Console
    Start free

    Create a subordinate CA from an external CA

    This page describes how to create a subordinate certificate authority (CA) that chains up to an external root CA.

    If you have an existing public key infrastructure (PKI) hierarchy containing a root CA and subordinate CAs, you can maintain the same root CA and create a subordinate CA in CA Service that chains up to your external root CA. The external root CA's key and operations remain outside of Google Cloud. You can only use the external root CA to issue the subordinate CA certificate to Google Cloud. The subordinate CA is immediately trusted by any workload that trusts the external root CA. You can then use the subordinate CA to issue certificates without needing to reach back to the external root CA at runtime.

    Before you begin

    • Make sure you have the CA Service Operation Manager ( roles/privateca.caManager ) or the CA Service Admin ( roles/privateca.admin ) IAM role. For information, see Configure IAM policies .
    • Identify the external root CA.
    • Define the name, subject, validity period, and key size for the subordinate CA. For information, see Determine CA Settings .

    Create a subordinate CA from an external CA

    Creating a subordinate CA from an external CA involves the following steps:

    1. Generate the subordinate CA Certificate Signing Request (CSR): The first step is to generate a CSR for the subordinate CA and then download the CSR.

    2. Get the subordinate CA certificate signed by the external root CA: The second step is to submit the CSR to the external root CA for signing. Ensure that you follow the external root CA's specific instructions for submitting CSRs and obtaining signed certificates.

    3. Import the signed subordinate CA certificate into CA Service: The final step is to upload the signed PEM certificate chain using either the Google Cloud CLI or the Google Cloud console.

    The following section shows you how to create a subordinate CA from an external root CA.

    Create a CSR

    Console

    1. In Google Cloud console, go to the Certificate Authority Servicepage.

      Go to Certificate Authority Service

    2. Click the CA managertab.

    3. Click Create CA.

    Select CA type:

    1. Click Subordinate CA.
    2. In the Valid forfield, enter the duration that you want the certificates issued by the subordinate CA to be valid for.
    3. Click Root CA is external.
    4. Select one of the available options for the CA Tier. For more information, see Select the operation tiers .
    5. Under Regionalization, select a CA locationfrom the list.
    6. Click Next.
    Configure CA subject name
    1. In the Organization (O) field, enter the name of your company.
    2. Optional: In the Organization unit (OU) field, enter the company subdivision or business unit.
    3. Optional: In the Country name (C) field, enter a two letter country code.
    4. Optional: In the State or province name field, enter the name of your state.
    5. Optional: In the Locality name field, enter the name of your city.
    6. In the CA common name (CN) field, enter the CA name.
    7. Click Continue .
    Configure CA key size and algorithm
    1. Choose the key algorithm that best meets your needs. For more details on signing key options, see Configure CA signing keys .
    2. To use a customer-managed signing key, select Customer-managed key and provide the Cloud Key Management Service crypto key version.
    3. Click Continue .
    Configure CA artifacts
    1. Choose whether you want to use a Google-managed or a customer-managed Cloud Storage bucket.
      1. For a Google-managed Cloud Storage bucket, CA Service creates a Google-managed bucket in the same location as the CA.
      2. For a customer-managed Cloud Storage bucket, click Browse and select one of the existing Cloud Storage buckets.
    2. Click Continue .
    Add labels

    The following steps are optional.

    If you want to add labels to the CA, do the following:

    1. Click Add item .
    2. In the Key 1 field, enter the label key.
    3. In the Value 1 field, enter the label value.
    4. If you want to add another label, click Add item . Then, add the label key and value as mentioned in steps 2 and 3.
    5. Click Continue .
    Review the settings

    Carefully review all the settings, then click Done to create the CA.

    Download the CSR

    1. On the Certificate authoritypage, select the CA you want to activate.
    2. Click Activate.

    3. In the dialog that opens, click Download CSR.

      Download the CSR of the CA.

    gcloud

    1. To create a CA pool for the subordinate CA, run the following command. For more information, see Create a CA pool .

       gcloud  
privateca  
pools  
create  
 SUBORDINATE_POOL_ID 
  
--location = 
 LOCATION

      Replace the following:

      • SUBORDINATE_POOL_ID : the name of the CA pool.
      • LOCATION : the location of the CA pool.

    2. To create a subordinate CA in the created CA pool, run the following gcloud command. The gcloud command also creates a CSR and saves it to the FILE_NAME file.

       gcloud privateca subordinates create SUBORDINATE_CA_ID 
\
      --pool= SUBORDINATE_POOL_ID 
\
      --location= LOCATION 
\
      --create-csr --csr-output-file= FILE_NAME 
\
      --key-algorithm="ec-p256-sha256" \
      --subject="CN=Example Server TLS CA, O=Example LLC"

      Replace the following:

      • SUBORDINATE_CA_ID : the unique identifier of the subordinate CA.
      • SUBORDINATE_POOL_ID : the name of the CA pool.
      • LOCATION : the location of the CA pool.
      • FILE_NAME : the name of the file where the PEM-encoded CSR is written.

      The --key-algorithm flag specifies the cryptographic algorithm that you want to use for creating a managed Cloud HSM key for the CA.

      The --subject flag specifies the X.501 name of the certificate subject.

      For more information about the gcloud privateca subordinates create command, see gcloud privateca subordinates create .

      To create a subordinate CA using a customer-managed signing key, run the following command:

       gcloud privateca subordinates create SUBORDINATE_CA_ID 
\
      --pool= SUBORDINATE_POOL_ID 
\
      --location= LOCATION 
\
      --create-csr --csr-output-file= FILE_NAME 
\
      --kms-key-version= KMS_KEY_VERSION 
\
      --subject="CN=Example Server TLS CA, O=Example LLC"

      Replace the following:

      • SUBORDINATE_CA_ID : the unique identifier of the subordinate CA.
      • SUBORDINATE_POOL_ID : the name of the CA pool.
      • LOCATION : the location of the CA pool.
      • FILE_NAME : the name of the file where the PEM-encoded CSR is written.
      • KMS_KEY_VERSION : the full resource ID of a customer-managed Cloud KMS crypto key version to use as the signing key.

      For more details on signing key options and preparing a customer-managed signing key, see Configure CA signing keys .

    The following statement is returned when the CSR is created:

    Created Certificate Authority [projects/my-project-pki/locations/us-west1/caPools/ SUBORDINATE_POOL_ID 
/certificateAuthorities/ SUBORDINATE_CA_ID 
] and saved CSR to FILE_NAME 
.

    To see the exhaustive list of available settings, run the following command:

     gcloud privateca subordinates create --help

    If you lose the CSR, you can download it again using the following command:

     gcloud privateca subordinates get-csr SUBORDINATE_CA_ID 
\
    --pool= SUBORDINATE_POOL_ID 
\
    --location= LOCATION

    Terraform

    1. To create a CA pool and a subordinate CA in that CA pool, use the following configuration file:

        resource 
  
 "google_privateca_ca_pool" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "test-ca-pool" 
  
 location 
  
 = 
  
 "us-central1" 
  
 tier 
  
 = 
  
 "ENTERPRISE" 
 } 
 resource 
  
 "google_privateca_certificate_authority" 
  
 "sub-ca" 
  
 { 
  
 pool 
  
 = 
  
 google_privateca_ca_pool.default.name 
  
 certificate_authority_id 
  
 = 
  
 "my-certificate-authority-sub" 
  
 location 
  
 = 
  
 "us-central1" 
  
 config 
  
 { 
  
 subject_config 
  
 { 
  
 subject 
  
 { 
  
 organization 
  
 = 
  
 "HashiCorp" 
  
 common_name 
  
 = 
  
 "my-subordinate-authority" 
  
 } 
  
 subject_alt_name 
  
 { 
  
 dns_names 
  
 = 
  
 [ 
 "hashicorp.com" 
 ] 
  
 } 
  
 } 
  
 x509_config 
  
 { 
  
 ca_options 
  
 { 
  
 is_ca 
  
 = 
  
 true 
 # Force the sub CA to only issue leaf certs 
  
 max_issuer_path_length 
  
 = 
  
 0 
  
 } 
  
 key_usage 
  
 { 
  
 base_key_usage 
  
 { 
  
 cert_sign 
  
 = 
  
 true 
  
 crl_sign 
  
 = 
  
 true 
  
 } 
  
 extended_key_usage 
  
 { 
  
 } 
  
 } 
  
 } 
  
 } 
  
 lifetime 
  
 = 
  
 "86400s" 
  
 key_spec 
  
 { 
  
 algorithm 
  
 = 
  
 "RSA_PKCS1_4096_SHA256" 
  
 } 
  
 type 
  
 = 
  
 "SUBORDINATE" 
 }

    2. To fetch the CSR, append the following configuration.

        data 
  
 "google_privateca_certificate_authority" 
  
 "sub-ca-csr" 
  
 { 
  
 location 
  
 = 
  
 "us-central1" 
  
 pool 
  
 = 
  
 google_privateca_ca_pool.default.name 
  
 certificate_authority_id 
  
 = 
  
 google_privateca_certificate_authority.sub-ca.certificate_authority_id 
 } 
 output 
  
 "csr" 
  
 { 
  
 value 
  
 = 
  
 data.google_privateca_certificate_authority.sub-ca-csr.pem_csr 
 }

    3. Run terraform apply .

    Sign the CSR

    Pass the generated CSR file to the member of your organization responsible for certificate issuance, and request that they sign it. The specific steps depend on your organization's setup.

