1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00
gcloud-help/gcloud/privateca/roots/create
2023-03-01 10:23:17 +00:00

313 lines
15 KiB
Text

NAME
gcloud privateca roots create - create a new root certificate authority
SYNOPSIS
gcloud privateca roots create
(CERTIFICATE_AUTHORITY : --location=LOCATION --pool=POOL)
[--auto-enable] [--bucket=BUCKET] [--dns-san=[DNS_SAN,...]]
[--email-san=[EMAIL_SAN,...]] [--from-ca=FROM_CA]
[--ip-san=[IP_SAN,...]] [--labels=[KEY=VALUE,...]]
[--subject=[SUBJECT,...]] [--uri-san=[URI_SAN,...]]
[--validity=VALIDITY; default="P10Y"]
[--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
| [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
--kms-keyring=KMS_KEYRING
--kms-location=KMS_LOCATION --kms-project=KMS_PROJECT]]
[--use-preset-profile=USE_PRESET_PROFILE
| --extended-key-usages=[EXTENDED_KEY_USAGES,...]
--key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH
| --unconstrained-chain-length --no-name-constraints-critical
--name-excluded-dns=[NAME_EXCLUDED_DNS,...]
--name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
--name-excluded-ip=[NAME_EXCLUDED_IP,...]
--name-excluded-uri=[NAME_EXCLUDED_URI,...]
--name-permitted-dns=[NAME_PERMITTED_DNS,...]
--name-permitted-email=[NAME_PERMITTED_EMAIL,...]
--name-permitted-ip=[NAME_PERMITTED_IP,...]
--name-permitted-uri=[NAME_PERMITTED_URI,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
TIP: Consider setting a project lien
(https://cloud.google.com/resource-manager/docs/project-liens) on the
project to prevent it from accidental deletion.
EXAMPLES
To create a root CA that supports one layer of subordinates:
$ gcloud privateca roots create prod-root --location=us-west1 \
--pool=my-pool \
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" \
--subject="CN=Example Production Root CA, O=Google" \
--max-chain-length=1
To create a root CA that is based on an existing CA:
$ gcloud privateca roots create prod-root --location=us-west1 \
--pool=my-pool \
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" --from-ca=source-root
POSITIONAL ARGUMENTS
Certificate Authority resource - The name of the root CA to create. The
arguments in this group can be used to specify the attributes of this
resource. (NOTE) Some attributes are not given arguments in this group but
can be set in other ways. To set the project attribute:
◆ provide the argument CERTIFICATE_AUTHORITY on the command line with a
fully specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
This must be specified.
CERTIFICATE_AUTHORITY
ID of the Certificate Authority or fully qualified identifier for the
Certificate Authority. To set the certificate_authority attribute:
▸ provide the argument CERTIFICATE_AUTHORITY on the command line.
This positional argument must be specified if any of the other
arguments in this group are specified.
--location=LOCATION
The location of the Certificate Authority. To set the location
attribute:
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
with a fully specified name;
▸ provide the argument --location on the command line;
▸ set the property privateca/location.
--pool=POOL
The parent CA Pool of the Certificate Authority. To set the pool
attribute:
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
with a fully specified name;
▸ provide the argument --pool on the command line.
FLAGS
--auto-enable
If this flag is set, the Certificate Authority will be automatically
enabled upon creation.
--bucket=BUCKET
The name of an existing storage bucket to use for storing the CA
certificates and CRLs for CAs in this pool. If omitted, a new bucket
will be created and managed by the service on your behalf.
--dns-san=[DNS_SAN,...]
One or more comma-separated DNS Subject Alternative Names.
--email-san=[EMAIL_SAN,...]
One or more comma-separated email Subject Alternative Names.
Source CA resource - An existing CA from which to copy configuration
values for the new CA. You can still override any of those values by
explicitly providing the appropriate flags. The specified existing CA must
be part of the same pool as the one being created. This represents a Cloud
resource. (NOTE) Some attributes are not given arguments in this group but
can be set in other ways. To set the project attribute:
◆ provide the argument --from-ca on the command line with a fully
specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project. To set the location attribute:
◆ provide the argument --from-ca on the command line with a fully
specified name;
◆ provide the argument --location on the command line;
◆ set the property privateca/location. To set the pool attribute:
◆ provide the argument --from-ca on the command line with a fully
specified name;
◆ provide the argument --pool on the command line.
--from-ca=FROM_CA
ID of the source CA or fully qualified identifier for the source CA.
To set the certificate_authority attribute:
▸ provide the argument --from-ca on the command line.
--ip-san=[IP_SAN,...]
One or more comma-separated IP Subject Alternative Names.
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
--subject=[SUBJECT,...]
X.501 name of the certificate subject. Example: --subject
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
--uri-san=[URI_SAN,...]
One or more comma-separated URI Subject Alternative Names.
--validity=VALIDITY; default="P10Y"
The validity of this CA, as an ISO8601 duration. Defaults to 10 years.
The key configuration used for the CA certificate. Defaults to a managed
key if not specified.
At most one of these can be specified:
--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
The crypto algorithm to use for creating a managed KMS key for the
Certificate Authority. The default is rsa-pkcs1-4096-sha256.
KEY_ALGORITHM must be one of: ec-p256-sha256, ec-p384-sha384,
rsa-pkcs1-2048-sha256, rsa-pkcs1-3072-sha256, rsa-pkcs1-4096-sha256,
rsa-pss-2048-sha256, rsa-pss-3072-sha256, rsa-pss-4096-sha256.
Key version resource - An existing KMS key version to back this CA. The
arguments in this group can be used to specify the attributes of this
resource.
--kms-key-version=KMS_KEY_VERSION
ID of the key version or fully qualified identifier for the key
version. To set the kms-key-version attribute:
▫ provide the argument --kms-key-version on the command line.
This flag argument must be specified if any of the other arguments
in this group are specified.
--kms-key=KMS_KEY
The KMS key of the key version. To set the kms-key attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-key on the command line.
--kms-keyring=KMS_KEYRING
The KMS keyring of the key version. To set the kms-keyring
attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-keyring on the command line.
--kms-location=KMS_LOCATION
The location of the key version. To set the kms-location attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-location on the command line;
▫ provide the argument location on the command line;
▫ set the property privateca/location.
--kms-project=KMS_PROJECT
The project containing the key version. To set the kms-project
attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-project on the command line;
▫ provide the argument project on the command line;
▫ set the property core/project.
The X.509 configuration used for the CA certificate.
At most one of these can be specified:
--use-preset-profile=USE_PRESET_PROFILE
The name of an existing preset profile used to encapsulate X.509
parameter values. USE_PRESET_PROFILE must be one of: leaf_client_tls,
leaf_code_signing, leaf_mtls, leaf_server_tls, leaf_smime,
root_unconstrained, subordinate_client_tls_pathlen_0,
subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0,
subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0,
subordinate_unconstrained_pathlen_0.
For more information, see
https://cloud.google.com/certificate-authority-service/docs/certificate-profile.
--extended-key-usages=[EXTENDED_KEY_USAGES,...]
The list of extended key usages for this CA. This can only be
provided if --use-preset-profile is not provided. EXTENDED_KEY_USAGES
must be one of: server_auth, client_auth, code_signing,
email_protection, time_stamping, ocsp_signing.
--key-usages=[KEY_USAGES,...]
The list of key usages for this CA. This can only be provided if
--use-preset-profile is not provided. KEY_USAGES must be one of:
digital_signature, content_commitment, key_encipherment,
data_encipherment, key_agreement, cert_sign, crl_sign, encipher_only,
decipher_only.
At most one of these can be specified:
--max-chain-length=MAX_CHAIN_LENGTH
Maximum depth of subordinate CAs allowed under this CA for a CA
certificate. This can only be provided if neither
--use-preset-profile nor --unconstrained-chain-length are provided.
--unconstrained-chain-length
If set, allows an unbounded number of subordinate CAs under this
newly issued CA certificate. This can only be provided if neither
--use-preset-profile nor --max-chain-length are provided.
The x509 name constraints configurations
--name-constraints-critical
Indicates whether or not name constraints are marked as critical.
Name constraints are considered critical unless explicitly set to
false. Enabled by default, use --no-name-constraints-critical to
disable.
--name-excluded-dns=[NAME_EXCLUDED_DNS,...]
One or more comma-separated DNS names which are excluded from being
issued certificates. Any DNS name that can be constructed by simply
adding zero or more labels to the left-hand side of the name
satisfies the name constraint. For example, example.com,
www.example.com, www.sub.example.com would satisfy example.com,
while example1.com does not.
--name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
One or more comma-separated emails which are excluded from being
issued certificates. The value can be a particular email address, a
hostname to indicate all email addresses on that host or a domain
with a leading period (e.g. .example.com) to indicate all email
addresses in that domain.
--name-excluded-ip=[NAME_EXCLUDED_IP,...]
One or more comma-separated IP ranges which are excluded from being
issued certificates. For IPv4 addresses, the ranges are expressed
using CIDR notation as specified in RFC 4632. For IPv6 addresses,
the ranges are expressed in similar encoding as IPv4
--name-excluded-uri=[NAME_EXCLUDED_URI,...]
One or more comma-separated URIs which are excluded from being
issued certificates. The value can be a hostname or a domain with a
leading period (like .example.com)
--name-permitted-dns=[NAME_PERMITTED_DNS,...]
One or more comma-separated DNS names which are permitted to be
issued certificates. Any DNS name that can be constructed by simply
adding zero or more labels to the left-hand side of the name
satisfies the name constraint. For example, example.com,
www.example.com, www.sub.example.com would satisfy example.com,
while example1.com does not.
--name-permitted-email=[NAME_PERMITTED_EMAIL,...]
One or more comma-separated email addresses which are permitted to
be issued certificates. The value can be a particular email
address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. .example.com) to indicate all
email addresses in that domain.
--name-permitted-ip=[NAME_PERMITTED_IP,...]
One or more comma-separated IP ranges which are permitted to be
issued certificates. For IPv4 addresses, the ranges are expressed
using CIDR notation as specified in RFC 4632. For IPv6 addresses,
the ranges are expressed in similar encoding as IPv4
--name-permitted-uri=[NAME_PERMITTED_URI,...]
One or more comma-separated URIs which are permitted to be issued
certificates. The value can be a hostname or a domain with a
leading period (like .example.com)
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This variant is also available:
$ gcloud beta privateca roots create