
Updating and deleting a CA pool

This page explains how to perform the following operations:

  • Enable and disable CA certificate and CRL publication on Cloud Storage buckets.
  • Update labels for a CA pool.
  • Delete a CA pool.

Enabling CA certificate and CRL publication for CAs in a CA pool

CA Service enables CA certificate and CRL publication to Cloud Storage buckets by default when you create a new CA pool. If you disabled CA certificate and CRL publishing while creating the CA pool and want to enable them now, you can follow the instructions in this section.

To enable CA certificate publication and CRL publication for all CAs in a CA pool, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

  2. Under the CA pool manager tab, click the name of the CA pool you want to edit.

  3. On the CA pool page, click Edit.

  4. Under Configure allowed key algorithms and sizes, click Next.

  5. Under Configure accepted certificate request methods, click Next.

  6. Under Configure publishing options, click the toggle for Publish CA certificate to Cloud Storage bucket for CAs in this pool.

  7. Click the toggle for Publish CRL to Cloud Storage bucket for CAs in this pool.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --publish-crl --publish-ca-cert

Replace POOL_ID with the name of the CA pool.

If you enable --publish-ca-cert, CA Service writes each CA's CA certificate to a Cloud Storage bucket, whose path is specified in the CA resource, and the AIA extension in all issued certificates points to the Cloud Storage object URL that contains the CA certificate. If you enable --publish-crl, the CRL Distribution Point (CDP) extension in all issued certificates points to the Cloud Storage object URL that contains the CRL.

To learn more about enabling CRL publication for revoking certificates, see Revoking certificates.

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.

Disabling CA certificate and CRL publication for CAs in a CA pool

To disable CA certificate publication or CRL publication for all CAs in a CA pool, do the following:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

  2. Under the CA pool manager tab, click the name of the CA pool you want to edit.

  3. On the CA pool page, click Edit.

  4. Under Configure allowed key algorithms and sizes, click Next.

  5. Under Configure accepted certificate request methods, click Next.

  6. Under Configure publishing options, click the toggle for Publish CA certificate to Cloud Storage bucket for CAs in this pool.

  7. Click the toggle for Publish CRL to Cloud Storage bucket for CAs in this pool.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --no-publish-crl --no-publish-ca-cert

Replace POOL_ID with the name of the CA pool.

Disabling distribution points doesn't delete the Cloud Storage bucket or its permissions, and doesn't remove any CA certificates or CRLs that are already hosted there. It does, however, mean that future CRLs will no longer be published to the Cloud Storage bucket, and future certificates won't have the AIA and CDP extensions.

Adding or updating labels on a CA pool

A label is a key-value pair that helps you organize your CA Service resources. You can filter your resources based on their labels.

To add or update labels on a CA pool, do the following:

Console

To add a label, do the following:

  1. Go to the Certificate Authority Service page.

  2. In the CA pool manager tab, select the CA pool.

  3. Click Labels.

  4. Click Add label.

  5. Add a key-value pair.

  6. Click Save.

To edit an existing label, do the following:

  1. Go to the Certificate Authority Service page.

  2. In the CA pool manager tab, select the CA pool.

  3. Click Labels.

  4. Edit the value of the label.

  5. Click Save.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --update-labels foo=bar

Replace POOL_ID with the name of the CA pool.

Deleting a CA pool

You can delete a CA pool only after you have permanently deleted all CAs within that CA pool. CA Service permanently deletes a CA after a 30-day grace period from when the deletion process is initiated. For more information, see Deleting CAs.

To delete a CA pool, use the following instructions.

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.

  2. Click the CA pool manager tab.

  3. In the list of CA pools, select the CA pool you want to delete.

  4. Click Delete.

  5. In the dialog box that opens, click Confirm.

gcloud

Run the following command:

gcloud privateca pools delete POOL_ID

Replace POOL_ID with the name of the CA pool that you want to delete.

For more information about the gcloud privateca pools delete command, see gcloud privateca pools delete.

Code samples

Java


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DeleteCaPoolRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;

public class DeleteCaPool {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // pool_Id: The id of the CA pool to be deleted.
    String project = "your-project-id";
    String location = "ca-location";
    String pool_Id = "ca-pool-id";
    deleteCaPool(project, location, pool_Id);
  }

  // Delete the CA pool as mentioned by the pool_Id.
  // Before deleting the pool, all CAs in the pool MUST BE deleted.
  public static void deleteCaPool(String project, String location, String pool_Id)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Set the project, location and pool_Id to delete.
      CaPoolName caPool =
          CaPoolName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(pool_Id)
              .build();

      // Create the Delete request.
      DeleteCaPoolRequest deleteCaPoolRequest =
          DeleteCaPoolRequest.newBuilder().setName(caPool.toString()).build();

      // Delete the CA Pool.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient.deleteCaPoolCallable().futureCall(deleteCaPoolRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while deleting CA pool !" + response.getError());
        return;
      }

      System.out.println("Deleted CA Pool: " + pool_Id);
    }
  }
}

Python

import google.cloud.security.privateca_v1 as privateca_v1


def delete_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Delete the CA pool as mentioned by the ca_pool_name.
    Before deleting the pool, all CAs in the pool MUST BE deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool to be deleted.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the Delete request.
    request = privateca_v1.DeleteCaPoolRequest(name=ca_pool_path)

    # Delete the CA Pool.
    caServiceClient.delete_ca_pool(request=request)

    print("Deleted CA Pool:", ca_pool_name)
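Because a CA pool cannot be deleted while any CA remains in it, including a CA that is in the DELETED state but still inside the 30-day grace period, a practitioner usually wants to check the pool before issuing the delete and to learn why it is blocked when it is. The following pre-delete guard is an added example, not part of the Google Cloud documentation or of the google-cloud-private-ca samples. It calls the real client's `ca_pool_path`, `list_certificate_authorities` and `delete_ca_pool` methods; the client is passed in as a parameter (in production, `privateca_v1.CertificateAuthorityServiceClient()`) so that the logic can also be run against a stub. The `RemainingCa` dataclass and the `remaining_cas`, `explain_blockers` and `delete_ca_pool_if_empty` function names are this example's own.

```python
# Added example (not part of the Google Cloud documentation or the
# google-cloud-private-ca samples): a pre-delete guard for a CA pool.
#
# Deleting a CA pool fails while any CA still exists in it, including CAs
# in the DELETED state that are still inside the 30-day grace period.
# The functions below list the CAs that remain, explain why the pool is
# not yet deletable, and only call delete_ca_pool when the pool is empty.
#
# The client is passed in rather than created here so the logic can be
# exercised against a stub; in production pass
# privateca_v1.CertificateAuthorityServiceClient().

from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Iterable, Optional


@dataclass(frozen=True)
class RemainingCa:
    """One CA that still blocks deletion of its pool."""

    name: str                   # full resource name of the CA
    state: str                  # e.g. "ENABLED", "DISABLED", "DELETED"
    expire_time: Optional[str]  # when a DELETED CA is purged, if known


def _state_name(state: Any) -> str:
    # The real client returns an enum (CertificateAuthority.State); a stub
    # may hand back a plain string. Normalise both to the bare enum name.
    return getattr(state, "name", str(state))


def remaining_cas(client: Any, ca_pool_path: str) -> list[RemainingCa]:
    """List every CA still present in the pool, whatever its state.

    Uses CertificateAuthorityServiceClient.list_certificate_authorities,
    whose `parent` is the CA pool resource path.
    """
    found = []
    for ca in client.list_certificate_authorities(parent=ca_pool_path):
        expire = getattr(ca, "expire_time", None)
        found.append(
            RemainingCa(
                name=ca.name,
                state=_state_name(ca.state),
                expire_time=str(expire) if expire else None,
            )
        )
    return found


def explain_blockers(cas: Iterable[RemainingCa]) -> list[str]:
    """One human-readable reason per blocking CA, for an operator or a ticket."""
    reasons = []
    for ca in cas:
        if ca.state == "DELETED":
            when = ca.expire_time or "the end of the 30-day grace period"
            reasons.append(f"{ca.name}: scheduled for deletion, purged at {when}")
        else:
            reasons.append(f"{ca.name}: state {ca.state}; disable and delete it first")
    return reasons


def delete_ca_pool_if_empty(
    client: Any, project_id: str, location: str, ca_pool_name: str
) -> tuple[bool, list[str]]:
    """Delete the pool only when no CA remains.

    Returns (deleted, reasons). `reasons` is empty when the deletion was
    issued; otherwise it lists why the pool was left in place.
    """
    ca_pool_path = client.ca_pool_path(project_id, location, ca_pool_name)
    blockers = explain_blockers(remaining_cas(client, ca_pool_path))
    if blockers:
        return False, blockers
    # Same call as the documented sample above; the returned long-running
    # operation is waited on so a failure surfaces here rather than later.
    operation = client.delete_ca_pool(request={"name": ca_pool_path})
    operation.result()
    return True, []
```

Run `delete_ca_pool_if_empty(privateca_v1.CertificateAuthorityServiceClient(), project_id, location, ca_pool_name)` and log the returned reasons; when a CA is still in its grace period the reason carries the purge time, which tells the operator when the pool deletion can be retried.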