Managing certificate authorities

This page describes how to manage Certificate Authorities (CAs) in the Certificate Authority Service, including how to enable, disable, delete, restore, and update them. Details about creating a new CA are in the quickstart.

Disabling a CA

Disabling a CA prevents it from issuing certificates; any certificate requests to a disabled CA will be rejected. Other functionality, such as revoking certificates, publishing Certificate Revocation Lists (CRLs), and updating the CA metadata can still take place.

A disabled CA will continue to be billed at its usual billing tier.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Under CAs, pick your target CA.

  3. Navigate to Actions. You may need to click on Hide info panel or click on the right arrow until Actions is visible.

  4. Click on Disable CA.

  5. In the dialog that opens, click on Confirm.

gcloud

gcloud beta privateca roots disable CA_NAME

Enabling a CA

To undo this action, you can enable the CA.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Under CAs, pick your target CA.

  3. Navigate to Actions.

  4. Click on Enable CA.

  5. In the dialog that opens, click on Confirm.

gcloud

gcloud beta privateca roots enable CA_NAME

Deleting a CA

Deleting a CA will initiate the deletion process for the certificate authority. Once initiated, the CA will be scheduled for deletion in 30 days. After the grace period, the CA and all nested artifacts will be permanently deleted. This includes certificates and certificate revocation lists. Note that Google Cloud resources being used with a CA (for example, user-provided Cloud Storage buckets or Cloud KMS keys) that are not Google-managed will not be deleted.

If the CA is successfully deleted, you will be credited for the thirty days that the CA was billed for during the grace period. However, if the CA is restored, you are charged at the CA's billing tier for the time that the CA existed in the PENDING_DELETION state.

As suggested above, the Cloud KMS key backing the certificate authority and the Cloud Storage bucket will not be deleted if they were specified by the customer.

The following preconditions must be met before a CA can be deleted:

  • The CA must be in the DISABLED state.
  • The CA must not contain active certificates. Only revoked or expired certificates may exist. Alternatively, the CA certificate should be revoked.

To initiate CA deletion, use the following steps:

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Under CAs, pick your target CA.

  3. Navigate to Actions.

  4. Click on Delete CA.

  5. In the dialog that opens, click on Confirm.

gcloud

  1. Check the CA state to ensure it is DISABLED. Only DISABLED CAs can be deleted.

    gcloud beta privateca roots describe CA_NAME \
        --format="value(state)"
    
  2. If the CA is not disabled, disable it with the gcloud disable command.

    gcloud beta privateca roots disable CA_NAME
    
  3. Revoke any active certificates. The following script will iterate through and revoke all active certificates that exist under this CA. The length of the operation will depend on the number of certificates you have under the CA.

    CERTS_TO_REVOKE="$(gcloud beta privateca certificates list  \
      --issuer "CA_NAME"  \
      --format="table(name, revocation_details)"  \
      | grep -Po "([^\s]+)(?=\s+ACTIVE)")"
    
    for CERT in $CERTS_TO_REVOKE; do
      gcloud beta privateca certificates revoke --certificate "$CERT" \
      --issuer "CA_NAME" --quiet
    done
    
  4. Delete the CA.

    gcloud beta privateca roots delete CA_NAME
    
  5. When you are prompted, confirm that you want to delete the CA.

    After confirming, the CA is scheduled for deletion and the 30-day grace period begins. The command outputs the expected date and time when the CA will be deleted.

    Scheduled Root CA [projects/joonix-pki/locations/us-west1/certificateAuthorities/CA_NAME] for deletion at 2020-08-14T19:28:39Z.
    
  6. To check the expected deletion time for a CA, use the describe command.

    gcloud beta privateca roots describe CA_NAME \
      --format="value(deletionTime.date())"
    

    The command returns the expected date and time when the CA will be deleted.

    2020-08-14T19:28:39
    
  7. To verify that the CA has been permanently deleted, use the describe command.

    gcloud beta privateca roots describe CA_NAME
    

    If the CA was successfully deleted, the command returns an error.

