP method and URL:

   GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

   To send your request, expand one of these options:

   curl (Linux, macOS, or Cloud Shell)

   Execute the following command:

   curl -X GET \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID"

   PowerShell (Windows)

   Execute the following command:

   $cred = gcloud auth print-access-token
   $headers = @{ "Authorization" = "Bearer $cred" }
   
   Invoke-WebRequest `
       -Method GET `
       -Headers $headers `
       -Uri "https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID" | Select-Object -Expand Content

   You should receive a JSON response similar to the following:

   {
       "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
       "metadata": {...},
       "done": true,
       "response": {
         "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CaPool",
         "name": "...",
         "tier": "ENTERPRISE"
       }
   }
   

Console

To add a label, do the following:

1. Go to the Certificate Authority Service page.

   Go to Certificate Authority Service

2. In the CA pool manager tab, select the CA pool.

3. Click Labels.

4. Click addAdd label.

5. Add a key-value pair.

6. Click Save.

   

To edit an existing label, do the following:

1. Go to the Certificate Authority Service page.

   Go to Certificate Authority Service

2. In the CA pool manager tab, select the CA pool.

3. Click Labels.

4. Edit the value of the label.

5. Click Save.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --location=LOCATION --update-labels foo=bar

Replace the following:

• POOL_ID: the name of the CA pool.
• LOCATION: the location of the CA pool. For the complete list of locations, see Locations.