https://github.com/ericnorris/google-kms-x509
Generate certificates with Google Cloud's KMS product.
- Host: GitHub
- URL: https://github.com/ericnorris/google-kms-x509
- Owner: ericnorris
- Created: 2020-02-01T21:44:09.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2021-08-17T09:17:22.000Z (about 4 years ago)
- Last Synced: 2025-05-31T17:42:11.346Z (4 months ago)
- Topics: certificate-authority, certificates, cloudkms, csr, google, x509
- Language: Go
- Homepage:
- Size: 59.6 KB
- Stars: 9
- Watchers: 3
- Forks: 8
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# google-kms-x509
Kind of like `openssl x509`, but with [Google Cloud KMS](https://cloud.google.com/kms) as the backend.
- [Features](#features)
- [Authentication](#authentication)
- [Supported KMS algorithms](#supported-kms-algorithms)
- [Usage](#usage)
- [Generate a root CA](#generate-a-root-ca)
- [Generate a CSR](#generate-a-csr)
- [Sign an intermediate CA](#sign-an-intermediate-ca)
- [Sign a leaf certificate](#sign-a-leaf-certificate)

## Features
- generate self-signed root certificate authorities (CAs)
- generate certificate signing requests (CSRs)
- sign intermediate CAs with [x509 name constraints](https://tools.ietf.org/html/rfc5280#section-4.2.1.10)
- sign leaf certificates
- no private keys, all operations are backed by Cloud KMS

## Authentication
Calls to Cloud KMS are authenticated using [Application Default Credentials](https://cloud.google.com/docs/authentication/production).
## Supported KMS algorithms
Elliptic Curve signing algorithms:
- EC_SIGN_P256_SHA256
- EC_SIGN_P384_SHA384

RSA signing algorithms:
- RSA_SIGN_PKCS1_2048_SHA256
- RSA_SIGN_PKCS1_3072_SHA256
- RSA_SIGN_PKCS1_4096_SHA256
- RSA_SIGN_PKCS1_4096_SHA512
- RSA_SIGN_PSS_2048_SHA256
- RSA_SIGN_PSS_3072_SHA256
- RSA_SIGN_PSS_4096_SHA256
- RSA_SIGN_PSS_4096_SHA512

## Usage
All of the commands take a `--kms-key` argument in the form of a [Key version resource ID](https://cloud.google.com/kms/docs/object-hierarchy#key_version_resource_id), which is the fully qualified path to the _version_ of the KMS key.
### Generate a root CA
```
Usage:
  google-kms-x509 generate root-ca [flags]

Flags:
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --days int                    days until expiration
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for root-ca
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --province string             x509 Distinguished Name (DN) field
```

### Generate a CSR
```
Usage:
  google-kms-x509 generate csr [flags]

Flags:
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for csr
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --province string             x509 Distinguished Name (DN) field
```
### Sign an intermediate CA
Note: You must first generate a CSR. Distinguished Name fields are taken from the command line, not the CSR.
```
Usage:
  google-kms-x509 sign intermediate-ca [flags]

Flags:
      --child-csr string                child CSR path
      --common-name string              x509 Distinguished Name (DN) field
      --country string                  x509 Distinguished Name (DN) field
      --days int                        days until expiration
      --emailAddress string             x509 Distinguished Name (DN) field
      --generate-comment                generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                            help for intermediate-ca
  -k, --kms-key string                  Google KMS key resource ID
      --locality string                 x509 Distinguished Name (DN) field
      --organization string             x509 Distinguished Name (DN) field
      --organizationalUnit string       x509 Distinguished Name (DN) field
  -o, --out string                      output file path, '-' for stdout (default "-")
      --parent-cert string              parent certificate path
      --path-len int                    number of intermediate CAs allowed under this CA
      --permitted-dns-domains strings   permitted DNS names for x509 Name Constraints extension
      --province string                 x509 Distinguished Name (DN) field
```
### Sign a leaf certificate
Note: You must first generate a CSR. Distinguished Name fields are taken from the command line, not the CSR.
```
Usage:
  google-kms-x509 sign leaf [flags]

Flags:
      --child-csr string            child CSR path
      --client                      sign as a client certificate
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --days int                    days until expiration
      --dns-names strings           DNS names for x509 Subject Alternative Names extension
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for leaf
      --ip-addresses ipSlice        IP addresses for x509 Subject Alternative Names extension (default [])
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --parent-cert string          parent certificate path
      --province string             x509 Distinguished Name (DN) field
      --server                      sign as a server cert
```
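As an added example (not code from this project), the chain that the four commands above produce, rebuilt in Go with locally generated P-256 keys standing in for the Cloud KMS key versions so it runs offline: it shows what `--path-len 0`, `--permitted-dns-domains`, `--dns-names` and `--server` turn into on the wire, and that Go's standard verifier rejects a leaf whose SAN falls outside the intermediate's permitted domains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey is a local stand-in for a Cloud KMS EC_SIGN_P256_SHA256 key version (assumption: no KMS call is made).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
// sign issues tmpl under parent with the parent's key (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
// LeafVerifies builds root -> intermediate (permitted DNS domains, path length 0) -> server leaf with leafDNS as SAN, then verifies it.
func LeafVerifies(permitted []string, leafDNS string) bool {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(3650 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootCert := sign(root, root, &rootKey.PublicKey, rootKey) // generate root-ca
	inter := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: now, NotAfter: now.Add(1825 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		MaxPathLen: 0, MaxPathLenZero: true, // --path-len 0: nothing but leaves may sit below this CA
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: true} // --permitted-dns-domains
	interCert := sign(inter, rootCert, &intKey.PublicKey, rootKey) // sign intermediate-ca
	leaf := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafDNS},
		NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour), DNSNames: []string{leafDNS}, // --dns-names
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // --server
	leafCert := sign(leaf, interCert, &leafKey.PublicKey, intKey) // sign leaf
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(interCert)
	_, err := leafCert.Verify(x509.VerifyOptions{DNSName: leafDNS, Roots: roots, Intermediates: inters, CurrentTime: now.Add(time.Hour)})
	return err == nil
}
```

`LeafVerifies([]string{"example.com"}, "www.example.com")` returns true, while the same call with `"www.example.org"` returns false because the critical name constraint on the intermediate does not cover that name.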