A generic example of creating a private key and saving it to Secret Manager.
The alternative is to create a CSR and have GCP Private CA sign it.
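# Abort on the first failed command, unset variable, or failed pipeline stage,
# so a failed key generation cannot silently feed an empty file to gcloud.
set -euo pipefail

# Key material written below must never be readable by other users, even
# transiently, so tighten the umask before openssl creates any file.
umask 077

# Project / account context for the gcloud calls below.
# Assignment is split from 'export' so a failing gcloud call is not masked.
PROJECT_ID=$(gcloud config get-value core/project)
export PROJECT_ID
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)')
export PROJECT_NUMBER
GCLOUD_USER=$(gcloud config get-value core/account)
export GCLOUD_USER

# Subject DN shared by the self-signed CA and the Private CA root. OpenSSL and
# gcloud spell the same DN differently (slash- vs comma-separated).
readonly OPENSSL_SUBJECT="/C=US/ST=California/L=Mountain View/O=Collaborator 1 LLC/CN=collaborator-1.com"
readonly GCLOUD_SUBJECT="C=US,ST=California,L=Mountain View,O=Collaborator 1 LLC,CN=collaborator-1.com"
readonly CA_LOCATION=us-central1
readonly CA_POOL=my-pool-1

# create private key and csr
# NOTE: without -subj, openssl prompts interactively for the CSR subject
# fields; -noenc leaves the key unencrypted on disk.
openssl req -out csr.pem -new -noenc -newkey rsa:2048 -keyout privatekey.key

# Self-signed CA certificate (10 years) and its unencrypted private key.
openssl req -x509 -newkey rsa:4096 -keyout privatekey.pem \
  -out cert.pem -sha256 -days 3650 -nodes \
  -subj "${OPENSSL_SUBJECT}"

# Store both halves in Secret Manager. The certificate is public; the key is
# the sensitive one — consider removing privatekey.pem from disk once stored.
gcloud secrets create tls-ca-crt --replication-policy=automatic --data-file=cert.pem
gcloud secrets create tls-ca-key --replication-policy=automatic --data-file=privatekey.pem

# Grant the current account read access to both secrets.
for secret in tls-ca-crt tls-ca-key; do
  gcloud secrets add-iam-policy-binding "${secret}" \
    --member="user:${GCLOUD_USER}" \
    --role=roles/secretmanager.secretAccessor
done

# Confirm the key is readable, but discard the payload so the private key is
# not echoed into terminal scrollback or CI logs.
gcloud secrets versions access 1 --secret=tls-ca-key >/dev/null

# Alternative path: a Private CA root signs the CSR generated above.
gcloud privateca pools create "${CA_POOL}" --location="${CA_LOCATION}"
gcloud privateca roots create ca-1 --location="${CA_LOCATION}" \
  --pool "${CA_POOL}" --auto-enable \
  --subject "${GCLOUD_SUBJECT}"
gcloud privateca certificates create cert1 --issuer-pool "${CA_POOL}" \
  --csr csr.pem \
  --cert-output-file mycert.pem \
  --validity "P30D" --issuer-location="${CA_LOCATION}"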