
Overview
Google Cloud Certificate Authority Service (CAS) is a highly available and scalable service that simplifies, automates, and customizes the deployment, management, and security of private certificate authorities (CAs).
In this hands-on lab you will learn how to enable the service API, create a root CA and a subordinate CA, and issue a certificate from each.
What you’ll do
- Enable the CA service API in the Google Cloud Platform Console
- Create a root CA using cloud shell
- Create a subordinate CA with gcloud command line
- Generate a certificate from the Sub-CA
Create a Root CA
In this section you’ll learn how to enable the service and create a root CA.
In the Google Cloud Platform Console, click the Menu icon on the top left of the screen:
Select APIs and services -> Library.
Search for Certificate Authority Service API in the search bar.
Enable the API.
Now create a root CA for this organization using cloud shell.
From the Cloud Console, click on Cloud Shell.
If prompted click Continue.
Now, using the command below, set the location for the CA. (You might have to set your project in case it is not set already):
gcloud config set privateca/location us-west1
Next, create a CA pool. A CA pool is a collection of CAs that share one certificate issuance policy and one IAM policy. Because clients request certificates from the pool rather than from an individual CA, you can rotate the CAs (and therefore the trust chain) in a pool without downtime for the workloads that depend on it. The DevOps tier used in this lab is the cheaper option, but it does not keep a record of issued certificates, so certificates from a DevOps pool cannot be listed or revoked; use the Enterprise tier where revocation is a requirement.
Run the following to create a CA pool:
gcloud privateca pools create my-pool-1 --tier=devops
List the new pool:
gcloud privateca pools list
After creating the pool, now create the root CA:
gcloud privateca roots create root-1 --pool my-pool-1 --subject "CN=example Internal, O=Example ORG LLC" --location us-west1
Press ‘Y’ and then Enter to continue.
List the CA:
gcloud privateca roots list
Issue a Certificate from the root CA
In order to issue a certificate from Cloud Shell, you first need to install a Cryptography package.
Note: The cryptography library provides low-level and high-level interfaces to common cryptographic algorithms. gcloud relies on it to generate the private key locally when you pass --generate-key, which is why it has to be installed in Cloud Shell before the next step. More details are in the library's documentation.
Run the following to install the Cryptography package:
sudo apt install build-essential libssl-dev libffi-dev python3-dev cargo
If asked Press ‘Y’ and then Enter to continue.
Run this command to ensure your Cloud Shell's pip is at the latest version:
pip3 install --upgrade pip
Next, run the command below:
pip3 install "cryptography>=2.2.0"
Enable site packages. By default, the Cloud SDK ignores Python libraries installed on your local system. To allow the Cloud SDK to use the cryptographic library, you need to enable site packages.
export CLOUDSDK_PYTHON_SITEPACKAGES=1
You can now issue a certificate from the CA:
gcloud privateca certificates create \
--issuer-pool my-pool-1 \
--dns-san example.com \
--generate-key \
--key-output-file key_file \
--cert-output-file cert_file
A new cert_file and key_file have been created. You can view the certificate and key using the commands below:
cat cert_file
cat key_file
Note that key_file is the private key associated with the public key in the certificate, and it must be protected at all times. With --generate-key the private key is written to disk in Cloud Shell, which is acceptable for a lab but not for production: there, generate the key on the host that will use it (or in an HSM or KMS) and submit a certificate signing request with --csr instead, so the private key never leaves its owner.
You can view the public key of the certificate with the following command (the second stage, openssl rsa, parses RSA keys only; if the key is not RSA, use openssl pkey -pubin -text -noout there instead):
openssl x509 -inform pem -in cert_file -pubkey -noout | openssl rsa -pubin -text -noout
Note: OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. This lab uses the decoding option to read values from certificates.
Now decode the certificate using OpenSSL and see a summary of the certificate information:
openssl x509 -in cert_file -text -noout
Create a sub-CA
Certificates are usually issued from a subordinate CA (sub-CA) rather than from the root, which keeps the root key out of day-to-day issuance. A sub-CA's own certificate is signed by the root CA, so it forms a chain of trust to the root, and clients that trust the root CA will accept certificates issued by the sub-CA.
A subordinate CA can chain to a root CA hosted in Google Cloud, which is what you will test in this lab, or to a root CA outside Google Cloud, for example on-premises. Creating a subordinate CA under an external root uses a certificate signing request (CSR); CAS supports this, but it is not part of this lab.
Create the subordinate CA in another region. Remember that CAs are regional. Start by creating a new CA pool in us-central1:
gcloud privateca pools create sub-1-pool --tier=devops --location us-central1
Verify that the new pool has been created:
gcloud privateca pools list
Now create the sub-CA, which will be chained to the root CA, root-1:
gcloud privateca subordinates create sub-ca-1 \
--issuer-pool my-pool-1 \
--pool sub-1-pool \
--location us-central1 \
--issuer-ca root-1 --issuer-location us-west1 \
--key-algorithm "ec-p256-sha256" \
--subject "CN=Example Internal Dev, O=Example ORG LLC" \
--use-preset-profile "subordinate_server_tls_pathlen_0"
If prompted, press 'y' and then Enter.
The subordinate_server_tls_pathlen_0 preset profile gives the sub-CA a basicConstraints path length of 0: it can issue end-entity server TLS certificates, but any CA certificate it signs will be rejected by clients that honour the constraint, which limits the damage if the sub-CA is misused.
Issue a Certificate from the sub-CA
Now generate a certificate from the newly created sub-CA for the DNS name example-dev.com:
gcloud privateca certificates create \
--issuer-pool sub-1-pool \
--dns-san example-dev.com \
--generate-key \
--issuer-location us-central1 \
--key-output-file key_file \
--cert-output-file cert_file
Run the following to review the certificate from the sub-CA:
openssl x509 -in cert_file -text -noout
Note that the SAN (Subject Alternative Name) for this certificate is example-dev.com and the issuer is Example Internal Dev, the sub-CA that was just created.
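The chain the lab just built (root-1, sub-ca-1 with pathlen 0, a leaf for example-dev.com), reproduced locally with OpenSSL as an added example. This is not part of the lab and not how CAS signs certificates internally (CAS keeps CA keys in Cloud KMS and you never handle them); it exists so the checks a practitioner would run on the real output, chain validation, the SAN, the issuer, and what pathlen:0 actually enforces, can be seen offline. File names, the deliberately out-of-policy "sub2" CA and the leaf subjects are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab and not how CAS signs certificates
# internally (CAS keeps CA keys in Cloud KMS; you never see them). It rebuilds
# the lab's chain locally with OpenSSL so that the checks you would run on the
# real output can be seen end to end. File names, the extra "sub2" CA and the
# leaf subjects are assumptions for illustration.
set -eu

# Issue one certificate: generate a P-256 key and CSR for SUBJECT, then sign
# with CA_CERT/CA_KEY (self-signed when CA_CERT is empty) using the X.509v3
# extensions listed in EXTFILE.
issue_cert() {
  local dir="$1" name="$2" subject="$3" ca_cert="$4" ca_key="$5" extfile="$6"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subject" 2>/dev/null
  if [ -z "$ca_cert" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -days 3650 -extfile "$extfile" -out "$dir/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$ca_cert" -CAkey "$ca_key" \
      -CAcreateserial -days 365 -extfile "$extfile" -out "$dir/$name.crt" 2>/dev/null
  fi
}

# Extension profiles. subca.ext mirrors what the lab's
# subordinate_server_tls_pathlen_0 preset expresses: a CA that may sign
# end-entity certificates but no further CAs.
write_extfiles() {
  local dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/subca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example-dev.com\n' \
    > "$dir/leaf.ext"
}

# root -> sub (pathlen:0) -> leaf, as in the lab, plus a deliberately
# out-of-policy "sub2" CA signed by the pathlen:0 sub-CA and a leaf below it.
build_demo_chain() {
  local dir="$1"
  write_extfiles "$dir"
  issue_cert "$dir" root "/CN=example Internal/O=Example ORG LLC" "" "" "$dir/ca.ext"
  issue_cert "$dir" sub "/CN=Example Internal Dev/O=Example ORG LLC" \
    "$dir/root.crt" "$dir/root.key" "$dir/subca.ext"
  issue_cert "$dir" leaf "/CN=example-dev.com" "$dir/sub.crt" "$dir/sub.key" "$dir/leaf.ext"
  issue_cert "$dir" sub2 "/CN=Too Deep CA" "$dir/sub.crt" "$dir/sub.key" "$dir/ca.ext"
  issue_cert "$dir" leaf2 "/CN=deep.example-dev.com" "$dir/sub2.crt" "$dir/sub2.key" "$dir/leaf.ext"
}

# Succeeds when leaf.crt chains to the trusted root through the sub-CA.
verify_leaf_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Succeeds when OpenSSL rejects the chain that has one more CA below the
# pathlen:0 sub-CA than its basicConstraints allow (path length exceeded).
pathlen_enforced() {
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
       -untrusted "$1/sub2.crt" "$1/leaf2.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# The two fields the lab tells you to inspect on the issued certificate.
leaf_san()    { openssl x509 -in "$1/leaf.crt" -noout -text | grep -o 'DNS:[^, ]*'; }
leaf_issuer() { openssl x509 -in "$1/leaf.crt" -noout -issuer; }

demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir"
verify_leaf_chain "$demo_dir"
echo "leaf -> sub-CA -> root: OK"
pathlen_enforced "$demo_dir"
echo "pathlen:0 rejects a CA issued below the sub-CA: OK"
leaf_san "$demo_dir"
leaf_issuer "$demo_dir"
```

On the real CAS output the equivalent check is to fetch the sub-CA pool's chain and run openssl verify against it with cert_file as the leaf; the sub2/leaf2 pair is only there to show that a pathlen:0 sub-CA can still be made to sign a CA certificate, and that it is the relying party's validation, not the issuer, that stops such a chain.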
Congratulations!
You have learned how to enable the service API, create a root CA and a subordinate CA, and issue certificates from both.