Getting started with Certificate Authority Service: Qwik Start

Join Sign in

Getting started with Certificate Authority Service: Qwik Start

1 hour 1 Credit


Google Cloud Self-Paced Labs


Google Cloud Certificate Authority Service (CAS) is a highly available & scalable service that enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).

In this hands-on lab you'll learn how to enable the service API, create a root, a subordinate CA and eventually issue a certificate.

Although you can easily copy and paste commands from the lab to the appropriate place, students should type the commands themselves to reinforce their understanding of the core concepts.

What you'll do

  • Enable the CA service API in the Google Cloud Platform Console

  • Create a root CA using cloud shell

  • Create a subordinate CA with gcloud command line

  • Generate a certificate from the Sub-CA


  • Familiarity with standard Linux text editors such as vim, emacs, or nano will be helpful.


Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
  • Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Chrome OS device, open an Incognito window to run this lab.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

    Open Google Console

  2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Sign in

    Tip: Open the tabs in separate windows, side-by-side.

  3. In the Sign in page, paste the username that you copied from the left panel. Then copy and paste the password.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Training credentials. If you have your own Google Cloud account, do not use it for this lab (avoids incurring charges).

  4. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Create a Root CA

In this section you'll learn how to enable the service and create a root CA.

In the Google Cloud Platform Console, click the Menu icon on the top left of the screen:


Select APIs and services -> Library.


Search for Certificate Authority Service API in the search bar.


Enable the API.


Click Check my progress to verify the objective. Enable Certificate Authority Service API.

Now create a root CA for this organization using cloud shell.

From the Cloud Console, click on Cloud Shell.


If prompted click Continue.

Now, using the command below, set the location for the CA. (You might have to set your project in case it is not set already):

gcloud config set privateca/location us-west1

Next, create a CA pool. A CA pool is a collection of multiple CAs with a common certificate issuance policy and IAM policy. CA pools provide the ability to rotate trust chains without any outage or downtime for their payloads.

Run the following to create a CA pool:

gcloud privateca pools create my-pool-1 --tier=devops

List the new pool:

gcloud privateca pools list


NAME LOCATION TIER my-pool-1 us-west1 DEVOPS

After creating the pool, now create the root CA:

gcloud privateca roots create root-1 --pool my-pool-1 --subject "CN=example Internal, O=Example ORG LLC" --location us-west1

Press ‘Y' and then Enter to continue.

List the CA:

gcloud privateca roots list



Click Check my progress to verify the objective. Create a Root CA.

Issue a Certificate from the root CA

In order to issue a certificate from Cloud Shell, you first need to install a Cryptography package.

Run the following to install the Cryptography package:

sudo apt install build-essential libssl-dev libffi-dev python3-dev cargo

If asked Press ‘Y' and then Enter to continue.

Run this command to ensure your Cloud Shell's pip is at the latest version:

pip3 install --upgrade pip

Next, run the command below:

pip3 install "cryptography>=2.2.0"


Collecting cryptography>=2.2.0 Requirement already satisfied: cffi>=1.12 in /usr/local/lib/python3.7/dist-packages (from cryptography>=2.2.0) (1.14.5) Requirement already satisfied: pycparser in /usr/local/lib/python3.7/dist-packages (from cffi>=1.12->cryptography>=2.2.0) (2.20) Building wheels for collected packages: cryptography Running bdist_wheel for cryptography ... done Stored in directory: /root/.cache/pip/wheels/d5/1d/4c/5845f4531bb6365638488a91450942f9e242d4017bdf09126c Successfully built cryptography Installing collected packages: cryptography Successfully installed cryptography-3.4.7

Enable site packages. ​​By default, the Cloud SDK ignores Python libraries installed on your local system. To allow the Cloud SDK to use the cryptographic library, you need to enable site packages.


You can now issue a certificate from the CA:

gcloud privateca certificates create \ --issuer-pool my-pool-1 \ --dns-san \ --generate-key \ --key-output-file key_file \ --cert-output-file cert_file

A new cert\_file and key\_file have been created. You can view the certificate and key using the commands below:

cat cert_file cat key_file

Note that the key\_file is the private key that is associated with the public key in the certificate. This private key should be secured at all times.

You can view the public key of the certificate with the following command:

openssl x509 -inform pem -in cert_file -pubkey -noout | openssl rsa -pubin -text -noout

Now decode the certificate using openSSL and see a summary of the certificate information:

openssl x509 -in cert_file -text -noout

Create a sub-CA

Certificates are usually issued from subordinate CA (sub-CA). These are CAs that build a chain of trust to the root CA, clients that trust the root CA will accept certificates that have been issued by these subordinate CAs.

Subordinate CA can have the root CA in Google Cloud, which you will test in this lab. The root CA can also be outside of Google Cloud boundaries, for example on-premises. The process to create a subordinate CA from an external root CA requires a certificate signing request (CSR) which is supported by Google Cloud but not part of this lab.

