创建根证书授权机构

本页介绍了如何在 CA 池中创建根证书授权机构 (CA)。

根 CA 位于公钥基础架构 (PKI) 层次结构的顶部,负责构成 PKI 的信任锚。为了正确参与 PKI 并使用证书,设备、软件或组件需要信任 PKI。为此,您需要将设备、软件或组件配置为信任根 CA。因此,根 CA 颁发的所有证书都受信任。

准备工作

创建根 CA

根 CA 具有自签名证书,您必须将其分发到客户端的信任存储区。根 CA 的证书位于证书链的顶部。任何其他 CA 都无法撤消 CA 证书。根 CA 的 CRL 仅适用于根 CA 颁发的其他证书,而非自身。

控制台

如需创建根 CA,请执行以下操作。

  1. 前往 Google Cloud 控制台中的 Certificate Authority Service 页面。

    前往 Certificate Authority Service

  2. 点击 CA 管理器标签页。

  3. 点击创建 CA

选择 CA 类型

如需配置 CA 的永久性设置(例如层级、位置、生命周期和创建时的运行状态),请执行以下操作:

  1. 选择根 CA
  2. Valid for 字段中,输入您希望由 CA 证书颁发的证书有效的期限。
  3. 可选:为 CA 选择层级
  4. 点击区域,然后在列表中选择要创建 CA 的位置。我们建议您在靠近应用客户端的地理位置创建 CA。如需了解详情,请参阅选择最佳位置

  5. 可选:选择要创建的 CA 的操作状态。

    选择要创建的 CA 的操作状态。

  6. 可选:点击证书配置文件。在列表中,选择与您希望 CA 颁发的证书类型相符的证书配置文件。

  7. 点击下一步

配置 CA 主题名称
  1. 组织 (O) 字段中,输入贵公司的名称。
  2. 可选:在组织部门 (OU) 字段中,输入公司分支或业务部门。
  3. 可选:在国家/地区名称字段中,输入两个字母的国家/地区代码。
  4. 可选:在州或省名称字段中,输入您所在的州/省的名称。
  5. 可选:在地理位置名称字段中,输入您所在的城市的名称。
  6. CA 通用名称 (CN) 字段中,输入 CA 名称。
  7. Pool ID 字段中,输入 CA 池名称。CA 一经创建,便无法更改 CA 池。
  8. 点击下一步
配置 CA 密钥大小和算法
  1. 选择最符合您需求的密钥算法。如需了解如何确定合适的密钥算法,请参阅选择密钥算法
  2. 点击下一步
配置 CA 工件

以下步骤是可选的。如果您跳过这些步骤,系统会应用默认设置。

  1. 选择要使用 Google 管理的 Cloud Storage 存储桶还是自行管理的 Cloud Storage 存储桶。

    2. 如果您未选择自有 Cloud Storage 存储桶,CA Service 会在与 CA 相同的位置创建一个 Google 管理的存储桶。

  2. 选择是否要停用将证书吊销列表 (CRL) 和 CA 证书发布到 Cloud Storage 存储桶的功能。

    3. 默认情况下,系统会启用在 Cloud Storage 存储桶中发布 CRL 和 CA 证书的功能。如需停用这些设置,请点击相应切换开关。

  3. 点击下一步
添加标签

以下步骤是可选的。

如果您想向 CA 添加标签,请执行以下操作:

  1. 点击 Add item(添加内容)。
  2. 密钥 1 字段中,输入标签键。
  3. 值 1 字段中,输入标签值。
  4. 如果您想添加其他标签,请点击 Add item(添加项)。然后,添加标签键和值(如第 2 步和第 3 步所述)。
  5. 点击下一步
查看设置

仔细检查所有设置,然后点击创建以创建 CA。

gcloud

  1. 如需创建 CA 池,请运行以下命令:

    gcloud privateca pools create POOL_ID

    POOL_ID 替换为 CA 池的名称。

    如需了解详情,请参阅创建 CA 池

    如需详细了解此 gcloud 命令,请参阅 gcloud privateca pools create

  2. 在您创建的 CA 池中创建新的根 CA。

    gcloud privateca roots create ROOT_CA_ID --pool=POOL_ID \
  --key-algorithm=KEY_ALGORITHM \
  --subject="CN=my-ca, O=Test LLC"

    替换以下内容:

