How to obtain an attestation file and CSR from Google Cloud HSM
Overview
By the end of this guide, you will have created a signing key in a Google Cloud Hardware Security Module (HSM), exported its attestation file, generated a Certificate Signing Request (CSR) signed by that key, and submitted both to a Certificate Authority (CA). Because the private key is generated inside the HSM and never leaves it, the CSR is signed through Cloud KMS rather than from a key file on disk. The guide covers the prerequisites and Identity and Access Management (IAM) roles, setting up the environment with the Google Cloud command-line interface (CLI), creating a key ring and key through the Cloud Key Management Service (KMS), obtaining the attestation file, generating the CSR, and submitting the files.
Prerequisites
- A Google Cloud project with billing enabled. Cloud HSM is a managed service, so there is no hardware for you to provision; the key ring must simply be created in a location that offers the HSM protection level.
- The Cloud KMS Admin (roles/cloudkms.admin) role, to create the key ring and key, and the Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier) role, to sign the CSR with the key and read its public key. The CryptoKey Encrypter/Decrypter role applies to encryption keys and is not needed for a signing key.
- The Google Cloud command-line interface (CLI) installed
- OpenSSL installed, together with a PKCS #11 engine (for example OpenSC's libp11, packaged on Debian and Ubuntu as libengine-pkcs11-openssl) and Google's Cloud KMS PKCS #11 library (libkmsp11.so, from the GoogleCloudPlatform/kms-integrations releases), for generating the CSR
Step 1: Set up your environment
- Log in to Google Cloud:
gcloud auth login
- Set your project (replace [PROJECT_ID] with your project ID):
gcloud config set project [PROJECT_ID]
- Enable the Cloud Key Management Service (KMS) API:
gcloud services enable cloudkms.googleapis.com
Step 2: Create a key ring and key
- Create a key ring (replace the placeholders with your values, and choose a [LOCATION] that supports the HSM protection level):
gcloud kms keyrings create [KEY_RING_NAME] --location [LOCATION]
- Create an asymmetric signing key protected by the HSM. The private key is generated inside the HSM and cannot be exported; the first key version is created automatically and is named 1:
gcloud kms keys create [KEY_NAME] \
--keyring [KEY_RING_NAME] --location [LOCATION] \
--purpose asymmetric-signing \
--default-algorithm rsa-sign-pkcs1-2048-sha256 \
--protection-level hsm
Check your CA's key requirements before choosing the algorithm. Publicly trusted code-signing certificates require RSA keys of at least 3072 bits, so rsa-sign-pkcs1-3072-sha256 (or an EC algorithm such as ec-sign-p256-sha256) may be required instead of the 2048-bit key shown above.
Step 3: Obtain the attestation file
The attestation is a statement signed inside the HSM that records the key's attributes, including that the private key is non-extractable. It is produced per key version; for the key just created, use version 1.
Export it from the Google Cloud Console (preferred):
- Go to the Key Management page and select the key ring and key.
- For the desired key version, click More (three dots) and select "Verify attestation."
- Click "Download attestation bundle" to obtain a ZIP file containing the attestation and certificate chains.
Alternatively, use the CLI, which writes the attestation straight to a file:
gcloud kms keys versions describe [KEY_VERSION] \
--key [KEY_NAME] --keyring [KEY_RING_NAME] --location [LOCATION] \
--attestation-file attestation.dat
Download the certificate chains the CA uses to validate the attestation signature:
gcloud kms keys versions get-certificate-chain [KEY_VERSION] \
--key [KEY_NAME] --keyring [KEY_RING_NAME] --location [LOCATION] \
--certificate-chain-type all --output-file certificate_chains.pem
The attestation file is gzip-compressed (the describe output reports its format as CAVIUM_V2_COMPRESSED). Submit it exactly as exported; do not base64-decode it, and only decompress it (gunzip -c attestation.dat > attestation.bin) if your CA explicitly asks for the raw form.
Step 4: Generate a CSR
Create a configuration file named csr_config.txt, replacing the placeholders with your details:
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = [COUNTRY]
ST = [STATE]
L = [CITY]
O = [ORGANIZATION]
OU = [ORGANIZATIONAL_UNIT]
CN = [COMMON_NAME]
The private key never leaves the HSM, so OpenSSL cannot sign the request from a key file; the CSR has to be signed by the HSM through Cloud KMS. The route below uses Google's Cloud KMS PKCS #11 library (libkmsp11.so) behind OpenSSL's pkcs11 engine. The library authenticates with Application Default Credentials, which are separate from gcloud auth login, so run gcloud auth application-default login first if you have not. Start by exporting the public key so you can confirm the finished CSR carries it:
gcloud kms keys versions get-public-key [KEY_VERSION] \
--key [KEY_NAME] --keyring [KEY_RING_NAME] --location [LOCATION] \
--output-file public_key.pem
Create kms_pkcs11.yaml pointing the library at the key ring:
---
tokens:
  - key_ring: "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING_NAME]"
Generate the CSR, then verify its self-signature and check that the public key it carries is the one exported from KMS (the diff should print nothing). If your engine build does not read PKCS11_MODULE_PATH, set MODULE_PATH in the pkcs11 engine section of your openssl.cnf instead:
export KMS_PKCS11_CONFIG="$PWD/kms_pkcs11.yaml"
export PKCS11_MODULE_PATH=/path/to/libkmsp11.so
openssl req -new -sha256 -engine pkcs11 -keyform engine \
-key "pkcs11:object=[KEY_NAME]" -config csr_config.txt -out request.csr
openssl req -in request.csr -noout -verify -pubkey | diff - public_key.pem
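For teams that would rather sign the CSR from code than through the PKCS #11 engine, the same step can be done with any X.509 library that accepts an external signer. The Go program below is an added example, not part of this article and not Google's tooling. It implements crypto.Signer over a callback that signs a SHA-256 digest; in production that callback would wrap the Cloud KMS AsymmetricSign call for the key version created in Step 2 (an assumed integration, not shown here), whereas LocalDemoSigner stands in with a throwaway local key so the program runs offline. The names SignDigest, hsmSigner, BuildCSR, VerifyCSR and LocalDemoSigner are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// SignDigest is the one operation delegated to the HSM: sign a SHA-256 digest
// with RSASSA-PKCS1-v1_5 and return the raw signature. In production it would
// wrap the Cloud KMS AsymmetricSign RPC (assumed integration, not shown here).
type SignDigest func(digest []byte) ([]byte, error)

// hsmSigner satisfies crypto.Signer without ever holding a private key, so
// x509.CreateCertificateRequest can have the CSR signed inside the HSM.
type hsmSigner struct {
	pub  crypto.PublicKey
	sign SignDigest
}

func (s *hsmSigner) Public() crypto.PublicKey { return s.pub }

// Sign receives the digest of the CertificationRequestInfo from crypto/x509.
// It rejects parameters an rsa-sign-pkcs1-2048-sha256 key cannot honour.
func (s *hsmSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if _, isPSS := opts.(*rsa.PSSOptions); isPSS {
		return nil, errors.New("hsmSigner: RSA-PSS requested, key is PKCS#1 v1.5")
	}
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("hsmSigner: hash %v requested, key requires SHA-256", opts.HashFunc())
	}
	return s.sign(digest)
}

// BuildCSR returns a PEM-encoded PKCS#10 request for pub whose signature was
// produced by signFn.
func BuildCSR(pub crypto.PublicKey, subject pkix.Name, signFn SignDigest) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: subject, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, &hsmSigner{pub: pub, sign: signFn})
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// VerifyCSR checks the request's self-signature and that the embedded public
// key is exactly the one exported from KMS, before anything goes to the CA.
func VerifyCSR(csrPEM []byte, pub crypto.PublicKey) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	if got, ok := csr.PublicKey.(*rsa.PublicKey); !ok || !got.Equal(pub) {
		return errors.New("CSR public key does not match the HSM public key")
	}
	return nil
}

// LocalDemoSigner stands in for the HSM so the example runs offline: a throwaway
// RSA key whose private half is reachable only through the SignDigest callback.
func LocalDemoSigner() (crypto.PublicKey, SignDigest, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &priv.PublicKey, func(digest []byte) ([]byte, error) {
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
	}, nil
}

func main() {
	pub, signFn, err := LocalDemoSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample subject; use the values from csr_config.txt in practice.
	subject := pkix.Name{Country: []string{"US"}, Organization: []string{"Example Org"}, CommonName: "Example Org Code Signing"}
	csr, err := BuildCSR(pub, subject, signFn)
	if err != nil {
		panic(err)
	}
	if err := VerifyCSR(csr, pub); err != nil {
		panic(err)
	}
	fmt.Print(string(csr))
}
```

VerifyCSR performs the same two checks as the openssl commands above: the request's self-signature must verify, and the public key inside the request must be the one the HSM reported, so a CSR built against the wrong key version is caught before it reaches the CA.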
Step 5: Submit the files to the Certificate Authority (CA)
- Submit request.csr and the attestation exactly as exported (attestation.dat from the CLI, or the attestation bundle downloaded from the Console) to your chosen Certificate Authority, along with the certificate chains if the CA asks for them.
- Complete the CA's submission process. Some CAs charge a fee for attestation services. The CA validates the attestation against the HSM certificate chains and checks that the attested key is the one in the CSR; once that passes, wait for the CA to issue your code-signing certificate.
Troubleshooting
- Permission errors: verify your Identity and Access Management (IAM) roles (Cloud KMS Admin to create the key ring and key; Cloud KMS CryptoKey Signer/Verifier to sign and to read the public key) and ensure the Cloud KMS API is enabled. For the PKCS #11 route, the library uses Application Default Credentials, which are separate from gcloud auth login.
- Invalid attestation: make sure you submitted the attestation as exported, without base64-decoding or decompressing it, and that it belongs to the same key version whose public key appears in the CSR.
- CSR issues: confirm that csr_config.txt is correct, that openssl req -in request.csr -noout -verify reports the self-signature as valid, and that the public key in the CSR matches the one returned by get-public-key.
Need assistance?
Contact our team for help with your purchase or issuing your certificate.