Issue a certificate using the Google Cloud CLI

This page explains how you can generate or issue certificates through Certificate Authority Service using the Google Cloud CLI.

CA Service lets you deploy and manage private CAs without managing infrastructure.

Before you begin

  • After installing the Google Cloud CLI, initialize it by running the following command:

    gcloud init

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  • Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  • Enable the Certificate Authority Service API:

    gcloud services enable privateca.googleapis.com

  • Make sure that billing is enabled for your Google Cloud project.

  • Configure a default location for use in the gcloud commands in this quickstart.

    gcloud config set privateca/location LOCATION
    

    CA Service resources, such as CA pools and CAs, live in a single Google Cloud location that you cannot change after you create them.

Create a CA pool

A certificate authority (CA) pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads.

To create a CA pool in the Enterprise tier, run the following command:

gcloud privateca pools create POOL_ID --location LOCATION --tier "enterprise"

Replace the following:

  • POOL_ID: the name of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.

The names of all CA Service resources can contain only letters, numbers, hyphens, and underscores, and can be at most 63 characters long.

Create a root CA

A CA pool is empty on creation. To request certificates from a CA pool, you must add a CA to it.

To create a root CA and add it to the CA pool you created, run the following command:

gcloud privateca roots create CA_ID --pool POOL_ID --location LOCATION --subject "CN=Example Prod Root CA, O=Google"

Replace the following:

  • CA_ID: the name of the root CA.
  • POOL_ID: the name of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.

CA Service returns the following output when it creates the root CA:

Created Certificate Authority [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/CA_ID]

Enable the root CA by entering y when prompted by the gcloud CLI.

Optional: Create a subordinate CA pool

To create a subordinate CA pool, run the following command:

    gcloud privateca pools create SUBORDINATE_POOL_ID \
        --location LOCATION \
        --tier TIER

Replace the following:

  • SUBORDINATE_POOL_ID: the ID of the subordinate CA pool.
  • LOCATION: the location of the subordinate CA pool. For the complete list of locations, see Locations.
  • TIER: the subordinate CA tier, either devops or enterprise.

Optional: Create a subordinate CA that's signed by a root CA stored in Google Cloud

To create a subordinate CA in the subordinate CA pool that you created in the previous step, run the following command:

    gcloud privateca subordinates create SUBORDINATE_CA_ID \
        --location=LOCATION \
        --pool=SUBORDINATE_POOL_ID \
        --issuer-pool=POOL_ID \
        --issuer-location=ISSUER_LOCATION \
        --from-ca=EXISTING_CA_ID \
        --kms-key-version projects/PROJECT_ID/locations/LOCATION_ID/keyRings/KEY_RING/cryptoKeys/KEY/cryptoKeyVersions/KEY_VERSION

Replace the following:

  • SUBORDINATE_CA_ID: the ID of the subordinate CA.
  • LOCATION: the location of the subordinate CA. For the complete list of locations, see Locations.
  • SUBORDINATE_POOL_ID: the ID of the subordinate CA pool that you created in the previous section.
  • POOL_ID: the ID of the parent CA pool.
  • ISSUER_LOCATION: the location of the certificate.
  • EXISTING_CA_ID: the ID of the source CA.
  • PROJECT_ID: the ID of the project.
  • LOCATION_ID: the location of the key ring.
  • KEY_RING: the name of the key ring where the key is located.
  • KEY: the name of the key.
  • KEY_VERSION: the version of the key.

The following output is returned when the subordinate CA is created:

Created Certificate Authority [projects/my-project-pki/locations/us-west1/caPools/SUBORDINATE_POOL_ID/certificateAuthorities/SUBORDINATE_CA_ID].

Enable the subordinate CA by entering y when prompted by the gcloud CLI.

Create a certificate

To use the newly created CA to create a certificate, do the following:

  1. Install the Pyca cryptography library using the pip command.

      pip install --user "cryptography>=2.2.0"
    

    CA Service uses the Pyca cryptography library to generate and store a new asymmetric key pair on your local machine. The private key is never sent to CA Service.

  2. To allow Google Cloud SDK to use the Pyca cryptography library, you must enable site packages.

    macOS or Linux

    export CLOUDSDK_PYTHON_SITEPACKAGES=1
    

    Windows

    set CLOUDSDK_PYTHON_SITEPACKAGES=1
    
  3. Create a certificate.

      gcloud privateca certificates create \
          --issuer-pool POOL_ID \
          --issuer-location ISSUER_LOCATION \
          --subject "CN=Example Prod,O=Google" \
          --generate-key \
          --key-output-file=./key \
          --cert-output-file=./cert.pem
    

    Replace the following:

    • POOL_ID: the resource ID of the CA pool you created.
    • ISSUER_LOCATION: the location of the certificate authority that issued the digital certificate.

    CA Service returns the following response:

    Created Certificate [projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificates/CERTIFICATE_ID]
    
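After `gcloud privateca certificates create` has written ./key and ./cert.pem, the checks below confirm offline that the locally generated key belongs to the certificate, that the certificate chains to the root of the CA pool that issued it, and that the subject CN is the one requested. This is an added example, not part of the quickstart; it assumes openssl is installed and that the root CA's PEM has been saved to root.pem (the `gcloud privateca roots describe` command and `pemCaCertificates` format field in the comment are assumptions).

```shell
#!/usr/bin/env bash
# Added example, not from the quickstart. Verifies the files the quickstart produced:
#   ./cert.pem  the issued certificate
#   ./key       the private key generated locally by --generate-key
#   ./root.pem  the root CA certificate of the issuing pool, assumed to have been
#               saved with (assumed command and format field):
#   gcloud privateca roots describe CA_ID --pool POOL_ID --location LOCATION \
#       --format 'value(pemCaCertificates)' > root.pem
set -eu

# usage: check_issued_cert CERT_FILE KEY_FILE ROOT_FILE EXPECTED_CN
check_issued_cert() {
    local cert="$1" key="$2" root="$3" expected_cn="$4"
    local cert_pub key_pub cn

    # (1) The private key never left this machine, so prove it belongs to the
    #     certificate by comparing the SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # (2) The certificate must validate against the root of the issuing CA pool,
    #     not merely carry an issuer name that looks right.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root" >&2
        return 1
    fi

    # (3) The subject CN must be the one passed to --subject.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$expected_cn'" >&2
        return 1
    fi

    echo "OK: $cert chains to $root, matches $key, CN=$cn"
}

# Example call against the quickstart's files:
#   check_issued_cert ./cert.pem ./key ./root.pem "Example Prod"
```

Source the script and call `check_issued_cert` with the paths from the quickstart; a non-zero exit means the certificate should not be deployed.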

Clean up

Clean up by deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

      To revoke a certificate, run the following command:

       gcloud privateca certificates revoke --certificate CERT_NAME \
           --issuer-pool POOL_ID --issuer-location LOCATION


      Replace the following:

      • CERT_NAME: the name of the certificate you want to revoke.
      • POOL_ID: the name of the CA pool that issued the certificate.
      • LOCATION: the location of the CA pool.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    1. Disable the CA.

      gcloud privateca roots disable CA_ID --pool=POOL_ID --location=LOCATION
      

      Replace the following:

      • CA_ID: the resource ID of the CA.
      • POOL_ID: the resource ID of the CA pool.
      • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
    2. Delete the CA.

      gcloud privateca roots delete CA_ID --pool=POOL_ID --location=LOCATION
      

    The CA state changes to Deleted. CA Service permanently deletes the CA 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after the CA in it is permanently deleted.

    gcloud privateca pools delete POOL_ID --location=LOCATION
    
  4. Delete the project.

    Delete a Google Cloud project:

    gcloud projects delete PROJECT_ID
