This page describes how to create and manage a certificate issuance configuration.
For more information about certificate issuance configuration resources, see How Certificate Manager works.
Keep in mind that to disable the last CA you enabled in the CA pool referenced in the certificate issuance configuration, or to delete the referenced CA pool altogether, you must first delete every certificate issuance configuration that references that CA pool.
To learn how to deploy a certificate with Certificate Manager, see Deployment overview.
For more information about the gcloud commands used on this page, see the Certificate Manager CLI reference.
Create a certificate issuance configuration
To create a certificate issuance configuration, complete the steps in this section.
Keep in mind that even though you are using a regional CA pool to issue a Google-managed TLS certificate, the certificate itself is global and can be used in any region.
To complete this task, you must have one of the following roles on the target Google Cloud project:
- Certificate Manager Editor
- Certificate Manager Owner
For more information, see Roles and permissions.
gcloud
gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \
    --ca-pool=CA_POOL \
    --lifetime=CERTIFICATE_LIFETIME \
    --rotation-window-percentage=ROTATION_WINDOW_PERCENTAGE \
    --key-algorithm=KEY_ALGORITHM
Replace the following:
- ISSUANCE_CONFIG_NAME: a unique name that identifies this certificate issuance configuration resource.
- CA_POOL: the full resource path and name of the CA pool you want to assign to this certificate issuance configuration resource.
- CERTIFICATE_LIFETIME (optional): the certificate lifetime in days. Valid values are from 21 to 30 days. Default is 30 days.
- ROTATION_WINDOW_PERCENTAGE (optional): the percentage of the certificate's lifetime at which a renewal triggers. Default is 66 percent. You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after the certificate has been issued and at least 7 days before it expires; in other words, the certificate must be renewed 7 full days or more before its expiration.
- KEY_ALGORITHM (optional): the algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. Default is rsa-2048.
API
Create the certificate issuance configuration by making a POST request to the certificateIssuanceConfigs.create method as follows:
POST /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?issuanceConfig_id=ISSUANCE_CONFIG_NAME
{
  "name": "ISSUANCE_CONFIG_NAME",
  "description": "DESCRIPTION",
  "certificateAuthorityConfig": {
    "certificateAuthorityServiceConfig": {
      "caPool": "CA_POOL"
    }
  },
  "lifetime": "CERTIFICATE_LIFETIME",
  "rotationWindowPercentage": "ROTATION_WINDOW_PERCENTAGE",
  "keyAlgorithm": "KEY_ALGORITHM"
}
Replace the following:
- PROJECT_ID: the ID of the target Google Cloud project.
- ISSUANCE_CONFIG_NAME: a unique name that identifies this certificate issuance configuration resource.
- DESCRIPTION (optional): a meaningful description for this certificate issuance configuration resource.
- CA_POOL: the full resource path and name of the CA pool you want to assign to this certificate issuance configuration resource.
- CERTIFICATE_LIFETIME (optional): the certificate lifetime in days. Valid values are from 21 to 30 days in standard duration format. Default is 30 days (30D).
- ROTATION_WINDOW_PERCENTAGE (optional): the percentage of the certificate's lifetime at which a renewal triggers. Default is 66 percent. You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after the certificate has been issued and at least 7 days before it expires.
- KEY_ALGORITHM: the algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. Default is rsa-2048.
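The lifetime and rotation window constraints above (for both the gcloud flags and the API fields) interact: a window that is fine for a 30-day lifetime can push renewal to within 7 days of expiry for a 21-day lifetime. The following pre-flight check is an added example, not code from the Certificate Manager documentation or tooling; it encodes only the bounds stated on this page, and assumes the CA pool resource-name form used by CA Service (projects/.../locations/.../caPools/...) and that --lifetime takes the day count as documented here.

```python
"""Pre-flight check for certificate issuance configuration parameters.

Added example, not code from the Certificate Manager documentation. The bounds
encoded here (lifetime 21..30 days, renewal at least 7 days after issuance and
at least 7 days before expiry, rsa-2048 / ecdsa-p256) are the ones this page
states; the CA pool resource-name form is the one CA Service uses and is
assumed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_LIFETIME_DAYS = 21
MAX_LIFETIME_DAYS = 30
MIN_MARGIN_DAYS = 7          # renewal must sit this far from both ends of the lifetime
DEFAULT_LIFETIME_DAYS = 30
DEFAULT_ROTATION_WINDOW_PCT = 66
VALID_KEY_ALGORITHMS = ("rsa-2048", "ecdsa-p256")
# Assumed CA Service resource-name form for a CA pool.
CA_POOL_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/caPools/[^/]+$")


@dataclass(frozen=True)
class IssuanceConfigParams:
    name: str
    ca_pool: str
    lifetime_days: int = DEFAULT_LIFETIME_DAYS
    rotation_window_pct: int = DEFAULT_ROTATION_WINDOW_PCT
    key_algorithm: str = "rsa-2048"


def rotation_window_bounds(lifetime_days: int) -> tuple[int, int]:
    """Smallest and largest whole-percent rotation window for a lifetime.

    Renewal triggers at lifetime * pct / 100 days. Working in hundredths of a
    day keeps the check in integers:
        lifetime * pct         >= 700  (at least 7 days after issuance)
        lifetime * (100 - pct) >= 700  (at least 7 days before expiry)
    """
    margin = MIN_MARGIN_DAYS * 100
    lo = -(-margin // lifetime_days)                      # ceiling division
    hi = (lifetime_days * 100 - margin) // lifetime_days  # floor division
    return lo, hi


def validate(p: IssuanceConfigParams) -> list[str]:
    """Return the constraint violations; an empty list means every bound holds."""
    problems: list[str] = []
    if not CA_POOL_RE.match(p.ca_pool):
        problems.append(f"ca_pool {p.ca_pool!r} is not a full CA pool resource path")
    if p.key_algorithm not in VALID_KEY_ALGORITHMS:
        problems.append(f"key_algorithm {p.key_algorithm!r} not in {VALID_KEY_ALGORITHMS}")
    if not 0 < p.rotation_window_pct < 100:
        problems.append(f"rotation_window_pct {p.rotation_window_pct} must be between 1 and 99")
    if not MIN_LIFETIME_DAYS <= p.lifetime_days <= MAX_LIFETIME_DAYS:
        problems.append(f"lifetime {p.lifetime_days}d outside {MIN_LIFETIME_DAYS}-{MAX_LIFETIME_DAYS}d")
        return problems  # the window check is meaningless for an invalid lifetime
    lo, hi = rotation_window_bounds(p.lifetime_days)
    margin = MIN_MARGIN_DAYS * 100
    if p.lifetime_days * p.rotation_window_pct < margin:
        problems.append(f"renewal would trigger less than {MIN_MARGIN_DAYS} days after issuance; "
                        f"for a {p.lifetime_days}d lifetime use {lo}-{hi}%")
    if p.lifetime_days * (100 - p.rotation_window_pct) < margin:
        problems.append(f"renewal would trigger less than {MIN_MARGIN_DAYS} days before expiry; "
                        f"for a {p.lifetime_days}d lifetime use {lo}-{hi}%")
    return problems


def to_gcloud_args(p: IssuanceConfigParams) -> list[str]:
    """argv for the create command on this page; raises if validate() finds a problem.
    --lifetime is passed as a day count, as this page documents it."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "gcloud", "certificate-manager", "issuance-configs", "create", p.name,
        f"--ca-pool={p.ca_pool}",
        f"--lifetime={p.lifetime_days}",
        f"--rotation-window-percentage={p.rotation_window_pct}",
        f"--key-algorithm={p.key_algorithm}",
    ]


if __name__ == "__main__":
    # Constructed sample: a 21-day lifetime with the default 66% window is the
    # tightest valid combination (renewal at day 13.86, 7.14 days before expiry).
    sample = IssuanceConfigParams(
        "example-config",
        "projects/example-project/locations/us-central1/caPools/example-pool",
        lifetime_days=21)
    print(rotation_window_bounds(21), validate(sample))
    print(" ".join(to_gcloud_args(sample)))
```

Running the check before `issuance-configs create` turns an opaque API rejection (or a configuration that silently renews too late) into a message naming the usable window range for the chosen lifetime; for 21 days that range is 34 to 66 percent, for 30 days it is 24 to 76 percent.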
Update a certificate issuance configuration resource
To update a certificate issuance configuration resource you must delete it and re-create it.
List certificate issuance configuration resources
To list the certificate issuance configuration resources, complete the steps in this section.
To complete this task, you must have one of the following roles on the target Google Cloud project:
- Certificate Manager Viewer
- Certificate Manager Editor
- Certificate Manager Owner
For more information, see Roles and permissions.
Console
In the Google Cloud console, go to the Certificate Manager page.
On the page that appears, select the Issuance Configs tab. This tab lists all of the certificate issuance configuration resources managed by Certificate Manager in the selected project.
gcloud
gcloud certificate-manager issuance-configs list \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY"
Replace the following:
- FILTER: an expression that constrains the returned results to specific values. For example, you can filter results by labels and creation time:
  --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'
  For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.
- PAGE_SIZE: the number of results to return per page.
- LIMIT: the maximum number of results to return.
- SORT_BY: a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).
API
List configured certificate issuance configuration resources by making a GET request to the certificateIssuanceConfigs.list method as follows:
GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY
Replace the following:
- PROJECT_ID: the ID of the target Google Cloud project.
- FILTER: an expression that constrains the returned results to specific values.
- PAGE_SIZE: the number of results to return per page.
- SORT_BY: a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with ~.
View the state of a certificate issuance configuration
To view the state of a certificate issuance configuration, complete the steps in this section.
To complete this task, you must have one of the following roles on the target Google Cloud project:
- Certificate Manager Viewer
- Certificate Manager Editor
- Certificate Manager Owner
For more information, see Roles and permissions.
Console
In the Google Cloud console, go to the Certificate Manager page.
On the page that appears, select the Issuance Configs tab. This tab lists all of the certificate issuance configuration resources managed by Certificate Manager in the selected project.
Click the certificate issuance configuration that you want to view.
The Google Cloud console displays the certificate issuance configuration details.
gcloud
gcloud certificate-manager issuance-configs describe ISSUANCE_CONFIG_NAME
Replace the following:
- ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration.
API
View the state of the certificate issuance configuration by making a GET request to the certificateIssuanceConfigs.get method as follows:
GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME
Replace the following:
- PROJECT_ID: the ID of the target Google Cloud project.
- ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration.
Delete a certificate issuance configuration
To delete a certificate issuance configuration, complete the steps in this section. Before deleting a certificate issuance configuration, you must first delete the Google-managed certificate that references it.
To complete this task, you must have the Certificate Manager Owner role on the target Google Cloud project.
For more information, see Roles and permissions.
Console
In the Google Cloud console, go to the Certificate Manager page.
On the Issuance Configs tab, select the checkbox of the issuance config that you want to delete.
Click Delete.
In the dialog that appears, click Delete to confirm.
gcloud
gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME
Replace the following:
- ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration.
API
Delete the certificate issuance configuration by making a DELETE request to the certificateIssuanceConfigs.delete method as follows:
DELETE /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME
Replace the following:
- PROJECT_ID: the ID of the target Google Cloud project.
- ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration.
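Deletions on this page have a fixed order: a Google-managed certificate that references an issuance configuration goes before that configuration, and every configuration that references a CA pool goes before the pool (or the last enabled CA in it) can be removed. The following dependency walk is an added example, not code from the Certificate Manager documentation or tooling; its inventory is constructed sample data standing in for what the list and describe calls on this page would return.

```python
"""Dependency check before deleting issuance configurations or their CA pool.

Added example, not code from the Certificate Manager documentation. It encodes
two rules this page states: a Google-managed certificate that references an
issuance configuration must be deleted before the configuration, and every
configuration that references a CA pool must be deleted before the pool (or
its last enabled CA) can go. The inventory is constructed sample data; in
practice it would be filled from the list/describe calls shown on this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Inventory:
    # certificate name -> issuance config it references (None for other cert types)
    certificates: dict[str, str | None] = field(default_factory=dict)
    # issuance config name -> CA pool resource path it references
    issuance_configs: dict[str, str] = field(default_factory=dict)


def config_blockers(inv: Inventory, config_name: str) -> list[str]:
    """Certificates that still reference config_name; the config cannot be
    deleted until this list is empty."""
    return sorted(c for c, cfg in inv.certificates.items() if cfg == config_name)


def ca_pool_blockers(inv: Inventory, ca_pool: str) -> list[str]:
    """Issuance configs that still reference ca_pool."""
    return sorted(cfg for cfg, pool in inv.issuance_configs.items() if pool == ca_pool)


def deletion_plan(inv: Inventory, ca_pool: str) -> list[tuple[str, str]]:
    """Ordered (kind, name) steps that clear every reference to ca_pool:
    dependent certificates first, then each issuance config, then the pool."""
    plan: list[tuple[str, str]] = []
    for cfg in ca_pool_blockers(inv, ca_pool):
        for cert in config_blockers(inv, cfg):
            plan.append(("certificate", cert))
        plan.append(("issuance-config", cfg))
    plan.append(("ca-pool", ca_pool))
    return plan


SAMPLE = Inventory(  # constructed sample inventory
    certificates={
        "web-cert": "prod-config",
        "api-cert": "prod-config",
        "legacy-cert": None,  # e.g. a self-managed certificate with no config reference
    },
    issuance_configs={
        "prod-config": "projects/example-project/locations/us-central1/caPools/prod-pool",
        "staging-config": "projects/example-project/locations/us-central1/caPools/staging-pool",
    },
)

if __name__ == "__main__":
    for kind, name in deletion_plan(SAMPLE, SAMPLE.issuance_configs["prod-config"]):
        print(kind, name)
```

The plan is only as good as the inventory: refresh it from the list commands immediately before acting, since a certificate created between the check and the delete will make the configuration deletion fail again.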
What's next
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations