Habilitar, inhabilitar y restablecer autoridades certificadoras

En este tema, se explica cómo puedes administrar el estado de tu autoridad certificadora (AC).

Habilita una AC

Todas las AC subordinadas se crean en el estado AWAITING_USER_ACTIVATION y se establecen en el estado STAGED después de la activación. Todas las AC raíz se crean en el estado STAGED de forma predeterminada. Debes cambiar el estado de la AC a ENABLED para incluirlo en la rotación de la emisión de certificados de un grupo de AC. Para obtener más información sobre los estados operativos de una AC, consulta Estados de la autoridad certificadora.

Para habilitar una AC que tiene el estado STAGED o DISABLED, sigue estas instrucciones:

Console

  1. En la consola de Google Cloud, ve a la página Certificate Authority Service.

    Ir a Certificate Authority Service

  2. En Autoridades de certificación, selecciona tu CA de destino.

  3. Haz clic en Habilitar.

  4. En el cuadro de diálogo que se abre, haz clic en Confirmar.

gcloud

Para habilitar una AC raíz, usa el siguiente comando:

gcloud privateca roots enable CA_ID --pool POOL_ID

Aquí:

  • CA_ID es el identificador único de la AC.
  • POOL_ID es el identificador único del grupo de AC al que pertenece la AC.

Para obtener más información sobre el comando gcloud privateca roots enable, consulta gcloud privateca roots enable.

Go

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
	return nil
}

Java

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import google.cloud.security.privateca_v1 as privateca_v1

def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)

Inhabilitar una AC

Cuando se inhabilita una AC, se evita que emita certificados. Se rechazan todas las solicitudes de certificados de una AC inhabilitada. Aún se pueden realizar otras funcionalidades, como la revocación de certificados, la publicación de listas de revocación de certificados (CRL) y la actualización de los metadatos de la AC.

Para inhabilitar una AC, sigue estas instrucciones:

Console

  1. En la consola de Google Cloud, ve a la página Certificate Authority Service.

    Ir a Certificate Authority Service

  2. En Autoridades de certificación, selecciona tu CA de destino.

  3. Haga clic en Inhabilitar.

  4. En el cuadro de diálogo que se abre, haz clic en Confirmar.

gcloud

Para inhabilitar una AC raíz, usa el siguiente comando.

gcloud privateca roots disable CA_ID --pool POOL_ID

Reemplaza lo siguiente:

  • CA_ID es el identificador único de la AC raíz que deseas inhabilitar.
  • POOL_ID es el identificador único del grupo de AC al que pertenece la AC raíz.

Para obtener más información sobre el comando gcloud privateca roots disable, consulta gcloud privateca roots disabled.

Go

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Disable a Certificate Authority from the specified CA pool.
func disableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be disabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the DisableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#DisableCertificateAuthorityRequest.
	req := &privatecapb.DisableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.DisableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("DisableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("DisableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_DISABLED {
		return fmt.Errorf("unable to disabled Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully disabled Certificate Authority: %s.", caId)
	return nil
}

Java

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DisableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class DisableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be disabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    disableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Disable a Certificate Authority which is present in the given CA pool.
  public static void disableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityNameParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Disable Certificate Authority Request.
      DisableCertificateAuthorityRequest disableCertificateAuthorityRequest =
          DisableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityNameParent.toString())
              .build();

      // Disable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .disableCertificateAuthorityCallable()
              .futureCall(disableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while disabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityNameParent)
              .getState();

      // Check if the Certificate Authority is disabled.
      if (caState == State.DISABLED) {
        System.out.println("Disabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot disable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import google.cloud.security.privateca_v1 as privateca_v1

def disable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Disable a Certificate Authority which is present in the given CA pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be disabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Disable Certificate Authority Request.
    request = privateca_v1.DisableCertificateAuthorityRequest(name=ca_path)

    # Disable the Certificate Authority.
    operation = caServiceClient.disable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is disabled.
    if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
        print("Disabled Certificate Authority:", ca_name)
    else:
        print("Cannot disable the Certificate Authority ! Current CA State:", ca_state)

Restablece una AC

Cuando se programa la eliminación de una AC, hay un período de gracia de 30 días antes de que se borre. Durante el período de gracia, un administrador de operaciones de CA Service (roles/privateca.caManager) o un administrador de CA Service (roles/privateca.admin) pueden detener el proceso de eliminación. Puedes restablecer una AC solo durante el período de gracia.

Si deseas restablecer una AC que está programada para borrarse al estado inhabilitado, sigue estas instrucciones:

Console

  1. En la consola de Google Cloud, ve a la página Certificate Authority Service.

    Ir a Certificate Authority Service

  2. En la pestaña Autoridades de certificación, selecciona la AC que deseas restablecer.

  3. Haz clic en Restore.

  4. En el cuadro de diálogo que se abre, haz clic en Confirmar.

  5. Comprueba que la AC ahora esté en el estado DISABLED.

gcloud

  1. Confirma que la AC esté en el estado DELETED.

    gcloud privateca roots describe CA_ID \
  --pool POOL_ID \
  --format="value(state)"

    Aquí:

    • CA_ID es el identificador único de la AC.
    • POOL_ID es el identificador único del grupo de AC al que pertenece la AC.
    • La marca --format se usa para establecer el formato de los recursos de resultado del comando de impresión.

