撤消证书

本页面介绍了如何撤消证书。

Certificate Authority Service 通过定期发布来支持证书撤消 证书吊销列表 (CRL)。您只能撤消由以下提供方颁发的证书 Enterprise 层级中的 CA 池。

准备工作

确保您拥有 Certificate Authority Service Operation Manager (roles/privateca.caManager) 或 CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) 角色。如需详细了解 CA 服务的预定义 IAM 角色,请参阅使用 IAM 进行访问权限控制

如需了解如何授予 IAM 角色,请参阅授予单个 角色

启用 CRL 发布

如需撤消 CA 池颁发的证书,您必须启用 CRL 发布 共享存储空间您可以在创建 CA 池时启用 CRL 发布。如果 最初处于停用状态,您可以稍后启用 CRL 发布。

启用 CRL 发布后,系统会每天发布一个新的 CRL, 有效期为 7 天。新的 CRL 还会在发布任何 新证书吊销。

如需在 CA 池上启用 CRL 发布,请执行以下操作:

控制台

  1. 转到 Google Cloud 控制台中的 Certificate Authority Service 页面。

    证书授权机构服务

  2. 点击 CA Pool Manager 标签页。

  3. 点击要修改的 CA 池,或点击具有该 CA 的 CA 池 进行修改

  4. CA 池页面上,点击 修改

  5. 点击下一步,直到您看到配置发布选项部分。

  6. 点击将 CRL 发布到此池中 CA 专用的 GCS 存储桶切换开关。

gcloud

运行以下命令:

gcloud privateca pools update POOL_ID \
  --publish-crl

POOL_ID 替换为 CA 池的名称。

如需详细了解 gcloud privateca pools update 命令,请参阅 gcloud privateca pool update

CA Service 强制执行未过期但已撤消的数量上限(50 万个) 证书数量。

撤消证书

CA Service 允许按序列号或资源撤消证书 名称,同时还接受可选原因。证书吊销后,其序列号 编号和撤消原因会显示在以后的所有 CRL 中,直到 到期。带外 CRL 也会在 撤消时间为 15 分钟。

如需撤消证书,请按以下步骤操作:

控制台

  1. 转到 Certificate Authority Service 页面 Google Cloud 控制台。

    转到 Certificate Authority Service

  2. 点击专用证书管理器标签页。
  3. 在证书列表中,点击 查看更多 要删除的证书。
  4. 点击撤消
  5. 在随即打开的对话框中,点击确认

gcloud

  • 如需使用证书的资源名称撤消证书,请运行以下命令:

    gcloud privateca certificates revoke \
  --certificate CERT_ID \
  --issuer-pool POOL_ID \
  --reason REVOCATION_REASON

    替换以下内容:

    • CERT_ID:您要撤消的证书的唯一标识符。
    • POOL_ID:颁发证书的 CA 池的名称。
    • REVOCATION_REASON:撤消证书的原因。

    --reason 标志是可选的。如需详细了解此标志,请参阅 --reason,或将以下 gcloud 命令与 --help 标志搭配使用:

    gcloud privateca certificates revoke --help

    如需详细了解 gcloud privateca certificates revoke 命令,请参阅 gcloud privateca certificate 欺诈

  • 如需使用证书的序列号撤消证书,请运行以下命令:

    gcloud privateca certificates revoke \
  --serial-number SERIAL_NUMBER \
  --issuer-pool POOL_ID \
  --reason REVOCATION_REASON

    替换以下内容:

    • SERIAL_NUMBER:证书的序列号。
    • POOL_ID:颁发证书的 CA 池的名称。
    • REVOCATION_REASON:撤消证书的原因。

    如需详细了解 gcloud privateca certificates revoke 命令,请参阅 gcloud privateca certificates revoke

    当系统提示您确认时,您可以输入“Y”来确认:

    You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]

Do you want to continue? (Y/n) Y
Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.

Go

如需向 CA 服务进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Revoke an issued certificate. Once revoked, the certificate will become invalid
// and will expire post its lifetime.
func revokeCertificate(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	certId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate exists.
	// certId := "certificate"			// A unique name for the certificate.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCertName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificates/%s", projectId, location,
		caPoolId, certId)

	// Create the RevokeCertificateRequest and specify the appropriate revocation reason.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#RevokeCertificateRequest.
	req := &privatecapb.RevokeCertificateRequest{
		Name:   fullCertName,
		Reason: privatecapb.RevocationReason_PRIVILEGE_WITHDRAWN,
	}

	_, err = caClient.RevokeCertificate(ctx, req)
	if err != nil {
		return fmt.Errorf("RevokeCertificate failed: %w", err)
	}

	fmt.Fprintf(w, "Certificate %s revoked", certId)

	return nil
}

Java

如需向 CA 服务进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateName;
import com.google.cloud.security.privateca.v1.RevocationReason;
import com.google.cloud.security.privateca.v1.RevokeCertificateRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class RevokeCertificate {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Id for the CA pool which contains the certificate.
    // certificateName: Name of the certificate to be revoked.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateName = "certificate-name";
    revokeCertificate(project, location, poolId, certificateName);
  }

  // Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire
  // post its lifetime.
  public static void revokeCertificate(
      String project, String location, String poolId, String certificateName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create Certificate Name.
      CertificateName certificateNameParent =
          CertificateName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificate(certificateName)
              .build();

      // Create Revoke Certificate Request and specify the appropriate revocation reason.
      RevokeCertificateRequest revokeCertificateRequest =
          RevokeCertificateRequest.newBuilder()
              .setName(certificateNameParent.toString())
              .setReason(RevocationReason.PRIVILEGE_WITHDRAWN)
              .build();

      // Revoke certificate.
      ApiFuture<Certificate> response =
          certificateAuthorityServiceClient
              .revokeCertificateCallable()
              .futureCall(revokeCertificateRequest);
      Certificate certificateResponse = response.get();

      System.out.println("Certificate Revoked: " + certificateResponse.getName());
    }
  }
}

Python

如需向 CA 服务进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import google.cloud.security.privateca_v1 as privateca_v1


def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
) -> None:
    """
    Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Create Certificate Path.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name
    )

    # Create Revoke Certificate Request and specify the appropriate revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN
    )
    result = caServiceClient.revoke_certificate(request=request)

    print("Certificate revoke result:", result)

后续步骤