mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 18:45:13 +00:00
233 lines
10 KiB
Text
233 lines
10 KiB
Text
NAME
|
|
gcloud privateca roots create - create a new root certificate authority
|
|
|
|
SYNOPSIS
|
|
gcloud privateca roots create
|
|
(CERTIFICATE_AUTHORITY : --location=LOCATION --pool=POOL)
|
|
--from-ca=FROM_CA [--auto-enable] [--bucket=BUCKET]
|
|
[--dns-san=[DNS_SAN,...]] [--email-san=[EMAIL_SAN,...]]
|
|
[--ip-san=[IP_SAN,...]] [--labels=[KEY=VALUE,...]]
|
|
[--subject=[SUBJECT,...]] [--uri-san=[URI_SAN,...]]
|
|
[--validity=VALIDITY; default="P10Y"]
|
|
[--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
|
|
| [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
|
|
--kms-keyring=KMS_KEYRING
|
|
--kms-location=KMS_LOCATION --kms-project=KMS_PROJECT]]
|
|
[--use-preset-profile=USE_PRESET_PROFILE
|
|
| --extended-key-usages=[EXTENDED_KEY_USAGES,...]
|
|
--key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
EXAMPLES
|
|
To create a root CA that supports one layer of subordinates:
|
|
|
|
$ gcloud privateca roots create prod-root --location=us-west1 \
|
|
--pool=my-pool \
|
|
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
|
|
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" \
|
|
--subject="CN=Example Production Root CA, O=Google" \
|
|
--max-chain-length=1
|
|
|
|
To create a root CA that is based on an existing CA:
|
|
|
|
$ gcloud privateca roots create prod-root --location=us-west1 \
|
|
--pool=my-pool \
|
|
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
|
|
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" --from-ca=source-root
|
|
|
|
POSITIONAL ARGUMENTS
|
|
Certificate Authority resource - The name of the root CA to create. The
|
|
arguments in this group can be used to specify the attributes of this
|
|
resource. (NOTE) Some attributes are not given arguments in this group but
|
|
can be set in other ways. To set the project attribute:
|
|
◆ provide the argument CERTIFICATE_AUTHORITY on the command line with a
|
|
fully specified name;
|
|
◆ provide the argument --project on the command line;
|
|
◆ set the property core/project.
|
|
|
|
This must be specified.
|
|
|
|
CERTIFICATE_AUTHORITY
|
|
ID of the Certificate Authority or fully qualified identifier for the
|
|
Certificate Authority. To set the certificate_authority attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line.
|
|
|
|
This positional must be specified if any of the other arguments in
|
|
this group are specified.
|
|
|
|
--location=LOCATION
|
|
The location of the Certificate Authority. To set the location
|
|
attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
|
|
with a fully specified name;
|
|
▸ provide the argument --location on the command line;
|
|
▸ set the property privateca/location.
|
|
|
|
--pool=POOL
|
|
The parent CA Pool of the Certificate Authority. To set the pool
|
|
attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
|
|
with a fully specified name;
|
|
▸ provide the argument --pool on the command line.
|
|
|
|
FLAGS
|
|
Source CA resource - An existing CA from which to copy configuration
|
|
values for the new CA. You can still override any of those values by
|
|
explicitly providing the appropriate flags. The specified existing CA must
|
|
be part of the same pool as the one being created. This represents a Cloud
|
|
resource. (NOTE) Some attributes are not given arguments in this group but
|
|
can be set in other ways. To set the project attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --project on the command line;
|
|
◆ set the property core/project. To set the location attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --location on the command line;
|
|
◆ set the property privateca/location. To set the pool attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --pool on the command line.
|
|
|
|
--from-ca=FROM_CA
|
|
ID of the source CA or fully qualified identifier for the source CA.
|
|
To set the certificate_authority attribute:
|
|
▸ provide the argument --from-ca on the command line.
|
|
|
|
--auto-enable
|
|
If this flag is set, the Certificate Authority will be automatically
|
|
enabled upon creation.
|
|
|
|
--bucket=BUCKET
|
|
The name of an existing storage bucket to use for storing the CA
|
|
certificates and CRLs for CAs in this pool. If omitted, a new bucket
|
|
will be created and managed by the service on your behalf.
|
|
|
|
--dns-san=[DNS_SAN,...]
|
|
One or more comma-separated DNS Subject Alternative Names.
|
|
|
|
--email-san=[EMAIL_SAN,...]
|
|
One or more comma-separated email Subject Alternative Names.
