1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 18:45:13 +00:00
gcloud-help/gcloud/beta/privateca/subordinates/create
2023-05-04 10:43:54 +00:00

354 lines
14 KiB
Text

NAME
gcloud beta privateca subordinates create - create a new subordinate
certificate authority
SYNOPSIS
gcloud beta privateca subordinates create
(CERTIFICATE_AUTHORITY : --location=LOCATION)
(--create-csr --csr-output-file=CSR_OUTPUT_FILE
| [--issuer=ISSUER : --issuer-location=ISSUER_LOCATION])
[--bucket=BUCKET] [--dns-san=[DNS_SAN,...]]
[--email-san=[EMAIL_SAN,...]] [--ip-san=[IP_SAN,...]]
[--issuance-policy=ISSUANCE_POLICY] [--labels=[KEY=VALUE,...]]
[--no-publish-ca-cert] [--no-publish-crl] [--subject=[SUBJECT,...]]
[--tier=TIER; default="enterprise"] [--uri-san=[URI_SAN,...]]
[--validity=VALIDITY; default="P3Y"]
[--from-ca=FROM_CA : --from-ca-location=FROM_CA_LOCATION
--from-ca-project=FROM_CA_PROJECT]
[--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-2048-sha256"
| [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
--kms-keyring=KMS_KEYRING
--kms-location=KMS_LOCATION --kms-project=KMS_PROJECT]]
[--reusable-config=REUSABLE_CONFIG
| --extended-key-usages=[EXTENDED_KEY_USAGES,...]
--key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH]
[GCLOUD_WIDE_FLAG ...]
EXAMPLES
To create a subordinate CA named 'server-tls-1' whose issuer is on Private
CA:
$ gcloud beta privateca subordinates create server-tls-1 \
--subject="CN=Example TLS CA, O=Google" --issuer=prod-root \
--issuer-location=us-west1 \
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
To create a subordinate CA named 'server-tls-1' whose issuer is located
elsewhere:
$ gcloud beta privateca subordinates create server-tls-1 \
--subject="CN=Example TLS CA, O=Google" --create-csr \
--csr-output-file="./csr.pem" \
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
To create a subordinate CA named 'server-tls-1' chaining up to a root CA
named 'prod-root' based on an existing CA:
$ gcloud beta privateca subordinates create server-tls-1 \
--issuer=prod-root --issuer-location=us-west1 \
--from-ca=source-ca --from-ca-location=us-central1 \
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
POSITIONAL ARGUMENTS
Certificate Authority resource - The name of the subordinate CA to create.
The arguments in this group can be used to specify the attributes of this
resource. (NOTE) Some attributes are not given arguments in this group but
can be set in other ways.
To set the project attribute:
◆ provide the argument CERTIFICATE_AUTHORITY on the command line with a
fully specified name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
This must be specified.
CERTIFICATE_AUTHORITY
ID of the Certificate Authority or fully qualified identifier for the
Certificate Authority.
To set the certificate_authority attribute:
▸ provide the argument CERTIFICATE_AUTHORITY on the command line.
This positional argument must be specified if any of the other
arguments in this group are specified.
--location=LOCATION
The location of the Certificate Authority.
To set the location attribute:
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
with a fully specified name;
▸ provide the argument --location on the command line;
▸ set the property privateca/location.
REQUIRED FLAGS
The issuer configuration used for this CA certificate.
Exactly one of these must be specified:
If the issuing CA is not hosted on Private CA, you must provide these
settings:
--create-csr
Indicates that a CSR should be generated which can be signed by the
issuing CA. This must be set if --issuer is not provided.
This flag argument must be specified if any of the other arguments
in this group are specified.
--csr-output-file=CSR_OUTPUT_FILE
The path where the resulting PEM-encoded CSR file should be
written.
This flag argument must be specified if any of the other arguments
in this group are specified.
Issuer resource - The issuing certificate authority to use, if it is on
Private CA. The arguments in this group can be used to specify the
attributes of this resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
▸ provide the argument --issuer on the command line with a fully
specified name;
▸ provide the argument --project on the command line;
▸ set the property core/project.
--issuer=ISSUER
ID of the Issuer or fully qualified identifier for the Issuer.
To set the certificate_authority attribute:
▫ provide the argument --issuer on the command line.
This flag argument must be specified if any of the other arguments
in this group are specified.
--issuer-location=ISSUER_LOCATION
The location of the Issuer.
To set the location attribute:
▫ provide the argument --issuer on the command line with a fully
specified name;
▫ provide the argument --issuer-location on the command line;
▫ set the property privateca/location.
OPTIONAL FLAGS
--bucket=BUCKET
The name of an existing storage bucket to use for storing the CA
certificate and CRLs. If omitted, a new bucket will be created and
managed by the service on your behalf.
--dns-san=[DNS_SAN,...]
One or more comma-separated DNS Subject Alternative Names.
--email-san=[EMAIL_SAN,...]
One or more comma-separated email Subject Alternative Names.
--ip-san=[IP_SAN,...]
One or more comma-separated IP Subject Alternative Names.
--issuance-policy=ISSUANCE_POLICY
A YAML file describing this Certificate Authority's issuance policy.
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
--publish-ca-cert
If this is enabled, the following will happen: 1) The CA certificate
will be written to a known location within the CA distribution point.
2) The AIA extension in all issued certificates will point to the CA
cert URL in that distribition point.
Note that the same bucket may be used for the CRLs if --publish-crl is
set.
Enabled by default, use --no-publish-ca-cert to disable.
--publish-crl
If this gets enabled, the following will happen: 1) CRLs will be
written to a known location within the CA distribution point. 2) The
CDP extension in all future issued certificates will point to the CRL
URL in that distribution point.
Note that the same bucket may be used for the CA cert if
--publish-ca-cert is set.
CRL publication is not supported for CAs in the DevOps tier.
Enabled by default, use --no-publish-crl to disable.
--subject=[SUBJECT,...]
X.501 name of the certificate subject. Example: --subject
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
--tier=TIER; default="enterprise"
The tier for the Certificate Authority. TIER must be one of: devops,
enterprise.
--uri-san=[URI_SAN,...]
One or more comma-separated URI Subject Alternative Names.
--validity=VALIDITY; default="P3Y"
The validity of this CA, as an ISO8601 duration. Defaults to 3 years.
Source CA resource - An existing CA from which to copy configuration
values for the new CA. You can still override any of those values by
explicitly providing the appropriate flags. The arguments in this group
can be used to specify the attributes of this resource.
--from-ca=FROM_CA
ID of the source CA or fully qualified identifier for the source CA.
To set the certificate_authority attribute:
▸ provide the argument --from-ca on the command line.
This flag argument must be specified if any of the other arguments in
this group are specified.
--from-ca-location=FROM_CA_LOCATION
The location of the source CA.
To set the location attribute:
▸ provide the argument --from-ca on the command line with a fully
specified name;
▸ provide the argument --from-ca-location on the command line;
▸ set the property privateca/location.
--from-ca-project=FROM_CA_PROJECT
Project ID of the Google Cloud project for the source CA.
To set the project attribute:
▸ provide the argument --from-ca on the command line with a fully
specified name;
▸ provide the argument --from-ca-project on the command line;
▸ provide the argument --project on the command line;
▸ set the property core/project.
The key configuration used for the CA certificate. Defaults to a managed
key if not specified.
At most one of these can be specified:
--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-2048-sha256"
The crypto algorithm to use for creating a managed KMS key for the
Certificate Authority. The default is rsa-pkcs1-2048-sha256.
KEY_ALGORITHM must be one of: ec-p256-sha256, ec-p384-sha384,
rsa-pkcs1-2048-sha256, rsa-pkcs1-3072-sha256, rsa-pkcs1-4096-sha256,
rsa-pss-2048-sha256, rsa-pss-3078-sha256, rsa-pss-4096-sha256.
Key version resource - The KMS key version backing this CA. The
arguments in this group can be used to specify the attributes of this
resource.
--kms-key-version=KMS_KEY_VERSION
ID of the key version or fully qualified identifier for the key
version.
To set the kms-key-version attribute:
▫ provide the argument --kms-key-version on the command line.
This flag argument must be specified if any of the other arguments
in this group are specified.
--kms-key=KMS_KEY
The KMS key of the key version.
To set the kms-key attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-key on the command line.
--kms-keyring=KMS_KEYRING
The KMS keyring of the key version.
To set the kms-keyring attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-keyring on the command line.
--kms-location=KMS_LOCATION
The location of the key version.
To set the kms-location attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-location on the command line;
▫ provide the argument location on the command line;
▫ set the property privateca/location.
--kms-project=KMS_PROJECT
The project containing the key version.
To set the kms-project attribute:
▫ provide the argument --kms-key-version on the command line with
a fully specified name;
▫ provide the argument --kms-project on the command line;
▫ provide the argument project on the command line;
▫ set the property core/project.
The X.509 configuration used for the CA certificate.
At most one of these can be specified:
Reusable config resource - The Reusable Config containing X.509 values
for this CA. This represents a Cloud resource. (NOTE) Some attributes
are not given arguments in this group but can be set in other ways.
To set the project attribute:
▸ provide the argument --reusable-config on the command line with a
fully specified name;
▸ project will default to privateca-data.
To set the location attribute:
▸ provide the argument --reusable-config on the command line with a
fully specified name;
▸ location will default to the same location as the CA.
--reusable-config=REUSABLE_CONFIG
ID of the reusable config or fully qualified identifier for the
reusable config.
To set the reusable_config attribute:
▫ provide the argument --reusable-config on the command line.
--extended-key-usages=[EXTENDED_KEY_USAGES,...]
The list of extended key usages for this CA. This can only be
provided if --reusable-config is not provided. EXTENDED_KEY_USAGES
must be one of: server_auth, client_auth, code_signing,
email_protection, time_stamping, ocsp_signing.
--key-usages=[KEY_USAGES,...]
The list of key usages for this CA. This can only be provided if
--reusable-config is not provided. KEY_USAGES must be one of:
digital_signature, content_commitment, key_encipherment,
data_encipherment, key_agreement, cert_sign, crl_sign, encipher_only,
decipher_only.
--max-chain-length=MAX_CHAIN_LENGTH
Maximum depth of subordinate CAs allowed under this CA for a CA
certificate. This can only be provided if --reusable-config is not
provided.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud privateca subordinates create