# Create a root certificate authority

This page describes the steps to create a root certificate authority (CA) in
Google Distributed Cloud (GDC) air-gapped.
A root CA, which sits atop the public key infrastructure (PKI) hierarchy,
establishes the trust anchor for the PKI. To use certificates within a PKI,
devices, software, and components must trust the root CA. This configuration
ensures trust in all certificates issued by the root CA, thereby enabling trust
in the PKI itself.
## Before you begin

To get the permissions you need to create a root certificate authority, ask your
Organization IAM Admin to grant you the Certificate Authority Service Admin
(`certificate-authority-service-admin`) role. For more information on roles, see
[Role definitions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-definitions).
### Get the kubeconfig file

To run commands against the Management API server, ensure you have the following
resources:

1. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in#cli) the
   kubeconfig file for the Management API server if you don't have one.
2. Use the path to the kubeconfig file of the Management API server to replace
   `MANAGEMENT_API_SERVER_KUBECONFIG` in these instructions.
## Create a root certificate authority

To create a root CA, apply a custom resource to your Distributed Cloud
air-gapped instance.

1. Create a `CertificateAuthority` resource and save it as a YAML file called
   `root-ca.yaml`:

   ```yaml
   apiVersion: pki.security.gdc.goog/v1
   kind: CertificateAuthority
   metadata:
     name: ROOT_CA_NAME
     namespace: USER_PROJECT_NAMESPACE
   spec:
     caProfile:
       commonName: COMMON_NAME
       duration: DURATION
       renewBefore: RENEW_BEFORE
       organizations:
       - ORGANIZATION
       organizationalUnits:
       - ORGANIZATIONAL_UNITS
       countries:
       - COUNTRIES
       localities:
       - LOCALITIES
       provinces:
       - PROVINCES
       streetAddresses:
       - STREET_ADDRESSES
       postalCodes:
       - POSTAL_CODES
     caCertificate:
       selfSignedCA: {}
     certificateProfile:
       keyUsage:
       - digitalSignature
       - keyCertSign
       - crlSign
       extendedKeyUsage:
       - EXTENDED_KEY_USAGE
     secretConfig:
       secretName: SECRET_NAME
     privateKeyConfig:
       algorithm: KEY_ALGORITHM
       size: KEY_SIZE
     acme:
       enabled: ACME_ENABLED
   ```
   Replace the following variables:

   | Variable | Description |
   |---|---|
   | `ROOT_CA_NAME` | The name of the root CA resource. |
   | `USER_PROJECT_NAMESPACE` | The name of the namespace where the user project resides. |
   | `COMMON_NAME` | The common name of the CA certificate. |
   | `DURATION` | The requested lifetime of the CA certificate. |
   | `SECRET_NAME` | The name of the Kubernetes Secret that holds the private key and signed CA certificate. |

   The following variables are optional values:

   | Variable | Description |
   |---|---|
   | `RENEW_BEFORE` | The rotation time before the CA certificate expires. |
   | `ORGANIZATION` | Organization to be used on the certificate. |
   | `ORGANIZATIONAL_UNITS` | Organizational units to be used on the certificate. |
   | `COUNTRIES` | Countries to be used on the certificate. |
   | `LOCALITIES` | Cities to be used on the certificate. |
   | `PROVINCES` | States or provinces to be used on the certificate. |
   | `STREET_ADDRESSES` | Street addresses to be used on the certificate. |
   | `POSTAL_CODES` | Postal codes to be used on the certificate. |
   | `EXTENDED_KEY_USAGE` | The extended key usage for the certificate. If provided, the allowed values are `serverAuth` and `clientAuth`. |
   | `KEY_ALGORITHM` | The private key algorithm used for this certificate. Allowed values are `RSA`, `Ed25519`, or `ECDSA`. If the size is not provided, it defaults to 256 for `ECDSA` and 2048 for `RSA`. Key size is ignored for `Ed25519`. |
   | `KEY_SIZE` | The size, in bits, of the private key for this certificate; the allowed values depend on the algorithm. `RSA` allows 2048, 3072, 4096, or 8192 (default 2048). `ECDSA` allows 256, 384, or 521 (default 256). `Ed25519` ignores the size. |
   | `ACME_ENABLED` | If set to `true`, the CA runs in ACME mode and outputs the ACME server URL. You can then use an ACME client and the ACME protocol to manage certificates. |
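The variable tables above define a small set of constraints (allowed key algorithms and sizes, the two permitted extended key usages, the `keyCertSign` and `crlSign` usages a CA certificate needs) that are cheap to check before the manifest reaches the API server. The following Python example is added here and is not part of this page or of the GDC product: it builds a `CertificateAuthority` document as a dictionary with the same field layout as `root-ca.yaml`, validates it against those constraints, and serializes it as JSON, which `kubectl apply -f` accepts because JSON is valid YAML. All names and values in it (`root-ca`, `my-project`, `Example Root CA`, the secret name) are constructed placeholders, and the `87600h`/`720h` duration strings assume Go-style duration syntax, which this page does not specify.

```python
"""Build and sanity-check a GDC CertificateAuthority manifest before applying it.

Added example: the field layout mirrors root-ca.yaml on this page and the
value constraints mirror its variable tables. Not product code.
"""
import json

# Allowed private-key algorithms and sizes, from the KEY_ALGORITHM / KEY_SIZE rows.
ALLOWED_KEY_SIZES = {
    "RSA": {2048, 3072, 4096, 8192},
    "ECDSA": {256, 384, 521},
    "Ed25519": set(),  # size is ignored for Ed25519
}
DEFAULT_KEY_SIZE = {"RSA": 2048, "ECDSA": 256}
ALLOWED_EKU = {"serverAuth", "clientAuth"}
# A CA certificate must be able to sign certificates and CRLs.
REQUIRED_KEY_USAGE = {"keyCertSign", "crlSign"}


def build_root_ca(name, namespace, common_name, duration, secret_name,
                  algorithm="ECDSA", size=None, renew_before=None,
                  organizations=(), extended_key_usage=(), acme_enabled=False):
    """Return the CertificateAuthority resource as a plain dict."""
    ca_profile = {"commonName": common_name, "duration": duration}
    if renew_before:
        ca_profile["renewBefore"] = renew_before
    if organizations:
        ca_profile["organizations"] = list(organizations)
    cert_profile = {"keyUsage": ["digitalSignature", "keyCertSign", "crlSign"]}
    if extended_key_usage:
        cert_profile["extendedKeyUsage"] = list(extended_key_usage)
    private_key = {"algorithm": algorithm}
    if algorithm != "Ed25519":
        if size is not None:
            private_key["size"] = size
        elif algorithm in DEFAULT_KEY_SIZE:
            private_key["size"] = DEFAULT_KEY_SIZE[algorithm]
    return {
        "apiVersion": "pki.security.gdc.goog/v1",
        "kind": "CertificateAuthority",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "caProfile": ca_profile,
            "caCertificate": {"selfSignedCA": {}},  # root CA: self-signed
            "certificateProfile": cert_profile,
            "secretConfig": {"secretName": secret_name},
            "privateKeyConfig": private_key,
            "acme": {"enabled": acme_enabled},
        },
    }


def validate_root_ca(manifest):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    spec = manifest.get("spec", {})
    pk = spec.get("privateKeyConfig", {})
    alg = pk.get("algorithm")
    if alg not in ALLOWED_KEY_SIZES:
        problems.append(f"privateKeyConfig.algorithm {alg!r} is not RSA, ECDSA or Ed25519")
    elif alg != "Ed25519" and "size" in pk and pk["size"] not in ALLOWED_KEY_SIZES[alg]:
        problems.append(f"privateKeyConfig.size {pk['size']} is not valid for {alg}")
    profile = spec.get("certificateProfile", {})
    missing = REQUIRED_KEY_USAGE - set(profile.get("keyUsage", []))
    if missing:
        problems.append("certificateProfile.keyUsage lacks " + ", ".join(sorted(missing)))
    bad_eku = set(profile.get("extendedKeyUsage", [])) - ALLOWED_EKU
    if bad_eku:
        problems.append("extendedKeyUsage has unsupported values: " + ", ".join(sorted(bad_eku)))
    if "selfSignedCA" not in spec.get("caCertificate", {}):
        problems.append("a root CA must use caCertificate.selfSignedCA")
    for field in ("commonName", "duration"):
        if not spec.get("caProfile", {}).get(field):
            problems.append(f"caProfile.{field} is required")
    if not spec.get("secretConfig", {}).get("secretName"):
        problems.append("secretConfig.secretName is required")
    return problems


def to_manifest_json(manifest):
    """Serialize for `kubectl apply -f`; JSON is valid YAML, so no yaml library is needed."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed placeholder values, not from any real deployment.
    ca = build_root_ca("root-ca", "my-project", "Example Root CA", "87600h",
                       "root-ca-secret", algorithm="ECDSA", size=384,
                       renew_before="720h", organizations=["Example Org"])
    for problem in validate_root_ca(ca):
        print("PROBLEM:", problem)
    print(to_manifest_json(ca))
```

Running the script writes the manifest to stdout; redirecting it to `root-ca.json` gives a file that the `kubectl apply -f` command in the next step accepts unchanged. The validator only checks what this page documents; the API server remains the authority on any field it rejects.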
2. Apply the custom resource to your Distributed Cloud instance:

   ```shell
   kubectl apply -f root-ca.yaml --kubeconfig MANAGEMENT_API_SERVER_KUBECONFIG
   ```

   Replace `MANAGEMENT_API_SERVER_KUBECONFIG` with the path to the kubeconfig
   file of the Management API server.

3. Verify the readiness of the root CA. It normally takes around 40 minutes for
   the CA to become ready:

   ```shell
   kubectl --kubeconfig MANAGEMENT_API_SERVER_KUBECONFIG -n USER_PROJECT_NAMESPACE get certificateauthority.pki.security.gdc.goog/ROOT_CA_NAME -ojson | jq -r '
     .status.conditions[] | select( .type as $id | "Ready" | index($id))'
   ```

   The output looks similar to the following:

   ```json
   {
     "lastTransitionTime": "2025-01-24T17:09:19Z",
     "message": "CA reconciled",
     "observedGeneration": 2,
     "reason": "Ready",
     "status": "True",
     "type": "Ready"
   }
   ```

## List CAs

To list all of the Certificate Authority Service resources in your
Distributed Cloud air-gapped instance, do the following:

Use the `certificateauthorities` parameter to list all `CertificateAuthority`
resources:

```shell
kubectl --kubeconfig MANAGEMENT_API_SERVER_KUBECONFIG -n USER_PROJECT_NAMESPACE get certificateauthorities
```

The output looks similar to the following:

```
NAMESPACE   NAME      READY   REASON   AGE
foo         root-ca   True    Ready    7h24m
foo         sub-ca    True    Ready    7h24m
```

Last updated 2025-08-29 UTC.
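The readiness check in step 3 of the creation procedure above selects the `Ready` condition from the resource status. When that check is automated, the condition should be read together with the `observedGeneration` field shown in the sample output: a `Ready=True` condition whose `observedGeneration` is older than `metadata.generation` describes an earlier version of the spec, not the one just applied. The following Python example is added here and is not part of this page or of the GDC product; it parses the JSON that `kubectl get ... -ojson` prints, applies the same `type == "Ready"` selection as the page's `jq` filter, and classifies the resource as ready, stale, not ready, or pending. The two embedded documents are constructed samples shaped like the status on this page, with placeholder names.

```python
"""Decide whether a CertificateAuthority is ready from `kubectl get ... -ojson` output.

Added example, not part of this page or the product. The samples below are
constructed to match the shape of the status shown on the page.
"""
import json

# Constructed sample: the document `kubectl get certificateauthority/ROOT_CA_NAME -ojson`
# returns once the CA has reconciled. Names and timestamps are placeholders.
SAMPLE_READY = json.dumps({
    "apiVersion": "pki.security.gdc.goog/v1",
    "kind": "CertificateAuthority",
    "metadata": {"name": "root-ca", "namespace": "my-project", "generation": 2},
    "status": {"conditions": [{
        "lastTransitionTime": "2025-01-24T17:09:19Z",
        "message": "CA reconciled",
        "observedGeneration": 2,
        "reason": "Ready",
        "status": "True",
        "type": "Ready",
    }]},
})

# Constructed sample: the spec was edited (generation 3) but the controller has
# not yet reported on it, so the Ready=True condition describes the old spec.
SAMPLE_STALE = json.dumps({
    "metadata": {"name": "root-ca", "namespace": "my-project", "generation": 3},
    "status": {"conditions": [{
        "lastTransitionTime": "2025-01-24T17:09:19Z",
        "message": "CA reconciled",
        "observedGeneration": 2,
        "reason": "Ready",
        "status": "True",
        "type": "Ready",
    }]},
})


def ready_condition(doc):
    """Return the condition with type Ready, or None if none has been reported."""
    for cond in doc.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def ca_readiness(raw_json):
    """Classify kubectl JSON output as 'ready', 'stale', 'not-ready' or 'pending'.

    'stale' means Ready=True was reported for an older spec generation than
    the one in metadata.generation, so it should not be trusted yet.
    """
    doc = json.loads(raw_json)
    cond = ready_condition(doc)
    if cond is None:
        return "pending", "no Ready condition reported yet"
    generation = doc.get("metadata", {}).get("generation")
    observed = cond.get("observedGeneration")
    if generation is not None and observed is not None and observed < generation:
        return "stale", f"Ready condition reflects generation {observed}, spec is at {generation}"
    if cond.get("status") == "True":
        return "ready", cond.get("message", "")
    return "not-ready", f"{cond.get('reason')}: {cond.get('message', '')}"


if __name__ == "__main__":
    for label, sample in (("ready sample", SAMPLE_READY), ("stale sample", SAMPLE_STALE)):
        print(label, "->", ca_readiness(sample))
```

In a wait loop, only the `ready` result should end the wait; `stale` and `pending` mean the controller has not yet caught up with the spec, and `not-ready` carries the reason and message from the condition for the operator to inspect.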