File: //snap/google-cloud-cli/current/help/man/man1/gcloud_beta_topic_client-certificate.1
.TH "GCLOUD_BETA_TOPIC_CLIENT\-CERTIFICATE" 1



.SH "NAME"
.HP
gcloud beta topic client\-certificate \- client certificate authorization supplementary help



.SH "DESCRIPTION"

\fB(BETA)\fR Client certificate authorization supplementary help.

Device Certificate Authorization (DCA) enables Context\-aware access to identify
devices by their X.509 certificates. DCA for Google Cloud APIs is the second in
a series of releases that provides administrators the capability to protect
access to their Google Cloud resources with device certificates. This feature
builds on top of the existing Context\-aware access suite (Endpoint
Verification, Access Context Manager, and VPC Service Controls) and ensures that
only users on trusted devices with a Google\-generated certificate are able to
access Google Cloud APIs. This provides a stronger signal of device identity
(device certificate verification) and protects users against credential theft
or accidental credential loss, because access is granted only when both the
credentials and the original device certificate are presented.

To use this feature, organizations can follow the instructions below to install
an endpoint verification agent to devices:

.RS 2m
.IP "\(bu" 2m
Automatically deploy endpoint verification
(https://support.google.com/a/answer/9007320#)
.RS 2m
.IP "\(em" 2m
Via Chrome Policy for the extension
.IP "\(em" 2m
3rd party image/software distribution tools for the Native Helper on macOS and
Windows
.RE
.sp
.IP "\(bu" 2m
Let users install endpoint verification themselves from the Chrome Webstore
(https://support.google.com/a/users/answer/9018161#install)
.RS 2m
.IP "\(em" 2m
Users will also be prompted to install the Native Helper
.RE
.sp

.RE
.sp
For a greater level of security, operating system key stores can be used to
store client certificate objects. This feature is enabled by using
enterprise\-certificate\-proxy
(https://github.com/googleapis/enterprise\-certificate\-proxy).

enterprise\-certificate\-proxy can be installed by running \f5$ gcloud
components install enterprise\-certificate\-proxy\fR.

Before enterprise\-certificate\-proxy can be used it must be configured. By
default the configuration is read from
\f5~/.config/gcloud/certificate_config.json\fR.

The enterprise\-certificate\-proxy schema is documented on the GitHub project
page
(https://github.com/googleapis/enterprise\-certificate\-proxy#certificate\-configuration).
Each operating system that gcloud supports uses a different key store. The
certificate_config may contain multiple OS configurations.

Provisioning the key stores is not in scope for this document.

Run \f5\fI$ gcloud config set context_aware/use_client_certificate True\fR\fR so
that the gcloud CLI will load the certificate and send it to services.
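As an added sanity check for the setup described above (this is example code, not part of gcloud or enterprise\-certificate\-proxy), the following Python script validates a certificate_config.json before the use_client_certificate property is switched on: it confirms the file is not group/world readable, that a cert_configs section exists, and that each OS key store entry carries the fields the upstream README documents. The field names in REQUIRED_FIELDS and the sample paths are assumptions taken from that README and should be confirmed against the current upstream schema.

```python
import json
import os
import stat
import tempfile

# Per-key-store fields as documented in the enterprise-certificate-proxy
# README (assumed here; confirm against the upstream schema before relying on it).
REQUIRED_FIELDS = {
    "macos": {"issuer"},
    "windows": {"store", "provider", "issuer"},
    "pkcs11": {"module", "slot", "label"},
}

def check_certificate_config(path):
    # Returns a list of findings; an empty list means nothing was flagged.
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {oct(mode)} allow group/other access")
    with open(path) as fh:
        cfg = json.load(fh)
    stores = cfg.get("cert_configs", {})
    if not stores:
        findings.append("no cert_configs section: no key store is configured")
    for name, section in stores.items():
        required = REQUIRED_FIELDS.get(name)
        if required is None:
            findings.append(f"unknown key store '{name}'")
            continue
        missing = sorted(required - set(section))
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings

def write_sample(config, mode):
    # Writes a constructed config to a temp file with the given mode; returns its path.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh)
    os.chmod(path, mode)
    return path

# Constructed sample: a macOS entry plus a PKCS#11 entry that lacks its label.
SAMPLE = {
    "cert_configs": {"macos": {"issuer": "Example Corp Device CA"},
                     "pkcs11": {"module": "/usr/lib/opensc-pkcs11.so", "slot": "0x0"}},
    "libs": {"ecp": "/opt/ecp/ecp", "ecp_client": "/opt/ecp/libecp.so"},
}
```

Running check_certificate_config(os.path.expanduser("~/.config/gcloud/certificate_config.json")) checks the default location; any finding should be resolved before setting context_aware/use_client_certificate.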

See https://cloud.google.com/sdk/gcloud/reference/topic/client\-certificate for
the support list for the latest version of the gcloud CLI. Please upgrade the
gcloud command\-line tool if necessary.

Note: iap_tunnel is a special service the gcloud CLI uses to create the IAP
tunnel. For example, \f5\fIgcloud compute start\-iap\-tunnel\fR\fR can start a
tunnel to Cloud Identity\-Aware Proxy through which another process can open a
connection (e.g. SSH, RDP) to a Google Compute Engine instance. Client
certificate authorization is supported during tunnel creation.



.SH "NOTES"

This command is currently in beta and might change without notice. These
variants are also available:

.RS 2m
$ gcloud topic client\-certificate
.RE

.RS 2m
$ gcloud alpha topic client\-certificate
.RE