mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 10:35:03 +00:00
334 lines
15 KiB
Text
334 lines
15 KiB
Text
NAME
|
|
gcloud privateca roots create - create a new root certificate authority
|
|
|
|
SYNOPSIS
|
|
gcloud privateca roots create
|
|
(CERTIFICATE_AUTHORITY : --location=LOCATION --pool=POOL)
|
|
[--auto-enable] [--bucket=BUCKET] [--dns-san=[DNS_SAN,...]]
|
|
[--email-san=[EMAIL_SAN,...]] [--from-ca=FROM_CA]
|
|
[--ip-san=[IP_SAN,...]] [--labels=[KEY=VALUE,...]]
|
|
[--subject=[SUBJECT,...]] [--subject-key-id=SUBJECT_KEY_ID]
|
|
[--uri-san=[URI_SAN,...]] [--validity=VALIDITY; default="P10Y"]
|
|
[--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
|
|
| [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY
|
|
--kms-keyring=KMS_KEYRING
|
|
--kms-location=KMS_LOCATION --kms-project=KMS_PROJECT]]
|
|
[--use-preset-profile=USE_PRESET_PROFILE
|
|
| --extended-key-usages=[EXTENDED_KEY_USAGES,...]
|
|
--key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH
|
|
| --unconstrained-chain-length --no-name-constraints-critical
|
|
--name-excluded-dns=[NAME_EXCLUDED_DNS,...]
|
|
--name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
|
|
--name-excluded-ip=[NAME_EXCLUDED_IP,...]
|
|
--name-excluded-uri=[NAME_EXCLUDED_URI,...]
|
|
--name-permitted-dns=[NAME_PERMITTED_DNS,...]
|
|
--name-permitted-email=[NAME_PERMITTED_EMAIL,...]
|
|
--name-permitted-ip=[NAME_PERMITTED_IP,...]
|
|
--name-permitted-uri=[NAME_PERMITTED_URI,...]] [GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
TIP: Consider setting a project lien
|
|
(https://cloud.google.com/resource-manager/docs/project-liens) on the
|
|
project to prevent it from accidental deletion.
|
|
|
|
EXAMPLES
|
|
To create a root CA that supports one layer of subordinates:
|
|
|
|
$ gcloud privateca roots create prod-root --location=us-west1 \
|
|
--pool=my-pool \
|
|
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
|
|
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" \
|
|
--subject="CN=Example Production Root CA, O=Google" \
|
|
--max-chain-length=1
|
|
|
|
To create a root CA that is based on an existing CA:
|
|
|
|
$ gcloud privateca roots create prod-root --location=us-west1 \
|
|
--pool=my-pool \
|
|
--kms-key-version="projects/my-project-pki/locations/us-west1/ke\
|
|
yRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" --from-ca=source-root
|
|
|
|
POSITIONAL ARGUMENTS
|
|
Certificate Authority resource - The name of the root CA to create. The
|
|
arguments in this group can be used to specify the attributes of this
|
|
resource. (NOTE) Some attributes are not given arguments in this group but
|
|
can be set in other ways.
|
|
|
|
To set the project attribute:
|
|
◆ provide the argument CERTIFICATE_AUTHORITY on the command line with a
|
|
fully specified name;
|
|
◆ provide the argument --project on the command line;
|
|
◆ set the property core/project.
|
|
|
|
This must be specified.
|
|
|
|
CERTIFICATE_AUTHORITY
|
|
ID of the Certificate Authority or fully qualified identifier for the
|
|
Certificate Authority.
|
|
|
|
To set the certificate_authority attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line.
|
|
|
|
This positional argument must be specified if any of the other
|
|
arguments in this group are specified.
|
|
|
|
--location=LOCATION
|
|
The location of the Certificate Authority.
|
|
|
|
To set the location attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
|
|
with a fully specified name;
|
|
▸ provide the argument --location on the command line;
|
|
▸ set the property privateca/location.
|
|
|
|
--pool=POOL
|
|
The parent CA Pool of the Certificate Authority.
|
|
|
|
To set the pool attribute:
|
|
▸ provide the argument CERTIFICATE_AUTHORITY on the command line
|
|
with a fully specified name;
|
|
▸ provide the argument --pool on the command line.
|
|
|
|
FLAGS
|
|
--auto-enable
|
|
If this flag is set, the Certificate Authority will be automatically
|
|
enabled upon creation.
|
|
|
|
--bucket=BUCKET
|
|
The name of an existing storage bucket to use for storing the CA
|
|
certificates and CRLs for CAs in this pool. If omitted, a new bucket
|
|
will be created and managed by the service on your behalf.
|
|
|
|
--dns-san=[DNS_SAN,...]
|
|
One or more comma-separated DNS Subject Alternative Names.