    You can experiment with a simple root CA using the following openssl commands:

    Shell

    Configure settings for the new root CA.

     cat > 
root.conf  
<<-  
EOM [ 
  
req  
 ] 
 distinguished_name 
  
 = 
  
req_distinguished_name x509_extensions 
  
 = 
  
v3_ca prompt 
  
 = 
  
no [ 
  
req_distinguished_name  
 ] 
 commonName 
  
 = 
  
Sample  
Root [ 
  
v3_ca  
 ] 
 subjectKeyIdentifier 
 = 
 hash 
 basicConstraints 
 = 
critical,  
CA:true
EOM

    Create the new root CA.

     openssl  
req  
-x509  
-new  
-nodes  
-config  
root.conf  
-keyout  
rootCA.key  
 \ 
  
-days  
 3000 
  
-out  
rootCA.crt  
-batch

    Configure the extensions that must be added to the new subordinate CA certificate.

     cat > 
extensions.conf  
<<-  
EOM basicConstraints 
 = 
critical,CA:TRUE,pathlen:0 keyUsage 
 = 
critical,keyCertSign,cRLSign extendedKeyUsage 
 = 
critical,serverAuth subjectKeyIdentifier 
 = 
 hash 
 authorityKeyIdentifier 
 = 
keyid
EOM

    Sign the subordinate CA's CSR with this root.

     openssl  
x509  
-req  
-in  
 FILE_NAME 
  
-CA  
rootCA.crt  
-CAkey  
rootCA.key  
 \ 
  
-CAcreateserial  
-out  
subordinate.crt  
-days  
 1095 
  
-sha256  
-extfile  
extensions.conf

    Concatenate the entire certificate chain into a single file.

     cat  
subordinate.crt > 
chain.crt
cat  
rootCA.crt >> 
chain.crt

    Upload the signed certificate

    To activate a subordinate CA using a signed certificate, do the following:

    Console

    1. Go to the Certificate Authority Servicepage in the Google Cloud console.

      Go to Certificate Authority Service

    2. Click the CA managertab.

    3. Under Certificate authorities, choose the subordinate CA that you created.

    4. Click Activate.

    5. In the dialog that opens, click Download CSRto download the PEM-encoded CSR file that the issuing CA can sign.

    6. Click Next.

    7. In the Upload Certificate Chainfield, click Browse.

    8. Upload the signed certificate file with .crt extension.

    9. Click Activate.

    gcloud

     gcloud privateca subordinates activate SUBORDINATE_CA_ID 
\
    --pool= SUBORDINATE_POOL_ID 
\
    --location= LOCATION 
\
    --pem-chain ./chain.crt

    Replace the following:

    • SUBORDINATE_CA_ID : the unique identifier of the subordinate CA that you want to activate.
    • SUBORDINATE_POOL_ID : the name of the CA pool that contains the subordinate CA.
    • LOCATION : the location of the CA pool. For the complete list of locations, see Locations .

    The --pem-chain flag is required. This flag specifies a file that contains the list of PEM-encoded certificates. The list of certificates starts with the current CA certificate and ends with the root CA certificate.

    For more information about the gcloud privateca subordinates activate command, see gcloud privateca subordinates activate .

    The following statement is returned when the signed certificate is uploaded:

    Activated certificate authority [ SUBORDINATE_CA_ID 
].

    Terraform

    1. Save the signed CA certificate locally as subordinate.crt .
    2. Save the signer CA certificates locally as rootCA.crt .
    3. Remove the configuration for fetching CSR mentioned in the first step as it tries to fetch CSR which is not allowed after CA activation.

    4. Update the subordinate CA configuration with the following fields and run terraform apply .

        pem_ca_certificate 
  
 = 
  
 file 
 ( 
 "subordinate.crt" 
 ) 
 subordinate_config 
  
 { 
  
 pem_issuer_chain 
  
 { 
  
 pem_certificates 
  
 = 
  
 [ 
 file 
 ( 
 "rootCA.crt" 
 )] 
  
 } 
 }

    If the issuer chain includes more than one CA, specify the value as [file("intermediateCA.cert"), file("rootCA.crt")] .

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: