File: //snap/google-cloud-cli/current/help/man/man1/gcloud_privateca_certificates_create.1
.TH "GCLOUD_PRIVATECA_CERTIFICATES_CREATE" 1
.SH "NAME"
.HP
gcloud privateca certificates create \- create a new certificate
.SH "SYNOPSIS"
.HP
\f5gcloud privateca certificates create\fR [[\fICERTIFICATE\fR]\ \fB\-\-issuer\-location\fR=\fIISSUER_LOCATION\fR\ \fB\-\-issuer\-pool\fR=\fIISSUER_POOL\fR] (\fB\-\-cert\-output\-file\fR=\fICERT_OUTPUT_FILE\fR\ |\ \fB\-\-validate\-only\fR) (\fB\-\-csr\fR=\fICSR\fR\ |\ [(\fB\-\-dns\-san\fR=[\fIDNS_SAN\fR,...]\ \fB\-\-email\-san\fR=[\fIEMAIL_SAN\fR,...]\ \fB\-\-ip\-san\fR=[\fIIP_SAN\fR,...]\ \fB\-\-subject\fR=[\fISUBJECT\fR,...]\ \fB\-\-uri\-san\fR=[\fIURI_SAN\fR,...])\ (\fB\-\-generate\-key\fR\ \fB\-\-key\-output\-file\fR=\fIKEY_OUTPUT_FILE\fR\ |\ [\fB\-\-kms\-key\-version\fR=\fIKMS_KEY_VERSION\fR\ :\ \fB\-\-kms\-key\fR=\fIKMS_KEY\fR\ \fB\-\-kms\-keyring\fR=\fIKMS_KEYRING\fR\ \fB\-\-kms\-location\fR=\fIKMS_LOCATION\fR\ \fB\-\-kms\-project\fR=\fIKMS_PROJECT\fR])\ :\ \fB\-\-use\-preset\-profile\fR=\fIUSE_PRESET_PROFILE\fR\ |\ \fB\-\-extended\-key\-usages\fR=[\fIEXTENDED_KEY_USAGES\fR,...]\ \fB\-\-is\-ca\-cert\fR\ \fB\-\-key\-usages\fR=[\fIKEY_USAGES\fR,...]\ \fB\-\-max\-chain\-length\fR=\fIMAX_CHAIN_LENGTH\fR\ |\ \fB\-\-unconstrained\-chain\-length\fR\ \fB\-\-no\-name\-constraints\-critical\fR\ \fB\-\-name\-excluded\-dns\fR=[\fINAME_EXCLUDED_DNS\fR,...]\ \fB\-\-name\-excluded\-email\fR=[\fINAME_EXCLUDED_EMAIL\fR,...]\ \fB\-\-name\-excluded\-ip\fR=[\fINAME_EXCLUDED_IP\fR,...]\ \fB\-\-name\-excluded\-uri\fR=[\fINAME_EXCLUDED_URI\fR,...]\ \fB\-\-name\-permitted\-dns\fR=[\fINAME_PERMITTED_DNS\fR,...]\ \fB\-\-name\-permitted\-email\fR=[\fINAME_PERMITTED_EMAIL\fR,...]\ \fB\-\-name\-permitted\-ip\fR=[\fINAME_PERMITTED_IP\fR,...]\ \fB\-\-name\-permitted\-uri\fR=[\fINAME_PERMITTED_URI\fR,...]]) [\fB\-\-ca\fR=\fICA\fR] [\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-subject\-key\-id\fR=\fISUBJECT_KEY_ID\fR] [\fB\-\-validity\fR=\fIVALIDITY\fR;\ default="P30D"] [\fB\-\-template\fR=\fITEMPLATE\fR\ :\ \fB\-\-template\-location\fR=\fITEMPLATE_LOCATION\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "EXAMPLES"
To create a certificate using a CSR:
.RS 2m
$ gcloud privateca certificates create frontend\-server\-tls \e
\-\-issuer\-pool=my\-pool \-\-issuer\-location=us\-west1 \e
\-\-csr=./csr.pem \-\-cert\-output\-file=./cert.pem \-\-validity=P30D
.RE
To create a certificate using a client\-generated key:
.RS 2m
$ gcloud privateca certificates create frontend\-server\-tls \e
\-\-issuer\-pool=my\-pool \-\-issuer\-location=us\-west1 \e
\-\-generate\-key \-\-key\-output\-file=./key \e
\-\-cert\-output\-file=./cert.pem \-\-dns\-san=www.example.com \e
\-\-use\-preset\-profile=leaf_server_tls
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
CERTIFICATE resource \- The name of the certificate to issue. If the certificate
ID is omitted, a random identifier will be generated according to the following
format: {YYYYMMDD}\-{3 random alphanumeric characters}\-{3 random alphanumeric
characters}. The certificate ID is not required when the issuing CA pool is in
the DevOps tier. The arguments in this group can be used to specify the
attributes of this resource. (NOTE) Some attributes are not given arguments in
this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5CERTIFICATE\fR on the command line with a fully
specified name;
.IP "\(em" 2m
certificate id will default to an automatically generated id with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
.RS 2m
.TP 2m
[\fICERTIFICATE\fR]
ID of the CERTIFICATE or fully qualified identifier for the CERTIFICATE.
To set the \f5certificate\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE\fR on the command line;
.IP "\(bu" 2m
certificate id will default to an automatically generated id.
.RE
.sp
.TP 2m
\fB\-\-issuer\-location\fR=\fIISSUER_LOCATION\fR
The location of the CERTIFICATE.
To set the \f5issuer\-location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
certificate id will default to an automatically generated id with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp
.TP 2m
\fB\-\-issuer\-pool\fR=\fIISSUER_POOL\fR
The parent CA Pool of the CERTIFICATE.
To set the \f5issuer\-pool\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5CERTIFICATE\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
certificate id will default to an automatically generated id with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-pool\fR on the command line.
.RE
.sp
.RE
.RE
.sp
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
Certificate persistence options.
Exactly one of these must be specified:
.RS 2m
.TP 2m
\fB\-\-cert\-output\-file\fR=\fICERT_OUTPUT_FILE\fR
The path where the resulting PEM\-encoded certificate chain file should be
written (ordered from leaf to root).
.TP 2m
\fB\-\-validate\-only\fR
If this flag is set, the certificate resource will not be persisted and the
returned certificate will not contain the pem_certificate field.
.RE
.sp
.TP 2m
Certificate generation method.
Exactly one of these must be specified:
.RS 2m
.TP 2m
To issue a certificate from a CSR use the following:
.RS 2m
.TP 2m
\fB\-\-csr\fR=\fICSR\fR
A PEM\-encoded certificate signing request file path.
.RE
.sp
.TP 2m
Alternatively, you may describe the certificate and key to use.
.RS 2m
.TP 2m
The subject names for the certificate.
At least one of these must be specified:
.RS 2m
.TP 2m
\fB\-\-dns\-san\fR=[\fIDNS_SAN\fR,...]
One or more comma\-separated DNS Subject Alternative Names.
.TP 2m
\fB\-\-email\-san\fR=[\fIEMAIL_SAN\fR,...]
One or more comma\-separated email Subject Alternative Names.
.TP 2m
\fB\-\-ip\-san\fR=[\fIIP_SAN\fR,...]
One or more comma\-separated IP Subject Alternative Names.
.TP 2m
\fB\-\-subject\fR=[\fISUBJECT\fR,...]
X.501 name of the certificate subject. Example: \-\-subject
"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
.TP 2m
\fB\-\-uri\-san\fR=[\fIURI_SAN\fR,...]
One or more comma\-separated URI Subject Alternative Names.
.RE
.sp
.TP 2m
To describe the key that will be used for this certificate, use one of the
following options.
Exactly one of these must be specified:
.RS 2m
.TP 2m
To generate a new key pair, use the following:
.RS 2m
.TP 2m
\fB\-\-generate\-key\fR
Use this flag to have a new RSA\-2048 private key securely generated on your
machine.
This flag argument must be specified if any of the other arguments in this group
are specified.
.TP 2m
\fB\-\-key\-output\-file\fR=\fIKEY_OUTPUT_FILE\fR
The path where the generated private key file should be written (in PEM format).
Note: possession of this key file could allow anybody to act as this
certificate's subject. Please make sure that you store this key file in a secure
location at all times, and ensure that only authorized users have access to it.
This flag argument must be specified if any of the other arguments in this group
are specified.
.RE
.sp
.TP 2m
Key version resource \- An existing KMS key version backing this certificate.
The arguments in this group can be used to specify the attributes of this
resource.
.RS 2m
.TP 2m
\fB\-\-kms\-key\-version\fR=\fIKMS_KEY_VERSION\fR
ID of the key version or fully qualified identifier for the key version.
To set the \f5kms\-key\-version\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line.
.RE
.sp
This flag argument must be specified if any of the other arguments in this group
are specified.
.TP 2m
\fB\-\-kms\-key\fR=\fIKMS_KEY\fR
The KMS key of the key version.
To set the \f5kms\-key\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\fR on the command line.
.RE
.sp
.TP 2m
\fB\-\-kms\-keyring\fR=\fIKMS_KEYRING\fR
The KMS keyring of the key version.
To set the \f5kms\-keyring\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-keyring\fR on the command line.
.RE
.sp
.TP 2m
\fB\-\-kms\-location\fR=\fIKMS_LOCATION\fR
The location of the key version.
To set the \f5kms\-location\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-location\fR on the command line;
.IP "\(em" 2m
provide the argument \f5location\fR on the command line;
.IP "\(em" 2m
set the property \f5privateca/location\fR.
.RE
.sp
.TP 2m
\fB\-\-kms\-project\fR=\fIKMS_PROJECT\fR
The project containing the key version.
To set the \f5kms\-project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-kms\-key\-version\fR on the command line with a
fully specified name;
.IP "\(em" 2m
provide the argument \f5\-\-kms\-project\fR on the command line;
.IP "\(em" 2m
provide the argument \f5project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
.RE
.RE
.sp
.TP 2m
The x509 configuration used for this certificate.
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-use\-preset\-profile\fR=\fIUSE_PRESET_PROFILE\fR
The name of an existing preset profile used to encapsulate X.509 parameter
values. USE_PRESET_PROFILE must be one of: leaf_client_tls, leaf_code_signing,
leaf_mtls, leaf_server_tls, leaf_smime, root_unconstrained,
subordinate_client_tls_pathlen_0, subordinate_code_signing_pathlen_0,
subordinate_mtls_pathlen_0, subordinate_server_tls_pathlen_0,
subordinate_smime_pathlen_0, subordinate_unconstrained_pathlen_0.
For more information, see
https://cloud.google.com/certificate\-authority\-service/docs/certificate\-profile.
.TP 2m
\fB\-\-extended\-key\-usages\fR=[\fIEXTENDED_KEY_USAGES\fR,...]
The list of extended key usages for this certificate. This can only be provided
if \f5\-\-use\-preset\-profile\fR is not provided. \fIEXTENDED_KEY_USAGES\fR
must be one of: \fBserver_auth\fR, \fBclient_auth\fR, \fBcode_signing\fR,
\fBemail_protection\fR, \fBtime_stamping\fR, \fBocsp_signing\fR.
.TP 2m
\fB\-\-is\-ca\-cert\fR
Whether this certificate is for a CertificateAuthority or not. Indicates the
Certificate Authority field in the x509 basic constraints extension.
.TP 2m
\fB\-\-key\-usages\fR=[\fIKEY_USAGES\fR,...]
The list of key usages for this certificate. This can only be provided if
\f5\-\-use\-preset\-profile\fR is not provided. \fIKEY_USAGES\fR must be one of:
\fBdigital_signature\fR, \fBcontent_commitment\fR, \fBkey_encipherment\fR,
\fBdata_encipherment\fR, \fBkey_agreement\fR, \fBcert_sign\fR, \fBcrl_sign\fR,
\fBencipher_only\fR, \fBdecipher_only\fR.
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-max\-chain\-length\fR=\fIMAX_CHAIN_LENGTH\fR
Maximum depth of subordinate CAs allowed under this CA for a CA certificate.
This can only be provided if neither \f5\-\-use\-preset\-profile\fR nor
\f5\-\-unconstrained\-chain\-length\fR are provided.
.TP 2m
\fB\-\-unconstrained\-chain\-length\fR
If set, allows an unbounded number of subordinate CAs under this newly issued CA
certificate. This can only be provided if neither \f5\-\-use\-preset\-profile\fR
nor \f5\-\-max\-chain\-length\fR are provided.
.RE
.sp
.TP 2m
The x509 name constraints configurations
.RS 2m
.TP 2m
\fB\-\-name\-constraints\-critical\fR
Indicates whether or not name constraints are marked as critical. Name
constraints are considered critical unless explicitly set to false. Enabled by
default, use \fB\-\-no\-name\-constraints\-critical\fR to disable.
.TP 2m
\fB\-\-name\-excluded\-dns\fR=[\fINAME_EXCLUDED_DNS\fR,...]
One or more comma\-separated DNS names which are excluded from being issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left\-hand side of the name satisfies the name constraint. For
example, \f5example.com\fR, \f5www.example.com\fR, \f5www.sub.example.com\fR
would satisfy \f5example.com\fR, while \f5example1.com\fR does not.
.TP 2m
\fB\-\-name\-excluded\-email\fR=[\fINAME_EXCLUDED_EMAIL\fR,...]
One or more comma\-separated emails which are excluded from being issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g. \f5.example.com\fR) to indicate all email addresses in that domain.
