
Certificate Authority Service in GCP - Commands & Configuration

Introduction
Sometimes you need to create and manage digital certificates to keep your websites and apps secure. Google Cloud's Certificate Authority Service helps you create these certificates easily and safely without needing to run your own certificate system.
When you want to issue SSL/TLS certificates for your internal company websites without buying from external providers.
When you need to create certificates for devices or apps that must trust each other securely.
When you want to automate certificate creation and renewal to avoid manual errors.
When you want to keep control over your certificates inside your cloud environment.
When you need to create a trusted chain of certificates for your organization's security.
Config File - ca-config.yaml
apiVersion: privateca.googleapis.com/v1
kind: CertificateAuthority
metadata:
  name: my-root-ca
  location: us-central1
spec:
  tier: ENTERPRISE
  type: SELF_SIGNED
  config:
    subjectConfig:
      subject:
        commonName: "My Root CA"
        organization: "Example Corp"
        countryCode: "US"
    keySpec:
      cloudKmsKeyVersion: "projects/example-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1"
    lifetime: 87600h
    caOptions:
      isCa: true
      maxIssuerPathLength: 1

This YAML file defines a root Certificate Authority named my-root-ca in the us-central1 region.

tier sets the service level to enterprise for full features.

type is self-signed, meaning this CA signs its own certificate.

subjectConfig sets the identity details of the CA.

keySpec points to a Cloud KMS key that secures the CA's private key.

lifetime is how long the CA certificate is valid (10 years here).

caOptions marks this as a CA and limits the certificate chain length.

Commands
This command creates the root Certificate Authority using the configuration file. It sets up the CA in the specified region with the defined settings.
Terminal
gcloud privateca roots create my-root-ca --location=us-central1 --config=ca-config.yaml
Expected Output
Created Certificate Authority [my-root-ca].
--location - Specifies the region where the CA is created.
--config - Points to the YAML file with CA configuration.
This command shows details about the created root CA to confirm it was set up correctly.
Terminal
gcloud privateca roots describe my-root-ca --location=us-central1
Expected Output
name: projects/example-project/locations/us-central1/certificateAuthorities/my-root-ca
state: ENABLED
config:
  subjectConfig:
    subject:
      commonName: My Root CA
      organization: Example Corp
      countryCode: US
  keySpec:
    cloudKmsKeyVersion: projects/example-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  lifetime: 87600h
  caOptions:
    isCa: true
    maxIssuerPathLength: 1
--location - Specifies the region of the CA to describe.
This command creates a new certificate signed by the root CA for the domain example.com, useful for securing websites or services.
Terminal
gcloud privateca certificates create my-cert --issuer=my-root-ca --location=us-central1 --certificate-template=server-auth --subject="CN=example.com"
Expected Output
Created certificate [my-cert].
--issuer - Specifies which CA signs the certificate.
--certificate-template - Defines the certificate usage, here for server authentication.
--subject - Sets the identity details for the certificate.
This command shows details about the issued certificate to verify its properties and status.
Terminal
gcloud privateca certificates describe my-cert --location=us-central1
Expected Output
name: projects/example-project/locations/us-central1/certificates/my-cert
issuer: projects/example-project/locations/us-central1/certificateAuthorities/my-root-ca
subject:
  commonName: example.com
state: ACTIVE
pemCertificate: |
  -----BEGIN CERTIFICATE-----
  MIIB...
  -----END CERTIFICATE-----
--location - Specifies the region of the certificate.
Key Concept

If you remember nothing else from this pattern, remember: Certificate Authority Service lets you create and manage your own trusted certificates securely inside Google Cloud.

Common Mistakes
Not specifying the correct location flag when creating or describing the CA or certificates.
The commands will fail or show no results because the service is regional and needs the location to find resources.
Always include the --location flag with the correct region for your CA and certificates.
Using a Cloud KMS key that does not exist or is in a different region than the CA.
The CA creation will fail because the key must be accessible and in the same region.
Create or use a Cloud KMS key in the same region as your CA before creating the CA.
Omitting the subject details in the CA config file.
The CA will not have a proper identity, causing errors or invalid certificates.
Always fill in the subjectConfig section with meaningful values like commonName and organization.
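The config explanation above and the three common mistakes can be turned into a pre-flight check that runs before any gcloud command. The following is an added example, not code from the original page or from Google's tooling: it embeds the page's ca-config.yaml as a constructed sample, parses the nested key/value subset that file uses (a deliberately minimal parser, not a general YAML parser), and reports a missing location, a Cloud KMS key version in a different region than the CA, an empty subject, and a root that is not marked as a CA. The resource-name pattern for the KMS key version and the "<hours>h" lifetime format are assumptions taken from the values shown on the page.

```python
"""Pre-flight checks for a Certificate Authority Service root-CA config.

Added example (not from the original page). Parses the small YAML subset
used by the page's ca-config.yaml (indentation-nested key/value maps, no
lists or anchors) and applies the checks from the "Common Mistakes" list.
"""
import re

# Constructed sample: the ca-config.yaml shown on the page, embedded so the
# script runs offline without touching the file system.
SAMPLE_CONFIG = """\
apiVersion: privateca.googleapis.com/v1
kind: CertificateAuthority
metadata:
  name: my-root-ca
  location: us-central1
spec:
  tier: ENTERPRISE
  type: SELF_SIGNED
  config:
    subjectConfig:
      subject:
        commonName: "My Root CA"
        organization: "Example Corp"
        countryCode: "US"
    keySpec:
      cloudKmsKeyVersion: "projects/example-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1"
    lifetime: 87600h
    caOptions:
      isCa: true
      maxIssuerPathLength: 1
"""

# Assumed shape of a full CryptoKeyVersion resource name (from the page's value).
KMS_KEY_VERSION_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+"
    r"/cryptoKeys/[^/]+/cryptoKeyVersions/\d+$"
)


def _scalar(raw):
    """Convert a scalar: strip quotes, recognise booleans and integers."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if raw.isdigit():
        return int(raw)
    return raw


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` maps into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        while indent <= stack[-1][0]:  # dedent: close finished mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":       # 'key:' alone opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def lifetime_hours(value):
    """Read the page's '<hours>h' lifetime format (assumed) into an int."""
    m = re.fullmatch(r"(\d+)h", str(value))
    if not m:
        raise ValueError(f"lifetime must look like '87600h', got {value!r}")
    return int(m.group(1))


def check_ca_config(cfg):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    location = cfg.get("metadata", {}).get("location")
    spec = cfg.get("spec", {})
    conf = spec.get("config", {})
    if not location:  # mistake 1: the service is regional
        problems.append("metadata.location is missing; the service is regional")
    key = conf.get("keySpec", {}).get("cloudKmsKeyVersion", "")
    m = KMS_KEY_VERSION_RE.match(str(key))
    if not m:         # mistake 2a: key must be a full resource name
        problems.append("keySpec.cloudKmsKeyVersion is not a CryptoKeyVersion resource name")
    elif location and m.group("location") != location:  # mistake 2b: wrong region
        problems.append(f"KMS key is in {m.group('location')} but the CA is in {location}")
    subject = conf.get("subjectConfig", {}).get("subject", {})
    for field in ("commonName", "organization"):  # mistake 3: empty identity
        if not subject.get(field):
            problems.append(f"subjectConfig.subject.{field} is empty")
    if conf.get("caOptions", {}).get("isCa") is not True:
        problems.append("caOptions.isCa must be true for a root CA")
    if "lifetime" in conf and lifetime_hours(conf["lifetime"]) <= 0:
        problems.append("lifetime must be positive")
    return problems


def validate_text(text):
    """Parse a config file's text and return its list of problems."""
    return check_ca_config(parse_simple_yaml(text))


if __name__ == "__main__":
    for problem in validate_text(SAMPLE_CONFIG) or ["config OK"]:
        print(problem)
```

Run it on your own file with `validate_text(open("ca-config.yaml").read())` before `gcloud privateca roots create`; each reported line maps to one of the mistakes listed above, so a clean run means the regional and identity prerequisites are in place.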
Summary
Create a root Certificate Authority using a YAML config file with gcloud.
Verify the CA details to ensure it is active and correctly configured.
Issue certificates signed by the CA for your domains or services.
Check issued certificates to confirm their properties and status.