|
|
|
|
--email-san=[EMAIL_SAN,...]
|
|
One or more comma-separated email Subject Alternative Names.
|
|
|
|
Source CA resource - An existing CA from which to copy configuration
|
|
values for the new CA. You can still override any of those values by
|
|
explicitly providing the appropriate flags. The specified existing CA must
|
|
be part of the same pool as the one being created. This represents a Cloud
|
|
resource. (NOTE) Some attributes are not given arguments in this group but
|
|
can be set in other ways.
|
|
|
|
To set the project attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --project on the command line;
|
|
◆ set the property core/project.
|
|
|
|
To set the location attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --location on the command line;
|
|
◆ set the property privateca/location.
|
|
|
|
To set the pool attribute:
|
|
◆ provide the argument --from-ca on the command line with a fully
|
|
specified name;
|
|
◆ provide the argument --pool on the command line.
|
|
|
|
--from-ca=FROM_CA
|
|
ID of the source CA or fully qualified identifier for the source CA.
|
|
|
|
To set the certificate_authority attribute:
|
|
▸ provide the argument --from-ca on the command line.
|
|
|
|
--ip-san=[IP_SAN,...]
|
|
One or more comma-separated IP Subject Alternative Names.
|
|
|
|
--labels=[KEY=VALUE,...]
|
|
List of label KEY=VALUE pairs to add.
|
|
|
|
Keys must start with a lowercase character and contain only hyphens
|
|
(-), underscores (_), lowercase characters, and numbers. Values must
|
|
contain only hyphens (-), underscores (_), lowercase characters, and
|
|
numbers.
|
|
|
|
--subject=[SUBJECT,...]
|
|
X.501 name of the certificate subject. Example: --subject
|
|
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
|
|
|
|
--subject-key-id=SUBJECT_KEY_ID
|
|
Optional field to specify subject key ID for certificate. DO NOT USE
|
|
except to maintain a previously established identifier for a public
|
|
key, whose SKI was not generated using method (1) described in RFC 5280
|
|
section 4.2.1.2.
|
|
|
|
--uri-san=[URI_SAN,...]
|
|
One or more comma-separated URI Subject Alternative Names.
|
|
|
|
--validity=VALIDITY; default="P10Y"
|
|
The validity of this CA, as an ISO8601 duration. Defaults to 10 years.
|
|
|
|
The key configuration used for the CA certificate. Defaults to a managed
|
|
key if not specified.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
|
|
The crypto algorithm to use for creating a managed KMS key for the
|
|
Certificate Authority. The default is rsa-pkcs1-4096-sha256.
|
|
KEY_ALGORITHM must be one of: ec-p256-sha256, ec-p384-sha384,
|
|
rsa-pkcs1-2048-sha256, rsa-pkcs1-3072-sha256, rsa-pkcs1-4096-sha256,
|
|
rsa-pss-2048-sha256, rsa-pss-3072-sha256, rsa-pss-4096-sha256.
|
|
|
|
Key version resource - An existing KMS key version to back this CA. The
|
|
arguments in this group can be used to specify the attributes of this
|
|
resource.
|
|
|
|
--kms-key-version=KMS_KEY_VERSION
|
|
ID of the key version or fully qualified identifier for the key
|
|
version.
|
|
|
|
To set the kms-key-version attribute:
|
|
▫ provide the argument --kms-key-version on the command line.
|
|
|
|
This flag argument must be specified if any of the other arguments
|
|
in this group are specified.
|
|
|
|
--kms-key=KMS_KEY
|
|
The KMS key of the key version.
|
|
|
|
To set the kms-key attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-key on the command line.
|
|
|
|
--kms-keyring=KMS_KEYRING
|
|
The KMS keyring of the key version.
|
|
|
|
To set the kms-keyring attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-keyring on the command line.
|
|
|
|
--kms-location=KMS_LOCATION
|
|
The location of the key version.
|
|
|
|
To set the kms-location attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-location on the command line;
|
|
▫ provide the argument location on the command line;
|
|
▫ set the property privateca/location.
|
|
|
|
--kms-project=KMS_PROJECT
|
|
The project containing the key version.
|
|
|
|
To set the kms-project attribute:
|
|
▫ provide the argument --kms-key-version on the command line with
|
|
a fully specified name;
|
|
▫ provide the argument --kms-project on the command line;
|
|
▫ provide the argument project on the command line;
|
|
▫ set the property core/project.
|
|
|
|
The X.509 configuration used for the CA certificate.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--use-preset-profile=USE_PRESET_PROFILE
|
|
The name of an existing preset profile used to encapsulate X.509
|
|
parameter values. USE_PRESET_PROFILE must be one of: leaf_client_tls,
|
|
leaf_code_signing, leaf_mtls, leaf_server_tls, leaf_smime,
|
|
root_unconstrained, subordinate_client_tls_pathlen_0,
|
|
subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0,
|
|
subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0,
|
|
subordinate_unconstrained_pathlen_0.
