Delete certificate authorities
Certificate Authority Service lets you delete an existing certificate authority (CA). When you initiate deletion, a 30-day grace period begins. After the grace period ends, CA Service permanently deletes the CA and all of its nested artifacts, such as certificates and certificate revocation lists (CRLs).
Any customer-managed Google Cloud resources that were being used by the deleted CA, such as Cloud Storage buckets or Cloud Key Management Service keys, aren't deleted. For more information about Google-managed and customer-managed resources, see Manage resources.
A deleted CA isn't billed during the grace period. However, if you restore the CA, you are charged at the CA's billing tier for the time that the CA existed in the DELETED state.
Before you begin
Make sure you have the CA Service Operation Manager (roles/privateca.caManager) or the CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) role. For more information about the predefined IAM roles for CA Service, see Access control with IAM. For information about granting an IAM role, see Granting a single role.
Make sure the CA meets the following conditions:
- The CA must be in the AWAITING_USER_ACTIVATION, DISABLED, or STAGED state. For more information, see Certificate authority states.
- The CA must not contain active certificates. A certificate is considered active when it meets all of the following conditions:
  - The current date falls within the certificate's valid 'from' and 'to' dates.
  - The certificate hasn't been revoked.
  - The device or system using the certificate trusts the certificate authority (CA) that issued the certificate.
  Before deleting the CA, ensure that all active certificates that the CA has issued are revoked. You can't revoke certificates from a deleted CA.
Delete a CA
To initiate CA deletion, do the following:
Console
- Go to the Certificate authorities page in the Google Cloud console.
- In the list of CAs, select the CA you want to delete.
- Click Delete. The Delete Certificate Authority dialog appears.
- Optional: Select one or both of the following checkboxes if the conditions apply to you:
  - Delete this CA, even if there are active certificates: This option lets you delete a CA that still has active certificates. Deleting a CA with active certificates might cause websites, applications, or systems that rely on those certificates to fail. We recommend that you revoke all active certificates issued by a CA before you delete the CA.
  - Skip the 30 day grace period and delete this CA immediately: The 30-day grace period gives you time to revoke all certificates issued by this CA and to verify that no systems depend on it. We recommend that you use this option only in non-production or test environments, to prevent potential outages and data loss.
- Click Confirm.
gcloud
- Check the CA state to ensure that it is disabled. You can only delete CAs that are in the DISABLED state.
  gcloud privateca roots describe CA_ID --pool=POOL_ID \
    --format="value(state)"
  Replace the following:
  - CA_ID: The unique identifier of the CA.
  - POOL_ID: The name of the CA pool that contains the CA.
  For more information about the gcloud privateca roots describe command, see gcloud privateca roots describe.
- If the CA isn't disabled, run the following command to disable it:
  gcloud privateca roots disable CA_ID --pool=POOL_ID
  For more information about the gcloud privateca roots disable command, see gcloud privateca roots disable.
- Delete the CA:
  gcloud privateca roots delete CA_ID --pool=POOL_ID
  You can delete the CA even if it has active certificates by including the --ignore-active-certificates flag in your gcloud command. For more information about the gcloud privateca roots delete command, see gcloud privateca roots delete.
- When you are prompted, confirm that you want to delete the CA.
  After confirming, the CA is scheduled for deletion and the 30-day grace period begins. The command outputs the expected date and time when the CA will be deleted:
  Deleted Root CA [projects/PROJECT_ID/locations/us-west1/caPools/POOL_ID/certificateAuthorities/CA_ID] can be undeleted until 2020-08-14T19:28:39Z.
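The gcloud steps above wrapped in a POSIX shell pre-flight script, added here as an example and not taken from the Google Cloud documentation or tooling: it maps the reported CA state to the required action, disables and deletes the CA, prints the undelete deadline, and later confirms permanent deletion by the NOT_FOUND error this page documents under Check the expiration date of a deleted CA. The GCLOUD variable (assumed, so the binary can be swapped for a stub when testing) and the CA_ID and POOL_ID values are placeholders.

```shell
#!/bin/sh
# Pre-flight wrapper around the gcloud steps on this page (added example, not Google's code).
# GCLOUD lets the real binary be swapped for a stub; CA_ID/POOL_ID are placeholders.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# State as reported by "gcloud privateca roots describe --format=value(state)".
ca_state() {
  "$GCLOUD" privateca roots describe "$1" --pool="$2" --format="value(state)"
}

# Map a CA state to the next action. The page lists AWAITING_USER_ACTIVATION,
# DISABLED and STAGED as deletable; ENABLED must be disabled first; anything
# else (for example DELETED) is refused rather than guessed at.
plan_action() {
  case "$1" in
    AWAITING_USER_ACTIVATION|DISABLED|STAGED) echo delete ;;
    ENABLED) echo disable ;;
    *) echo refuse ;;
  esac
}

# Disable if needed, delete, then print the date the CA can be undeleted until.
# Optional third argument: --ignore-active-certificates (deletes despite active certs).
delete_ca() {
  ca="$1"; pool="$2"; extra="${3:-}"
  state="$(ca_state "$ca" "$pool")"
  case "$(plan_action "$state")" in
    disable) "$GCLOUD" privateca roots disable "$ca" --pool="$pool" ;;
    refuse)  echo "refusing: $ca is in state $state" >&2; return 1 ;;
  esac
  # $extra is intentionally unquoted: it is either empty or a single flag.
  "$GCLOUD" privateca roots delete "$ca" --pool="$pool" $extra --quiet
  "$GCLOUD" privateca roots describe "$ca" --pool="$pool" --format="value(expireTime.date())"
}

# After the grace period: succeeds only when describe fails with the NOT_FOUND
# error shown on this page, so a network or permission error is not mistaken
# for a completed deletion.
ca_is_gone() {
  err="$("$GCLOUD" privateca roots describe "$1" --pool="$2" 2>&1 >/dev/null)" && return 1
  case "$err" in
    *NOT_FOUND*) return 0 ;;
    *) echo "$err" >&2; return 1 ;;
  esac
}
```

Run it as `delete_ca CA_ID POOL_ID` after sourcing the file, and `ca_is_gone CA_ID POOL_ID` once the grace period has elapsed.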
Go, Java, and Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Check the expiration date of a deleted CA
To see when a CA will be permanently deleted, do the following:
Console
- Click the CA pool manager tab.
- Click the name of the CA pool that contained the CA you deleted.
You can see the expiration date of the CA in the table on the CA pool page.
gcloud
To check the expected deletion time for a CA, run the following command:
gcloud privateca roots describe CA_ID \
  --pool=POOL_ID \
  --format="value(expireTime.date())"
Replace the following:
- CA_ID: The name of the CA.
- POOL_ID: The name of the CA pool that contained the CA.
The command returns the expected date and time when CA Service deletes the CA:
2020-08-14T19:28:39
To verify that the CA has been permanently deleted, run the following command:
gcloud privateca roots describe CA_ID --pool=POOL_ID
If the CA is successfully deleted, the command returns the following error:
ERROR: (gcloud.privateca.roots.describe) NOT_FOUND: Resource 'projects/PROJECT_ID/locations/LOCATION/caPools/POOL_ID/certificateAuthorities/CA_ID' was not found
What's next
- Learn how to restore CAs.
- Learn about CA states.