Stay organized with collections
Save and categorize content based on your preferences.
Google Distributed Cloud (GDC) air-gapped appliance provides a public key infrastructure (PKI) API
to get web certificates. This page provides instructions to change the
default certificate issuer to another issuer. For more information about PKI
certificate modes, see Web TLS certificate configuration.
Before you begin
To get the permissions you need to configure the PKI default certificate issuer,
ask your Organization IAM Admin to grant you the Infra PKI Admin
(infra-pki-admin) role in the system namespace.
Change default certificate issuer
The default issuer label looks like the following example. For each namespace,
one CertificateIssuer must contain the label:
pki.security.gdc.goog/is-default-issuer:'true'
View the current default issuer in the pki-system namespace:
Replace NEW_DEFAULT_ISSUER with the name of the new
default certificate issuer.
Manually trigger certificate reissuance
After you switch the default certificate issuer, GDC air-gapped appliance
won't automatically reissue certificates signed by the previous default
certificate issuer unless the certificate is about to expire. To immediately
reissue certificates with the new default issuer, see
Manually reissue PKI web certificates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Change the default certificate issuer\n\nGoogle Distributed Cloud (GDC) air-gapped appliance provides a [public key infrastructure (PKI) API](/distributed-cloud/hosted/docs/latest/appliance/apis/service/security/pki/v1/security-pki-v1)\nto get web certificates. This page provides instructions to change the\ndefault certificate issuer to another issuer. For more information about PKI\ncertificate modes, see [Web TLS certificate configuration](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/pki/web-tls-cert-config).\n\nBefore you begin\n----------------\n\nTo get the permissions you need to configure the PKI default certificate issuer,\nask your Organization IAM Admin to grant you the Infra PKI Admin\n(`infra-pki-admin`) role in the system namespace.\n\nChange default certificate issuer\n---------------------------------\n\n1. The default issuer label looks like the following example. For each namespace,\n one `CertificateIssuer` must contain the label:\n\n pki.security.gdc.goog/is-default-issuer: 'true'\n\n2. View the current default issuer in the `pki-system` namespace:\n\n kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=true\n\n The output looks similar to the following: \n\n NAME READY REASON ISDEFAULT\n default-tls-ca-issuer True CAaaSReady true\n\n3. Edit the existing default issuer, and update the default issuer label\n from the issuer:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer='false'\n\n Replace \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e with the name of the\n current default certificate issuer.\n4. To set the new `CertificateIssuer` as the default issuer, update the label:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer=true\n\n Replace \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e with the name of the new\n default certificate issuer.\n\nManually trigger certificate reissuance\n---------------------------------------\n\nAfter you switch the default certificate issuer, GDC air-gapped appliance\nwon't automatically reissue certificates signed by the previous default\ncertificate issuer unless the certificate is about to expire. To immediately\nreissue certificates with the new default issuer, see\n[Manually reissue PKI web certificates](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/pki/pki-cert-reissue)."]]