Create a subordinate CA from an external CA

This page describes how to create a subordinate certificate authority (CA) that chains up to an external root CA.

If you have an existing public key infrastructure (PKI) hierarchy containing a root CA and subordinate CAs, you can keep the same root CA and create a subordinate CA in CA Service that chains up to your external root CA. The external root CA's key and operations remain outside of Google Cloud. You use the external root CA only to issue the subordinate CA certificate to Google Cloud. The subordinate CA is immediately trusted by any workload that trusts the external root CA. You can then use the subordinate CA to issue certificates without needing to reach back to the external root CA at run time.

Before you begin

  • Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) IAM role. For information, see Configure IAM policies.
  • Identify the external root CA.
  • Define the name, subject, validity period, and key size for the subordinate CA. For information, see Determine CA Settings.

Create a subordinate CA from an external CA

Creating a subordinate CA from an external CA involves the following steps:

  1. Generate the subordinate CA Certificate Signing Request (CSR): The first step is to generate a CSR for the subordinate CA and then download the CSR.

  2. Get the subordinate CA certificate signed by the external root CA: The second step is to submit the CSR to the external root CA for signing. Ensure that you follow the external root CA's specific instructions for submitting CSRs and obtaining signed certificates.

  3. Import the signed subordinate CA certificate into CA Service: The final step is to upload the signed PEM certificate chain using either the Google Cloud CLI or the Google Cloud console.

The following section shows you how to create a subordinate CA from an external root CA.

Create a CSR

Console

  1. Visit the Security > Certificate Authority Service menu in the Google Cloud console.

    Go to Certificate Authority Service

  2. Click the CA manager tab.

  3. Click Create CA.

Select CA type:

  1. Click Subordinate CA.
  2. In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid.
  3. Click Root CA is external.
  4. Pick one of the available options for the CA Tier. For more information, see Select the operation tiers.
  5. Under Regionalization, select a CA location from the list.
  6. Click Next.

Configure CA subject name

  1. In the Organization (O) field, enter the name of your company.
  2. Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
  3. Optional: In the Country name (C) field, enter a two-letter country code.
  4. Optional: In the State or province name field, enter the name of your state.
  5. Optional: In the Locality name field, enter the name of your city.
  6. In the CA common name (CN) field, enter the CA name.
  7. Click Continue.

Configure CA key size and algorithm

  1. Choose the key algorithm that best meets your needs. For information about choosing a suitable key algorithm, see Choose a key algorithm.
  2. Click Continue.

Configure CA artifacts

  1. Choose whether you want to use a Google-managed or a customer-managed Cloud Storage bucket.
    1. For a Google-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
    2. For a customer-managed Cloud Storage bucket, click Browse and select one of the existing Cloud Storage buckets.
  2. Click Continue.

Add labels

The following steps are optional.

If you want to add labels to the CA, do the following:

  1. Click Add item.
  2. In the Key 1 field, enter the label key.
  3. In the Value 1 field, enter the label value.
  4. If you want to add another label, click Add item. Then, add the label key and value as described in steps 2 and 3.
  5. Click Continue.

Review the settings

Carefully review all the settings, then click Done to create the CA.

Download the CSR

  1. On the Certificate authority page, select the CA you want to activate.
  2. Click Activate.
  3. In the dialog that opens, click Download CSR.

    Download the CSR of the CA.

gcloud

  1. To create a CA pool for the subordinate CA, run the following command. For more information, see Create a CA pool.

        gcloud privateca pools create SUBORDINATE_POOL_ID \
            --location=LOCATION


    Replace the following:

    • SUBORDINATE_POOL_ID : the name of the CA pool.
    • LOCATION : the location of the CA pool.
  2. To create a subordinate CA in the CA pool you just created, run the following gcloud command. The command also generates a CSR and saves it to the file FILE_NAME.

        gcloud privateca subordinates create SUBORDINATE_CA_ID \
            --pool=SUBORDINATE_POOL_ID \
            --location=LOCATION \
            --create-csr --csr-output-file=FILE_NAME \
            --key-algorithm="ec-p256-sha256" \
            --subject="CN=Example Server TLS CA, O=Example LLC"


    Replace the following:

    • SUBORDINATE_CA_ID : the unique identifier of the subordinate CA.
    • SUBORDINATE_POOL_ID : the name of the CA pool.
    • LOCATION : the location of the CA pool.
    • FILE_NAME : the name of the file where the PEM-encoded CSR is written.

    The --key-algorithm flag takes the cryptographic algorithm to use when creating the managed Cloud HSM key for the CA.

    The --subject flag takes the X.501 name of the certificate subject.

    For more information about the gcloud privateca subordinates create command, see gcloud privateca subordinates create.

The following statement is returned when the CSR is created:

    Created Certificate Authority [projects/my-project-pki/locations/us-west1/caPools/SUBORDINATE_POOL_ID/certificateAuthorities/SUBORDINATE_CA_ID] and saved CSR to FILE_NAME.

To see the exhaustive list of available settings, run the following command:

 gcloud privateca subordinates create --help 

If you lose the CSR, you can download it again using the following command:

    gcloud privateca subordinates get-csr SUBORDINATE_CA_ID \
        --pool=SUBORDINATE_POOL_ID \
        --location=LOCATION


Terraform

  1. To create a CA pool and a subordinate CA in that CA pool, use the following configuration file:

        resource "google_privateca_ca_pool" "default" {
          name     = "test-ca-pool"
          location = "us-central1"
          tier     = "ENTERPRISE"
        }

        resource "google_privateca_certificate_authority" "sub-ca" {
          pool                     = google_privateca_ca_pool.default.name
          certificate_authority_id = "my-certificate-authority-sub"
          location                 = "us-central1"
          config {
            subject_config {
              subject {
                organization = "HashiCorp"
                common_name  = "my-subordinate-authority"
              }
              subject_alt_name {
                dns_names = ["hashicorp.com"]
              }
            }
            x509_config {
              ca_options {
                is_ca = true
                # Force the sub CA to only issue leaf certs
                max_issuer_path_length = 0
              }
              key_usage {
                base_key_usage {
                  cert_sign = true
                  crl_sign  = true
                }
                extended_key_usage {
                }
              }
            }
          }
          lifetime = "86400s"
          key_spec {
            algorithm = "RSA_PKCS1_4096_SHA256"
          }
          type = "SUBORDINATE"
        }

  2. To fetch the CSR, append the following configuration:

        data "google_privateca_certificate_authority" "sub-ca-csr" {
          location                 = "us-central1"
          pool                     = google_privateca_ca_pool.default.name
          certificate_authority_id = google_privateca_certificate_authority.sub-ca.certificate_authority_id
        }

        output "csr" {
          value = data.google_privateca_certificate_authority.sub-ca-csr.pem_csr
        }

  3. Run terraform apply.

Sign the CSR

Pass the generated CSR file to the member of your organization responsible for certificate issuance, and request that they sign it. The specific steps depend on your organization's setup.

You can experiment with a simple root CA using the following openssl commands:

Shell

Configure settings for the new root CA.

    cat > root.conf <<- EOM
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ca
    prompt = no
    [ req_distinguished_name ]
    commonName = Sample Root
    [ v3_ca ]
    subjectKeyIdentifier = hash
    basicConstraints = critical, CA:true
    EOM

Create the new root CA.

    openssl req -x509 -new -nodes -config root.conf -keyout rootCA.key \
        -days 3000 -out rootCA.crt -batch

Configure the extensions that must be added to the new subordinate CA certificate.

    cat > extensions.conf <<- EOM
    basicConstraints = critical,CA:TRUE,pathlen:0
    keyUsage = critical,keyCertSign,cRLSign
    extendedKeyUsage = critical,serverAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid
    EOM

Sign the subordinate CA's CSR with this root.

    openssl x509 -req -in FILE_NAME -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -out subordinate.crt -days 1095 -sha256 -extfile extensions.conf

Concatenate the entire certificate chain into a single file.

    cat subordinate.crt > chain.crt
    cat rootCA.crt >> chain.crt
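Before uploading chain.crt, it is worth checking that the file is in the order CA Service expects (subordinate first, root last), that the subordinate certificate actually chains to the root, and that the CA extensions from extensions.conf made it into the signed certificate. The script below is an added example and not part of the Google Cloud page: it rebuilds the throwaway root with the openssl steps above, uses a locally generated CSR as a stand-in for the one CA Service produces, and the file names and the check_chain function are this example's own.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): rebuild the throwaway root and signed
# subordinate from the openssl steps above, then run pre-upload checks on chain.crt.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throwaway root CA using the page's root.conf settings (constructed for this demo).
printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
  '[ dn ]' 'commonName = Sample Root' '[ v3_ca ]' 'subjectKeyIdentifier = hash' \
  'basicConstraints = critical, CA:true' > root.conf
openssl req -x509 -new -nodes -config root.conf -keyout rootCA.key -days 3000 \
  -out rootCA.crt -batch 2>/dev/null

# Local stand-in for the CSR that CA Service generates (its real key stays in Cloud HSM).
openssl req -new -nodes -config root.conf -subj '/O=Example LLC/CN=Example Server TLS CA' \
  -keyout sub.key -out sub.csr 2>/dev/null

# Sign with the page's extensions.conf and assemble chain.crt in the expected order.
printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
  'keyUsage = critical,keyCertSign,cRLSign' 'extendedKeyUsage = critical,serverAuth' \
  'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > extensions.conf
openssl x509 -req -in sub.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out subordinate.crt -days 1095 -sha256 -extfile extensions.conf 2>/dev/null
cat subordinate.crt rootCA.crt > chain.crt
cat rootCA.crt subordinate.crt > wrong-order.crt   # the mistake the check must catch

# check_chain CHAIN ROOT SUB: prints "ok" and returns 0 when CHAIN starts with SUB, ends
# with ROOT, SUB verifies against ROOT and carries CA:TRUE/pathlen:0 plus keyCertSign;
# otherwise prints the first failing check and returns 1.
check_chain() {
  chain=$1; root=$2; sub=$3
  n=$(grep -c 'BEGIN CERTIFICATE' "$chain" || true)
  [ "$n" -ge 2 ] || { echo "$chain holds $n cert(s); need subordinate plus issuers"; return 1; }
  first=$(openssl x509 -in "$chain" -noout -subject)   # x509 parses only the first PEM block
  [ "$first" = "$(openssl x509 -in "$sub" -noout -subject)" ] ||
    { echo "first cert is not the subordinate CA"; return 1; }
  last=$(awk -v n="$n" '/BEGIN CERTIFICATE/{c++} c==n' "$chain" | openssl x509 -noout -subject)
  [ "$last" = "$(openssl x509 -in "$root" -noout -subject)" ] ||
    { echo "last cert is not the root CA"; return 1; }
  openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1 ||
    { echo "subordinate does not chain to root"; return 1; }
  text=$(openssl x509 -in "$sub" -noout -text)
  echo "$text" | grep -q 'CA:TRUE, pathlen:0' || { echo "missing CA:TRUE, pathlen:0"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "missing keyUsage keyCertSign"; return 1; }
  echo ok
}

check_chain chain.crt rootCA.crt subordinate.crt                 # ok
check_chain wrong-order.crt rootCA.crt subordinate.crt || true   # first cert is not the subordinate CA
```

Run the same check_chain call against your real chain.crt, rootCA.crt and subordinate.crt before activating the CA; the script only needs a standard openssl binary.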

Upload the signed certificate

To activate a subordinate CA using a signed certificate, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Click the CA manager tab.

  3. Under Certificate authorities, choose the subordinate CA that you created.

  4. Click Activate.

  5. In the dialog that opens, click Download CSR to download the PEM-encoded CSR file that the issuing CA can sign.

  6. Click Next.

  7. In the Upload Certificate Chain field, click Browse.

  8. Upload the signed certificate file with .crt extension.

  9. Click Activate.

gcloud

    gcloud privateca subordinates activate SUBORDINATE_CA_ID \
        --pool=SUBORDINATE_POOL_ID \
        --location=LOCATION \
        --pem-chain ./chain.crt

Replace the following:

  • SUBORDINATE_CA_ID : the unique identifier of the subordinate CA that you want to activate.
  • SUBORDINATE_POOL_ID : the name of the CA pool that contains the subordinate CA.
  • LOCATION : the location of the CA pool. For the complete list of locations, see Locations.

The --pem-chain flag is required. This flag takes the file containing the list of PEM-encoded certificates. The list of certificates starts with the current CA certificate and ends with the root CA certificate.

For more information about the gcloud privateca subordinates activate command, see gcloud privateca subordinates activate.

The following statement is returned when the signed certificate is uploaded:

    Activated certificate authority [SUBORDINATE_CA_ID].

Terraform

  1. Save the signed CA certificate locally as subordinate.crt.
  2. Save the signer CA certificates locally as rootCA.crt.
  3. Remove the CSR-fetching configuration that you added in the earlier Terraform step, because fetching the CSR is not allowed after CA activation.
  4. Update the subordinate CA configuration with the following fields and run terraform apply.

        pem_ca_certificate = file("subordinate.crt")
        subordinate_config {
          pem_issuer_chain {
            pem_certificates = [file("rootCA.crt")]
          }
        }
    

If the issuer chain includes more than one CA, specify the value as [file("intermediateCA.cert"), file("rootCA.crt")].

What's next
