man-page

GCLOUD_PRIVATECA_SUBORDINATES_CREATE(1)
GCLOUD_PRIVATECA_SUBORDINATES_CREATE(1)

NAME

gcloud privateca subordinates create - create a new subordinate certificate authority

gcloud privateca subordinates create (CERTIFICATE_AUTHORITY : --location=LOCATION --pool=POOL) (--create-csr --csr-output-file=CSR_OUTPUT_FILE | --issuer-ca=ISSUER_CA [--issuer-pool=ISSUER_POOL : --issuer-location=ISSUER_LOCATION]) --from-ca=FROM_CA [--auto-enable] [--bucket=BUCKET] [--dns-san=[DNS_SAN,...]] [--email-san=[EMAIL_SAN,...]] [--ip-san=[IP_SAN,...]] [--labels=[KEY=VALUE,...]] [--subject=[SUBJECT,...]] [--uri-san=[URI_SAN,...]] [--validity=VALIDITY; default="P3Y"] [--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-2048-sha256" | [--kms-key-version=KMS_KEY_VERSION : --kms-key=KMS_KEY --kms-keyring=KMS_KEYRING --kms-location=KMS_LOCATION --kms-project=KMS_PROJECT]] [--use-preset-profile=USE_PRESET_PROFILE | --extended-key-usages=[EXTENDED_KEY_USAGES,...] --key-usages=[KEY_USAGES,...] --max-chain-length=MAX_CHAIN_LENGTH | --unconstrained-chain-length] [GCLOUD_WIDE_FLAG ...]

EXAMPLES

To create a subordinate CA named 'server-tls-1' whose issuer is on Private CA:

$ gcloud privateca subordinates create server-tls-1 \ --location=us-west1 --pool=my-pool \ --subject="CN=Example TLS CA, O=Google" \ --issuer-pool=other-pool --issuer-location=us-west1 \ --kms-key-version="projects/my-project-pki/locations/us-west1/ke\ yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"

To create a subordinate CA named 'server-tls-1' whose issuer is located elsewhere:

$ gcloud privateca subordinates create server-tls-1 \ --location=us-west1 --pool=my-pool \ --subject="CN=Example TLS CA, O=Google" --create-csr \ --csr-output-file=./csr.pem \ --kms-key-version="projects/my-project-pki/locations/us-west1/ke\ yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"

To create a subordinate CA named 'server-tls-1' chaining up to a root CA named 'prod-root' based on an existing CA:

$ gcloud privateca subordinates create server-tls-1 \ --location=us-west1 --pool=my-pool --issuer-pool=other-pool \ --issuer-location=us-west1 --from-ca=source-ca \ --kms-key-version="projects/my-project-pki/locations/us-west1/ke\ yRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"

POSITIONAL ARGUMENTS

Certificate Authority resource - The name of the subordinate CA to create. The

arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:

—

provide the argument CERTIFICATE_AUTHORITY on the command line with a fully specified name;

—

provide the argument --project on the command line;

—

set the property core/project.

This must be specified.

CERTIFICATE_AUTHORITY

ID of the Certificate Authority or fully qualified identifier for the Certificate Authority. To set the certificate_authority attribute:

provide the argument CERTIFICATE_AUTHORITY on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION

The location of the Certificate Authority. To set the location attribute:

provide the argument CERTIFICATE_AUTHORITY on the command line with a fully specified name;

provide the argument --location on the command line;

set the property privateca/location.

--pool=POOL

The parent CA Pool of the Certificate Authority. To set the pool attribute:

provide the argument CERTIFICATE_AUTHORITY on the command line with a fully specified name;

provide the argument --pool on the command line.

REQUIRED FLAGS

The issuer configuration used for this CA certificate.

Exactly one of these must be specified:

If the issuing CA is not hosted on Private CA, you must provide these settings:

--create-csr

Indicates that a CSR should be generated which can be signed by the issuing CA. This must be set if --issuer is not provided.

This flag argument must be specified if any of the other arguments in this group are specified.

--csr-output-file=CSR_OUTPUT_FILE

The path where the resulting PEM-encoded CSR file should be written.

This flag argument must be specified if any of the other arguments in this group are specified.

The issuing resource used for this CA certificate.

--issuer-ca=ISSUER_CA

The Certificate Authority ID of the CA to issue the subordinate CA certificate from. This ID is optional. If ommitted, any available ENABLED CA in the issuing CA pool will be chosen.

Issuer resource - The issuing CA Pool to use, if it is on Private CA. The

arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:

—

provide the argument --issuer-pool on the command line with a fully specified name;

—

provide the argument --project on the command line;

—

set the property core/project.

--issuer-pool=ISSUER_POOL

ID of the Issuer or fully qualified identifier for the Issuer. To set the pool attribute:

provide the argument --issuer-pool on the command line.

This flag argument must be specified if any of the other arguments in this group are specified.

--issuer-location=ISSUER_LOCATION

The location of the Issuer. To set the location attribute:

provide the argument --issuer-pool on the command line with a fully specified name;

provide the argument --issuer-location on the command line;

set the property privateca/location.

OPTIONAL FLAGS

Source CA resource - An existing CA from which to copy configuration values for

the new CA. You can still override any of those values by explicitly providing the appropriate flags. The specified existing CA must be part of the same pool as the one being created. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways. To set the project attribute:

—

provide the argument --from-ca on the command line with a fully specified name;

—

provide the argument --project on the command line;

—

set the property core/project. To set the location attribute:

—

provide the argument --from-ca on the command line with a fully specified name;

—

provide the argument --location on the command line;

—

set the property privateca/location. To set the pool attribute:

—

provide the argument --from-ca on the command line with a fully specified name;

—

provide the argument --pool on the command line.

--from-ca=FROM_CA

ID of the source CA or fully qualified identifier for the source CA. To set the certificate_authority attribute:

provide the argument --from-ca on the command line.

--auto-enable

If this flag is set, the Certificate Authority will be automatically enabled upon creation.

--bucket=BUCKET

The name of an existing storage bucket to use for storing the CA certificates and CRLs for CAs in this pool. If omitted, a new bucket will be created and managed by the service on your behalf.

--dns-san=[DNS_SAN,...]

One or more comma-separated DNS Subject Alternative Names.

--email-san=[EMAIL_SAN,...]

One or more comma-separated email Subject Alternative Names.

--ip-san=[IP_SAN,...]

One or more comma-separated IP Subject Alternative Names.

--labels=[KEY=VALUE,...]

List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

--subject=[SUBJECT,...]

X.501 name of the certificate subject. Example: --subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"

--uri-san=[URI_SAN,...]

One or more comma-separated URI Subject Alternative Names.

--validity=VALIDITY; default="P3Y"

The validity of this CA, as an ISO8601 duration. Defaults to 3 years.

The key configuration used for the CA certificate. Defaults to a managed key if

not specified.

At most one of these can be specified:

--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-2048-sha256"

The crypto algorithm to use for creating a managed KMS key for the Certificate Authority. The default is rsa-pkcs1-2048-sha256. KEY_ALGORITHM must be one of: ec-p256-sha256, ec-p384-sha384, rsa-pkcs1-2048-sha256, rsa-pkcs1-3072-sha256, rsa-pkcs1-4096-sha256, rsa-pss-2048-sha256, rsa-pss-3072-sha256, rsa-pss-4096-sha256.

Key version resource - The KMS key version backing this CA. The arguments in

this group can be used to specify the attributes of this resource.

--kms-key-version=KMS_KEY_VERSION

ID of the key version or fully qualified identifier for the key version. To set the kms-key-version attribute:

—

provide the argument --kms-key-version on the command line.

This flag argument must be specified if any of the other arguments in this group are specified.

--kms-key=KMS_KEY

The KMS key of the key version. To set the kms-key attribute:

—

provide the argument --kms-key-version on the command line with a fully specified name;

—

provide the argument --kms-key on the command line.

--kms-keyring=KMS_KEYRING

The KMS keyring of the key version. To set the kms-keyring attribute:

—

provide the argument --kms-key-version on the command line with a fully specified name;

—

provide the argument --kms-keyring on the command line.

--kms-location=KMS_LOCATION

The location of the key version. To set the kms-location attribute:

—

provide the argument --kms-key-version on the command line with a fully specified name;

—

provide the argument --kms-location on the command line;

—

provide the argument location on the command line;

—

set the property privateca/location.

--kms-project=KMS_PROJECT

The project containing the key version. To set the kms-project attribute:

—

provide the argument --kms-key-version on the command line with a fully specified name;

—

provide the argument --kms-project on the command line;

—

provide the argument project on the command line;

—

set the property core/project.

The X.509 configuration used for the CA certificate.

At most one of these can be specified:

--use-preset-profile=USE_PRESET_PROFILE

The name of an existing preset profile used to encapsulate X.509 parameter values. USE_PRESET_PROFILE must be one of: leaf_client_tls, leaf_code_signing, leaf_mtls, leaf_server_tls, leaf_smime, root_unconstrained, subordinate_client_tls_pathlen_0, subordinate_code_signing_pathlen_0, subordinate_mtls_pathlen_0, subordinate_server_tls_pathlen_0, subordinate_smime_pathlen_0, subordinate_unconstrained_pathlen_0.

For more information, see https://cloud.google.com/certificate-authority-service/docs/certificate-profile.

--extended-key-usages=[EXTENDED_KEY_USAGES,...]

The list of extended key usages for this CA. This can only be provided if --use-preset-profile is not provided. EXTENDED_KEY_USAGES must be one of: server_auth, client_auth, code_signing, email_protection, time_stamping, ocsp_signing.

--key-usages=[KEY_USAGES,...]

The list of key usages for this CA. This can only be provided if --use-preset-profile is not provided. KEY_USAGES must be one of: digital_signature, content_commitment, key_encipherment, data_encipherment, key_agreement, cert_sign, crl_sign, encipher_only, decipher_only.

At most one of these can be specified:

--max-chain-length=MAX_CHAIN_LENGTH

Maximum depth of subordinate CAs allowed under this CA for a CA certificate. This can only be provided if neither --use-preset-profile nor --unconstrained-chain-length are provided.

--unconstrained-chain-length

If set, allows an unbounded number of subordinate CAs under this newly issued CA certificate. This can only be provided if neither --use-preset-profile nor --max-chain-length are provided.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

This variant is also available:

$ gcloud beta privateca subordinates create