This page shows you how to resolve common issues with Certificate Authority Service.

API request returns HTTP 403 Forbidden

If an API request returns HTTP 403 Forbidden with the message Read access to project PROJECT_NAME was denied, then use the following resolution.


  1. Check the IAM permissions of the requester.
  2. Check the location for the request. Unsupported regions can return a permission denied error. For more information about supported locations, see Locations.

Deleting a CA returns HTTP 412 Failed Precondition

If you see the following failed precondition errors when deleting a CA, use the resolution in this section.

  • Cannot perform Certificate Authority deletion, Certificate Authority is in state ENABLED.


A CA needs to be in DISABLED or STAGED state for it to be deleted. Ensure the state of your CA before scheduling it for deletion. For more information about CA states, see Certificate authority states.

Certificate issuance failure

CA Service provides several policy controls that you can use to manage certificate issuance. For more information about the policy controls, see Policy controls.

Certificate issuance can fail because of several reasons. Some of these reasons are as follows.

  • Conflict between CA pool's certificate issuance policy and certificate template.

    For example, consider that the issuance policy defines an extension foo and assigns it the value bar and the certificate template defines extension foo and assigns it the value bat. Assigning two different values to the same extension creates a conflict.


    Review the CA pool's certificate issuance policy against the certificate template, and identify and resolve the conflicts.

    For more information about issuance policies, see Using an issuance policy.

  • Subject and/or Subject Alternate Names (SANs) fail the CEL expression evaluation in either the certificate template or the CA pool's certificate issuance policy.


    Review the CA pool's certificate issuance policy and certificate template, and ensure that the subject and/or SAN satisfy the conditions set by Common Expression Language (CEL) expressions. For more information about CEL expressions, see Using Common Expression Language.

  • Incorrect IAM role being granted for a use case. For example, assigning the roles/privateca.certificateRequester role for reflected identity or assigning the roles/privateca.workloadCertificateRequester role for default identity mode.


    Confirm that you have assigned the roles/privateca.certificateRequester role for default identity mode and the roles/privateca.workloadCertificateRequester role for reflected identity. For more information about using identity reflection, see Using identity reflection.

  • Attempting to use the reflected identity mode in an unsupported scenario, such as without Hub workload identity. An unsupported scenario for identity reflection returns the following error message:

    Could not use the REFLECTED_SPIFFE subject mode because the caller does not have a SPIFFE identity. Please visit the CA Service documentation to ensure that this is a supported use-case.


    Determine which type of identity you need to use: default identity or reflected identity. If you need to use reflected identity, make sure that you are using it in one of the supported scenarios. For more information about identity reflection, see Using identity reflection.

  • The default key size restriction rejects RSA keys with modulus size less than 2048 bits.

    Industry best practices recommend using an RSA key of at least 2048 bits. By default, CA Service prevents issuing certificates using an RSA key whose modulus size is less than 2048 bits.


    If you want to use a RSA key with modulus size less than 2048 bits, you must explicitly allow it using the certificate issuance policy. Use the following YAML example to allow such RSA keys:

    - rsa:
      minModulusSize: 1024

What's next