.TP 2m
\fB\-\-name\-excluded\-ip\fR=[\fINAME_EXCLUDED_IP\fR,...]
One or more comma\-separated IP ranges which are excluded from being issued
certificates. For IPv4 addresses, the ranges are expressed using CIDR notation
as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in
similar encoding as IPv4
.TP 2m
\fB\-\-name\-excluded\-uri\fR=[\fINAME_EXCLUDED_URI\fR,...]
One or more comma\-separated URIs which are excluded from being issued
certificates. The value can be a hostname or a domain with a leading period
(like \f5.example.com\fR)
.TP 2m
\fB\-\-name\-permitted\-dns\fR=[\fINAME_PERMITTED_DNS\fR,...]
One or more comma\-separated DNS names which are permitted to be issued
certificates. Any DNS name that can be constructed by simply adding zero or more
labels to the left\-hand side of the name satisfies the name constraint. For
example, \f5example.com\fR, \f5www.example.com\fR, \f5www.sub.example.com\fR
would satisfy \f5example.com\fR, while \f5example1.com\fR does not.
.TP 2m
\fB\-\-name\-permitted\-email\fR=[\fINAME_PERMITTED_EMAIL\fR,...]
One or more comma\-separated email addresses which are permitted to be issued
certificates. The value can be a particular email address, a hostname to
indicate all email addresses on that host or a domain with a leading period
(e.g. \f5.example.com\fR) to indicate all email addresses in that domain.
.TP 2m
\fB\-\-name\-permitted\-ip\fR=[\fINAME_PERMITTED_IP\fR,...]
One or more comma\-separated IP ranges which are permitted to be issued
certificates. For IPv4 addresses, the ranges are expressed using CIDR notation
as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in
similar encoding as IPv4
.TP 2m
\fB\-\-name\-permitted\-uri\fR=[\fINAME_PERMITTED_URI\fR,...]
One or more comma\-separated URIs which are permitted to be issued certificates.
The value can be a hostname or a domain with a leading period (like
\f5.example.com\fR)
.RE
.RE
.RE
.RE
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-ca\fR=\fICA\fR
The name of an existing certificate authority to use for issuing the
certificate. If omitted, a certificate authority will be will be chosen from the
CA pool by the service on your behalf.
.TP 2m
\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens (\f5\-\fR),
underscores (\f5_\fR), lowercase characters, and numbers. Values must contain
only hyphens (\f5\-\fR), underscores (\f5_\fR), lowercase characters, and
numbers.
.TP 2m
\fB\-\-subject\-key\-id\fR=\fISUBJECT_KEY_ID\fR
Optional field to specify subject key ID for certificate. DO NOT USE except to
maintain a previously established identifier for a public key, whose SKI was not
generated using method (1) described in RFC 5280 section 4.2.1.2.
.TP 2m
\fB\-\-validity\fR=\fIVALIDITY\fR; default="P30D"
The validity of this certificate, as an ISO8601 duration. Defaults to 30 days.
.TP 2m
Certificate template resource \- The name of a certificate template to use for
issuing this certificate, if desired. A template may overwrite parts of the
certificate request, and the use of certificate templates may be required and/or
regulated by the issuing CA Pool's CA Manager. The specified template must be in
the same location as the issuing CA Pool. The arguments in this group can be
used to specify the attributes of this resource. (NOTE) Some attributes are not
given arguments in this group but can be set in other ways.
To set the \f5project\fR attribute:
.RS 2m
.IP "\(em" 2m
provide the argument \f5\-\-template\fR on the command line with a fully
specified name;
.IP "\(em" 2m
provide the argument \f5\-\-project\fR on the command line;
.IP "\(em" 2m
set the property \f5core/project\fR.
.RE
.sp
.RS 2m
.TP 2m
\fB\-\-template\fR=\fITEMPLATE\fR
ID of the certificate_template or fully qualified identifier for the
certificate_template.
To set the \f5certificate template\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5\-\-template\fR on the command line.
.RE
.sp
This flag argument must be specified if any of the other arguments in this group
are specified.
.TP 2m
\fB\-\-template\-location\fR=\fITEMPLATE_LOCATION\fR
The location of the certificate_template.
To set the \f5location\fR attribute:
.RS 2m
.IP "\(bu" 2m
provide the argument \f5\-\-template\fR on the command line with a fully
specified name;
.IP "\(bu" 2m
provide the argument \f5\-\-template\-location\fR on the command line;
.IP "\(bu" 2m
provide the argument \f5\-\-issuer\-location\fR on the command line;
.IP "\(bu" 2m
set the property \f5privateca/location\fR.
.RE
.sp
.RE
.RE
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.