    ERROR: (gcloud.beta.privateca.roots.describe) NOT_FOUND: Resource 'projects/joonix-pki/locations/LOCATION/certificateAuthorities/CA_NAME' was not found
    

Restoring a CA

When a Certificate Authority is scheduled for deletion, there is a 30-day grace period before the CA is deleted. During the grace period, a CA Manager or CA Admin can stop the process.

A CA can be restored only during the grace period. To restore a CA that is scheduled to be deleted to the disabled state, use the following steps:

Console

Restoring a CA through the Cloud Console is not currently supported. Please use gcloud to restore a CA.

gcloud

  1. Confirm that the CA is in the PENDING_DELETION state.

    gcloud beta privateca roots describe CA_NAME \
    --format="value(state)"
    

    The command should output PENDING_DELETION.

  2. Restore the CA.

    gcloud beta privateca roots restore CA_NAME
    
  3. Confirm the state of the CA is now DISABLED

    gcloud beta privateca roots describe CA_NAME \
      --format="value(state)"
    

    The command should output DISABLED.

Because the CA is restored in a DISABLED state, the CA cannot issue certificates until you enable it.

Updating a CA

Use the following commands to update the configuration for a CA in Certificate Authority Service.

Disabling distribution points will not delete the Cloud Storage bucket or its permissions, and will not remove any CA certificates or CRLs that are already hosted there. It will, however, mean that future CRLs will no longer be published to the Cloud Storage bucket, and future certificates will be missing the AIA and CDP extensions.

Console

Updating a CA through the Cloud Console is not currently supported. Please use gcloud to update a CA.

gcloud

To disable the AIA and CDP extensions in a CA:

gcloud beta privateca roots update CA_NAME \
    --no-publish-crl \
    --no-publish-ca-cert

To enable the AIA and CDPs extensions in a CA:

gcloud beta privateca roots update CA_NAME \
    --publish-crl \
    --publish-ca-cert

To update labels on a CA:

gcloud beta privateca roots update CA_NAME \
    --update-labels foo=bar

To update a CA's issuance policy:

gcloud beta privateca roots update CA_NAME \
    --issuance-policy new_policy.yaml

To learn more about distribution points, see Revoking certificates. To learn more about issuance policies, see Using an issuance policy.

Cloning a CA

If you have an existing CA that you'd like to clone (for example, as a way of renewing the CA, or to create a new instance with the same configuration), you can do so using the following command.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Under CAs, pick your target CA.

  3. Navigate to Actions.

  4. Click on Create copy.

  5. On Select CA Type, overwrite existing values as desired.

    1. If you want to copy a CA to another region, change Location.
  6. Click on Next.

  7. If the CA is in the same location, change Resource ID. Otherwise, overwrite existing values as desired.

  8. Click on Next.

  9. For steps 3-5, overwrite existing values as desired, and then click on Next.

  10. On Review, click on Create.

gcloud

gcloud beta privateca roots create NEW-CA-NAME \
  --from-ca EXISTING-CA-NAME \
  --from-ca-location EXISTING-CA-LOCATION

Where:

  • The --from-ca flag is supported for root and subordinate CA creation. If the existing CA is in a different project, you can signify this by adding the --from-ca-project flag.
  • This flag will copy all CA configuration from the existing CA (except for the KMS key version and Cloud Storage bucket). However, you can still override any of the configuration values in the new CA by explicitly providing the appropriate flag. For example, you can still specify --subject SUBJECT to use a new subject.

Enumerating root CAs

Follow these steps to enumerate root certificate authorities.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. In the Filter table box, set Type to Root.

  3. All root CAs are listed under CAs with Type set as Root.

gcloud

gcloud beta privateca roots list --location LOCATION

Enumerating subordinate CAs

Follow these steps to enumerate subordinate certificate authorities.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. In the Filter table box, set Type to Subordinate.

  3. All root CAs are listed under CAs with Type set as Subordinate.

gcloud

gcloud beta privateca subordinates list --location LOCATION