認証局の有効化、無効化、復元
このトピックでは、認証局(CA)の状態を管理する方法について説明します。
CA を有効にする
下位 CA はすべて AWAITING_USER_ACTIVATION
状態に作成され、有効化後に STAGED
状態に設定されます。すべてのルート CA は、デフォルトで STAGED
状態に作成されます。CA プールの証明書発行ローテーションに CA の状態を含めるには、CA の状態を ENABLED
に変更する必要があります。CA の運用状態の詳細については、認証局の状態をご覧ください。
STAGED
または DISABLED
状態の CA を有効にするには、次の手順に従います。
コンソール
Google Cloud コンソールで、[Certificate Authority Service] ページに移動します。
[認証局] で、ターゲット CA を選択します。
[有効にする] をクリックします。
表示されたダイアログで [登録解除] をクリックします。
gcloud
ルート CA を有効にするには、次のコマンドを使用します。
gcloud privateca roots enable CA_ID --pool POOL_ID
ここで
- CA_ID は、CA の一意の識別子です。
- POOL_ID は、CA が属する CA プールの一意の識別子です。
gcloud privateca roots enable
コマンドの詳細については、gcloud privateca roots enable をご覧ください。
Go
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)
// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
// projectId := "your_project_id"
// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
// caPoolId := "ca-pool-id" // The id of the CA pool under which the CA is present.
// caId := "ca-id" // The id of the CA to be enabled.
ctx := context.Background()
caClient, err := privateca.NewCertificateAuthorityClient(ctx)
if err != nil {
return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
}
defer caClient.Close()
fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
projectId, location, caPoolId, caId)
// Create the EnableCertificateAuthorityRequest.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}
op, err := caClient.EnableCertificateAuthority(ctx, req)
if err != nil {
return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
}
var caResp *privatecapb.CertificateAuthority
if caResp, err = op.Wait(ctx); err != nil {
return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
}
if caResp.State != privatecapb.CertificateAuthority_ENABLED {
return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
}
fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
return nil
}
Java
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
public class EnableCertificateAuthority {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: The id of the CA pool under which the CA is present.
// certificateAuthorityName: The name of the CA to be enabled.
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
String certificateAuthorityName = "certificate-authority-name";
enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
}
// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
public static void enableCertificateAuthority(
String project, String location, String poolId, String certificateAuthorityName)
throws IOException, ExecutionException, InterruptedException {
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// Create the Certificate Authority Name.
CertificateAuthorityName certificateAuthorityParent =
CertificateAuthorityName.newBuilder()
.setProject(project)
.setLocation(location)
.setCaPool(poolId)
.setCertificateAuthority(certificateAuthorityName)
.build();
// Create the Enable Certificate Authority Request.
EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
EnableCertificateAuthorityRequest.newBuilder()
.setName(certificateAuthorityParent.toString())
.build();
// Enable the Certificate Authority.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.enableCertificateAuthorityCallable()
.futureCall(enableCertificateAuthorityRequest);
Operation response = futureCall.get();
if (response.hasError()) {
System.out.println("Error while enabling Certificate Authority !" + response.getError());
return;
}
// Get the current CA state.
State caState =
certificateAuthorityServiceClient
.getCertificateAuthority(certificateAuthorityParent)
.getState();
// Check if the CA is enabled.
if (caState == State.ENABLED) {
System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
} else {
System.out.println(
"Cannot enable the Certificate Authority ! Current CA State: " + caState);
}
}
}
}
Python
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import google.cloud.security.privateca_v1 as privateca_v1
def enable_certificate_authority(
project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
"""
Enable the Certificate Authority present in the given ca pool.
CA cannot be enabled if it has been already deleted.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: the name of the CA pool under which the CA is present.
ca_name: the name of the CA to be enabled.
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
ca_path = caServiceClient.certificate_authority_path(
project_id, location, ca_pool_name, ca_name
)
# Create the Enable Certificate Authority Request.
request = privateca_v1.EnableCertificateAuthorityRequest(
name=ca_path,
)
# Enable the Certificate Authority.
operation = caServiceClient.enable_certificate_authority(request=request)
operation.result()
# Get the current CA state.
ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
# Check if the CA is enabled.
if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
print("Enabled Certificate Authority:", ca_name)
else:
print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)
CA を無効にする
CA を無効にすると、CA は証明書を発行できなくなります。無効になっている CA へのすべての証明書リクエストは拒否されます。証明書の取り消し、証明書失効リスト(CRL)の公開、CA メタデータの更新など、その他の機能は引き続き使用できます。
CA を無効にするには、次の手順に従います。
コンソール
Google Cloud コンソールで、[Certificate Authority Service] ページに移動します。
[認証局] で、ターゲット CA を選択します。
[無効にする] をクリックします。
表示されたダイアログで [登録解除] をクリックします。
gcloud
ルート CA を無効にするには、次のコマンドを使用します。
gcloud privateca roots disable CA_ID --pool POOL_ID
次のように置き換えます。
- CA_ID は、無効にするルート CA の一意の識別子です。
- POOL_ID は、ルート CA が属する CA プールの一意の識別子です。
gcloud privateca roots disable
コマンドの詳細については、gcloud privateca roots disable をご覧ください。
Go
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)
// Disable a Certificate Authority from the specified CA pool.
func disableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
// projectId := "your_project_id"
// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
// caPoolId := "ca-pool-id" // The id of the CA pool under which the CA is present.
// caId := "ca-id" // The id of the CA to be disabled.
ctx := context.Background()
caClient, err := privateca.NewCertificateAuthorityClient(ctx)
if err != nil {
return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
}
defer caClient.Close()
fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
projectId, location, caPoolId, caId)
// Create the DisableCertificateAuthorityRequest.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#DisableCertificateAuthorityRequest.
req := &privatecapb.DisableCertificateAuthorityRequest{Name: fullCaName}
op, err := caClient.DisableCertificateAuthority(ctx, req)
if err != nil {
return fmt.Errorf("DisableCertificateAuthority failed: %w", err)
}
var caResp *privatecapb.CertificateAuthority
if caResp, err = op.Wait(ctx); err != nil {
return fmt.Errorf("DisableCertificateAuthority failed during wait: %w", err)
}
if caResp.State != privatecapb.CertificateAuthority_DISABLED {
return fmt.Errorf("unable to disabled Certificate Authority. Current state: %s", caResp.State.String())
}
fmt.Fprintf(w, "Successfully disabled Certificate Authority: %s.", caId)
return nil
}
Java
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DisableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
public class DisableCertificateAuthority {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: The id of the CA pool under which the CA is present.
// certificateAuthorityName: The name of the CA to be disabled.
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
String certificateAuthorityName = "certificate-authority-name";
disableCertificateAuthority(project, location, poolId, certificateAuthorityName);
}
// Disable a Certificate Authority which is present in the given CA pool.
public static void disableCertificateAuthority(
String project, String location, String poolId, String certificateAuthorityName)
throws IOException, ExecutionException, InterruptedException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// Create the Certificate Authority Name.
CertificateAuthorityName certificateAuthorityNameParent =
CertificateAuthorityName.newBuilder()
.setProject(project)
.setLocation(location)
.setCaPool(poolId)
.setCertificateAuthority(certificateAuthorityName)
.build();
// Create the Disable Certificate Authority Request.
DisableCertificateAuthorityRequest disableCertificateAuthorityRequest =
DisableCertificateAuthorityRequest.newBuilder()
.setName(certificateAuthorityNameParent.toString())
.build();
// Disable the Certificate Authority.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.disableCertificateAuthorityCallable()
.futureCall(disableCertificateAuthorityRequest);
Operation response = futureCall.get();
if (response.hasError()) {
System.out.println("Error while disabling Certificate Authority !" + response.getError());
return;
}
// Get the current CA state.
State caState =
certificateAuthorityServiceClient
.getCertificateAuthority(certificateAuthorityNameParent)
.getState();
// Check if the Certificate Authority is disabled.
if (caState == State.DISABLED) {
System.out.println("Disabled Certificate Authority : " + certificateAuthorityName);
} else {
System.out.println(
"Cannot disable the Certificate Authority ! Current CA State: " + caState);
}
}
}
}
Python
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import google.cloud.security.privateca_v1 as privateca_v1
def disable_certificate_authority(
project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
"""
Disable a Certificate Authority which is present in the given CA pool.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: the name of the CA pool under which the CA is present.
ca_name: the name of the CA to be disabled.
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
ca_path = caServiceClient.certificate_authority_path(
project_id, location, ca_pool_name, ca_name
)
# Create the Disable Certificate Authority Request.
request = privateca_v1.DisableCertificateAuthorityRequest(name=ca_path)
# Disable the Certificate Authority.
operation = caServiceClient.disable_certificate_authority(request=request)
operation.result()
# Get the current CA state.
ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
# Check if the CA is disabled.
if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
print("Disabled Certificate Authority:", ca_name)
else:
print("Cannot disable the Certificate Authority ! Current CA State:", ca_state)
CA を復元する
CA が削除されるようにスケジュールされている場合、削除される前に 30 日間の猶予期間があります。猶予期間中は、CA Service オペレーション マネージャー(roles/privateca.caManager
)または CA Service 管理者(roles/privateca.admin
)が削除プロセスを停止できます。CA は猶予期間中にのみ復元できます。
削除されるようスケジュール設定された CA を復元するには、次の手順に従います。
コンソール
Google Cloud コンソールで、[Certificate Authority Service] ページに移動します。
[認証局] タブで、復元する CA を選択します。
[復元] をクリックします。
表示されたダイアログで [登録解除] をクリックします。
CA が
DISABLED
状態になっていることを確認します。
gcloud
CA が
DELETED
状態であることを確認します。gcloud privateca roots describe CA_ID \ --pool POOL_ID \ --format="value(state)"
ここで
- CA_ID は、CA の一意の識別子です。
- POOL_ID は、CA が属する CA プールの一意の識別子です。
--format
フラグを使用すると、コマンド出力リソースの印刷をフォーマットできます。
このコマンドからは、
DELETED
が返されます。CA を復元します。
gcloud privateca roots undelete CA_ID --pool POOL_ID
ここで
- CA_ID は、CA の一意の識別子です。
- POOL_ID は、CA が属する CA プールの一意の識別子です。
gcloud privateca roots undelete
コマンドの詳細については、gcloud privateca roots undelete をご覧ください。CA の状態が
DISABLED
になったことを確認します。gcloud privateca roots describe CA_ID \ --pool POOL_ID \ --format="value(state)"
ここで
- CA_ID は、CA の一意の識別子です。
- POOL_ID は、CA が属する CA プールの一意の識別子です。
--format
フラグを使用すると、コマンド出力リソースの印刷をフォーマットできます。
このコマンドからは、
DISABLED
が返されます。
Go
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import (
"context"
"fmt"
"io"
privateca "cloud.google.com/go/security/privateca/apiv1"
"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)
// Undelete a Certificate Authority from the specified CA pool.
func unDeleteCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
// projectId := "your_project_id"
// location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
// caPoolId := "ca-pool-id" // The id of the CA pool under which the CA is present.
// caId := "ca-id" // The id of the CA to be undeleted.
ctx := context.Background()
caClient, err := privateca.NewCertificateAuthorityClient(ctx)
if err != nil {
return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
}
defer caClient.Close()
fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
projectId, location, caPoolId, caId)
// Check if the CA is deleted.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#GetCertificateAuthorityRequest.
caReq := &privatecapb.GetCertificateAuthorityRequest{Name: fullCaName}
caResp, err := caClient.GetCertificateAuthority(ctx, caReq)
if err != nil {
return fmt.Errorf("GetCertificateAuthority failed: %w", err)
}
if caResp.State != privatecapb.CertificateAuthority_DELETED {
return fmt.Errorf("you can only undelete deleted Certificate Authorities. %s is not deleted", caId)
}
// Create the UndeleteCertificateAuthority.
// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#UndeleteCertificateAuthorityRequest.
req := &privatecapb.UndeleteCertificateAuthorityRequest{Name: fullCaName}
op, err := caClient.UndeleteCertificateAuthority(ctx, req)
if err != nil {
return fmt.Errorf("UndeleteCertificateAuthority failed: %w", err)
}
if caResp, err = op.Wait(ctx); err != nil {
return fmt.Errorf("UndeleteCertificateAuthority failed during wait: %w", err)
}
if caResp.State == privatecapb.CertificateAuthority_DELETED {
return fmt.Errorf("unable to undelete Certificate Authority. Current state: %s", caResp.State.String())
}
fmt.Fprintf(w, "Successfully undeleted Certificate Authority: %s.", caId)
return nil
}
Java
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.UndeleteCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
public class UndeleteCertificateAuthority {
public static void main(String[] args)
throws InterruptedException, ExecutionException, TimeoutException, IOException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: The id of the CA pool under which the deleted CA is present.
// certificateAuthorityName: The name of the CA to be restored (undeleted).
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
String certificateAuthorityName = "certificate-authority-name";
undeleteCertificateAuthority(project, location, poolId, certificateAuthorityName);
}
// Restore a deleted CA, if still within the grace period of 30 days.
public static void undeleteCertificateAuthority(
String project, String location, String poolId, String certificateAuthorityName)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
String certificateAuthorityParent =
CertificateAuthorityName.of(project, location, poolId, certificateAuthorityName)
.toString();
// Confirm if the CA is in DELETED stage.
if (getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
!= State.DELETED) {
System.out.println("CA is not deleted !");
return;
}
// Create the Request.
UndeleteCertificateAuthorityRequest undeleteCertificateAuthorityRequest =
UndeleteCertificateAuthorityRequest.newBuilder()
.setName(certificateAuthorityParent)
.build();
// Undelete the CA.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.undeleteCertificateAuthorityCallable()
.futureCall(undeleteCertificateAuthorityRequest);
Operation response = futureCall.get(5, TimeUnit.SECONDS);
// CA state changes from DELETED to DISABLED if successfully restored.
// Confirm if the CA is DISABLED.
if (response.hasError()
|| getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
!= State.DISABLED) {
System.out.println(
"Unable to restore the Certificate Authority! Please try again !"
+ response.getError());
return;
}
// The CA will be in the DISABLED state. Enable before use.
System.out.println(
"Successfully restored the Certificate Authority ! " + certificateAuthorityName);
}
}
// Get the current state of CA.
private static State getCurrentState(
CertificateAuthorityServiceClient client, String certificateAuthorityParent) {
return client.getCertificateAuthority(certificateAuthorityParent).getState();
}
}
Python
CA Service への認証を行うには、アプリケーションのデフォルト認証情報を設定します。 詳細については、ローカル開発環境の認証の設定をご覧ください。
import google.cloud.security.privateca_v1 as privateca_v1
def undelete_certificate_authority(
project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
"""
Restore a deleted CA, if still within the grace period of 30 days.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: the name of the CA pool under which the deleted CA is present.
ca_name: the name of the CA to be restored (undeleted).
"""
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
ca_path = caServiceClient.certificate_authority_path(
project_id, location, ca_pool_name, ca_name
)
# Confirm if the CA is in DELETED stage.
ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
if ca_state != privateca_v1.CertificateAuthority.State.DELETED:
print("CA is not deleted !")
return
# Create the Request.
request = privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_path)
# Undelete the CA.
operation = caServiceClient.undelete_certificate_authority(request=request)
result = operation.result()
print("Operation result", result)
# Get the current CA state.
ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
# CA state changes from DELETED to DISABLED if successfully restored.
# Confirm if the CA is DISABLED.
if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
print("Successfully undeleted Certificate Authority:", ca_name)
else:
print(
"Unable to restore the Certificate Authority! Please try again! Current state:",
ca_state,
)