Create a subordinate CA in another region. Remember - CAs are regional. Start by creating a new CA pool, in us-central-1:

gcloud privateca pools create sub-1-pool --tier=devops --location us-central1

Verify that the new pool has been created:

gcloud privateca pools list


NAME LOCATION TIER sub-1-pool us-central1 DEVOPS my-pool-1 us-west1 DEVOPS

Now you can create the sub-ca which will be chained to the root-CA, called root-1:

gcloud privateca subordinates create sub-ca-1 \ --issuer-pool my-pool-1 \ --pool sub-1-pool \ --location us-central1 \ --issuer-ca root-1 --issuer-location us-west1 \ --key-algorithm "ec-p256-sha256" \ --subject "CN=Example Internal Dev, O=Example ORG LLC" \ --use-preset-profile "subordinate_server_tls_pathlen_0"

If prompted press ‘y' and then press ‘Enter'.

Create a sub CA.

Issue a Certificate from the sub-CA

Now generate a cert from the newly created sub-CA for the DNS name

gcloud privateca certificates create \ --issuer-pool sub-1-pool \ --dns-san \ --generate-key \ --issuer-location us-central1 \ --key-output-file key_file \ --cert-output-file cert_file

Run the following to review the certificate from the sub-CA:

openssl x509 -in cert_file -text -noout


Certificate: Data: Version: 3 (0x2) Serial Number: f7:cc:61:f1:75:f9:ca:b3:66:4c:81:e0:23:9b:06:3e:1b:64:07 Signature Algorithm: ecdsa-with-SHA256 Issuer: O = Example ORG LLC, CN = Example Internal Dev Validity Not Before: Jun 14 22:33:30 2021 GMT Not After : Jul 14 22:33:30 2021 GMT Subject: Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b3:68:3b:f5:4f:73:9c:93:6b:15:f7:06:a7:64: 3d:b5:e1:cd:50:04:2a:cf:82:b2:1d:ba:91:9a:d3: 12:0a:7c:6c:35:b2:b8:03:ce:2f:3a:de:b5:be:27: f6:99:70:18:09:16:a9:ac:80:e9:33:5d:09:18:81: d4:41:fe:d4:5b:ff:7f:8b:9e:c5:2b:00:e0:88:7d: 8b:08:39:a9:7e:96:8b:4b:ef:24:b1:09:61:67:e5: b6:67:04:32:60:86:66:dc:ba:e7:ed:0d:7b:ce:d9: 4b:5d:97:dd:c5:81:ae:5a:77:23:2f:25:38:21:ef: 92:6d:ff:02:df:7c:b3:db:2b:be:fb:07:d7:32:28: 38:c6:9b:5f:bc:f7:39:07:ea:a1:17:43:85:73:c1: bd:7e:56:63:4c:f4:70:73:a0:d8:ab:9d:0c:63:2b: 2a:ab:29:71:86:36:6e:64:da:ce:4f:f4:21:2a:a2: 9e:05:7a:ac:e9:d5:16:6a:88:03:31:ad:43:30:42: 34:9c:45:df:00:fb:ce:57:26:e9:4e:b0:1f:15:d7: ef:f9:28:ff:0b:30:3b:b3:9e:67:63:66:b3:88:2b: b8:90:6c:0c:e4:45:fb:b1:e0:32:bc:38:2c:c8:81: 71:6d:ab:4f:02:c3:f1:f9:1d:d6:4f:f6:17:f8:d8: 44:3d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: E4:1B:3E:A5:AD:64:61:13:24:8F:7C:2D:E5:0A:2E:0D:53:E4:1C:6D X509v3 Authority Key Identifier: keyid:73:88:3D:A7:FF:B4:9E:C7:42:AD:66:86:92:58:A4:76:70:E8:5F:97 Authority Information Access: CA Issuers - URI: X509v3 Subject Alternative Name: critical Signature Algorithm: ecdsa-with-SHA256 30:46:02:21:00:97:bf:9e:3a:59:57:47:dd:b8:65:f3:6b:28: b8:44:ad:4f:c0:e8:f6:42:d5:f3:76:ab:2b:9c:49:db:0e:ee: 61:02:21:00:80:86:96:b8:dd:f8:29:af:d5:bd:2d:74:c8:5c: 97:69:2c:8c:ae:61:dd:6d:a2:d2:41:34:ab:a1:79:2d:4e:ab

Note that the SAN (Subject Alternative Name) for this cert is and the issuer of the certificate is Example Internal Dev - this is the sub-ca that was just created.


You have learned how to enable the service API, create a root, a subordinate CA, and issue a certificate.

Google Cloud Training & Certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: January 24, 2022
Lab Last Tested: January 24, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.