Google Distributed Cloud (GDC) air-gapped appliance provides a public key infrastructure (PKI) API to get web certificates. This page provides instructions to change the default certificate issuer to another issuer. For more information about PKI certificate modes, see Web TLS certificate configuration.
Before you begin
To get the permissions you need to configure the PKI default certificate issuer,
ask your Organization IAM Admin to grant you the Infra PKI Admin
(infra-pki-admin) role in the system namespace.
Change default certificate issuer
The default issuer label looks like the following example. For each namespace, one
CertificateIssuermust contain the label:pki.security.gdc.goog/is-default-issuer: 'true'View the current default issuer in the
pki-systemnamespace:kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=trueThe output looks similar to the following:
NAME READY REASON ISDEFAULT default-tls-ca-issuer True CAaaSReady trueEdit the existing default issuer, and update the default issuer label from the issuer:
kubectl label --overwrite certificateissuers CURRENT_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer='false'Replace CURRENT_DEFAULT_ISSUER with the name of the current default certificate issuer.
To set the new
CertificateIssueras the default issuer, update the label:kubectl label --overwrite certificateissuers NEW_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer=trueReplace NEW_DEFAULT_ISSUER with the name of the new default certificate issuer.
Manually trigger certificate reissuance
After you switch the default certificate issuer, GDC air-gapped appliance won't automatically reissue certificates signed by the previous default certificate issuer unless the certificate is about to expire. To immediately reissue certificates with the new default issuer, see Manually reissue PKI web certificates.