Activate an already created Subordinate Certificate Authority.
Code sample
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.ActivateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.SubordinateConfig;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
public class ActivateSubordinateCa {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: Set a unique id for the CA pool.
// subordinateCaName: The CA to be activated.
// pemCaCertificate: The signed certificate, obtained by signing the CSR.
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
String subordinateCaName = "subordinate-certificate-authority-name";
String pemCaCertificate =
"-----BEGIN CERTIFICATE-----\n" + "sample-pem-certificate\n" + "-----END CERTIFICATE-----";
// certificateAuthorityName: The name of the certificate authority which signed the CSR.
// If an external CA (CA not present in Google Cloud) was used for signing,
// then use the CA's issuerCertificateChain.
String certificateAuthorityName = "certificate-authority-name";
activateSubordinateCa(
project, location, poolId, certificateAuthorityName, subordinateCaName, pemCaCertificate);
}
// Activate a subordinate CA.
// *Prerequisite*: Get the CSR of the subordinate CA signed by another CA. Pass in the signed
// certificate and (issuer CA's name or the issuer CA's Certificate chain).
// *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
public static void activateSubordinateCa(
String project,
String location,
String poolId,
String certificateAuthorityName,
String subordinateCaName,
String pemCaCertificate)
throws ExecutionException, InterruptedException, IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// Subordinate CA parent.
String subordinateCaParent =
CertificateAuthorityName.of(project, location, poolId, subordinateCaName).toString();
// Construct the "Activate CA Request".
ActivateCertificateAuthorityRequest activateCertificateAuthorityRequest =
ActivateCertificateAuthorityRequest.newBuilder()
.setName(subordinateCaParent)
// The signed certificate.
.setPemCaCertificate(pemCaCertificate)
.setSubordinateConfig(
SubordinateConfig.newBuilder()
// Follow one of the below methods:
// Method 1: If issuer CA is in Google Cloud, set the Certificate Authority
// Name.
.setCertificateAuthority(
CertificateAuthorityName.of(
project, location, poolId, certificateAuthorityName)
.toString())
// Method 2: If issuer CA is external to Google Cloud, set the issuer's
// certificate chain.
// The certificate chain of the CA (which signed the CSR) from leaf to root.
// .setPemIssuerChain(
// SubordinateConfigChain.newBuilder()
// .addAllPemCertificates(issuerCertificateChain)
// .build())
.build())
.build();
// Activate the CA.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.activateCertificateAuthorityCallable()
.futureCall(activateCertificateAuthorityRequest);
Operation response = futureCall.get();
if (response.hasError()) {
System.out.println("Error while activating the subordinate CA! " + response.getError());
return;
}
System.out.println(
"Subordinate Certificate Authority activated successfully ! !" + subordinateCaName);
TimeUnit.SECONDS.sleep(3);
// The current state will be STAGED.
// The Subordinate CA has to be ENABLED before issuing certificates.
System.out.println(
"Current State: "
+ certificateAuthorityServiceClient
.getCertificateAuthority(subordinateCaParent)
.getState());
}
}
}Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import google.cloud.security.privateca_v1 as privateca_v1
def activate_subordinate_ca(
project_id: str,
location: str,
ca_pool_name: str,
subordinate_ca_name: str,
pem_ca_certificate: str,
ca_name: str,
) -> None:
"""
Activate a subordinate Certificate Authority (CA).
*Prerequisite*: Get the Certificate Signing Resource (CSR) of the subordinate CA signed by another CA. Pass in the signed
certificate and (issuer CA's name or the issuer CA's Certificate chain).
*Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: set it to the CA Pool under which the CA should be created.
pem_ca_certificate: the signed certificate, obtained by signing the CSR.
subordinate_ca_name: the CA to be activated.
ca_name: The name of the certificate authority which signed the CSR.
If an external CA (CA not present in Google Cloud) was used for signing,
then use the CA's issuerCertificateChain.
"""
ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
subordinate_ca_path = ca_service_client.certificate_authority_path(
project_id, location, ca_pool_name, subordinate_ca_name
)
ca_path = ca_service_client.certificate_authority_path(
project_id, location, ca_pool_name, ca_name
)
# Set CA subordinate config.
subordinate_config = privateca_v1.SubordinateConfig(
# Follow one of the below methods:
# Method 1: If issuer CA is in Google Cloud, set the Certificate Authority Name.
certificate_authority=ca_path,
# Method 2: If issuer CA is external to Google Cloud, set the issuer's certificate chain.
# The certificate chain of the CA (which signed the CSR) from leaf to root.
# pem_issuer_chain=privateca_v1.SubordinateConfig.SubordinateConfigChain(
# pem_certificates=issuer_certificate_chain,
# )
)
# Construct the "Activate CA Request".
request = privateca_v1.ActivateCertificateAuthorityRequest(
name=subordinate_ca_path,
# The signed certificate.
pem_ca_certificate=pem_ca_certificate,
subordinate_config=subordinate_config,
)
# Activate the CA
operation = ca_service_client.activate_certificate_authority(request=request)
result = operation.result()
print("Operation result:", result)
# The current state will be STAGED.
# The Subordinate CA has to be ENABLED before issuing certificates.
print(
f"Current state: {ca_service_client.get_certificate_authority(name=subordinate_ca_path).state}"
)
What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.