Issue a certificate using CA Service and verify in Certificate Manager (2nd gen)
Learn how to issue a private certificate with Certificate Authority Service and use Certificate Manager (2nd gen) to view and verify the certificate details in its directory.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the CA Service, Certificate Manager APIs.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- You need an existing CA pool with an enabled CA in CA Service. For more information, see Create a CA pool and Create a CA.
- Ensure you have the required IAM roles. For more information, see Required roles.
Required roles
To get the permissions that you need to issue a certificate and view resources, ask your administrator to grant you the following IAM roles on the project:
- CA Service Certificate Requester (roles/privateca.certificateRequester)
- CA Service Viewer (roles/privateca.viewer)
- Certificate Manager Viewer (roles/certificatemanager.viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Issue a certificate using CA Service
To issue a certificate, complete the following steps:
In the Google Cloud console, go to CA Service.
Follow the instructions in the CA Service documentation to Request a certificate.
Note the domain name or identity that you specify. You use this value to find the certificate in the directory.
View and verify the certificate details in Certificate Manager (2nd gen)
After CA Service issues the certificate, Certificate Manager (2nd gen) detects and adds it to the certificate directory as an observed certificate.
To view the certificate, complete the following steps:
In the Google Cloud console, go to Certificates.
Wait a few minutes for the certificate to appear in the directory. If it doesn't appear, refresh the directory.
To find the certificate you issued, use the Filter bar to search using a relevant filter.
To open the details pane, click the certificate's domain name in the directory list.
Inspect the certificate properties:
- Validity: Check both the Not valid before and Not valid after dates.
- Subject: Confirm the subject matches the details that you provided during issuance.
- Issuance details: Note the issuing CA and organization.
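To cross-check the same three properties outside the console, the following added example (not part of the original page or of Google's documentation) runs openssl against the certificate's PEM file. It assumes the issued certificate and the issuing CA certificate are saved locally; the file names, subject values and the make_samples and verify_cert helpers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: cross-check an issued certificate file against the values
# shown in the directory. All names below are constructed sample values.

# make_samples DIR: build a throwaway CA and leaf certificate that stand in
# for a CA Service CA certificate and an issued certificate.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Org/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=app.example.internal" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -out "$1/leaf.pem" 2>/dev/null
}

# verify_cert LEAF_PEM CA_PEM EXPECTED_CN EXPECTED_ISSUER_ORG
# Returns 0 only when the chain, validity window, subject and issuer all match.
verify_cert() {
  local leaf="$1" ca="$2" want_cn="$3" want_org="$4" subject issuer

  # Issuance and validity: fails if the leaf is not signed by this CA, or if
  # the current time is outside Not valid before / Not valid after.
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: chain or validity window"; return 1; }

  # Subject: require the whole CN component, not a substring of it.
  subject=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *"CN=$want_cn"|*"CN=$want_cn,"*) ;;
    *) echo "FAIL: $subject"; return 1 ;;
  esac

  # Issuance details: the issuer must carry the expected organization.
  issuer=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253)
  case "$issuer" in
    *"O=$want_org"|*"O=$want_org,"*) ;;
    *) echo "FAIL: $issuer"; return 1 ;;
  esac

  # Print the dates to compare with the details pane.
  openssl x509 -in "$leaf" -noout -startdate -enddate
}

# Demo on constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp" && verify_cert "$tmp/leaf.pem" "$tmp/ca.pem" \
  app.example.internal "Example Org" && echo "OK"
rm -rf "$tmp"
```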
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
To avoid incurring unintended costs, revoke and delete the CA Service resource.
For more information about managing certificates in CA Service, see Manage certificates.