    • ROOT_CA_ID:CA 的名称。
    • POOL_ID:CA 池的名称。
    • KEY_ALGORITHM:用于创建 Cloud KMS 密钥的算法。此标志是可选标志。如果您不添加此标志,则密钥算法默认为 rsa-pkcs1-4096-sha256。如需了解详情,请参阅 --key-algorithm 标志

    默认情况下,CA 会在 STAGED 状态下创建。如需默认启用 CA,请添加 --auto-enable 标志。

    如果您想使用客户管理的 Cloud Storage 存储桶发布 CA 证书和 CRL,请将 --bucket bucket-name 添加到该命令。将 bucket-name 替换为 Cloud Storage 存储桶的名称。

    如需查看完整的设置列表,请运行以下命令:

    gcloud privateca roots create --help

Terraform

如需使用 Google 拥有且由 Google 管理的密钥创建根 CA,请使用以下示例配置:

resource "google_privateca_certificate_authority" "root_ca" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                                   = "my-pool"
  certificate_authority_id               = "my-certificate-authority-root"
  location                               = "us-central1"
  deletion_protection                    = false # set to true to prevent destruction of the resource
  ignore_active_certificates_on_deletion = true
  config {
    subject_config {
      subject {
        organization = "ACME"
        common_name  = "my-certificate-authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  // valid for 10 years
  lifetime = "${10 * 365 * 24 * 3600}s"
}

如需使用自有密钥创建根 CA,请使用以下示例配置:

resource "google_project_service_identity" "privateca_sa" {
  provider = google-beta
  service  = "privateca.googleapis.com"
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/cloudkms.signerVerifier"

  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/viewer"
  members = [
    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
  ]
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool                     = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location                 = "us-central1"
  deletion_protection      = false # set to true to prevent destruction of the resource
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }

  config {
    subject_config {
      subject {
        organization = "Example, Org."
        common_name  = "Example Authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }

  depends_on = [
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
  ]
}

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
	"google.golang.org/protobuf/types/known/durationpb"
)

// Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
// responsible for signing certificates within this pool.
func createCa(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	caId string,
	caCommonName string,
	org string,
	caDuration int64) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id under which the CA should be created.
	// caId := "ca-id"					// A unique id/name for the ca.
	// caCommonName := "ca-name"		// A common name for your certificate authority.
	// org := "ca-org"					// The name of your company for your certificate authority.
	// ca_duration := int64(31536000)	// The validity of the certificate authority in seconds.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	// Set the types of Algorithm used to create a cloud KMS key.
	keySpec := &privatecapb.CertificateAuthority_KeyVersionSpec{
		KeyVersion: &privatecapb.CertificateAuthority_KeyVersionSpec_Algorithm{
			Algorithm: privatecapb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
		},
	}

	// Set CA subject config.
	subjectConfig := &privatecapb.CertificateConfig_SubjectConfig{
		Subject: &privatecapb.Subject{
			CommonName:   caCommonName,
			Organization: org,
		},
	}

	// Set the key usage options for X.509 fields.
	isCa := true
	x509Parameters := &privatecapb.X509Parameters{
		KeyUsage: &privatecapb.KeyUsage{
			BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
				CrlSign:  true,
				CertSign: true,
			},
		},
		CaOptions: &privatecapb.X509Parameters_CaOptions{
			IsCa: &isCa,
		},
	}

	// Set certificate authority settings.
	// Type: SELF_SIGNED denotes that this CA is a root CA.
	ca := &privatecapb.CertificateAuthority{
		Type:    privatecapb.CertificateAuthority_SELF_SIGNED,
		KeySpec: keySpec,
		Config: &privatecapb.CertificateConfig{
			SubjectConfig: subjectConfig,
			X509Config:    x509Parameters,
		},
		Lifetime: &durationpb.Duration{
			Seconds: caDuration,
		},
	}

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// Create the CreateCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCertificateAuthorityRequest.
	req := &privatecapb.CreateCertificateAuthorityRequest{
		Parent:                 fullCaPoolName,
		CertificateAuthorityId: caId,
		CertificateAuthority:   ca,
	}

	op, err := caClient.CreateCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCertificateAuthority failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA %s created", caId)

	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.KeyVersionSpec;
import com.google.cloud.security.privateca.v1.CertificateAuthority.SignHashAlgorithm;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateConfig;
import com.google.cloud.security.privateca.v1.CertificateConfig.SubjectConfig;
import com.google.cloud.security.privateca.v1.CreateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.protobuf.Duration;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set it to the CA Pool under which the CA should be created.
    // certificateAuthorityName: Unique name for the CA.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    createCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Create Certificate Authority which is the root CA in the given CA Pool.
  public static void createCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String commonName = "common-name";
      String orgName = "org-name";
      int caDuration = 100000; // Validity of this CA in seconds.

      // Set the type of Algorithm.
      KeyVersionSpec keyVersionSpec =
          KeyVersionSpec.newBuilder().setAlgorithm(SignHashAlgorithm.RSA_PKCS1_4096_SHA256).build();

      // Set CA subject config.
      SubjectConfig subjectConfig =
          SubjectConfig.newBuilder()
              .setSubject(
                  Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
              .build();

      //  Set the key usage options for X.509 fields.
      X509Parameters x509Parameters =
          X509Parameters.newBuilder()
              .setKeyUsage(
                  KeyUsage.newBuilder()
                      .setBaseKeyUsage(
                          KeyUsageOptions.newBuilder().setCrlSign(true).setCertSign(true).build())
                      .build())
              .setCaOptions(CaOptions.newBuilder().setIsCa(true).build())
              .build();

      // Set certificate authority settings.
      CertificateAuthority certificateAuthority =
          CertificateAuthority.newBuilder()
              // CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
              .setType(CertificateAuthority.Type.SELF_SIGNED)
              .setKeySpec(keyVersionSpec)
              .setConfig(
                  CertificateConfig.newBuilder()
                      .setSubjectConfig(subjectConfig)
                      .setX509Config(x509Parameters)
                      .build())
              // Set the CA validity duration.
              .setLifetime(Duration.newBuilder().setSeconds(caDuration).build())
              .build();

      // Create the CertificateAuthorityRequest.
      CreateCertificateAuthorityRequest certificateAuthorityRequest =
          CreateCertificateAuthorityRequest.newBuilder()
              .setParent(CaPoolName.of(project, location, poolId).toString())
              .setCertificateAuthorityId(certificateAuthorityName)
              .setCertificateAuthority(certificateAuthority)
              .build();

      // Create Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .createCertificateAuthorityCallable()
              .futureCall(certificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA !" + response.getError());
        return;
      }

      System.out.println(
          "Certificate Authority created successfully : " + certificateAuthorityName);
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2


def create_certificate_authority(
    project_id: str,
    location: str,
    ca_pool_name: str,
    ca_name: str,
    common_name: str,
    organization: str,
    ca_duration: int,
) -> None:
    """
    Create Certificate Authority which is the root CA in the given CA Pool. This CA will be
    responsible for signing certificates within this pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: set it to the CA Pool under which the CA should be created.
        ca_name: unique name for the CA.
        common_name: a title for your certificate authority.
        organization: the name of your company for your certificate authority.
        ca_duration: the validity of the certificate authority in seconds.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Set the types of Algorithm used to create a cloud KMS key.
    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
    )

    # Set CA subject config.
    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
        subject=privateca_v1.Subject(common_name=common_name, organization=organization)
    )

    # Set the key usage options for X.509 fields.
    x509_parameters = privateca_v1.X509Parameters(
        key_usage=privateca_v1.KeyUsage(
            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
                crl_sign=True,
                cert_sign=True,
            )
        ),
        ca_options=privateca_v1.X509Parameters.CaOptions(
            is_ca=True,
        ),
    )

    # Set certificate authority settings.
    certificate_authority = privateca_v1.CertificateAuthority(
        # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA.
        type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED,
        key_spec=key_version_spec,
        config=privateca_v1.CertificateConfig(
            subject_config=subject_config,
            x509_config=x509_parameters,
        ),
        lifetime=duration_pb2.Duration(seconds=ca_duration),
    )

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the CertificateAuthorityRequest.
    request = privateca_v1.CreateCertificateAuthorityRequest(
        parent=ca_pool_path,
        certificate_authority_id=ca_name,
        certificate_authority=certificate_authority,
    )

    operation = caServiceClient.create_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

REST API

  1. 创建根 CA。

    HTTP 方法和网址:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities?certificate_authority_id=ROOT_CA_ID

    请求 JSON 正文:

    {
"type": "SELF_SIGNED",
"lifetime": {
 "seconds": 315576000,
 "nanos": 0
},
"config": {
 "subject_config": {
   "subject": {
     "organization": "ORGANIZATION_NAME",
     "common_name": "COMMON_NAME"
   }
 },
 "x509_config":{
   "ca_options":{
     "is_ca":true
   },
   "key_usage":{
     "base_key_usage":{
       "cert_sign":true,
       "crl_sign":true
     }
   }
 }
},
"key_spec":{
 "algorithm":"RSA_PKCS1_4096_SHA256"
}
}

