Issue a certificate using the Google Cloud console

This quickstart guide shows you how to generate or issue certificates through Certificate Authority Service using the Google Cloud console.

Learn to manage private certificate authorities (CAs) securely without provisioning or maintaining infrastructure.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Certificate Authority Service API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

Create a CA pool

A CA pool is a collection of multiple CAs. A CA pool provides the ability to rotate trust chains without any outage or downtime for workloads. A CA pool lives in a single Google Cloud location that you cannot change after creation.

To create a CA pool with the default settings, do the following:

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Under the CA pool manager tab, click Create pool.

  3. On the Create CA pool page, add a name for the CA pool.

  4. Click Region, and select us-east1 (South Carolina) as the region of the CA pool.

  5. Click Next for each step.

  6. Click Done.

You can see this CA pool in the list of CA pools under the CA pool manager tab.

Create a root CA

A CA pool is empty on creation. You must add a CA to the CA pool to request certificates.

A root CA has a self-signed certificate that resides in the client's trust store. This section explains how you can add a root CA to the CA pool you created.

To add a root CA to your CA pool, do the following:

  1. On the Certificate Authority Service page, click CA manager.
  2. Click the Create CA expander arrow, and then select Create CA in an existing CA pool.
  3. Select the CA pool you created.
  4. Click Continue.
  5. In the Select CA type section, click Continue.
  6. In the Organization (O) field, enter the name of your organization.
  7. In the CA common name (CN) field, enter the name of the CA. Note the CA name because you will need it for requesting a certificate.
  8. Click Continue for each step.
  9. Review the details of the CA, and click Done.

Optional: Create a subordinate CA pool

A subordinate CA pool lets you organize and manage multiple subordinate CAs. The root CA validates and signs all CAs within a subordinate CA pool.

To create a subordinate CA pool with the default settings, do the following:

  1. On the Certificate Authority Service page, click CA pool manager.
  2. Click Create pool.
  3. On the Create CA pool page, add a name for the subordinate CA pool.

  4. Click Region, and select us-east1 (South Carolina) as the region of the subordinate CA pool.

  5. Click Next for each step.

  6. Click Done.

Ensure that the subordinate CA pool is available in the list of CA pools under the CA pool manager tab.

Optional: Create a subordinate CA signed by your root CA

Subordinate CAs are responsible for distributing certificates to the end entities that need them, such as web servers, users, and devices. Subordinate CAs create a layer of separation between the highly sensitive root CA and the day-to-day certificate issuance.

To generate a subordinate CA that's signed by a root CA that you created earlier, do the following:

  1. On the Certificate Authority Service page, click CA manager.
  2. Click the Create CA expander arrow, and then select Create CA in an existing CA pool.
  3. Select the subordinate CA pool that you created.
  4. Click Continue.
  5. Click Subordinate CA.
  6. Click Root CA is in Google Cloud.
  7. In the Signing Certificate Authority field, click Browse.
  8. From the Select a CA dialog, select the root CA created in the Create a root CA section.
  9. Click Confirm.
  10. In the Valid for field, enter the duration for which you want the subordinate CA certificate to be valid.
  11. Click Continue.
  12. In the Organization (O) field, enter the name of your organization.
  13. In the CA common name (CN) field, enter the name of the subordinate CA. Note the subordinate CA name because you will need it for requesting a certificate.
  14. Click Continue for each step.
  15. Review the details of the subordinate CA, and click Done.

Request a certificate

To request a certificate using the CA, do the following:

  1. On the Certificate authority page, click Request a certificate.
  2. Click Enter details.

    The 'Request a certificate' page in the Google Cloud console with the 'Enter details' option highlighted.

  3. Under Add domain name, enter the fully qualified domain name of the site you want to secure with this certificate.

  4. Click Next.

  5. Under Configure key size and algorithm, click Continue.

    You will see the generated certificate that you can copy or download. To copy the certificate, click the copy icon.

    A generated certificate displayed in the Google Cloud console, with options to copy or download.

  6. Click Done.
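The console steps above produce a three-level hierarchy: a self-signed root CA, a subordinate CA whose certificate is signed by the root, and a leaf certificate for the domain you entered, signed by the subordinate. The following Go program is an added example (not Google's code and not part of the CA Service client library) that builds the same hierarchy in memory with the standard library and then performs the check a consumer of the downloaded certificate should perform: the leaf must chain to the trusted root through the subordinate, and it must be valid for the requested domain. The organization, CA names, and domain are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the three certificates the quickstart produces.
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
}

// caTemplate builds a CA certificate template with the Organization (O) and
// common name (CN) fields the console asks for. pathLen limits how many
// subordinate CAs may sit below this one.
func caTemplate(cn, org string, serial int64, years, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign creates a certificate from template, signed by parent's key.
// When parent == template the result is self-signed (the root CA case).
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy mirrors the console flow: root CA -> subordinate CA -> leaf.
// Keys are generated in memory; in CA Service they never leave the service.
func BuildHierarchy(org, domain string) (*Hierarchy, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, subKey, leafKey := keys[0], keys[1], keys[2]

	rootTpl := caTemplate("Example Root CA", org, 1, 10, 1) // sample CN
	root, err := sign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	subTpl := caTemplate("Example Subordinate CA", org, 2, 3, 0) // sample CN
	sub, err := sign(subTpl, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // the "Add domain name" value
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 30),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTpl, sub, &leafKey.PublicKey, subKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Sub: sub, Leaf: leaf}, nil
}

// VerifyLeaf checks that the leaf chains to trustedRoot through the
// subordinate CA and is valid for domain. Only trustedRoot is trusted;
// the subordinate is supplied as an untrusted intermediate.
func VerifyLeaf(h *Hierarchy, trustedRoot *x509.Certificate, domain string) ([]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(h.Sub)
	chains, err := h.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       domain,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	h, err := BuildHierarchy("Example Org", "www.example.com")
	if err != nil {
		panic(err)
	}
	chain, err := VerifyLeaf(h, h.Root, "www.example.com")
	if err != nil {
		panic(err)
	}
	for _, c := range chain {
		fmt.Printf("%s (issued by %s)\n", c.Subject.CommonName, c.Issuer.CommonName)
	}
	// A leaf from an unrelated root must be rejected by this trust store.
	other, _ := BuildHierarchy("Other Org", "www.example.com")
	if _, err := VerifyLeaf(other, h.Root, "www.example.com"); err != nil {
		fmt.Println("unrelated hierarchy rejected:", err)
	}
}
```

Note that only the root certificate goes into the trust store; the subordinate CA certificate is presented as an intermediate and is accepted only because the root signed it, which is the separation between the root and day-to-day issuance that the subordinate CA section describes.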

Clean up

Clean up by revoking the certificate and deleting the CA pool, the CA, and the project you created for this quickstart.

  1. Revoke the certificate.

    1. Click the Private certificate manager tab.
    2. In the list of certificates, click View more in the row of the certificate you want to delete.
    3. Click Revoke.
    4. In the dialog that opens, click Confirm.
  2. Delete the CA.

    You can delete a CA only after you have revoked all the certificates issued by it.

    After you have revoked the certificate, do the following:

    1. In the list of CAs, select the CA you want to delete.
    2. Click Delete. The Delete Certificate Authority dialog appears.
    3. Optional: Select one or both of the following checkboxes if the conditions apply to you:
      • Delete this CA, even if there are active certificates

        This option lets you delete a CA with active certificates. Deleting a CA with active certificates might cause websites, applications, or systems relying on those certificates to fail. We recommend that you revoke all active certificates issued by a CA before you delete the CA.

      • Skip the 30 day grace period and delete this CA immediately

        The 30-day grace period gives you time to revoke all certificates issued by this CA and to verify that no systems depend on it. We recommend that you use this option only in non-production or test environments, to prevent potential outages and data loss.

    4. Click Confirm.

    The CA state changes to Deleted. The CA is permanently deleted 30 days after you initiate the deletion.

  3. Delete the CA pool.

    You can delete a CA pool only after CA Service permanently deletes the CA.

    After you have deleted the CA in the CA pool, do the following:

    1. Click the CA pool manager tab.
    2. In the list of CA pools, select the CA pool you want to delete.
    3. Click Delete.
    4. Permanently delete a CA pool.
    5. In the dialog box that opens, click Confirm.
  4. To delete the project, do the following:

    1. In the Google Cloud console, go to the Manage resources page.

      Go to Manage resources

    2. In the project list, select the project that you want to delete, and then click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next