https://github.com/mattes/google-cloud-kms-csr
Create CSR request with Google Cloud KMS or HSM
- Host: GitHub
- URL: https://github.com/mattes/google-cloud-kms-csr
- Owner: mattes
- License: unlicense
- Created: 2018-09-26T05:39:26.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-10-08T05:10:08.000Z (over 4 years ago)
- Last Synced: 2025-04-19T07:47:08.022Z (about 1 year ago)
- Topics: certificate-signing-request, csr, google-cloud-hsm, google-cloud-kms, openssl
- Language: Go
- Homepage: https://cloud.google.com/hsm/
- Size: 284 KB
- Stars: 41
- Watchers: 1
- Forks: 24
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# CSR with Google Cloud KMS
Quick utility tool that creates a CSR and signs it with a private key held in Google Cloud KMS or HSM.
The private key never leaves Google, so everyone is happy. The CSR can then be used to get a cert from a CA.
I would've done it with `openssl`, but there is no Google Cloud KMS engine available. (Sept. 2018)
## Usage
```
go build -o csr
./csr -key <key-resource-id> -out my.csr --common-name MyOrg
```
Get the key-resource-id by running the following command:
```
gcloud kms keys versions list --key <key-name> --keyring <keyring-name> --location=<location>
```
The key version resource ID has the following format:
```
projects/xxx/locations/xxx/keyRings/xxx/cryptoKeys/xxx/cryptoKeyVersions/xxx
```
Make sure to use an asymmetric key.
You can verify `my.csr` with:
```
openssl req -text -noout -verify -in my.csr
```
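How a CSR can be signed when the private key is not local, as an added Go example that is not this project's code: `x509.CreateCertificateRequest` only needs a `crypto.Signer`, so signing can be delegated to a remote key, and the result gets the same self-signature check as the `openssl` command above. The names `remoteSigner`, `newStandInSigner` and `buildCSR` are hypothetical, and a locally generated P-256 key stands in for the KMS-held key so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
)

// remoteSigner is a crypto.Signer holding only a public key and a signing callback.
type remoteSigner struct {
	pub  crypto.PublicKey
	sign func(digest []byte) ([]byte, error) // with Cloud KMS: send the digest to the service
}

func (s remoteSigner) Public() crypto.PublicKey { return s.pub }
func (s remoteSigner) Sign(_ io.Reader, d []byte, _ crypto.SignerOpts) ([]byte, error) { return s.sign(d) }

// newStandInSigner plays the KMS side with a constructed local P-256 key (assumption).
func newStandInSigner() remoteSigner {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return remoteSigner{&k.PublicKey, func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, k, d) }}
}

// buildCSR signs a CSR through s; err is non-nil if the self-signature does not verify.
func buildCSR(s crypto.Signer, commonName string) (csr *x509.CertificateRequest, err error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, s)
	if err != nil {
		return nil, err
	}
	if csr, err = x509.ParseCertificateRequest(der); err == nil {
		err = csr.CheckSignature() // the check `openssl req -verify` performs
	}
	return csr, err
}

func main() {
	csr, err := buildCSR(newStandInSigner(), "MyOrg")
	if err != nil {
		panic(err)
	}
	fmt.Println("verified CSR for", csr.Subject.CommonName, "signed with", csr.SignatureAlgorithm)
}
```

The callback receives only the SHA-256 digest of the request body, and a signature produced by any key other than the one whose public key is embedded in the CSR fails the check.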
Google's application credentials are used for authenticating with the Google API.
If you haven't done so already, you can set the application default credentials locally with:
```
gcloud auth application-default login
```
## Docs
* https://cloud.google.com/kms/docs/how-tos
* https://en.wikipedia.org/wiki/Certificate_signing_request