|
|
|
|
For more information, see
|
|
https://cloud.google.com/certificate-authority-service/docs/certificate-profile.
|
|
|
|
--extended-key-usages=[EXTENDED_KEY_USAGES,...]
|
|
The list of extended key usages for this CA. This can only be
|
|
provided if --use-preset-profile is not provided. EXTENDED_KEY_USAGES
|
|
must be one of: server_auth, client_auth, code_signing,
|
|
email_protection, time_stamping, ocsp_signing.
|
|
|
|
--key-usages=[KEY_USAGES,...]
|
|
The list of key usages for this CA. This can only be provided if
|
|
--use-preset-profile is not provided. KEY_USAGES must be one of:
|
|
digital_signature, content_commitment, key_encipherment,
|
|
data_encipherment, key_agreement, cert_sign, crl_sign, encipher_only,
|
|
decipher_only.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--max-chain-length=MAX_CHAIN_LENGTH
|
|
Maximum depth of subordinate CAs allowed under this CA for a CA
|
|
certificate. This can only be provided if neither
|
|
--use-preset-profile nor --unconstrained-chain-length are provided.
|
|
|
|
--unconstrained-chain-length
|
|
If set, allows an unbounded number of subordinate CAs under this
|
|
newly issued CA certificate. This can only be provided if neither
|
|
--use-preset-profile nor --max-chain-length are provided.
|
|
|
|
The x509 name constraints configurations
|
|
|
|
--name-constraints-critical
|
|
Indicates whether or not name constraints are marked as critical.
|
|
Name constraints are considered critical unless explicitly set to
|
|
false. Enabled by default, use --no-name-constraints-critical to
|
|
disable.
|
|
|
|
--name-excluded-dns=[NAME_EXCLUDED_DNS,...]
|
|
One or more comma-separated DNS names which are excluded from being
|
|
issued certificates. Any DNS name that can be constructed by simply
|
|
adding zero or more labels to the left-hand side of the name
|
|
satisfies the name constraint. For example, example.com,
|
|
www.example.com, www.sub.example.com would satisfy example.com,
|
|
while example1.com does not.
|
|
|
|
--name-excluded-email=[NAME_EXCLUDED_EMAIL,...]
|
|
One or more comma-separated emails which are excluded from being
|
|
issued certificates. The value can be a particular email address, a
|
|
hostname to indicate all email addresses on that host or a domain
|
|
with a leading period (e.g. .example.com) to indicate all email
|
|
addresses in that domain.
|
|
|
|
--name-excluded-ip=[NAME_EXCLUDED_IP,...]
|
|
One or more comma-separated IP ranges which are excluded from being
|
|
issued certificates. For IPv4 addresses, the ranges are expressed
|
|
using CIDR notation as specified in RFC 4632. For IPv6 addresses,
|
|
the ranges are expressed in similar encoding as IPv4
|
|
|
|
--name-excluded-uri=[NAME_EXCLUDED_URI,...]
|
|
One or more comma-separated URIs which are excluded from being
|
|
issued certificates. The value can be a hostname or a domain with a
|
|
leading period (like .example.com)
|
|
|
|
--name-permitted-dns=[NAME_PERMITTED_DNS,...]
|
|
One or more comma-separated DNS names which are permitted to be
|
|
issued certificates. Any DNS name that can be constructed by simply
|
|
adding zero or more labels to the left-hand side of the name
|
|
satisfies the name constraint. For example, example.com,
|
|
www.example.com, www.sub.example.com would satisfy example.com,
|
|
while example1.com does not.
|
|
|
|
--name-permitted-email=[NAME_PERMITTED_EMAIL,...]
|
|
One or more comma-separated email addresses which are permitted to
|
|
be issued certificates. The value can be a particular email
|
|
address, a hostname to indicate all email addresses on that host or
|
|
a domain with a leading period (e.g. .example.com) to indicate all
|
|
email addresses in that domain.
|
|
|
|
--name-permitted-ip=[NAME_PERMITTED_IP,...]
|
|
One or more comma-separated IP ranges which are permitted to be
|
|
issued certificates. For IPv4 addresses, the ranges are expressed
|
|
using CIDR notation as specified in RFC 4632. For IPv6 addresses,
|
|
the ranges are expressed in similar encoding as IPv4
|
|
|
|
--name-permitted-uri=[NAME_PERMITTED_URI,...]
|
|
One or more comma-separated URIs which are permitted to be issued
|
|
certificates. The value can be a hostname or a domain with a
|
|
leading period (like .example.com)
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|