    El comando muestra DELETED.

  2. Restablece la AC.

    gcloud privateca roots undelete CA_ID --pool POOL_ID

    Aquí:

    • CA_ID es el identificador único de la AC.
    • POOL_ID es el identificador único del grupo de AC al que pertenece la AC.

    Para obtener más información sobre el comando gcloud privateca roots undelete, consulta gcloud privateca roots undelete.

  3. Confirma que el estado de la CA ahora sea DISABLED.

    gcloud privateca roots describe CA_ID \
  --pool POOL_ID \
  --format="value(state)"

    Aquí:

    • CA_ID es el identificador único de la AC.
    • POOL_ID es el identificador único del grupo de AC al que pertenece la AC.
    • La marca --format se usa para establecer el formato de los recursos de resultado del comando de impresión.

    El comando muestra DISABLED.

Go

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Undelete a Certificate Authority from the specified CA pool.
func unDeleteCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be undeleted.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Check if the CA is deleted.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#GetCertificateAuthorityRequest.
	caReq := &privatecapb.GetCertificateAuthorityRequest{Name: fullCaName}
	caResp, err := caClient.GetCertificateAuthority(ctx, caReq)
	if err != nil {
		return fmt.Errorf("GetCertificateAuthority failed: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_DELETED {
		return fmt.Errorf("you can only undelete deleted Certificate Authorities. %s is not deleted", caId)
	}

	// Create the UndeleteCertificateAuthority.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#UndeleteCertificateAuthorityRequest.
	req := &privatecapb.UndeleteCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.UndeleteCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("UndeleteCertificateAuthority failed: %w", err)
	}

	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("UndeleteCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State == privatecapb.CertificateAuthority_DELETED {
		return fmt.Errorf("unable to undelete Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully undeleted Certificate Authority: %s.", caId)
	return nil
}

Java

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.UndeleteCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class UndeleteCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, TimeoutException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the deleted CA is present.
    // certificateAuthorityName: The name of the CA to be restored (undeleted).
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    undeleteCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Restore a deleted CA, if still within the grace period of 30 days.
  public static void undeleteCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String certificateAuthorityParent =
          CertificateAuthorityName.of(project, location, poolId, certificateAuthorityName)
              .toString();

      // Confirm if the CA is in DELETED stage.
      if (getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
          != State.DELETED) {
        System.out.println("CA is not deleted !");
        return;
      }

      // Create the Request.
      UndeleteCertificateAuthorityRequest undeleteCertificateAuthorityRequest =
          UndeleteCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent)
              .build();

      // Undelete the CA.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .undeleteCertificateAuthorityCallable()
              .futureCall(undeleteCertificateAuthorityRequest);

      Operation response = futureCall.get(5, TimeUnit.SECONDS);

      // CA state changes from DELETED to DISABLED if successfully restored.
      // Confirm if the CA is DISABLED.
      if (response.hasError()
          || getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
          != State.DISABLED) {
        System.out.println(
            "Unable to restore the Certificate Authority! Please try again !"
                + response.getError());
        return;
      }

      // The CA will be in the DISABLED state. Enable before use.
      System.out.println(
          "Successfully restored the Certificate Authority ! " + certificateAuthorityName);
    }
  }

  // Get the current state of CA.
  private static State getCurrentState(
      CertificateAuthorityServiceClient client, String certificateAuthorityParent) {
    return client.getCertificateAuthority(certificateAuthorityParent).getState();
  }
}

Python

Para autenticarte en CA Service, configura las credenciales predeterminadas de la aplicación. Si deseas obtener más información, consulta Configura la autenticación para un entorno de desarrollo local. 

import google.cloud.security.privateca_v1 as privateca_v1

def undelete_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Restore a deleted CA, if still within the grace period of 30 days.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the deleted CA is present.
        ca_name: the name of the CA to be restored (undeleted).
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Confirm if the CA is in DELETED stage.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
    if ca_state != privateca_v1.CertificateAuthority.State.DELETED:
        print("CA is not deleted !")
        return

    # Create the Request.
    request = privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_path)

    # Undelete the CA.
    operation = caServiceClient.undelete_certificate_authority(request=request)
    result = operation.result()

    print("Operation result", result)

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # CA state changes from DELETED to DISABLED if successfully restored.
    # Confirm if the CA is DISABLED.
    if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
        print("Successfully undeleted Certificate Authority:", ca_name)
    else:
        print(
            "Unable to restore the Certificate Authority! Please try again! Current state:",
            ca_state,
        )

¿Qué sigue?