GCPcloud~30 mins

Certificate Authority Service in GCP - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Certificate Authority Service

📖 Scenario: You work for a company that needs to securely manage digital certificates for its internal applications. You will set up a Certificate Authority (CA) service on Google Cloud Platform (GCP) to issue and manage certificates.

🎯 Goal: Create a basic Certificate Authority Service setup on GCP using Terraform. You will define the CA pool, create a CA, and configure a certificate template.

📋 What You'll Learn

Create a Certificate Authority Pool named my-ca-pool in the us-central1 region.

Create a Certificate Authority named my-ca inside the my-ca-pool.

Configure the CA with the SUBORDINATE type and ACTIVE state.

Create a certificate template named my-cert-template with server_tls usage.

Use Terraform resource blocks with exact resource names and attributes.

💡 Why This Matters

🌍 Real World

Companies use Certificate Authority Services to securely issue and manage digital certificates for encryption and authentication in their networks and applications.

💼 Career

Understanding how to configure and manage Certificate Authority Services on cloud platforms like GCP is essential for cloud security engineers and infrastructure architects.

Progress0 / 4 steps

Create the Certificate Authority Pool

Create a Terraform resource block named google_privateca_ca_pool with the resource name my_ca_pool. Set the name to my-ca-pool and the location to us-central1. Use the tier attribute with value BASIC.

GCP

# Your code here to create the CA pool

Need a hint?

Use the google_privateca_ca_pool resource with the exact name my_ca_pool. Set the name, location, and tier attributes as specified.

Create the Certificate Authority

Add a Terraform resource block named google_privateca_certificate_authority with the resource name my_ca. Set the name to my-ca, location to us-central1, and ca_pool to reference the my_ca_pool resource. Set the type attribute to SUBORDINATE and the state attribute to ACTIVE.

GCP

resource "google_privateca_ca_pool" "my_ca_pool" {
  name     = "my-ca-pool"
  location = "us-central1"
  tier     = "BASIC"
}

# Your code here to create the Certificate Authority

Need a hint?

Reference the CA pool resource using google_privateca_ca_pool.my_ca_pool.name for the ca_pool attribute.

Create the Certificate Template

Add a Terraform resource block named google_privateca_certificate_template with the resource name my_cert_template. Set the name to my-cert-template and location to us-central1. Under the predefined_values block, set key_usage with base_key_usage having digital_signature and key_encipherment set to true. Also, set extended_key_usage with server_auth set to true.

GCP

resource "google_privateca_ca_pool" "my_ca_pool" {
  name     = "my-ca-pool"
  location = "us-central1"
  tier     = "BASIC"
}

resource "google_privateca_certificate_authority" "my_ca" {
  name     = "my-ca"
  location = "us-central1"
  ca_pool  = google_privateca_ca_pool.my_ca_pool.name
  type     = "SUBORDINATE"
  state    = "ACTIVE"
}

# Your code here to create the Certificate Template

Need a hint?

Use the predefined_values block to set key usage and extended key usage for the certificate template.

Link the Certificate Template to the CA Pool

Update the google_privateca_ca_pool resource named my_ca_pool to include the certificate_authority_config block. Inside it, add the certificate_authority block with the certificate_authority attribute referencing the my_ca resource. Also, add the certificate_templates attribute as a list containing the full resource name of the my_cert_template resource.

GCP

resource "google_privateca_ca_pool" "my_ca_pool" {
  name     = "my-ca-pool"
  location = "us-central1"
  tier     = "BASIC"

  # Your code here to link the CA and certificate template
}

resource "google_privateca_certificate_authority" "my_ca" {
  name     = "my-ca"
  location = "us-central1"
  ca_pool  = google_privateca_ca_pool.my_ca_pool.name
  type     = "SUBORDINATE"
  state    = "ACTIVE"
}

resource "google_privateca_certificate_template" "my_cert_template" {
  name     = "my-cert-template"
  location = "us-central1"

  predefined_values {
    key_usage {
      base_key_usage {
        digital_signature = true
        key_encipherment  = true
      }
    }
    extended_key_usage {
      server_auth = true
    }
  }
}

Need a hint?

Use the certificate_authority_config block inside the CA pool to link the CA and certificate template by referencing their resource names.