|
|
|
|
--ip-san=[IP_SAN,...]
|
|
One or more comma-separated IP Subject Alternative Names.
|
|
|
|
--labels=[KEY=VALUE,...]
|
|
List of label KEY=VALUE pairs to add.
|
|
|
|
Keys must start with a lowercase character and contain only hyphens
|
|
(-), underscores (_), lowercase characters, and numbers. Values must
|
|
contain only hyphens (-), underscores (_), lowercase characters, and
|
|
numbers.
|
|
|
|
--subject=[SUBJECT,...]
|
|
X.501 name of the certificate subject. Example: --subject
|
|
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
|
|
|
|
--uri-san=[URI_SAN,...]
|
|
One or more comma-separated URI Subject Alternative Names.
|
|
|
|
--validity=VALIDITY; default="P10Y"
|
|
The validity of this CA, as an ISO8601 duration. Defaults to 10 years.
|
|
|
|
The key configuration used for the CA certificate. Defaults to a managed
|
|
key if not specified.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
|
|
The crypto algorithm to use for creating a managed KMS key for the
|
|
Certificate Authority. The default is rsa-pkcs1-4096-sha256.
|
|
KEY_ALGORITHM must be one of: ec-p256-sha256, ec-p384-sha384,
|
|
rsa-pkcs1-2048-sha256, rsa-pkcs1-3072-sha256, rsa-pkcs1-4096-sha256,
|
|
rsa-pss-2048-sha256, rsa-pss-3072-sha256, rsa-pss-4096-sha256.
|
|
|
|
Key version resource - An existing KMS key version to back this CA. The
|
|
arguments in this group can be used to specify the attributes of this
|
|
resource.
|
|
|
|
--kms-key-version=KMS_KEY_VERSION
|
|
ID of the key version or fully qualified identifier for the key
|
|
version. To set the kms-key-version attribute:
|
|
▫ provide the argument --kms-key-version on the command line.
|
|
|
|
This flag must be specified if any of the other arguments in this
|
|
group are specified.
|
|
|
|
--kms-key=KMS_KEY
|
|
The KMS key of the key version. To set the kms-key attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-key on the command line.
|
|
|
|
--kms-keyring=KMS_KEYRING
|
|
The KMS keyring of the key version. To set the kms-keyring
|
|
attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-keyring on the command line.
|
|
|
|
--kms-location=KMS_LOCATION
|
|
The location of the key version. To set the kms-location attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-location on the command line;
|
|
▫ provide the argument location on the command line;
|
|
▫ set the property privateca/location.
|
|
|
|
--kms-project=KMS_PROJECT
|
|
The project containing the key version. To set the kms-project
|
|
attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-project on the command line;
|
|
▫ provide the argument project on the command line;
|
|
▫ set the property core/project.
|
|
|
|
The X.509 configuration used for the CA certificate.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--use-preset-profile=USE_PRESET_PROFILE
|
|
The name of an existing preset profile used to encapsulate X.509
|
|
parameter values. USE_PRESET_PROFILE must be one of: leaf_client_tls,
|
|
leaf_code_signing, leaf_mtls, leaf_server_tls, leaf_smime,
|
|
root_unconstrained, subordinate_client_tls_pathlen_0,
|
|
subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0,
|
|
subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0,
|
|
subordinate_unconstrained_pathlen_0.
|
|
|
|
For more information, see
|
|
https://cloud.google.com/certificate-authority-service/docs/certificate-profile.
|
|
|
|
--extended-key-usages=[EXTENDED_KEY_USAGES,...]
|
|
The list of extended key usages for this CA. This can only be
|
|
provided if --use-preset-profile is not provided. EXTENDED_KEY_USAGES
|
|
must be one of: server_auth, client_auth, code_signing,
|
|
email_protection, time_stamping, ocsp_signing.
|
|
|
|
--key-usages=[KEY_USAGES,...]
|
|
The list of key usages for this CA. This can only be provided if
|
|
--use-preset-profile is not provided. KEY_USAGES must be one of:
|
|
digital_signature, content_commitment, key_encipherment,
|
|
data_encipherment, key_agreement, cert_sign, crl_sign, encipher_only,
|
|
decipher_only.
|
|
|
|
--max-chain-length=MAX_CHAIN_LENGTH
|
|
Maximum depth of subordinate CAs allowed under this CA for a CA
|
|
certificate. This can only be provided if --use-preset-profile is not
|
|
provided.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This variant is also available:
|
|
|
|
$ gcloud beta privateca roots create
|
|
|