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": false
}

  2. 轮询该操作,直到它完成为止。

    HTTP 方法和网址:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": true,
 "response": {
   "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
   "name": "...",
 }
}

验证 CA 是否按预期运行后,您可以启用该 CA 以开始为 CA 池签发负载均衡证书。

启用根 CA

gcloud

如需启用根 CA,请运行以下 gcloud 命令:

gcloud privateca roots enable ROOT_CA_ID --pool=POOL_ID

替换以下内容:

  • ROOT_CA_ID:CA 的名称。
  • POOL_ID:CA 池的名称。

Terraform

如果您使用 Terraform 创建根 CA,则根 CA 会在创建时启用。如需创建处于 STAGED 状态的根 CA,请在创建 CA 时将 desired_state 字段设置为 STAGED

创建 CA 后,您可以将 desired_state 字段设置为 ENABLEDDISABLED

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1


def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)

REST API

  1. 让 CA 能够从 CA 池颁发证书。

    HTTP 方法和网址:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/ROOT_CA_ID:enable

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": false
}

  2. 轮询该操作,直到它完成为止。

    HTTP 方法和网址:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    如需发送您的请求,请展开以下选项之一:

    您应该收到类似以下内容的 JSON 响应:

    {
 "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
 "metadata": {...},
 "done": true,
 "response": {
   "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CertificateAuthority",
   "name": "...",
 }
}

测试 CA

如需验证 CA 是否能够颁发证书,请从关联的 CA 池请求证书,并使用 --ca 标志明确提及要测试的 CA 的名称。

您可以使用以下方法向 CA 池请求证书:

  1. 让 CA Service 为您创建私钥或公钥。
  2. 生成您自己的私钥或公钥,并提交证书签名请求 (CSR)。

使用自动生成的私钥或公钥向 CA 池中的 CA 请求证书更为简单。本部分介绍了如何使用该方法测试 CA。

如需使用自动生成的私钥或公钥向 CA 池中的 CA 请求证书,请运行以下 gcloud 命令:

gcloud privateca certificates create \
  --issuer-pool=POOL_ID \
  --ca=ROOT_CA_ID \
  --generate-key \
  --key-output-file=KEY_FILENAME \
  --cert-output-file=CERT_FILENAME \
  --dns-san=DNS_NAME

替换以下内容:

  • POOL_ID:CA 池的名称。
  • ROOT_CA_ID:您要测试的 CA 的唯一标识符。
  • KEY_FILENAME:以 PEM 格式写入生成的密钥的文件。
  • CERT_FILENAME:用于写入生成的 PEM 编码证书链文件的文件。证书链的顺序为从叶级证书到根证书。

  • DNS_NAME:一个或多个以英文逗号分隔的 DNS 主题备用名称 (SAN)。

    --generate-key 标志会在您的计算机上生成新的 RSA-2048 私钥。

如需使用证书签名请求 (CSR) 向 CA 池中的 CA 请求证书,或者详细了解如何请求证书,请参阅请求证书和查看已颁发的证书

克隆证书授权机构

如需克隆现有 CA 以续订该 CA,或创建具有相同配置的新 CA,请运行以下命令:

gcloud privateca roots create NEW_CA_ID --pool=POOL_ID \
  --from-ca=EXISTING_CA_ID \
  --key-algorithm "ec-p384-sha384"

替换以下内容:

  • NEW_CA_ID:新 CA 的唯一标识符。
  • POOL_ID:您要创建新 CA 的 CA 池的名称。

创建根 CA 和从属 CA 时支持使用 --from-ca 标志。现有 CA 必须与新 CA 位于同一 CA 池中。

--key-algorithm 标志会从现有 CA 复制所有 CA 配置(Cloud KMS 密钥版本和 Cloud Storage 存储桶除外)。不过,您仍然可以通过显式提供适当的标志来替换新 CA 中的任何配置值。例如,您仍然可以指定 `--subject SUBJECT 以使用新主题。

如果您省略 --key-algorithm 标志,则算法默认为:

  • rsa-pkcs1-4096-sha256(适用于根 CA)。
  • rsa-pkcs1-2048-sha256(适用于从属 CA)。

如需详细了解此 gcloud 命令,请参阅 gcloud privateca roots create

后续步骤