Delete a CA pool

This page explains how to delete a CA pool.

You can delete a CA pool only after you have permanently deleted all CAs within that CA pool. CA Service permanently deletes a CA after a 30-day grace period from when the deletion process is initiated. For more information, see Delete CAs.

To delete a CA pool, use the following instructions.

Console

  1. Go to the Certificate Authority Service page in the Google Cloud console.
  2. Go to Certificate Authority Service

  3. Click the CA pool manager tab.
  4. In the list of CA pools, select the CA pool you want to delete.
  5. Click Delete.
  6. Permanently delete a CA pool.
  7. In the dialog box that opens, click Confirm.

gcloud

Run the following command:

gcloud privateca pools delete POOL_ID

Replace POOL_ID with the name of the CA pool that you want to delete.

For more information about the gcloud privateca pools delete command, see gcloud privateca pools delete.

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Delete the CA pool as mentioned by the ca_pool_name.
// Before deleting the pool, all CAs in the pool MUST BE deleted.
func deleteCaPool(w io.Writer, projectId string, location string, caPoolId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// A unique id/name for the ca pool.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaPoolName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#DeleteCaPoolRequest.
	req := &privatecapb.DeleteCaPoolRequest{
		Name: fullCaPoolName,
	}

	op, err := caClient.DeleteCaPool(ctx, req)
	if err != nil {
		return fmt.Errorf("DeleteCaPool failed: %w", err)
	}

	if err = op.Wait(ctx); err != nil {
		return fmt.Errorf("DeleteCaPool failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA Pool deleted")

	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPoolName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DeleteCaPoolRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;

public class DeleteCaPool {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException, TimeoutException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool to be deleted.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    deleteCaPool(project, location, poolId);
  }

  // Delete the CA pool as mentioned by the poolId.
  // Before deleting the pool, all CAs in the pool MUST BE deleted.
  public static void deleteCaPool(String project, String location, String poolId)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Set the project, location and poolId to delete.
      CaPoolName caPool =
          CaPoolName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .build();

      // Create the Delete request.
      DeleteCaPoolRequest deleteCaPoolRequest =
          DeleteCaPoolRequest.newBuilder().setName(caPool.toString()).build();

      // Delete the CA Pool.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient.deleteCaPoolCallable().futureCall(deleteCaPoolRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while deleting CA pool !" + response.getError());
        return;
      }

      System.out.println("Deleted CA Pool: " + poolId);
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import google.cloud.security.privateca_v1 as privateca_v1


def delete_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Delete the CA pool as mentioned by the ca_pool_name.
    Before deleting the pool, all CAs in the pool MUST BE deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool to be deleted.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

    # Create the Delete request.
    request = privateca_v1.DeleteCaPoolRequest(name=ca_pool_path)

    # Delete the CA Pool.
    caServiceClient.delete_ca_pool(request=request)

    print("Deleted CA Pool:", ca_pool_name)

What's next