This page describes how to create and manage a certificate issuance configuration resource.
For more information about certificate issuance configuration resources, see How Certificate Manager works.
Create a certificate issuance configuration resource
Before you create the issuance configuration resource, configure CA Service integration with Certificate Manager.
To create a certificate issuance configuration resource, specify the certificate's lifetime, rotation window percentage, key algorithm, and the CA pool to use.
Even though you use a regional CA pool to issue a Google-managed TLS certificate, the certificate can be used globally.
Console
1. In the Google Cloud console, go to the Certificate Manager page.
2. On the Issuance Configs tab, click Create.
3. In the Name field, enter a unique name for the certificate issuance configuration resource.
4. Optional: In the Description field, enter a description for the issuance configuration.
5. For Location, select Global or Regional. If you selected Regional, select the same Region as your certificate and CA pool.
6. In the Lifetime field, specify the lifetime of the issued certificate in days. The value must be between 21 and 30 days (inclusive).
7. For Rotation window percentage, specify the percentage of the certificate's lifetime at which its renewal process begins. To find the range of valid values, see Lifetime and Rotation window percentage.
8. From the Key algorithm list, select the key algorithm to use when generating the private key.
9. From the CA pool list, select the name of the CA pool to assign to this certificate issuance configuration resource.
10. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.
11. Click Create.
gcloud
To create a certificate issuance configuration resource, use the `certificate-manager issuance-configs create` command:

```shell
gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \
    --ca-pool=CA_POOL \
    --lifetime=CERTIFICATE_LIFETIME \
    --rotation-window-percentage=ROTATION_WINDOW_PERCENTAGE \
    --key-algorithm=KEY_ALGORITHM \
    [--location=LOCATION]
```
Replace the following:

- `ISSUANCE_CONFIG_NAME`: the name of the certificate issuance configuration resource that references the target CA pool.
- `CA_POOL`: the full resource path and name of the CA pool that you want to assign to the certificate issuance configuration resource.
- `CERTIFICATE_LIFETIME`: the certificate lifetime in days. Valid values are from 21 to 30 days in the absolute duration format. The default value is 30 days (`30D`). This flag is optional.
- `ROTATION_WINDOW_PERCENTAGE`: the percentage of the certificate's remaining lifetime before renewal. The default value is 66%. To find the range of valid values, see [Lifetime and Rotation window percentage](#lifetime-rotation-percentage). This flag is optional.
- `KEY_ALGORITHM`: the key algorithm that is used to generate the private key. Valid values are `ecdsa-p256` or `rsa-2048`. The default value is `rsa-2048`. This flag is optional.
- `LOCATION`: the target Google Cloud location.
API
Create the certificate issuance configuration resource by making a POST request to the `certificateIssuanceConfigs.create` method as follows:

```http
POST /v1/projects/PROJECT_ID/locations/LOCATION/certificateIssuanceConfigs?issuanceConfig_id=ISSUANCE_CONFIG_NAME
{
  "name": "ISSUANCE_CONFIG_NAME",
  "description": "DESCRIPTION",
  "certificateAuthorityConfig": {
    "certificateAuthorityServiceConfig": {
      "caPool": "CA_POOL"
    }
  },
  "lifetime": "CERTIFICATE_LIFETIME",
  "rotationWindowPercentage": "ROTATION_WINDOW_PERCENTAGE",
  "keyAlgorithm": "KEY_ALGORITHM"
}
```
Replace the following:

- `PROJECT_ID`: the ID of the Google Cloud project.
- `LOCATION`: the target Google Cloud location.
- `ISSUANCE_CONFIG_NAME`: the name of the certificate issuance configuration resource that references the target CA pool.
- `DESCRIPTION`: a meaningful description for the certificate issuance configuration resource.
- `CA_POOL`: the full resource path and name of the CA pool that you want to assign to the certificate issuance configuration resource.
- `CERTIFICATE_LIFETIME`: the certificate lifetime in days. Valid values are from 21 to 30 days in the absolute duration format. The default value is 30 days (`30D`). This field is optional.
- `ROTATION_WINDOW_PERCENTAGE`: the percentage of the certificate's remaining lifetime before renewal. The default value is 66%. To find the range of valid values, see [Lifetime and Rotation window percentage](#lifetime-rotation-percentage). This field is optional.
- `KEY_ALGORITHM`: the key algorithm that is used to generate the private key. Valid values are `ecdsa-p256` or `rsa-2048`. The default value is `rsa-2048`. This field is optional.
Lifetime and Rotation window percentage
When you create a certificate issuance configuration resource, you also define the certificate's lifetime in the Lifetime field, and when the certificate's renewal process begins before it expires in the Rotation window percentage field.
To make sure that the certificate renews at least seven days before its expiry and seven days after its issuance, set the rotation window percentage relative to the certificate's lifetime. To calculate the allowed range for the rotation window percentage, use the following formulas:
- Minimum value: Rotation window percentage ≥ (7 / Lifetime) * 100
- Maximum value: Rotation window percentage ≤ ((Lifetime - 7) / Lifetime) * 100

In the previous formulas, 7 is seven days.
If the minimum value is a decimal value, round it up to the nearest whole number. If the maximum value is a decimal value, round it down to the nearest whole number.
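The following is an added example, not code from the Certificate Manager documentation or tooling: it applies the two formulas above, with the stated rounding rule, to compute the allowed rotation window range for any lifetime in the 21 to 30 day window and to check a chosen percentage (for instance the 66% default) before you pass it to `gcloud` or the API. The function names and the interpretation that renewal starts once that percentage of the lifetime has elapsed are assumptions of this example.

```python
"""Allowed rotation window range for a certificate issuance configuration.

Added example (not part of the Certificate Manager docs or tooling). It
implements the page's two formulas, with the minimum rounded up and the
maximum rounded down, so renewal starts at least 7 days after issuance
and at least 7 days before expiry.
"""
from fractions import Fraction
from math import ceil, floor

MIN_LIFETIME_DAYS = 21           # lifetime bounds stated on the page
MAX_LIFETIME_DAYS = 30
RENEWAL_MARGIN_DAYS = 7          # the "7" in the page's formulas
DEFAULT_ROTATION_PERCENT = 66    # gcloud / API default from the page


def rotation_window_range(lifetime_days: int) -> tuple[int, int]:
    """Return (minimum, maximum) allowed rotation window percentage.

    Exact rational arithmetic avoids a float artefact such as 25.0000001
    being rounded up to 26 for a 28-day lifetime.
    """
    if not MIN_LIFETIME_DAYS <= lifetime_days <= MAX_LIFETIME_DAYS:
        raise ValueError(f"lifetime must be {MIN_LIFETIME_DAYS}-"
                         f"{MAX_LIFETIME_DAYS} days, got {lifetime_days}")
    minimum = ceil(Fraction(RENEWAL_MARGIN_DAYS * 100, lifetime_days))
    maximum = floor(Fraction((lifetime_days - RENEWAL_MARGIN_DAYS) * 100,
                             lifetime_days))
    return minimum, maximum


def is_valid_rotation_window(lifetime_days: int, rotation_percent: int) -> bool:
    """True when the percentage keeps renewal inside both 7-day margins."""
    minimum, maximum = rotation_window_range(lifetime_days)
    return minimum <= rotation_percent <= maximum


def renewal_margins(lifetime_days: int, rotation_percent: int):
    """(days after issuance when renewal starts, days left before expiry).

    Assumption of this example: renewal begins once rotation_percent of
    the lifetime has elapsed, which is what the page's formulas imply.
    """
    elapsed = Fraction(lifetime_days * rotation_percent, 100)
    return elapsed, lifetime_days - elapsed


if __name__ == "__main__":
    for lifetime in (21, 28, 30):
        lo, hi = rotation_window_range(lifetime)
        ok = is_valid_rotation_window(lifetime, DEFAULT_ROTATION_PERCENT)
        print(f"lifetime {lifetime}d: allowed {lo}%-{hi}%, default 66% ok: {ok}")
```

Note that with a 21-day lifetime the 66% default sits exactly on the maximum, so any larger value is rejected.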
List certificate issuance configurations
You can see all certificate issuance configuration resources of your project and their details.
Console
1. In the Google Cloud console, go to the Certificate Manager page.
2. Click the Issuance Configs tab. The tab lists all of the certificate issuance configuration resources managed by Certificate Manager in the selected project.
gcloud
To list certificate issuance configuration resources, use the `certificate-manager issuance-configs list` command:

```shell
gcloud certificate-manager issuance-configs list \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY" \
    [--location=LOCATION]
```
Replace the following:

- `FILTER`: an expression that constrains the returned results to specific values. For example, to filter results by labels and creation time, you can specify:

  ```shell
  --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'
  ```

  For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.
- `PAGE_SIZE`: the number of results to return per page.
- `LIMIT`: the maximum number of results to return.
- `SORT_BY`: a comma-delimited list of `name` fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (`~`).
- `LOCATION`: the target Google Cloud location.
API
List configured certificate issuance configuration resources by making a GET request to the `certificateIssuanceConfigs.list` method as follows:

```http
GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY
```
Replace the following:

- `PROJECT_ID`: the ID of the Google Cloud project.
- `FILTER`: an expression that constrains the returned results to specific values. For example, to filter results by labels and creation time, you can specify:

  ```shell
  --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'
  ```

  For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.
- `PAGE_SIZE`: the number of results to return per page.
- `SORT_BY`: a comma-delimited list of `name` fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (`~`).
View the state of a certificate issuance configuration resource
Console
1. In the Google Cloud console, go to the Certificate Manager page.
2. Click the Issuance Configs tab.
3. Click the name of the certificate issuance configuration resource that you want to view. The Google Cloud console displays the certificate issuance configuration resource details.
gcloud
To view the state of a certificate issuance configuration resource, use the `certificate-manager issuance-configs describe` command:

```shell
gcloud certificate-manager issuance-configs describe ISSUANCE_CONFIG_NAME
```

Replace `ISSUANCE_CONFIG_NAME` with the name of the certificate issuance configuration resource that references the target CA pool.
API
View the state of the certificate issuance configuration resource by making a GET request to the `certificateIssuanceConfigs.get` method as follows:

```http
GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME
```
Replace the following:

- `PROJECT_ID`: the ID of the Google Cloud project.
- `ISSUANCE_CONFIG_NAME`: the name of the certificate issuance configuration resource that references the target CA pool.
Delete a certificate issuance configuration resource
Before deleting a certificate issuance configuration resource, you must first delete the Google-managed certificate that references it.
To disable the last CA that you enabled within a CA pool referenced in the certificate issuance configuration resource, or to delete the CA pool entirely, you must first delete all certificate issuance configuration resources that reference the CA pool.
Console
1. In the Google Cloud console, go to the Certificate Manager page.
2. On the Issuance Configs tab, select the checkbox of the issuance configuration that you want to delete.
3. Click Delete.
4. In the dialog that appears, click Delete to confirm.
gcloud
To delete a certificate issuance configuration resource, use the `certificate-manager issuance-configs delete` command:

```shell
gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME [--location=LOCATION]
```
Replace the following:

- `ISSUANCE_CONFIG_NAME`: the name of the certificate issuance configuration resource that references the target CA pool.
- `LOCATION`: the target Google Cloud location.
API
Delete the certificate issuance configuration resource by making a DELETE request to the `certificateIssuanceConfigs.delete` method as follows:

```http
DELETE /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME
```
Replace the following:

- `PROJECT_ID`: the ID of the Google Cloud project.
- `ISSUANCE_CONFIG_NAME`: the name of the certificate issuance configuration resource that references the target CA pool.
What's next
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations