1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 18:45:13 +00:00
gcloud-help/gcloud/privateca/certificates/create
2022-03-16 08:47:18 +00:00

291 lines
13 KiB
Text

NAME
gcloud privateca certificates create - create a new certificate
SYNOPSIS
gcloud privateca certificates create
[[CERTIFICATE]
--issuer-location=ISSUER_LOCATION --issuer-pool=ISSUER_POOL]
(--cert-output-file=CERT_OUTPUT_FILE | --validate-only)
(--csr=CSR | [(--dns-san=[DNS_SAN,...] --email-san=[EMAIL_SAN,...]
--ip-san=[IP_SAN,...] --subject=[SUBJECT,...]
--uri-san=[URI_SAN,...])
(--generate-key --key-output-file=KEY_OUTPUT_FILE
| [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
--kms-keyring=KMS_KEYRING
--kms-location=KMS_LOCATION --kms-project=KMS_PROJECT])
: --use-preset-profile=USE_PRESET_PROFILE
| --extended-key-usages=[EXTENDED_KEY_USAGES,...] --is-ca-cert
--key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH])
[--ca=CA] [--labels=[KEY=VALUE,...]]
[--validity=VALIDITY; default="P30D"]
[--template=TEMPLATE : --template-location=TEMPLATE_LOCATION]
[GCLOUD_WIDE_FLAG ...]
EXAMPLES
To create a certificate using a CSR:
$ gcloud privateca certificates create frontend-server-tls \
--issuer-pool=my-pool --issuer-location=us-west1 \
--csr=./csr.pem --cert-output-file=./cert.pem --validity=P30D
To create a certificate using a client-generated key:
$ gcloud privateca certificates create frontend-server-tls \
--issuer-pool=my-pool --issuer-location=us-west1 \
--generate-key --key-output-file=./key \
--cert-output-file=./cert.pem --dns-san=www.example.com \
--use-preset-profile=leaf_server_tls
POSITIONAL ARGUMENTS
CERTIFICATE resource - The name of the certificate to issue. If the
certificate ID is omitted, a random identifier will be generated according
to the following format: {YYYYMMDD}-{3 random alphanumeric characters}-{3
random alphanumeric characters}. The certificate ID is not required when
the issuing CA pool is in the DevOps tier. The arguments in this group can
be used to specify the attributes of this resource. (NOTE) Some attributes
are not given arguments in this group but can be set in other ways. To set
the project attribute:
◆ provide the argument CERTIFICATE on the command line with a fully
specified name;
◆ certificate id will default to an automatically generated id with a
fully specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
[CERTIFICATE]
ID of the CERTIFICATE or fully qualified identifier for the
CERTIFICATE. To set the certificate attribute:
▸ provide the argument CERTIFICATE on the command line;
▸ certificate id will default to an automatically generated id.
--issuer-location=ISSUER_LOCATION
The location of the CERTIFICATE. To set the issuer-location
attribute:
▸ provide the argument CERTIFICATE on the command line with a fully
specified name;
▸ certificate id will default to an automatically generated id with
a fully specified name;
▸ provide the argument --issuer-location on the command line;
▸ set the property privateca/location.
--issuer-pool=ISSUER_POOL
The parent CA Pool of the CERTIFICATE. To set the issuer-pool
attribute:
▸ provide the argument CERTIFICATE on the command line with a fully
specified name;
▸ certificate id will default to an automatically generated id with
a fully specified name;
▸ provide the argument --issuer-pool on the command line.
REQUIRED FLAGS
Certificate persistence options.
Exactly one of these must be specified:
--cert-output-file=CERT_OUTPUT_FILE
The path where the resulting PEM-encoded certificate chain file
should be written (ordered from leaf to root).
--validate-only
If this flag is set, the certificate resource will not be persisted
and the returned certificate will not contain the pem_certificate
field.
Certificate generation method.
Exactly one of these must be specified:
--csr=CSR
A PEM-encoded certificate signing request file path.
Alternatively, you may describe the certificate and key to use.
The subject names for the certificate.
At least one of these must be specified:
--dns-san=[DNS_SAN,...]
One or more comma-separated DNS Subject Alternative Names.
--email-san=[EMAIL_SAN,...]
One or more comma-separated email Subject Alternative Names.
--ip-san=[IP_SAN,...]
One or more comma-separated IP Subject Alternative Names.
--subject=[SUBJECT,...]
X.501 name of the certificate subject. Example: --subject
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
--uri-san=[URI_SAN,...]
One or more comma-separated URI Subject Alternative Names.
To describe the key that will be used for this certificate, use one of
the following options.
Exactly one of these must be specified:
To generate a new key pair, use the following:
--generate-key
Use this flag to have a new RSA-2048 private key securely
generated on your machine.
