Skip to main content

Google Cloud KMS Certificate Signing Request (CSR) Generation Tool

Project description

Google Cloud KMS Certificate Signing Request (CSR) Generation Tool

Features

  • List KMS key resource names within a specified region ID and/or project ID.
  • Get PEM-encoded public key for a given KMS key.
  • Generate CSR and sign it using KMS key.
    • Supports RSA (2048-4096, SHA256/SHA512), ECDSA (P-256, P-384, Secp256k1) and Ed25519 keys.
    • Automatically warns about possible compliance issues if the specified key is not HSM-protected or was imported (can be bypassed).
    • Subject X.509 name in the CSR is customized using RFC4514 string provided by the user.

Classic usage

Installation

Package available on PyPi:

pip3 install pykmstool

GCP Authentication

  1. Install the gcloud CLI
  2. Create application default credentials:
    gcloud auth application-default login
    

Tip: Alternatively, you can manually specify a service account JSON key file by appending --service-account-file path/to/credentials.json to every pykmstool command invocation in the further section.

Tip: If you need to specify quota project to use, please append --quota-project-id <...> on every invocation of pykmstool commands listed in the further section.

Tool usage

Generating a CSR

Generate and sign a CSR using a crypto key version specified by --key-version-name parameter. The name specified in the --x509-name parameter must be compliant with the RFC4514 format and will be embedded within the resulting CSR.

pykmstool sign-csr \
    --key-version-name projects/example-project/locations/europe-west6/keyRings/ExampleKeyRing/cryptoKeys/ExampleRSAKey1/cryptoKeyVersions/1 \
    --x509-name "C=US,O=Example Corp,CN=example.com"

Replace "US" with your two-letter country code, "Example Corp" with your organization name (company's name) and "example.com" with your company's domain.

See --help for all other available parameters.

Note: Required GCP IAM permissions:

cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.cryptoKeyVersions.useToSign

Note: IAM Condition to scope those permissions to a single key (optional):

(
  resource.type == "cloudkms.googleapis.com/CryptoKey" &&
  resource.name == "projects/{projectName}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{keyName}"
) || (
  resource.type == "cloudkms.googleapis.com/CryptoKeyVersion" &&
  resource.name.startsWith("projects/{projectName}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{keyName}/cryptoKeyVersions/"
)

Substitute {...} placeholders with appropriate names.

Tip: EV Code Signing Certificate Authorities would usually not be very strict about the X.509 Name embedded inside the Certificate Signing Request. If there were no special instructions about that provided by the CA, it should be fully sufficient to just set "C" (Country), "O" (Company name), "CN" (Company's domain) keys, just as in the example command provided above.

Getting a PEM public key for given key version

pykmstool get-public-key \
    --key-version-name projects/example-project/locations/europe-west6/keyRings/ExampleKeyRing/cryptoKeys/ExampleRSAKey1/cryptoKeyVersions/1

Note: Required GCP IAM permissions:

cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.viewPublicKey

Listing all enabled key versions globally or for a given location/project ID:

Resources will be listed only if the account has sufficient permissions to list resources.

# Only search within a specified project and location ID
pykmstool list-key-versions --project-id example-project --location-id europe-west6
# Search within a given location throughout all available projects
pykmstool list-key-versions --location-id europe-west6
# Search within a project throughout all possible locations (slow)
pykmstool list-key-versions --project-id example-project
# Search globally (slow)
pykmstool list-key-versions

Note: Required GCP IAM permissions (assuming that both --location-id and --project-id are provided):

cloudkms.keyRings.list
cloudkms.cryptoKeys.list	
cloudkms.cryptoKeyVersions.list	

Library usage

See src/pykmstool/kms_funcs.py for available functions.

Docker usage

Tip: With the Docker flow, you don't need to perform "Installation" and "GCP Authentication" steps listed above. The Docker version will automatically lead you through those processes.

Executing commands

docker run \
   -v ./gcloud-config:/root/.config/gcloud \
   -it ghcr.io/icedevml/pykmstool:v2.1.0 \
   -- \
   sign-csr \
   --key-version-name projects/example-project/locations/europe-west6/keyRings/ExampleKeyRing/cryptoKeys/ExampleRSAKey1/cryptoKeyVersions/1 \
   --x509-name "C=US,O=Example Corp,CN=example.com"

On the first run, this command will automatically lead you through the GCP sign in process.

See "Tool usage" section above for more information about supported commands.

Revoking authentication

Remember to invalidate your credentials after finishing work with the tool, which could be done using:

docker run \
   -v ./gcloud-config:/root/.config/gcloud \
   -it ghcr.io/icedevml/pykmstool:v2.1.0 \
   docker-revoke-credentials

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pykmstool-2.1.1.tar.gz (11.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pykmstool-2.1.1-py3-none-any.whl (13.5 kB view details)

Uploaded Python 3

File details

Details for the file pykmstool-2.1.1.tar.gz.

File metadata

  • Download URL: pykmstool-2.1.1.tar.gz
  • Upload date:
  • Size: 11.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pykmstool-2.1.1.tar.gz
Algorithm Hash digest
SHA256 42bdb1ce55d4cbe423118fce2edbedc7687a6c0191ebb65c6a86bdd42b77b93d
MD5 f61b6a14ed445d44b501b9d9a081dd9a
BLAKE2b-256 e492ba73259e57cd5544c3c291891d8bab0a9cfe86c83301d3f6a116d29409fe

See more details on using hashes here.

Provenance

The following attestation bundles were made for pykmstool-2.1.1.tar.gz:

Publisher: pypi-publish.yml on icedevml/pykmstool

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pykmstool-2.1.1-py3-none-any.whl.

File metadata

  • Download URL: pykmstool-2.1.1-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pykmstool-2.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 243eaf1858eb8cc99f5ef6811d426e2cf5c3cf59e6598a07d8551b8a84e84d8e
MD5 c50de85bf12756e187b78af9ca636df5
BLAKE2b-256 1621d12fffc6190e52cba78406ebd4802dca7c322d45bdcd3bdfb44b6f7bd2f4

See more details on using hashes here.

Provenance

The following attestation bundles were made for pykmstool-2.1.1-py3-none-any.whl:

Publisher: pypi-publish.yml on icedevml/pykmstool

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page