Certificate profiles
This topic provides certificate profiles that you can use for various certificate issuance scenarios. You can reference these certificate profiles when creating a certificate or a certificate authority (CA) using the Google Cloud CLI or the Google Cloud console.
Use the gcloud references specified in this document along with the --use-preset-profile flag to utilize the certificate profile that fits your needs.
Unconstrained
Unconstrained certificate profiles add no constraints or limits.
Root unconstrained
Accessible as: root_unconstrained
The following certificate profile has neither extended key usage nor path-length constraints.
This CA can issue any type of certificate, including subordinate CAs. These values are appropriate for a self-signed root CA but you can also use them for an unconstrained subordinate CA.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
Subordinate unconstrained with path length of zero
Accessible as: subordinate_unconstrained_pathlen_0
You can use the following certificate profile to configure a CA that has no Extended Key Usage (EKU) constraints, but has a path-length restriction that doesn't allow the issuing of any subordinate CAs. These values are appropriate for CAs issuing end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
Mutual TLS
Mutual Transport Layer Security (mTLS) certificates can be used for server TLS, client TLS, or mutual TLS authentication.
Subordinate mTLS
Accessible as: subordinate_mtls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS, client TLS, or mutual TLS authentication. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity mTLS
Accessible as: leaf_mtls
You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, server TLS, or mTLS, for example SPIFFE certificates.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
    clientAuth: true
caOptions:
  isCa: false
Client TLS
Client TLS certificates are used to authenticate a client.
Subordinate client TLS
Accessible as: subordinate_client_tls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for client TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity client TLS
Accessible as: leaf_client_tls
You can use the following certificate profile to configure end-entity certificates that are compatible with client TLS, for example a client authenticating itself to a TLS firewall.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    clientAuth: true
caOptions:
  isCa: false
Server TLS
Server TLS certificates are used to authenticate a server.
Subordinate server TLS
Accessible as: subordinate_server_tls_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for server TLS. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity server TLS
Accessible as: leaf_server_tls
You can use the following certificate profile to configure end-entity certificates that are compatible with server TLS.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    keyEncipherment: true
  extendedKeyUsage:
    serverAuth: true
caOptions:
  isCa: false
Code signing
Digital signatures are used for code authentication.
Subordinate code signing
Accessible as: subordinate_code_signing_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for code signing. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also work for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity code signing
Accessible as: leaf_code_signing
You can use the following certificate profile to configure end-entity certificates that are compatible with code signing.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    codeSigning: true
caOptions:
  isCa: false
S/MIME
S/MIME is an email-signing protocol that helps improve email security.
Subordinate S/MIME
Accessible as: subordinate_smime_pathlen_0
You can use the following certificate profile to configure a CA that can issue end-entity certificates usable for S/MIME. This certificate profile has a path-length restriction that does not allow further subordinate CAs. These values are appropriate for a subordinate CA but they can also be used for a self-signed CA that directly issues end-entity certificates.
keyUsage:
  baseKeyUsage:
    certSign: true
    crlSign: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: true
  maxIssuerPathLength: 0
End-entity S/MIME
Accessible as: leaf_smime
You can use the following certificate profile to configure end-entity certificates that are compatible with S/MIME. S/MIME is often used for end-to-end email integrity or encryption.
keyUsage:
  baseKeyUsage:
    digitalSignature: true
    contentCommitment: true
  extendedKeyUsage:
    emailProtection: true
caOptions:
  isCa: false
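The following is an added example, not code from the page or from CA Service: it encodes the preset profiles above as data and checks whether a root-first chain of profiles respects the certSign, path-length and Extended Key Usage rules those profiles express. It assumes one rule the page does not state, namely that a CA carrying an EKU list may only issue certificates whose EKUs are within that list, as most TLS validators enforce.

```python
# Added example (not from the page): the preset profiles above modelled as
# data, plus a checker for an issuance chain given root first.
# Assumption not stated on the page: EKUs on a CA profile bound the EKUs of
# the certificates it issues, as most TLS validators enforce.

def ca(eku=None, pathlen=None):
    """CA profile: certSign + crlSign, isCa true, optional EKU and path length."""
    return {"ku": {"certSign", "crlSign"}, "eku": eku, "isCa": True, "pathlen": pathlen}

def leaf(eku, ku):
    """End-entity profile: isCa false, so no path length applies."""
    return {"ku": set(ku), "eku": set(eku), "isCa": False, "pathlen": None}

TLS_KU = {"digitalSignature", "keyEncipherment"}      # leaf TLS profiles
SIGN_KU = {"digitalSignature", "contentCommitment"}   # code signing and S/MIME leaves

PROFILES = {
    "root_unconstrained": ca(),
    "subordinate_unconstrained_pathlen_0": ca(pathlen=0),
    "subordinate_mtls_pathlen_0": ca({"serverAuth", "clientAuth"}, 0),
    "leaf_mtls": leaf({"serverAuth", "clientAuth"}, TLS_KU),
    "subordinate_client_tls_pathlen_0": ca({"clientAuth"}, 0),
    "leaf_client_tls": leaf({"clientAuth"}, TLS_KU),
    "subordinate_server_tls_pathlen_0": ca({"serverAuth"}, 0),
    "leaf_server_tls": leaf({"serverAuth"}, TLS_KU),
    "subordinate_code_signing_pathlen_0": ca({"codeSigning"}, 0),
    "leaf_code_signing": leaf({"codeSigning"}, SIGN_KU),
    "subordinate_smime_pathlen_0": ca({"emailProtection"}, 0),
    "leaf_smime": leaf({"emailProtection"}, SIGN_KU),
}

def check_chain(names):
    """Return the problems found in a root-first chain of profile names ([] means OK)."""
    certs = [PROFILES[n] for n in names]
    problems = []
    for i, c in enumerate(certs[:-1]):
        # Only a CA with certSign can issue the next certificate in the chain.
        if not c["isCa"] or "certSign" not in c["ku"]:
            problems.append(f"{names[i]} cannot issue certificates")
        # pathlen N: at most N CA certificates may be issued below this CA.
        if c["pathlen"] is not None:
            cas_below = sum(1 for x in certs[i + 1:] if x["isCa"])
            if cas_below > c["pathlen"]:
                problems.append(f"{names[i]}: pathlen {c['pathlen']} exceeded")
    for i in range(1, len(certs)):
        issuer, subject = certs[i - 1], certs[i]
        # Assumption: a CA with an EKU list may only issue EKUs it holds itself.
        if issuer["eku"] is not None:
            if subject["eku"] is None or not subject["eku"] <= issuer["eku"]:
                problems.append(f"{names[i]}: EKU not within issuer {names[i - 1]}")
    return problems
```

Running check_chain over a candidate hierarchy before creating it with --use-preset-profile shows, for instance, that a subordinate_client_tls_pathlen_0 CA cannot issue a leaf_server_tls certificate and that a pathlen-0 subordinate cannot issue a further subordinate CA.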
What's next
- Learn more about certificate templates.
- Learn more about policy controls.
- Learn more about using an issuance policy.