激活已创建的从属证书授权机构。
代码示例
Java
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.ActivateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.SubordinateConfig;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
public class ActivateSubordinateCa {
public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// poolId: Set a unique id for the CA pool.
// subordinateCaName: The CA to be activated.
// pemCaCertificate: The signed certificate, obtained by signing the CSR.
String project = "your-project-id";
String location = "ca-location";
String poolId = "ca-pool-id";
String subordinateCaName = "subordinate-certificate-authority-name";
String pemCaCertificate =
"-----BEGIN CERTIFICATE-----\n" + "sample-pem-certificate\n" + "-----END CERTIFICATE-----";
// certificateAuthorityName: The name of the certificate authority which signed the CSR.
// If an external CA (CA not present in Google Cloud) was used for signing,
// then use the CA's issuerCertificateChain.
String certificateAuthorityName = "certificate-authority-name";
activateSubordinateCa(
project, location, poolId, certificateAuthorityName, subordinateCaName, pemCaCertificate);
}
// Activate a subordinate CA.
// *Prerequisite*: Get the CSR of the subordinate CA signed by another CA. Pass in the signed
// certificate and (issuer CA's name or the issuer CA's Certificate chain).
// *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
public static void activateSubordinateCa(
String project,
String location,
String poolId,
String certificateAuthorityName,
String subordinateCaName,
String pemCaCertificate)
throws ExecutionException, InterruptedException, IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// Subordinate CA parent.
String subordinateCaParent =
CertificateAuthorityName.of(project, location, poolId, subordinateCaName).toString();
// Construct the "Activate CA Request".
ActivateCertificateAuthorityRequest activateCertificateAuthorityRequest =
ActivateCertificateAuthorityRequest.newBuilder()
.setName(subordinateCaParent)
// The signed certificate.
.setPemCaCertificate(pemCaCertificate)
.setSubordinateConfig(
SubordinateConfig.newBuilder()
// Follow one of the below methods:
// Method 1: If issuer CA is in Google Cloud, set the Certificate Authority
// Name.
.setCertificateAuthority(
CertificateAuthorityName.of(
project, location, poolId, certificateAuthorityName)
.toString())
// Method 2: If issuer CA is external to Google Cloud, set the issuer's
// certificate chain.
// The certificate chain of the CA (which signed the CSR) from leaf to root.
// .setPemIssuerChain(
// SubordinateConfigChain.newBuilder()
// .addAllPemCertificates(issuerCertificateChain)
// .build())
.build())
.build();
// Activate the CA.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.activateCertificateAuthorityCallable()
.futureCall(activateCertificateAuthorityRequest);
Operation response = futureCall.get();
if (response.hasError()) {
System.out.println("Error while activating the subordinate CA! " + response.getError());
return;
}
System.out.println(
"Subordinate Certificate Authority activated successfully ! !" + subordinateCaName);
TimeUnit.SECONDS.sleep(3);
// The current state will be STAGED.
// The Subordinate CA has to be ENABLED before issuing certificates.
System.out.println(
"Current State: "
+ certificateAuthorityServiceClient
.getCertificateAuthority(subordinateCaParent)
.getState());
}
}
}
Python
如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import google.cloud.security.privateca_v1 as privateca_v1
def activate_subordinate_ca(
project_id: str,
location: str,
ca_pool_name: str,
subordinate_ca_name: str,
pem_ca_certificate: str,
ca_name: str,
) -> None:
"""
Activate a subordinate Certificate Authority (CA).
*Prerequisite*: Get the Certificate Signing Resource (CSR) of the subordinate CA signed by another CA. Pass in the signed
certificate and (issuer CA's name or the issuer CA's Certificate chain).
*Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
Args:
project_id: project ID or project number of the Cloud project you want to use.
location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
ca_pool_name: set it to the CA Pool under which the CA should be created.
pem_ca_certificate: the signed certificate, obtained by signing the CSR.
subordinate_ca_name: the CA to be activated.
ca_name: The name of the certificate authority which signed the CSR.
If an external CA (CA not present in Google Cloud) was used for signing,
then use the CA's issuerCertificateChain.
"""
ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
subordinate_ca_path = ca_service_client.certificate_authority_path(
project_id, location, ca_pool_name, subordinate_ca_name
)
ca_path = ca_service_client.certificate_authority_path(
project_id, location, ca_pool_name, ca_name
)
# Set CA subordinate config.
subordinate_config = privateca_v1.SubordinateConfig(
# Follow one of the below methods:
# Method 1: If issuer CA is in Google Cloud, set the Certificate Authority Name.
certificate_authority=ca_path,
# Method 2: If issuer CA is external to Google Cloud, set the issuer's certificate chain.
# The certificate chain of the CA (which signed the CSR) from leaf to root.
# pem_issuer_chain=privateca_v1.SubordinateConfig.SubordinateConfigChain(
# pem_certificates=issuer_certificate_chain,
# )
)
# Construct the "Activate CA Request".
request = privateca_v1.ActivateCertificateAuthorityRequest(
name=subordinate_ca_path,
# The signed certificate.
pem_ca_certificate=pem_ca_certificate,
subordinate_config=subordinate_config,
)
# Activate the CA
operation = ca_service_client.activate_certificate_authority(request=request)
result = operation.result()
print("Operation result:", result)
# The current state will be STAGED.
# The Subordinate CA has to be ENABLED before issuing certificates.
print(
f"Current state: {ca_service_client.get_certificate_authority(name=subordinate_ca_path).state}"
)
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。