Getting started with Certificate Authority Service: Qwik Start

Join Sign in

Getting started with Certificate Authority Service: Qwik Start

1 hour 1 Credit


Google Cloud Self-Paced Labs


Google Cloud Certificate Authority Service (CAS) is a highly available & scalable service that enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).

In this hands-on lab you'll learn how to enable the service API, create a root, a subordinate CA and eventually issue a certificate.

Although you can easily copy and paste commands from the lab to the appropriate place, students should type the commands themselves to reinforce their understanding of the core concepts.

What you'll do

  • Enable the CA service API in the Google Cloud Platform Console

  • Create a root CA using cloud shell

  • Create a subordinate CA with gcloud command line

  • Generate a certificate from the Sub-CA


  • Familiarity with standard Linux text editors such as vim, emacs, or nano will be helpful.


Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
  • Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Pixelbook, open an Incognito window to run this lab.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

    Open Google Console

  2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Sign in

    Tip: Open the tabs in separate windows, side-by-side.

  3. In the Sign in page, paste the username that you copied from the Connection Details panel. Then copy and paste the password.

    Important: You must use the credentials from the Connection Details panel. Do not use your Qwiklabs credentials. If you have your own Google Cloud account, do not use it for this lab (avoids incurring charges).

  4. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Create a Root CA

In this section you'll learn how to enable the service and create a root CA.

In the Google Cloud Platform Console, click the Menu icon on the top left of the screen:


Select APIs and services -> Library.


Search for Certificate Authority Service API in the search bar.


Enable the API.


Click Check my progress to verify the objective. Enable Certificate Authority Service API.

Now create a root CA for this organization using cloud shell.

From the Cloud Console, click on Cloud Shell.


If prompted click Continue.

Now, using the command below, set the location for the CA. (You might have to set your project in case it is not set already):

gcloud config set privateca/location us-west1

Next, create a CA pool. A CA pool is a collection of multiple CAs with a common certificate issuance policy and IAM policy. CA pools provide the ability to rotate trust chains without any outage or downtime for their payloads.

Run the following to create a CA pool:

gcloud privateca pools create my-pool-1  --tier=devops

List the new pool:

gcloud privateca pools list


my-pool-1  us-west1  DEVOPS

After creating the pool, now create the root CA:

gcloud privateca roots create root-1 --pool my-pool-1  --subject "CN=example Internal, O=Example ORG LLC" --location us-west1

Press ‘Y' and then Enter to continue.

List the CA:

gcloud privateca roots list


root-1 us-west1 my-pool-1 ENABLED YES 2021-07-07T17:57Z 2031-07-08T04:05Z

Click Check my progress to verify the objective. Create a Root CA.

Issue a Certificate from the root CA

In order to issue a certificate from Cloud Shell, you first need to install a Cryptography package.

Run the following to install the Cryptography package:

sudo apt install build-essential libssl-dev libffi-dev python3-dev cargo

If asked Press ‘Y' and then Enter to continue.

Next run the command below:

sudo pip3 install "cryptography>=2.2.0"


Collecting cryptography>=2.2.0
Requirement already satisfied: cffi>=1.12 in /usr/local/lib/python3.7/dist-packages (from cryptography>=2.2.0) (1.14.5)
Requirement already satisfied: pycparser in /usr/local/lib/python3.7/dist-packages (from cffi>=1.12->cryptography>=2.2.0) (2.20)
Building wheels for collected packages: cryptography
  Running bdist_wheel for cryptography ... done
  Stored in directory: /root/.cache/pip/wheels/d5/1d/4c/5845f4531bb6365638488a91450942f9e242d4017bdf09126c
Successfully built cryptography
Installing collected packages: cryptography
Successfully installed cryptography-3.4.7

Enable site packages. ​​By default, the Cloud SDK ignores Python libraries installed on your local system. To allow the Cloud SDK to use the cryptographic library, you need to enable site packages.


You can now issue a certificate from the CA:

gcloud privateca certificates create \
    --issuer-pool my-pool-1 \
    --dns-san \
    --generate-key \
    --key-output-file key_file \
    --cert-output-file cert_file

A new cert\_file and key\_file have been created. You can view the certificate and key using the commands below:

cat cert_file
cat key_file

Note that the key\_file is the private key that is associated with the public key in the certificate. This private key should be secured at all times.

You can view the public key of the certificate with the following command:

openssl x509 -inform pem -in cert_file -pubkey -noout | openssl rsa -pubin -text -noout

Now decode the certificate using openSSL and see a summary of the certificate information:

openssl x509 -in cert_file -text -noout

Create a sub-CA

Certificates are usually issued from subordinate CA (sub-CA). These are CAs that build a chain of trust to the root CA, clients that trust the root CA will accept certificates that have been issued by these subordinate CAs.

Subordinate CA can have the root CA in Google Cloud, which you will test in this lab. The root CA can also be outside of Google Cloud boundaries, for example on-premises. The process to create a subordinate CA from an external root CA requires a certificate signing request (CSR) which is supported by Google Cloud but not part of this lab.

Create a subordinate CA in another region. Remember - CAs are regional. Start by creating a new CA pool, in us-central-1:

gcloud privateca pools create sub-1-pool --tier=devops --location us-central1

Verify that the new pool has been created:

gcloud privateca pools list


sub-1-pool  us-central1  DEVOPS
my-pool-1   us-west1     DEVOPS 

Now you can create the sub-ca which will be chained to the root-CA, called root-1:

gcloud privateca subordinates create sub-ca-1 \
  --issuer-pool my-pool-1 \
  --pool sub-1-pool \
  --location us-central1 \
  --issuer-ca root-1   --issuer-location us-west1 \
  --key-algorithm "ec-p256-sha256" \
  --subject "CN=Example Internal Dev, O=Example ORG LLC" \
  --use-preset-profile "subordinate_server_tls_pathlen_0"

If prompted press ‘y' and then press ‘Enter'.

Create a sub CA.

Issue a Certificate from the sub-CA

Now generate a cert from the newly created sub-CA for the DNS name

gcloud privateca certificates create \
    --issuer-pool sub-1-pool \
    --dns-san \
    --generate-key \
    --issuer-location us-central1 \
    --key-output-file key_file \
    --cert-output-file cert_file

Run the following to review the certificate from the sub-CA:

openssl x509 -in cert_file -text -noout


        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Example ORG LLC, CN = Example Internal Dev
            Not Before: Jun 14 22:33:30 2021 GMT
            Not After : Jul 14 22:33:30 2021 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            Authority Information Access:
                CA Issuers - URI:
            X509v3 Subject Alternative Name: critical
    Signature Algorithm: ecdsa-with-SHA256

Note that the SAN (Subject Alternative Name) for this cert is and the issuer of the certificate is Example Internal Dev - this is the sub-ca that was just created.


You have learned how to enable the service API, create a root, a subordinate CA, and issue a certificate.

Google Cloud Training & Certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: July 16, 2021
Lab Last Tested: July 16, 2021

Copyright 2021 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.