gcloud privateca roots create

NAME: gcloud privateca roots create - create a new root certificate authority
SYNOPSIS: gcloud privateca roots create(CERTIFICATE_AUTHORITY :--location=LOCATION--pool=POOL)[--auto-enable][--bucket=BUCKET][--custom-aia-urls=[CUSTOM_AIA_URLS,…]][--custom-cdp-urls=[CUSTOM_CDP_URLS,…]][--dns-san=[DNS_SAN,…]][--email-san=[EMAIL_SAN,…]][--from-ca=FROM_CA][--ip-san=[IP_SAN,…]][--labels=[KEY=VALUE,…]][--subject=[SUBJECT,…]][--subject-key-id=SUBJECT_KEY_ID][--uri-san=[URI_SAN,…]][--validity=VALIDITY; default="P10Y"][--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256" | [--kms-key-version=KMS_KEY_VERSION :--kms-key=KMS_KEY--kms-keyring=KMS_KEYRING--kms-location=KMS_LOCATION--kms-project=KMS_PROJECT]][--use-preset-profile=USE_PRESET_PROFILE |--extended-key-usages=[EXTENDED_KEY_USAGES,…]--key-usages=[KEY_USAGES,…]--max-chain-length=MAX_CHAIN_LENGTH |--unconstrained-chain-length--no-name-constraints-critical--name-excluded-dns=[NAME_EXCLUDED_DNS,…]--name-excluded-email=[NAME_EXCLUDED_EMAIL,…]--name-excluded-ip=[NAME_EXCLUDED_IP,…]--name-excluded-uri=[NAME_EXCLUDED_URI,…]--name-permitted-dns=[NAME_PERMITTED_DNS,…]--name-permitted-email=[NAME_PERMITTED_EMAIL,…]--name-permitted-ip=[NAME_PERMITTED_IP,…]--name-permitted-uri=[NAME_PERMITTED_URI,…]][GCLOUD_WIDE_FLAG …]
DESCRIPTION: TIP: Consider setting aprojectlien on the project to prevent it from accidental deletion.
EXAMPLES: To create a root CA that supports one layer of subordinates:
gcloudprivatecarootscreateprod-root--location=us-west1--pool=my-pool--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1"--subject="CN=Example Production Root CA, O=Google"--max-chain-length=1
To create a root CA that is based on an existing CA:
gcloudprivatecarootscreateprod-root--location=us-west1--pool=my-pool--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1"--from-ca=source-root
POSITIONAL ARGUMENTS: Certificate Authority resource - The name of the root CA to create. Thearguments in this group can be used to specify the attributes of this resource.(NOTE) Some attributes are not given arguments in this group but can be set inother ways.
To set theproject attribute:
provide the argumentCERTIFICATE_AUTHORITY on the command line witha fully specified name;
provide the argument--project on the command line;
set the propertycore/project.
This must be specified.
CERTIFICATE_AUTHORITY
ID of the Certificate Authority or fully qualified identifier for theCertificate Authority.
To set thecertificate_authority attribute:
provide the argumentCERTIFICATE_AUTHORITY on the command line.
This positional argument must be specified if any of the other arguments in thisgroup are specified.
--location=LOCATION
The location of the Certificate Authority.
To set thelocation attribute:
provide the argumentCERTIFICATE_AUTHORITY on the command line witha fully specified name;
provide the argument--location on the command line;
set the propertyprivateca/location.
--pool=POOL
The parent CA Pool of the Certificate Authority.
To set thepool attribute:
provide the argumentCERTIFICATE_AUTHORITY on the command line witha fully specified name;
provide the argument--pool on the command line.
FLAGS: --auto-enable
If this flag is set, the Certificate Authority will be automatically enabledupon creation.
--bucket=BUCKET
The name of an existing storage bucket to use for storing the CA certificatesand CRLs for CAs in this pool. If omitted, a new bucket will be created andmanaged by the service on your behalf.
--custom-aia-urls=[CUSTOM_AIA_URLS,…]
One or more comma-separated URLs that will be added to the Authority InformationAccess extension in the issued certificate. These URLs are where the issuer CAcertificate is located.
