Kind of like openssl x509, but with Google Cloud KMS as the backend.
- generate self-signed root certificate authorities (CAs)
- generate certificate signing requests (CSRs)
- sign intermediate CAs with x509 name constraints
- sign leaf certificates
- no private keys, all operations are backed by Cloud KMS
Calls to Cloud KMS are authenticated using Application Default Credentials.
Supported elliptic curve signing algorithms (Cloud KMS key algorithm names):
- EC_SIGN_P256_SHA256
- EC_SIGN_P384_SHA384
Supported RSA signing algorithms:
- RSA_SIGN_PKCS1_2048_SHA256
- RSA_SIGN_PKCS1_3072_SHA256
- RSA_SIGN_PKCS1_4096_SHA256
- RSA_SIGN_PKCS1_4096_SHA512
- RSA_SIGN_PSS_2048_SHA256
- RSA_SIGN_PSS_3072_SHA256
- RSA_SIGN_PSS_4096_SHA256
- RSA_SIGN_PSS_4096_SHA512
All of the commands take a --kms-key argument in the form of a key version resource ID, that is, the fully qualified path to the version of the KMS key (projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY/cryptoKeyVersions/VERSION).
Usage:
  google-kms-x509 generate root-ca [flags]

Flags:
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --days int                    days until expiration
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for root-ca
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --province string             x509 Distinguished Name (DN) field
Usage:
  google-kms-x509 generate csr [flags]

Flags:
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for csr
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --province string             x509 Distinguished Name (DN) field
Note: You must first generate a CSR. Distinguished Name fields are taken from the command line, not the CSR.
Usage:
  google-kms-x509 sign intermediate-ca [flags]

Flags:
      --child-csr string                child CSR path
      --common-name string              x509 Distinguished Name (DN) field
      --country string                  x509 Distinguished Name (DN) field
      --days int                        days until expiration
      --emailAddress string             x509 Distinguished Name (DN) field
      --generate-comment                generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                            help for intermediate-ca
  -k, --kms-key string                  Google KMS key resource ID
      --locality string                 x509 Distinguished Name (DN) field
      --organization string             x509 Distinguished Name (DN) field
      --organizationalUnit string       x509 Distinguished Name (DN) field
  -o, --out string                      output file path, '-' for stdout (default "-")
      --parent-cert string              parent certificate path
      --path-len int                    number of intermediate CAs allowed under this CA
      --permitted-dns-domains strings   permitted DNS names for x509 Name Constraints extension
      --province string                 x509 Distinguished Name (DN) field
Note: You must first generate a CSR. Distinguished Name fields are taken from the command line, not the CSR.
Usage:
  google-kms-x509 sign leaf [flags]

Flags:
      --child-csr string            child CSR path
      --client                      sign as a client certificate
      --common-name string          x509 Distinguished Name (DN) field
      --country string              x509 Distinguished Name (DN) field
      --days int                    days until expiration
      --dns-names strings           DNS names for x509 Subject Alternative Names extension
      --emailAddress string         x509 Distinguished Name (DN) field
      --generate-comment            generate an x509 comment showing the Google KMS key resource ID used (default true)
  -h, --help                        help for leaf
      --ip-addresses ipSlice        IP addresses for x509 Subject Alternative Names extension (default [])
  -k, --kms-key string              Google KMS key resource ID
      --locality string             x509 Distinguished Name (DN) field
      --organization string         x509 Distinguished Name (DN) field
      --organizationalUnit string   x509 Distinguished Name (DN) field
  -o, --out string                  output file path, '-' for stdout (default "-")
      --parent-cert string          parent certificate path
      --province string             x509 Distinguished Name (DN) field
      --server                      sign as a server cert
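The four commands above (root CA, CSR, intermediate with name constraints, leaf) map onto a small amount of Go against the standard library. The following is an added example written for this page, not the google-kms-x509 project's own code. It assumes a crypto.Signer stands in for Cloud KMS: here it is backed by an in-memory P-256 key constructed for the example so that it runs offline, whereas the real tool would send the digest to the KMS AsymmetricSign API for the --kms-key version and never hold private key bytes. The example walks the whole flow, with DN fields taken from the "flags" and only the public key taken from the CSR, then shows the relying-party verification that a leaf outside the intermediate's permitted DNS domain is rejected. The must helper, the kmsSigner type, the function names and the example.test names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// must is example-only shorthand; the real tool reports these errors to the user.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// kmsSigner stands in for the Cloud KMS-backed crypto.Signer: the real tool sends the
// digest to the KMS AsymmetricSign API for the key version named by --kms-key. Here the
// "remote" key is an in-memory P-256 key constructed for the example (assumption).
type kmsSigner struct{ key *ecdsa.PrivateKey }

func newKMSSigner() *kmsSigner {
	return &kmsSigner{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

func (s *kmsSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign receives only the digest, as EC_SIGN_P256_SHA256 does on the KMS side.
func (s *kmsSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.key, digest)
}

// template: random serial, DN taken from the flags (never from a CSR), --days of validity.
func template(cn string, days int) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days)}
}

// markCA sets the CA bits; --path-len becomes pathLenConstraint (-1 leaves it unset),
// --permitted-dns-domains a critical Name Constraints extension.
func markCA(t *x509.Certificate, pathLen int, permitted []string) {
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = permitted, len(permitted) > 0
}

// issue has the parent's KMS key sign template t over the child public key pub.
func issue(t, parent *x509.Certificate, pub crypto.PublicKey, parentKey crypto.Signer) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))))
}

// generateCSR mirrors `generate csr`: the CSR carries the key's public key and a
// proof-of-possession signature, which the signer checks; its subject is then ignored.
func generateCSR(s crypto.Signer, cn string) *x509.CertificateRequest {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, s))))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	return csr
}

// chain is the workflow's output. Allowed sits inside the permitted domain; Outside
// carries a SAN the intermediate is not authorized to certify.
type chain struct{ Root, Intermediate, Allowed, Outside *x509.Certificate }

func buildChain() *chain {
	rootKey, interKey, leafKey := newKMSSigner(), newKMSSigner(), newKMSSigner() // one key version each
	rootTmpl := template("Example Root CA", 3650)
	markCA(rootTmpl, -1, nil)
	root := issue(rootTmpl, rootTmpl, rootKey.Public(), rootKey) // self-signed
	interTmpl := template("Example Intermediate CA", 1825)
	markCA(interTmpl, 0, []string{"example.test"}) // --path-len 0 --permitted-dns-domains example.test
	inter := issue(interTmpl, root, generateCSR(interKey, "csr-subject-is-ignored").PublicKey, rootKey)
	leafCSR := generateCSR(leafKey, "csr-subject-is-ignored")
	leaf := func(host string) *x509.Certificate { // sign leaf --server --dns-names host
		t := template(host, 90)
		t.DNSNames, t.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		return issue(t, inter, leafCSR.PublicKey, interKey)
	}
	return &chain{root, inter, leaf("www.example.test"), leaf("www.other.test")}
}

// verifyChain is the relying-party view: building leaf -> intermediate -> root for host
// also enforces the intermediate's name constraints, so Outside fails here.
func verifyChain(root, inter, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Call buildChain() and then verifyChain(c.Root, c.Intermediate, c.Allowed, "www.example.test") to see the constrained chain verify, and the same call with c.Outside and "www.other.test" to see the name constraint rejection. Note that the subject on the CSR never reaches the certificate, exactly as the notes above describe, and that the signer only ever sees the CSR's public key plus a digest to sign.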