Enable, disable, and restore certificate authorities
This topic explains how you can manage the state of your certificate authority (CA).
Enable a CA
All subordinate CAs are created in the AWAITING_USER_ACTIVATION state, and they are set to the STAGED state after activation. All root CAs are created in the STAGED state by default. You must change the CA state to ENABLED to include it in a CA pool's certificate issuance rotation. For more information about the operational states of a CA, see Certificate authority states.
To enable a CA that is in the STAGED or DISABLED state, use the following instructions:
Console
In the Google Cloud console, go to the Certificate authorities page.
Under Certificate authorities, select your target CA.
Click Enable.
In the dialog that opens, click Confirm.
gcloud
To enable a root CA, use the following command:
gcloud privateca roots enable CA_ID --pool POOL_ID
Where:
- CA_ID is the unique identifier of the CA.
- POOL_ID is the unique identifier of the CA pool to which the CA belongs.
For more information about the gcloud privateca roots enable
command, see gcloud privateca roots enable.
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Disable a CA
Disabling a CA prevents it from issuing certificates. All certificate requests to a disabled CA are rejected. Other functionalities, such as revoking certificates, publishing Certificate Revocation Lists (CRLs), and updating the CA metadata can still take place. Disabling a CA does not invalidate certificates it has already issued; those remain valid until they expire or you revoke them, so if you are disabling a CA because you suspect compromise, revoke the affected certificates as well.
To disable a CA, use the following instructions:
Console
In the Google Cloud console, go to the Certificate authorities page.
Under Certificate authorities, select your target CA.
Click Disable.
In the dialog that opens, click Confirm.
gcloud
To disable a root CA, use the following command:
gcloud privateca roots disable CA_ID --pool POOL_ID
Replace the following:
- CA_ID is the unique identifier of the root CA that you want to disable.
- POOL_ID is the unique identifier of the CA pool to which the root CA belongs.
For more information about the gcloud privateca roots disable
command, see gcloud privateca roots disable.
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Restore a CA
When a CA is scheduled for deletion, there is a 30-day grace period before it is deleted. During the grace period, a CA Service Operation Manager (roles/privateca.caManager) or CA Service Admin (roles/privateca.admin) can stop the deletion process. You can restore a CA only during the grace period.
To restore a CA that is scheduled for deletion, use the following instructions. A restored CA is returned to the DISABLED state; enable it separately if it should issue certificates again.
Console
In the Google Cloud console, go to the Certificate authorities page.
Under Certificate authorities, select the CA that you want to restore.
Click Restore.
In the dialog that opens, click Confirm.
Check that the CA is now in the DISABLED state.
gcloud
Confirm that the CA is in the DELETED state:
gcloud privateca roots describe CA_ID \
    --pool POOL_ID \
    --format="value(state)"
Where:
- CA_ID is the unique identifier of the CA.
- POOL_ID is the unique identifier of the CA pool to which the CA belongs.
- The --format flag sets the format for printing command output resources; value(state) prints only the state field.
The command returns DELETED.
Restore the CA:
gcloud privateca roots undelete CA_ID --pool POOL_ID
Where:
- CA_ID is the unique identifier of the CA.
- POOL_ID is the unique identifier of the CA pool to which the CA belongs.
For more information about the gcloud privateca roots undelete command, see gcloud privateca roots undelete.
Confirm that the state of the CA is now DISABLED:
gcloud privateca roots describe CA_ID \
    --pool POOL_ID \
    --format="value(state)"
Where:
- CA_ID is the unique identifier of the CA.
- POOL_ID is the unique identifier of the CA pool to which the CA belongs.
- The --format flag sets the format for printing command output resources; value(state) prints only the state field.
The command returns DISABLED.
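The enable, disable and restore procedures above are all state transitions on a root CA, and a restore only gets the CA back to DISABLED, so an operator who wants a restored CA issuing again has to chain undelete and enable and should confirm the observed state after each command rather than assume it took effect. The following script is an added example, not code from the CA Service documentation: it wraps the same gcloud privateca roots describe/enable/disable/undelete commands shown on this page in a small reconciler that only uses the transitions this page documents (STAGED or DISABLED to ENABLED, ENABLED to DISABLED, DELETED to DISABLED via undelete) and refuses anything else, such as a subordinate CA still in AWAITING_USER_ACTIVATION. The function names ca_state, next_step and reconcile, the helper's behaviour, and the sample identifiers my-root-ca and my-pool are assumptions for illustration; it assumes gcloud is installed and authenticated.

```shell
#!/bin/sh
# Added example (not from the CA Service docs): move a root CA to a target state
# using only the transitions documented on this page, verifying each step.
set -eu

# Read the CA's current state with the same describe/--format call as above.
ca_state() {  # usage: ca_state CA_ID POOL_ID
  gcloud privateca roots describe "$1" --pool "$2" --format="value(state)"
}

# Decide the next gcloud verb for moving from $1 (current) toward $2 (target).
# Prints one of: enable, disable, undelete, done, blocked.
# "blocked" means the page documents no transition from here: for example a
# subordinate CA in AWAITING_USER_ACTIVATION must be activated first, and
# STAGED -> DISABLED is not described on this page, so it is not attempted.
next_step() {
  current=$1
  target=$2
  case "$target" in
    ENABLED)
      case "$current" in
        ENABLED) echo done ;;
        STAGED|DISABLED) echo enable ;;
        DELETED) echo undelete ;;   # undelete lands in DISABLED; enable follows
        *) echo blocked ;;
      esac ;;
    DISABLED)
      case "$current" in
        DISABLED) echo done ;;
        ENABLED) echo disable ;;
        DELETED) echo undelete ;;
        *) echo blocked ;;
      esac ;;
    *) echo blocked ;;
  esac
}

# Apply steps until the target is reached, re-reading the state after every
# command instead of trusting that it succeeded. Returns 1 if a transition is
# blocked or the observed state does not match the documented result.
reconcile() {  # usage: reconcile CA_ID POOL_ID ENABLED|DISABLED
  ca=$1
  pool=$2
  want=$3
  for attempt in 1 2 3; do          # DELETED -> ENABLED needs two commands
    state=$(ca_state "$ca" "$pool")
    step=$(next_step "$state" "$want")
    case "$step" in
      done)
        echo "$ca is $state"
        return 0 ;;
      blocked)
        echo "cannot move $ca from $state to $want with documented transitions" >&2
        return 1 ;;
      enable|disable|undelete)
        echo "$ca: $state -> running 'gcloud privateca roots $step'"
        gcloud privateca roots "$step" "$ca" --pool "$pool" ;;
    esac
  done
  state=$(ca_state "$ca" "$pool")
  [ "$state" = "$want" ] || { echo "expected $want, observed $state" >&2; return 1; }
}

# Real invocation (hypothetical identifiers): ./ca-state.sh my-root-ca my-pool ENABLED
if [ $# -eq 3 ]; then
  reconcile "$1" "$2" "$3"
fi
```

Because next_step is a pure function of (current state, target state), the transition table can be reviewed and tested without touching a real CA; reconcile is the only part that runs gcloud, and it bounds itself to three attempts so a CA that keeps reporting an unexpected state cannot put the script into a loop.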
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
What's next
- Learn about CA states.
- Learn how to delete CAs.