Getting started with Certificate Authority Service: Qwik Start
GSP916
Overview
Google Cloud Certificate Authority Service (CAS) is a highly available and scalable service that lets you simplify, automate, and customize the deployment, management, and security of private certificate authorities (CAs).
In this hands-on lab you'll learn how to enable the service API, create a root CA and a subordinate CA, and finally issue a certificate.
Although you can easily copy and paste commands from the lab into the appropriate place, you should type the commands yourself to reinforce your understanding of the core concepts.
What you'll do
- Enable the CA Service API in the Google Cloud Platform Console
- Create a root CA using Cloud Shell
- Create a subordinate CA with the gcloud command line
- Generate a certificate from the sub-CA
Prerequisites
- Familiarity with standard Linux text editors such as vim, emacs, or nano will be helpful.
Setup
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
What you need
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.
Note: If you are using a Chrome OS device, open an Incognito window to run this lab.
How to start your lab and sign in to the Google Cloud Console
1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.
2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.
Tip: Open the tabs in separate windows, side-by-side.
3. In the Sign in page, paste the username that you copied from the left panel. Then copy and paste the password.
Important: You must use the credentials from the left panel. Do not use your Google Cloud Training credentials. If you have your own Google Cloud account, do not use it for this lab (this avoids incurring charges).
4. Click through the subsequent pages:
- Accept the terms and conditions.
- Do not add recovery options or two-factor authentication (because this is a temporary account).
- Do not sign up for free trials.
After a few moments, the Cloud Console opens in this tab.
Create a Root CA
In this section you'll learn how to enable the service and create a root CA.
In the Google Cloud Platform Console, click the Menu icon on the top left of the screen:
Select APIs and services -> Library.
Search for Certificate Authority Service API in the search bar.
Enable the API.
Click Check my progress to verify the objective.
Now create a root CA for this organization using Cloud Shell.
From the Cloud Console, click on Cloud Shell.
If prompted, click Continue.
Now, using the command below, set the location for the CA (if your project is not set already, set it first):
Next, create a CA pool. A CA pool is a collection of multiple CAs with a common certificate issuance policy and IAM policy. CA pools let you rotate trust chains without any outage or downtime for the workloads that depend on them.
Run the following to create a CA pool:
List the new pool:
(Output)
After creating the pool, now create the root CA:
Press 'Y' and then Enter to continue.
List the CA:
(Output)
Click Check my progress to verify the objective.
Issue a Certificate from the root CA
To issue a certificate from Cloud Shell, you first need to install the Python cryptography package.
Run the following to install the cryptography package:
If asked, press 'Y' and then Enter to continue.
Run this command to ensure your Cloud Shell's pip is at the latest version:
Next, run the command below:
(Output)
Enable site packages. By default, the Cloud SDK ignores Python libraries installed on your local system. To allow the Cloud SDK to use the cryptography library, you need to enable site packages.
You can now issue a certificate from the CA:
A new cert_file and key_file have been created. You can view the certificate and key using the commands below:
Note that the key_file is the private key that is associated with the public key in the certificate. This private key should be secured at all times.
You can view the public key of the certificate with the following command:
Now decode the certificate using OpenSSL and see a summary of the certificate information:
Create a sub-CA
Certificates are usually issued from a subordinate CA (sub-CA). Subordinate CAs build a chain of trust up to the root CA, so clients that trust the root CA will accept certificates issued by these subordinate CAs.
A subordinate CA can chain to a root CA in Google Cloud, which is what you will test in this lab. The root CA can also be outside of Google Cloud, for example on-premises. Creating a subordinate CA from an external root CA requires a certificate signing request (CSR), which is supported by Google Cloud but not part of this lab.
Create a subordinate CA in another region. Remember, CAs are regional. Start by creating a new CA pool in us-central1:
Verify that the new pool has been created:
(Output)
Now you can create the sub-CA, which will be chained to the root CA called root-1:
If prompted, press 'y' and then press Enter.
Issue a Certificate from the sub-CA
Now generate a certificate from the newly created sub-CA for the DNS name example-dev.com:
Run the following to review the certificate from the sub-CA:
(Output)
Note that the SAN (Subject Alternative Name) for this certificate is example-dev.com and the issuer of the certificate is Example Internal Dev, which is the sub-CA that was just created.
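The chain of trust described in the sub-CA section and the SAN/issuer check just above can be reproduced offline with the OpenSSL CLI. This is an added example, not part of the lab and not how CAS issues certificates: it builds a local root-1, a sub-CA named Example Internal Dev, and a leaf for example-dev.com, then validates the leaf the way a client that trusts only root-1 would. The file names, P-256 keys and temporary working directory are assumptions.

```shell
# Added example, not part of the lab: rebuild the lab's trust chain locally with
# the openssl CLI. CA names, "Example Internal Dev" and example-dev.com follow
# the lab; file names, key type and the working directory are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# new_key_and_csr NAME SUBJECT: P-256 private key plus CSR for NAME.
new_key_and_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}
# issue NAME ISSUER EXTENSIONS: sign NAME's CSR with ISSUER's key ("self" means
# self-signed). EXTENSIONS are x509v3 extension lines placed in the new cert.
issue() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}
build_chain() {
  new_key_and_csr root-1 "/O=Example Org/CN=root-1"
  issue root-1 self "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
  # Sub-CA chained to root-1; pathlen:0 means it may issue leaf certs only.
  new_key_and_csr sub-ca "/O=Example Org/CN=Example Internal Dev"
  issue sub-ca root-1 "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign"
  # Leaf for example-dev.com issued by the sub-CA, as in the lab's last step.
  new_key_and_csr leaf "/CN=example-dev.com"
  issue leaf sub-ca "basicConstraints=critical,CA:FALSE
subjectAltName=DNS:example-dev.com
extendedKeyUsage=serverAuth"
}
# A client trusting only root-1 validates the leaf by treating the sub-CA cert
# as an untrusted intermediate; prints "<path>/leaf.pem: OK" on success.
verify_chain() {
  openssl verify -CAfile "$WORK/root-1.pem" -untrusted "$WORK/sub-ca.pem" "$WORK/leaf.pem"
}
leaf_issuer() { openssl x509 -in "$WORK/leaf.pem" -noout -issuer; }
leaf_san() { openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1; }
build_chain && verify_chain && leaf_issuer && leaf_san
```

Removing `-untrusted` from the verify step makes validation fail, which is the point: the leaf is only trusted because the sub-CA's certificate links it back to root-1.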
Congratulations
You have learned how to enable the service API, create a root CA and a subordinate CA, and issue a certificate.
Google Cloud Training & Certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated: January 24, 2022
Lab Last Tested: January 24, 2022
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.