This page shows you how to resolve common issues with Certificate Authority Service.
API request returns HTTP 403 Forbidden
If an API request returns HTTP 403 Forbidden with the message
Read access to project PROJECT_NAME was denied, then use the following resolution.
- Check the IAM permissions of the requester.
- Check the location for the request. Unsupported regions can return a permission denied error. For more information about supported locations, see Locations.
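The two checks above can be scripted against the project's IAM policy. The following is an added example, not Google's code or a tool from CA Service: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, reports whether the caller has any roles/privateca.* role (or a basic role) bound directly in that policy, and flags a request location that is not in a supported-locations set. The policy document, the member names and the location set are constructed sample data; replace the location set with the current list from the Locations page.

```python
"""Added example (not Google's code): triage a CA Service HTTP 403 by checking the
two causes listed on the page, using the JSON output of
`gcloud projects get-iam-policy PROJECT_ID --format=json` and the request location.
The policy, members and location set below are constructed sample data."""
import json

# Constructed sample of a project IAM policy, in the JSON shape gcloud prints.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/privateca.admin",
     "members": ["user:alice@example.com"]},
    {"role": "roles/privateca.certificateRequester",
     "members": ["serviceAccount:web@my-project.iam.gserviceaccount.com",
                 "group:cert-requesters@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwYhY0example=",
  "version": 1
}
"""

# Placeholder set: replace with the current list from the CA Service Locations page.
SAMPLE_SUPPORTED_LOCATIONS = {"us-central1", "us-east1", "europe-west1", "asia-east1"}

# Basic roles also carry CA Service permissions, so they count as a grant here.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def load_policy(policy_json: str) -> dict:
    """Parse the gcloud JSON output into a dict."""
    return json.loads(policy_json)


def relevant_roles(policy: dict, member: str) -> list[str]:
    """Roles bound directly to `member` in this policy that can grant CA Service access."""
    found = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if member in binding.get("members", []) and (
                role.startswith("roles/privateca.") or role in BASIC_ROLES):
            found.append(role)
    return sorted(found)


def diagnose_403(policy_json: str, member: str, location: str,
                 supported_locations: set[str]) -> list[str]:
    """Return the likely causes of the 403, or an empty list if neither check fires."""
    findings = []
    if not relevant_roles(load_policy(policy_json), member):
        findings.append(
            f"{member} has no direct CA Service role binding in this policy "
            "(also check group memberships, folder/org-level grants and CA pool-level bindings)")
    if location not in supported_locations:
        findings.append(
            f"location {location!r} is not in the supported-locations set; "
            "unsupported regions are reported as permission denied")
    return findings


if __name__ == "__main__":
    for member, loc in [("user:alice@example.com", "us-central1"),
                        ("user:bob@example.com", "us-central1"),
                        ("user:alice@example.com", "mars-north1")]:
        result = diagnose_403(SAMPLE_POLICY_JSON, member, loc, SAMPLE_SUPPORTED_LOCATIONS)
        print(member, loc, "->", result or ["no finding"])
```

The script only sees bindings made directly on the project for the exact member string. A grant through a group, an inherited folder or organization binding, or a binding on the CA pool itself does not show up in this output, so an empty result for the IAM check is a hint, not proof of misconfiguration.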
Deleting a CA returns HTTP 412 Failed Precondition
If you see the following failed precondition error when deleting a CA, use the resolution in this section.
Cannot perform Certificate Authority deletion, Certificate Authority is in state ENABLED.
A CA needs to be in the STAGED state for it to be deleted. Check the state of your CA before scheduling it for deletion. For more information about CA states, see Certificate authority states.
Certificate issuance failure
CA Service provides several policy controls that you can use to manage certificate issuance. For more information about the policy controls, see Policy controls.
Certificate issuance can fail for several reasons, including the following.
Conflict between the CA pool's certificate issuance policy and the certificate template.
For example, suppose the issuance policy defines an extension foo and assigns it the value bar, while the certificate template defines the same extension foo and assigns it the value bat. Assigning two different values to the same extension creates a conflict, and the issuance request fails.
Review the CA pool's certificate issuance policy against the certificate template, and identify and resolve the conflicts.
For more information about issuance policies, see Using an issuance policy.
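The review described above can be automated by diffing the two documents. The following is an added example, not Google's code or a CA Service tool: it takes the JSON output of `gcloud privateca pools describe POOL --location=LOCATION --format=json` and `gcloud privateca templates describe TEMPLATE --location=LOCATION --format=json`, and reports every field that the pool's baselineValues and the template's predefinedValues both set, but to different values. That reading of "conflict" (both sides set the same field differently; a field set on one side only is not a conflict) is the example's own assumption. The two documents are constructed, and the OID 1.3.6.1.4.1.99999.1.1 stands in for the page's extension foo; its values decode to bar and bat.

```python
"""Added example (not Google's code): find fields that a certificate template's
predefinedValues and a CA pool issuance policy's baselineValues both set but set
differently. Input is the JSON printed by `gcloud privateca pools describe` and
`gcloud privateca templates describe` with --format=json. Both documents below are
constructed sample data; OID 1.3.6.1.4.1.99999.1.1 is a made-up private extension."""
import base64
import json
from typing import Any

SAMPLE_POOL_JSON = """
{
  "name": "projects/my-project/locations/us-central1/caPools/tls-pool",
  "tier": "DEVOPS",
  "issuancePolicy": {
    "baselineValues": {
      "keyUsage": {
        "baseKeyUsage": {"digitalSignature": true, "keyEncipherment": true},
        "extendedKeyUsage": {"serverAuth": true}
      },
      "caOptions": {"isCa": false},
      "additionalExtensions": [
        {"objectId": {"objectIdPath": [1, 3, 6, 1, 4, 1, 99999, 1, 1]},
         "critical": false, "value": "YmFy"}
      ]
    }
  }
}
"""

SAMPLE_TEMPLATE_JSON = """
{
  "name": "projects/my-project/locations/us-central1/certificateTemplates/sub-ca",
  "predefinedValues": {
    "keyUsage": {
      "baseKeyUsage": {"digitalSignature": true},
      "extendedKeyUsage": {"clientAuth": true}
    },
    "caOptions": {"isCa": true},
    "additionalExtensions": [
      {"objectId": {"objectIdPath": [1, 3, 6, 1, 4, 1, 99999, 1, 1]},
       "critical": false, "value": "YmF0"}
    ]
  }
}
"""


def _oid(ext: dict) -> str:
    """Dotted OID string for an additionalExtensions entry."""
    return ".".join(str(n) for n in ext["objectId"]["objectIdPath"])


def _describe_ext(ext: dict) -> str:
    """Human-readable form of an extension: decoded DER bytes plus the critical flag."""
    raw = base64.b64decode(ext.get("value", ""))
    return f"value={raw!r} critical={bool(ext.get('critical'))}"


def _walk(a: Any, b: Any, path: str, out: list) -> None:
    """Record leaves that both documents set but to different values.
    A key present on only one side is not a conflict: the other side inherits it.
    Lists other than additionalExtensions are compared whole."""
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(a.keys() & b.keys()):
            _walk(a[key], b[key], f"{path}.{key}" if path else key, out)
    elif a != b:
        out.append((path, a, b))


def find_conflicts(pool_json: str, template_json: str) -> list[tuple[str, Any, Any]]:
    """Return (field, pool value, template value) for every conflicting field."""
    base = json.loads(pool_json).get("issuancePolicy", {}).get("baselineValues", {})
    pre = json.loads(template_json).get("predefinedValues", {})
    out: list[tuple[str, Any, Any]] = []
    # additionalExtensions are lists; match entries by OID rather than by position.
    base_ext = {_oid(e): e for e in base.get("additionalExtensions", [])}
    pre_ext = {_oid(e): e for e in pre.get("additionalExtensions", [])}
    for oid in sorted(base_ext.keys() & pre_ext.keys()):
        b, t = base_ext[oid], pre_ext[oid]
        if b.get("value") != t.get("value") or bool(b.get("critical")) != bool(t.get("critical")):
            out.append((f"additionalExtensions[{oid}]", _describe_ext(b), _describe_ext(t)))
    # Every other X.509 parameter is compared leaf by leaf.
    _walk({k: v for k, v in base.items() if k != "additionalExtensions"},
          {k: v for k, v in pre.items() if k != "additionalExtensions"}, "", out)
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 check.py pool.json template.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            pool_json, template_json = f.read(), g.read()
    else:
        pool_json, template_json = SAMPLE_POOL_JSON, SAMPLE_TEMPLATE_JSON
    conflicts = find_conflicts(pool_json, template_json)
    for field, in_pool, in_template in conflicts:
        print(f"CONFLICT {field}: pool baseline={in_pool} template predefined={in_template}")
    sys.exit(1 if conflicts else 0)
```

On the sample data the script reports two conflicts: the made-up extension carries bar in the pool and bat in the template, and caOptions.isCa is false in the pool baseline while the template (a subordinate-CA template) sets it to true. The check looks only at these two documents; values supplied in the certificate request itself, and extensions allowed through by the template's passthroughExtensions, are outside its scope, so an empty result narrows the search rather than ruling out every issuance failure.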
Subject and/or Subject Alternative Names (SANs) fail the CEL expression evaluation in either the certificate template or the CA pool's certificate issuance policy.
Review the CA pool's certificate issuance policy and certificate template, and ensure that the subject and/or SAN satisfy the conditions set by Common Expression Language (CEL) expressions. For more information about CEL expressions, see Using Common Expression Language.
An IAM role that does not match the identity mode in use. For example, granting the roles/privateca.certificateRequester role for reflected identity, or granting the roles/privateca.workloadCertificateRequester role for default identity mode.
Confirm that you have granted the roles/privateca.certificateRequester role for default identity mode and the roles/privateca.workloadCertificateRequester role for reflected identity. For more information about using identity reflection, see Using identity reflection.
Attempting to use the reflected identity mode in an unsupported scenario, such as without Hub workload identity. An unsupported scenario for identity reflection returns the following error message:
Could not use the REFLECTED_SPIFFE subject mode because the caller does not have a SPIFFE identity. Please visit the CA Service documentation to ensure that this is a supported use-case.
Determine which type of identity you need to use: default identity or reflected identity. If you need to use reflected identity, make sure that you are using it in one of the supported scenarios. For more information about identity reflection, see Using identity reflection.