--custom-cdp-urls=[CUSTOM_CDP_URLS,…]
One or more comma-separated URLs that will be added to the CRL DistributionPoints (CDP) extension in the issued certificate. These URLs are where CRLinformation is located.
--dns-san=[DNS_SAN,…]
One or more comma-separated DNS Subject Alternative Names.
--email-san=[EMAIL_SAN,…]
One or more comma-separated email Subject Alternative Names.
Source CA resource - An existing CA from which to copy configuration values forthe new CA. You can still override any of those values by explicitly providingthe appropriate flags. The specified existing CA must be part of the same poolas the one being created. This represents a Cloud resource. (NOTE) Someattributes are not given arguments in this group but can be set in other ways.
To set theproject attribute:
provide the argument--from-ca on the command line with a fullyspecified name;
provide the argument--project on the command line;
set the propertycore/project.
To set thelocation attribute:
provide the argument--from-ca on the command line with a fullyspecified name;
provide the argument--location on the command line;
set the propertyprivateca/location.
To set thepool attribute:
provide the argument--from-ca on the command line with a fullyspecified name;
provide the argument--pool on the command line.
--from-ca=FROM_CA
ID of the source CA or fully qualified identifier for the source CA.
To set thecertificate_authority attribute:
provide the argument--from-ca on the command line.
--ip-san=[IP_SAN,…]
One or more comma-separated IP Subject Alternative Names.
--labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens(-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers.
--subject=[SUBJECT,…]
X.501 name of the certificate subject. Example: --subject"C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
--subject-key-id=SUBJECT_KEY_ID
Optional field to specify subject key ID for certificate. DO NOT USE except tomaintain a previously established identifier for a public key, whose SKI was notgenerated using method (1) described in RFC 5280 section 4.2.1.2.
--uri-san=[URI_SAN,…]
One or more comma-separated URI Subject Alternative Names.
--validity=VALIDITY; default="P10Y"
The validity of this CA, as an ISO8601 duration. Defaults to 10 years.
The key configuration used for the CA certificate. Defaults to a managed key ifnot specified.
At most one of these can be specified:
--key-algorithm=KEY_ALGORITHM; default="rsa-pkcs1-4096-sha256"
The crypto algorithm to use for creating a managed KMS key for the CertificateAuthority. The default isrsa-pkcs1-4096-sha256.KEY_ALGORITHM must be one of:ec-p256-sha256,ec-p384-sha384,rsa-pkcs1-2048-sha256,rsa-pkcs1-3072-sha256,rsa-pkcs1-4096-sha256,rsa-pss-2048-sha256,rsa-pss-3072-sha256,rsa-pss-4096-sha256.
Or at least one of these can be specified:
Key version resource - An existing KMS key version to back this CA. Thearguments in this group can be used to specify the attributes of this resource.
--kms-key-version=KMS_KEY_VERSION
ID of the key version or fully qualified identifier for the key version.
To set thekms-key-version attribute:
provide the argument--kms-key-version on the command line.
This flag argument must be specified if any of the other arguments in this groupare specified.
--kms-key=KMS_KEY
The KMS key of the key version.
To set thekms-key attribute:
provide the argument--kms-key-version on the command line with afully specified name;
provide the argument--kms-key on the command line.
--kms-keyring=KMS_KEYRING
The KMS keyring of the key version.
To set thekms-keyring attribute:
provide the argument--kms-key-version on the command line with afully specified name;
provide the argument--kms-keyring on the command line.
--kms-location=KMS_LOCATION
The location of the key version.
To set thekms-location attribute:
provide the argument--kms-key-version on the command line with afully specified name;
provide the argument--kms-location on the command line;
provide the argumentlocation on the command line;
set the propertyprivateca/location.
--kms-project=KMS_PROJECT
The project containing the key version.
To set thekms-project attribute:
provide the argument--kms-key-version on the command line with afully specified name;
provide the argument--kms-project on the command line;
provide the argumentproject on the command line;
set the propertycore/project.
The X.509 configuration used for the CA certificate.
At most one of these can be specified:
--use-preset-profile=USE_PRESET_PROFILE
The name of an existing preset profile used to encapsulate X.509 parametervalues. USE_PRESET_PROFILE must be one of: leaf_client_tls, leaf_code_signing,leaf_mtls, leaf_server_tls, leaf_smime, root_unconstrained,subordinate_client_tls_pathlen_0, subordinate_code_signing_pathlen_0,subordinate_mtls_pathlen_0, subordinate_server_tls_pathlen_0,subordinate_smime_pathlen_0, subordinate_unconstrained_pathlen_0.
