Google Distributed Cloud (GDC) 에어 갭은 웹 인증서를 가져오는 공개 키 인프라 (PKI) API를 제공합니다. 이 페이지에서는 기본 인증서 발급자를 다른 발급자로 변경하는 방법을 설명합니다. PKI 인증서 모드에 대한 자세한 내용은 웹 TLS 인증서 구성을 참고하세요.
시작하기 전에
PKI 기본 인증서 발급자를 구성하는 데 필요한 권한을 얻으려면 조직 IAM 관리자에게 시스템 네임스페이스의 인프라 PKI 관리자(infra-pki-admin) 역할을 부여해 달라고 요청하세요.
기본 인증서 발급기관 변경
기본 발급자 라벨은 다음 예시와 같습니다. 각 네임스페이스에 대해 하나의 CertificateIssuer에 다음 라벨이 포함되어야 합니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eGoogle Distributed Cloud (GDC) air-gapped uses a Public Key Infrastructure (PKI) API to manage web certificates, and you can change the default certificate issuer.\u003c/p\u003e\n"],["\u003cp\u003eTo change the default certificate issuer, you must have the \u003ccode\u003einfra-pki-admin\u003c/code\u003e role in the system namespace, and then modify the label of the current issuer to \u003ccode\u003efalse\u003c/code\u003e before labeling the new one to \u003ccode\u003etrue\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe default issuer is identified by the label \u003ccode\u003epki.security.gdc.goog/is-default-issuer: 'true'\u003c/code\u003e, and only one \u003ccode\u003eCertificateIssuer\u003c/code\u003e per namespace can have this label.\u003c/p\u003e\n"],["\u003cp\u003eAfter changing the default certificate issuer, certificates signed by the old issuer are not automatically reissued, unless they are near expiration, and instead a manual reissuance is needed.\u003c/p\u003e\n"]]],[],null,["# Change the default certificate issuer\n\nGoogle Distributed Cloud (GDC) air-gapped provides a [public key infrastructure (PKI) API](/distributed-cloud/hosted/docs/latest/gdch/apis/service/security/pki/v1/security-pki-v1)\nto get web certificates. This page provides instructions to change the\ndefault certificate issuer to another issuer. For more information about PKI\ncertificate modes, see [Web TLS certificate configuration](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/web-tls-cert-config).\n\nBefore you begin\n----------------\n\nTo get the permissions you need to configure the PKI default certificate issuer,\nask your Organization IAM Admin to grant you the Infra PKI Admin\n(`infra-pki-admin`) role in the system namespace.\n\nChange default certificate issuer\n---------------------------------\n\n1. The default issuer label looks like the following example. For each namespace,\n one `CertificateIssuer` must contain the label:\n\n pki.security.gdc.goog/is-default-issuer: 'true'\n\n2. View the current default issuer in the `pki-system` namespace:\n\n kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=true\n\n The output looks similar to the following: \n\n NAME READY REASON ISDEFAULT\n default-tls-ca-issuer True CAaaSReady true\n\n3. Edit the existing default issuer, and update the default issuer label\n from the issuer:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer='false'\n\n Replace \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e with the name of the\n current default certificate issuer.\n4. To set the new `CertificateIssuer` as the default issuer, update the label:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer=true\n\n Replace \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e with the name of the new\n default certificate issuer.\n\nManually trigger certificate reissuance\n---------------------------------------\n\nAfter you switch the default certificate issuer, Distributed Cloud\nwon't automatically reissue certificates signed by the previous default\ncertificate issuer unless the certificate is about to expire. To immediately\nreissue certificates with the new default issuer, see\n[Manually reissue PKI web certificates](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/pki-cert-reissue)."]]