This flag must be specified if any of the other arguments in
this group are specified.
--key-output-file=KEY_OUTPUT_FILE
The path where the generated private key file should be written
(in PEM format).
Note: possession of this key file could allow anybody to act as
this certificate's subject. Please make sure that you store
this key file in a secure location at all times, and ensure
that only authorized users have access to it.
This flag must be specified if any of the other arguments in
this group are specified.
Key version resource - An existing KMS key version backing this
certificate. The arguments in this group can be used to specify the
attributes of this resource.
--kms-key-version=KMS_KEY_VERSION
ID of the key version or fully qualified identifier for the key
version. To set the kms-key-version attribute:
▹ provide the argument --kms-key-version on the command line.
This flag must be specified if any of the other arguments in
this group are specified.
--kms-key=KMS_KEY
The KMS key of the key version. To set the kms-key attribute:
▹ provide the argument --kms-key-version on the command line
with a fully specified name;
▹ provide the argument --kms-key on the command line.
--kms-keyring=KMS_KEYRING
The KMS keyring of the key version. To set the kms-keyring
attribute:
▹ provide the argument --kms-key-version on the command line
with a fully specified name;
▹ provide the argument --kms-keyring on the command line.
--kms-location=KMS_LOCATION
The location of the key version. To set the kms-location
attribute:
▹ provide the argument --kms-key-version on the command line
with a fully specified name;
▹ provide the argument --kms-location on the command line;
▹ provide the argument location on the command line;
▹ set the property privateca/location.
--kms-project=KMS_PROJECT
The project containing the key version. To set the kms-project
attribute:
▹ provide the argument --kms-key-version on the command line
with a fully specified name;
▹ provide the argument --kms-project on the command line;
▹ provide the argument project on the command line;
▹ set the property core/project.
The x509 configuration used for this certificate.
At most one of these can be specified:
--use-preset-profile=USE_PRESET_PROFILE
The name of an existing preset profile used to encapsulate X.509
parameter values. USE_PRESET_PROFILE must be one of:
leaf_client_tls, leaf_code_signing, leaf_mtls, leaf_server_tls,
leaf_smime, root_unconstrained, subordinate_client_tls_pathlen_0,
subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0,
subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0,
subordinate_unconstrained_pathlen_0.
For more information, see
https://cloud.google.com/certificate-authority-service/docs/certificate-profile.
--extended-key-usages=[EXTENDED_KEY_USAGES,...]
The list of extended key usages for this certificate. This can
only be provided if --use-preset-profile is not provided.
EXTENDED_KEY_USAGES must be one of: server_auth, client_auth,
code_signing, email_protection, time_stamping, ocsp_signing.
--is-ca-cert
Whether this certificate is for a CertificateAuthority or not.
Indicates the Certificate Authority field in the x509 basic
constraints extension.
--key-usages=[KEY_USAGES,...]
The list of key usages for this certificate. This can only be
provided if --use-preset-profile is not provided. KEY_USAGES must
be one of: digital_signature, content_commitment,
key_encipherment, data_encipherment, key_agreement, cert_sign,
crl_sign, encipher_only, decipher_only.
--max-chain-length=MAX_CHAIN_LENGTH
Maximum depth of subordinate CAs allowed under this CA for a CA
certificate. This can only be provided if --use-preset-profile is
not provided.
OPTIONAL FLAGS
--ca=CA
The name of an existing certificate authority to use for issuing the
certificate. If omitted, a certificate authority will be will be chosen
from the CA pool by the service on your behalf.
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
--validity=VALIDITY; default="P30D"
The validity of this certificate, as an ISO8601 duration. Defaults to
30 days.
Certificate template resource - The name of a certificate template to use
for issuing this certificate, if desired. A template may overwrite parts
of the certificate request, and the use of certificate templates may be
required and/or regulated by the issuing CA Pool's CA Manager. The
specified template must be in the same location as the issuing CA Pool.
The arguments in this group can be used to specify the attributes of this
resource. (NOTE) Some attributes are not given arguments in this group but
can be set in other ways. To set the project attribute:
◆ provide the argument --template on the command line with a fully
specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
--template=TEMPLATE
ID of the certificate_template or fully qualified identifier for the
certificate_template. To set the certificate template attribute:
▸ provide the argument --template on the command line.
This flag must be specified if any of the other arguments in this
group are specified.
--template-location=TEMPLATE_LOCATION
The location of the certificate_template. To set the location
attribute:
▸ provide the argument --template on the command line with a fully
specified name;
▸ provide the argument --template-location on the command line;
▸ provide the argument --issuer-location on the command line;
▸ set the property privateca/location.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This variant is also available:
$ gcloud beta privateca certificates create