For more information, seehttps://cloud.google.com/certificate-authority-service/docs/certificate-profile.
Or at least one of these can be specified:
--extended-key-usages=[EXTENDED_KEY_USAGES,…]
The list of extended key usages for this CA. This can only be provided if--use-preset-profile is not provided.EXTENDED_KEY_USAGES must be one of:server_auth,client_auth,code_signing,email_protection,time_stamping,ocsp_signing.
--key-usages=[KEY_USAGES,…]
The list of key usages for this CA. This can only be provided if--use-preset-profile is not provided.KEY_USAGES must be one of:digital_signature,content_commitment,key_encipherment,data_encipherment,key_agreement,cert_sign,crl_sign,encipher_only,decipher_only.
At most one of these can be specified:
--max-chain-length=MAX_CHAIN_LENGTH
Maximum depth of subordinate CAs allowed under this CA for a CA certificate.This can only be provided if neither--use-preset-profile nor--unconstrained-chain-length are provided.
--unconstrained-chain-length
If set, allows an unbounded number of subordinate CAs under this newly issued CAcertificate. This can only be provided if neither--use-preset-profile nor--max-chain-length areprovided.
The x509 name constraints configurations
--name-constraints-critical
Indicates whether or not name constraints are marked as critical. Nameconstraints are considered critical unless explicitly set to false. Enabled bydefault, use--no-name-constraints-critical to disable.
--name-excluded-dns=[NAME_EXCLUDED_DNS,…]
One or more comma-separated DNS names which are excluded from being issuedcertificates. Any DNS name that can be constructed by simply adding zero or morelabels to the left-hand side of the name satisfies the name constraint. Forexample,example.com,www.example.com,www.sub.example.com would satisfyexample.com, whileexample1.com does not.
--name-excluded-email=[NAME_EXCLUDED_EMAIL,…]
One or more comma-separated emails which are excluded from being issuedcertificates. The value can be a particular email address, a hostname toindicate all email addresses on that host or a domain with a leading period(e.g..example.com) to indicate all email addresses in that domain.
--name-excluded-ip=[NAME_EXCLUDED_IP,…]
One or more comma-separated IP ranges which are excluded from being issuedcertificates. For IPv4 addresses, the ranges are expressed using CIDR notationas specified in RFC 4632. For IPv6 addresses, the ranges are expressed insimilar encoding as IPv4
--name-excluded-uri=[NAME_EXCLUDED_URI,…]
One or more comma-separated URIs which are excluded from being issuedcertificates. The value can be a hostname or a domain with a leading period(like.example.com)
--name-permitted-dns=[NAME_PERMITTED_DNS,…]
One or more comma-separated DNS names which are permitted to be issuedcertificates. Any DNS name that can be constructed by simply adding zero or morelabels to the left-hand side of the name satisfies the name constraint. Forexample,example.com,www.example.com,www.sub.example.com would satisfyexample.com, whileexample1.com does not.
--name-permitted-email=[NAME_PERMITTED_EMAIL,…]
One or more comma-separated email addresses which are permitted to be issuedcertificates. The value can be a particular email address, a hostname toindicate all email addresses on that host or a domain with a leading period(e.g..example.com) to indicate all email addresses in that domain.
--name-permitted-ip=[NAME_PERMITTED_IP,…]
One or more comma-separated IP ranges which are permitted to be issuedcertificates. For IPv4 addresses, the ranges are expressed using CIDR notationas specified in RFC 4632. For IPv6 addresses, the ranges are expressed insimilar encoding as IPv4
--name-permitted-uri=[NAME_PERMITTED_URI,…]
One or more comma-separated URIs which are permitted to be issued certificates.The value can be a hostname or a domain with a leading period (like.example.com)
GCLOUD WIDE FLAGS: These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.
Run$gcloud help for details.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-01-21 UTC.

Movatterモバイル変換

gcloud privateca roots create Stay organized with collections Save and categorize content based on your preferences.

gcloud privateca roots create