rossco

Reputation: 625

How to store a CloudSQL client SSL certificate in GCP Keychain

I am not sure what options to use when storing a CloudSQL SSL certificate in the Google Cloud key chain; my import job fails. Which are the correct encryption options for a client SSL certificate?

    # Get the private key
    gcloud sql ssl client-certs create devDb-prv-key ~/client-key.pem --instance=devDb

    # Store the private key in the KeyChain
    gcloud kms import-jobs create postges-prv-key-import \
        --location $GPC_REGION \
        --keyring $KMS_RING \
        --import-method rsa-oaep-3072-sha1-aes-256 \
        --protection-level software

    # Create an empty version first
    gcloud kms keys create private-postgres-ssl-key \
        --location $GPC_REGION  \
        --keyring $KMS_RING \
        --purpose asymmetric-encryption \
        --default-algorithm=rsa-decrypt-oaep-3072-sha256 \
        --skip-initial-version-creation

    # Now you can import the file 
    gcloud kms keys versions import \
        --import-job postges-prv-key-import \
        --location $GPC_REGION \
        --keyring $KMS_RING \
        --key private-postgres-ssl-key \
        --algorithm rsa-decrypt-oaep-3072-sha256 \
        --target-key-file ~/client-key.pem

The result is the errors shown in the two screenshots attached to the question.

Upvotes: 1

Views: 640

Answers (2)

I tested this in my environment, and I was able to import the key successfully. Find the attached screenshots.

The algorithm rsa-decrypt-oaep-3072-sha256 does not match the length of the actual key to be imported, so replace it with the algorithm rsa-decrypt-oaep-2048-sha256 in the command “gcloud kms keys versions import”.

Example:

    gcloud kms keys versions import --import-job job-name --location us-central1 --keyring key-ring-name --key key-name --algorithm rsa-decrypt-oaep-2048-sha256 --target-key-file client-key.der

Use the command below to list key versions and their state.

    gcloud kms keys versions list --keyring key-ring-name --location us-central1 --key key-name

Note: Convert the private key to DER format and use that file to import the key. To convert the file to DER format you can use the command below.

    openssl pkey -in <~/client-key.pem> -outform DER -out <~/client-key.der>

Screenshot: key import failed

Screenshot: key import successful

Upvotes: 1

Ruben M

Reputation: 89

You should check the official documentation to manage your keys in CloudSQL.

Also review if your keys are supported.

Upvotes: 0
