x509 | use TypeScript/Javascript library | TLS library

Inject the GoogleCredentials and set it on the storage object

To access the Directory API using a service account, you have to use domain-wide delegation. See Perform Google Workspace Domain-Wide Delegation of Authority for details.

The command is for bash so obviously it can't run in PowerShell. There are many changes necessary

• PowerShell currently doesn't support process substitution (which is that <(command) part) so you must save the output into file
• The escape character in PowerShell is ` and not \ so you must replace all those escape characters to the correct one

So the result would be something like this

Currently there is no public api for updating a public key, but Tapkey is able to use a Firebase oidc discovery document url instead of public keys. If configured, Tapkey would automatically handle such key rollovers.

Firebase discovery document urls usually looks like https://securetoken.google.com/[firebase-project-id]/.well-known/openid-configuration.

However, this feature is not publicly available at this time. Send a request for activating the feature to Tapkey Support and they will enable it for you.

You may use jq to extract or manipulate data from your logfile.

Note, you can also generate syslog messages by setting

The field client_x509_cert_url contains a URL which contains multiple certificates. Each certificate contains a public key. Select the correct certificate based on the private_key_id. Then extract the public key.

I wrote the following code in 2018 to demonstrate how to create a Signed JWT using a service account and then verify the Signed JWT using Google public certificates. This example supports the Python OpenSSL and Cryptography libraries.

Once you have created a Signed JWT, you must exchange that for an Access Token. My website has articles that detail that step also.

The problem is that your intermediate CA ica.crt is no CA at all. It is missing basicConstraints=critical,CA:TRUE as extension. This means ica.crt is only a leaf certificate which should not be used to sign other certificates.

While openssl does not complain when using a certificate without such extension for signing, it will not be able to build the trust chain because ica.crt is not a valid issuer of server.crt due to the missing CA:TRUE constraint.

Adding the constraints make everything work, i.e.

You can use self-signed certificates for backend services. You cannot use self-signed certificates for frontend services.

Google Cloud HTTP Load Balancers only accept SSL certificates that are Domain Validated or higher.

Do not confuse Self Managed and Self Signed certificates.

Self-managed and Google-managed SSL certificates

The error message in your question means you are importing the wrong private key. You also have another error VALIDITY=3650. Public facing SSL certificates cannot be longer than 825 days (I think the practice is 398 days now), almost all vendors will not issue one longer than 365 days. For certificates valid longer than 365 days require even more details attached to the certificate.

You don't really need regex to find the string, you can try: