Managing CA state

This topic explains how you can manage the state of your certificate authority (CA).

Enabling a CA

All subordinate CAs are created in the AWAITING_USER_ACTIVATION state, and they are set to the STAGED state after activation. All root CAs are created in the STAGED state by default. You must change the CA state to ENABLED to include it in a CA pool's certificate issuance rotation. For more information about the operational states of a CA, see Certificate authority states.

To enable a CA that is in the STAGED or DISABLED state, use the following instructions:

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

  2. Under Certificate authorities, select your target CA.

  3. Click Enable.

  4. In the dialog that opens, click Confirm.

gcloud

To enable a root CA, use the following gcloud command.

gcloud privateca roots enable CA_ID --pool POOL_ID

To enable a subordinate CA, use gcloud privateca subordinates enable with the same arguments.

Where:

  • CA_ID is the unique identifier of the CA.
  • POOL_ID is the unique identifier of the CA pool to which the CA belongs.

For more information about the gcloud privateca roots enable command, see gcloud privateca roots enable.

Code samples

Java


import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given CA pool. The CA must be in the
  // STAGED or DISABLED state; a CA that has been deleted must be undeleted first.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. The try-with-resources block closes it and
    // cleans up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // Build the fully qualified resource name of the CA.
      CertificateAuthorityName caName =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder().setName(caName.toString()).build();

      // Enable the CA. This is a long-running operation: block until it completes (get() throws
      // if the operation failed) so that the state check below observes the finished transition
      // rather than an in-flight one.
      CertificateAuthority enabledCa =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityAsync(enableCertificateAuthorityRequest)
              .get();
      System.out.println("Enable operation finished for " + enabledCa.getName());

      // Confirm by reading the CA state back, as the gcloud procedure does.
      State caState =
          certificateAuthorityServiceClient.getCertificateAuthority(caName).getState();

      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

import google.cloud.security.privateca_v1 as privateca_v1


def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given CA pool.
    The CA must be in the STAGED or DISABLED state; a deleted CA must be undeleted first.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = ca_service_client.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(name=ca_path)

    # Enable the Certificate Authority. This is a long-running operation; result()
    # blocks until it completes (and raises if it failed), so the state check
    # below observes the finished transition.
    operation = ca_service_client.enable_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

    # Confirm by reading the CA state back.
    ca_state = ca_service_client.get_certificate_authority(name=ca_path).state

    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority! Current CA State:", ca_state)

Disabling a CA

Disabling a CA prevents it from issuing certificates and removes it from the CA pool's issuance rotation; if the pool contains other ENABLED CAs, requests to the pool continue to be served by them. All certificate requests sent directly to a disabled CA are rejected. Other functionality, such as revoking certificates, publishing Certificate Revocation Lists (CRLs), and updating the CA metadata, still works, so disabling a CA does not interrupt revocation checking for certificates it has already issued.

To disable a CA, use the following instructions:

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

  2. Under Certificate authorities, select your target CA.

  3. Click Disable.

  4. In the dialog that opens, click Confirm.

gcloud

To disable a root CA, use the following gcloud command.

gcloud privateca roots disable CA_ID --pool POOL_ID

To disable a subordinate CA, use gcloud privateca subordinates disable with the same arguments.

Where:

  • CA_ID is the unique identifier of the CA that you want to disable.
  • POOL_ID is the unique identifier of the CA pool to which the CA belongs.

For more information about the gcloud privateca roots disable command, see gcloud privateca roots disable.

Code samples

Java


import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DisableCertificateAuthorityRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class DisableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be disabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    disableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Disable a Certificate Authority which is present in the given CA pool. A disabled CA
  // stops issuing certificates but can still revoke them and publish CRLs.
  public static void disableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. The try-with-resources block closes it and
    // cleans up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Build the fully qualified resource name of the CA.
      CertificateAuthorityName caName =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Disable Certificate Authority Request.
      DisableCertificateAuthorityRequest disableCertificateAuthorityRequest =
          DisableCertificateAuthorityRequest.newBuilder().setName(caName.toString()).build();

      // Disable the CA. This is a long-running operation: block until it completes (get() throws
      // if the operation failed) so that the state check below observes the finished transition
      // rather than an in-flight one.
      CertificateAuthority disabledCa =
          certificateAuthorityServiceClient
              .disableCertificateAuthorityAsync(disableCertificateAuthorityRequest)
              .get();
      System.out.println("Disable operation finished for " + disabledCa.getName());

      // Confirm by reading the CA state back, as the gcloud procedure does.
      State caState =
          certificateAuthorityServiceClient.getCertificateAuthority(caName).getState();

      if (caState == State.DISABLED) {
        System.out.println("Disabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot disable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

import google.cloud.security.privateca_v1 as privateca_v1


def disable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Disable a Certificate Authority which is present in the given CA pool.
    A disabled CA stops issuing certificates but can still revoke them and publish CRLs.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be disabled.
    """

    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = ca_service_client.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Disable Certificate Authority Request.
    request = privateca_v1.DisableCertificateAuthorityRequest(name=ca_path)

    # Disable the Certificate Authority. This is a long-running operation; result()
    # blocks until it completes (and raises if it failed), so the state check
    # below observes the finished transition.
    operation = ca_service_client.disable_certificate_authority(request=request)
    result = operation.result()

    print("Operation result:", result)

    # Confirm by reading the CA state back.
    ca_state = ca_service_client.get_certificate_authority(name=ca_path).state

    if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
        print("Disabled Certificate Authority:", ca_name)
    else:
        print("Cannot disable the Certificate Authority! Current CA State:", ca_state)

Restoring a CA

When a CA is scheduled for deletion, there is a 30-day grace period before it is permanently deleted. During the grace period, a CA Service Operation Manager (roles/privateca.caManager) or CA Service Admin (roles/privateca.admin) can cancel the deletion. You can restore a CA only during the grace period; once it ends, the CA can no longer be recovered.

A restored CA returns to the DISABLED state, not to ENABLED, so it issues no certificates until you explicitly enable it again. To restore a CA that is scheduled for deletion, use the following instructions:

  1. Confirm that the CA is in the DELETED state.

    gcloud privateca roots describe CA_ID \
      --pool POOL_ID \
      --format="value(state)"
    

    Where:

    • CA_ID is the unique identifier of the CA.
    • POOL_ID is the unique identifier of the CA pool to which the CA belongs.
    • --format flag is used to set the format for printing command output resources.

    The command returns DELETED. If it returns a different state, the CA is not scheduled for deletion and there is nothing to restore; if the CA no longer exists, the grace period has ended and the CA cannot be restored.

  2. Restore the CA.

    gcloud privateca roots undelete CA_ID --pool POOL_ID
    

    Where:

    • CA_ID is the unique identifier of the CA.
    • POOL_ID is the unique identifier of the CA pool to which the CA belongs.

    For a subordinate CA, use gcloud privateca subordinates undelete with the same arguments. For more information about the gcloud privateca roots undelete command, see gcloud privateca roots undelete.

  3. Confirm the state of the CA is now DISABLED.

    gcloud privateca roots describe CA_ID \
      --pool POOL_ID \
      --format="value(state)"
    

    Where:

    • CA_ID is the unique identifier of the CA.
    • POOL_ID is the unique identifier of the CA pool to which the CA belongs.
    • --format flag is used to set the format for printing command output resources.

    The command returns DISABLED.
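The enable, disable and restore procedures on this page all have the same shape: start a long-running operation, then read the CA state back to confirm the transition actually happened. The following Python helper is an added example, not code from this page or from Google's samples. It generalises the three procedures into one idempotent routine driven only by the transitions this page documents (STAGED or DISABLED to ENABLED, ENABLED to DISABLED, DELETED to DISABLED by undelete inside the 30-day grace period); transitions the page does not document, such as activating a subordinate CA out of AWAITING_USER_ACTIVATION or deleting a CA, are deliberately refused. FakeCaClient is a constructed stand-in for privateca_v1.CertificateAuthorityServiceClient so that the module runs offline; it lets only an ENABLED CA be disabled, which is a simplifying assumption. With the real client, ensure_state calls the same get_certificate_authority, enable_certificate_authority, disable_certificate_authority and undelete_certificate_authority methods with the flattened name= argument, and the .result() wait is assumed to behave as in the page's own Python sample.

```python
from collections import deque
from types import SimpleNamespace

GRACE_PERIOD_DAYS = 30  # deletion grace period stated on this page

# (from_state, to_state) -> method on CertificateAuthorityServiceClient.
# Only the transitions this page documents are listed; anything else is refused.
TRANSITIONS = {
    ("STAGED", "ENABLED"): "enable_certificate_authority",
    ("DISABLED", "ENABLED"): "enable_certificate_authority",
    ("ENABLED", "DISABLED"): "disable_certificate_authority",
    ("DELETED", "DISABLED"): "undelete_certificate_authority",
}


def state_name(state) -> str:
    """Normalise CertificateAuthority.State (an enum) or a plain string to the enum name."""
    return getattr(state, "name", str(state))


def current_state(client, ca_path: str) -> str:
    return state_name(client.get_certificate_authority(name=ca_path).state)


def plan(start: str, target: str) -> list:
    """Shortest sequence of (expected_state, client_method) from start to target.

    Raises ValueError when the page documents no route, e.g. from
    AWAITING_USER_ACTIVATION (the subordinate CA must be activated first).
    """
    if start == target:
        return []
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        for (src, dst), method in TRANSITIONS.items():
            if src != state or dst in seen:
                continue
            step = path + [(dst, method)]
            if dst == target:
                return step
            seen.add(dst)
            queue.append((dst, step))
    raise ValueError(f"no documented route from {start} to {target}")


def ensure_state(client, ca_path: str, target: str) -> list:
    """Drive the CA at ca_path to target; return the client methods called, in order.

    Each step waits for the long-running operation and then re-reads the state,
    mirroring the page's confirm step, instead of trusting the operation result.
    """
    target = target.upper()
    called = []
    for expected, method in plan(current_state(client, ca_path), target):
        getattr(client, method)(name=ca_path).result()  # block until the LRO finishes
        observed = current_state(client, ca_path)
        if observed != expected:
            raise RuntimeError(f"{method} finished but CA is {observed}, expected {expected}")
        called.append(method)
    return called


class FakeCaClient:
    """Constructed offline stand-in for privateca_v1.CertificateAuthorityServiceClient.

    It models only the state field and the four calls used above. Enable requires
    STAGED or DISABLED and undelete requires the grace period, as the page states;
    allowing disable only from ENABLED is a simplifying assumption.
    """

    def __init__(self, state: str, days_since_delete: int = 0):
        self.state = state
        self.days_since_delete = days_since_delete

    def get_certificate_authority(self, name: str):
        return SimpleNamespace(name=name, state=self.state)

    def _transition(self, allowed_from, new_state):
        if self.state not in allowed_from:
            raise RuntimeError(f"cannot move a {self.state} CA to {new_state}")
        self.state = new_state
        # The real call returns an operation; result() blocks and returns the CA.
        return SimpleNamespace(result=lambda: SimpleNamespace(state=new_state))

    def enable_certificate_authority(self, name: str):
        return self._transition({"STAGED", "DISABLED"}, "ENABLED")

    def disable_certificate_authority(self, name: str):
        return self._transition({"ENABLED"}, "DISABLED")

    def undelete_certificate_authority(self, name: str):
        if self.days_since_delete > GRACE_PERIOD_DAYS:
            raise RuntimeError("grace period has expired; the CA can no longer be restored")
        return self._transition({"DELETED"}, "DISABLED")


if __name__ == "__main__":
    ca = "projects/p/locations/us-central1/caPools/pool/certificateAuthorities/ca"
    client = FakeCaClient("DELETED", days_since_delete=3)
    print(ensure_state(client, ca, "ENABLED"), client.state)
```

Driving a CA from DELETED to ENABLED performs undelete and then enable, confirming the state after each step, which is exactly the restore procedure above followed by the enable procedure. A CA whose grace period has expired cannot be undeleted; the helper fails at that step instead of reporting success, and a CA that is already in the target state results in no API calls at all.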

What's next