수동 자체 인증서 사용 (BYO cert) 순환을 트리거하고 완료할 때는 이전에 서명된 BYO cert에 대해 새로 생성된 인증서 서명 요청 (CSR)에 서명해야 합니다. 자세한 내용은 BYO 인증서 서명을 참고하세요.
교체 중에 Distributed Cloud는 새 비공개 키와 공개 키 쌍을 만듭니다. 따라서 이전에 업로드된 서명된 인증서가 새 CSR과 호환되지 않습니다. 초기 업로드 이후 인증서 사양이 변경되지 않은 경우 이전에 업로드된 인증서는 만료될 때까지 계속 사용됩니다. 사양이 변경되면 다음 이벤트 중 하나가 발생합니다.
Distributed Cloud는 일치하는 기존 인증서를 사용합니다.
대체 인증 기관 (CA)에서 새 인증서를 발급합니다.
BYO 인증서 수동 순환 예시
다음 예에서는 수동 순환을 위해 트리거된 이전에 서명된 BYO 인증서를 확인할 수 있습니다.
byoCertStatus에 인증서 type 값이 Ready로 표시됩니다.
reason 값은 이전 값보다 lastTransitionTime 값이 더 빠른 Issued입니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eThis page guides you through manually reissuing certificates for Google Distributed Cloud (GDC) air-gapped web endpoints using annotation updates via the \u003ccode\u003ekubectl\u003c/code\u003e CLI.\u003c/p\u003e\n"],["\u003cp\u003eReissuance of certificates is necessary when the default certificate issuer changes, as Distributed Cloud will not automatically reissue certificates from the previous issuer unless they are about to expire.\u003c/p\u003e\n"],["\u003cp\u003eTo access certificates in the system namespace you need an Infrastructure Operator (IO) account, whereas in other namespaces a Platform Administrator account is required.\u003c/p\u003e\n"],["\u003cp\u003eWhen performing a manual bring-your-own certificate (BYO cert) rotation, a new Certificate Signing Request (CSR) is created, and the previously signed certificate will be incompatible; requiring you to sign the newly generated CSR.\u003c/p\u003e\n"],["\u003cp\u003eCertificate signing alerts, such as \u003ccode\u003ePLATAUTH2001\u003c/code\u003e and \u003ccode\u003ePLATAUTH2002\u003c/code\u003e, must be addressed by the Infrastructure Operator (IO) using the troubleshooting steps found in the PKI runbook.\u003c/p\u003e\n"]]],[],null,["# Manually reissue PKI web certificates\n\nThis page provides instructions to manually trigger certificate reissuance for your\nGoogle Distributed Cloud (GDC) air-gapped web endpoints.\n\nBefore you begin\n----------------\n\nTo get the permissions you need to access certificates in a namespace, ask your\nOrganization IAM Admin to grant you the Web TLS Certificate\nAdmin (`web-tls-cert-admin`) role.\n\nConsider the following account requirements when performing certificate reissuance:\n\n- Use an Infrastructure Operator (IO) account to access the certificate in the system namespace. Ask your IO to perform this task.\n\n\u003c!-- --\u003e\n\n- Use a Platform Administrator account to access certificates in other namespaces.\n\nReissue a certificate\n---------------------\n\nYou can manually reissue a certificate with an annotation update. If the default\ncertificate issuer changes, Distributed Cloud won't automatically reissue\ncertificates signed by the previous default certificate issuer unless the\ncertificate is about to expire.\n\nTo manually trigger the reissuance of a certificate, use the `kubectl` CLI to\nperform the following steps:\n\n1. Set the `manual-reissuance` annotation to `requested` for target\n `Certificate`. The following example updates the `default-wildcard-cert`\n certificate in the `istio-system` namespace which uses the current default\n certificate issuer:\n\n kubectl annotate --overwrite certificate.pki.security.gdc.goog\n default-wildcard-cert -n istio-system\n pki.security.gdc.goog/manual-reissuance='requested'\n\n2. You might see an `in-progress` annotation value as a transitioning state\n while the certificate is being reissued. Wait for the `manual-reissuance`\n annotation value to show `finished`:\n\n kubectl -n istio-system get\n certificate.pki.security.gdc.goog/default-wildcard-cert -ojson | jq -r '\n .metadata.annotations.\"pki.security.gdc.goog/manual-reissuance\"'\n\n The output looks similar to the following: \n\n finished\n\n3. Verify the certificate issuer; it must either match the issuer mentioned in\n the certificate specification or, if not specified, the issuer must match the\n current default issuer:\n\n kubectl -n istio-system get certificate.pki.security.gdc.goog/default-wildcard-cert -ojson | jq -r '\n .status.issuedBy'\n\n The output looks similar to the following: \n\n {\n \"name\": \"byo-cert-issuer\",\n \"namespace\": \"pki-system\"\n }\n\n### Bring-your-own certificate manual rotation\n\nWhen you trigger and complete a manual bring-your-own certificate (BYO cert)\nrotation, you must sign the newly generated Certificate Signing Request (CSR) for\na previously signed BYO cert. For more information, see\n[Sign the BYO certificate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/transition-pki-modes#sign-byo-cert).\n\nDuring rotation, Distributed Cloud creates a new private and public key\npair. This makes the signed certificate uploaded earlier incompatible with the\nnew CSR. If the certificate specification hasn't changed since the initial upload,\nthe previously uploaded certificate remains in use until it expires. If the\nspecification changes, one of the following events occur:\n\n- Distributed Cloud uses an existing matching certificate.\n- A fallback Certificate Authority (CA) issues a new certificate.\n\n#### BYO cert manual rotation example\n\nIn the following example, you see a previously signed BYO cert triggered\nfor manual rotation:\n\n- The `byoCertStatus` shows the certificate `type` value is `Ready`,\n- The `reason` value is `Issued` with an earlier `lastTransitionTime` value than\n the previous value:\n\n {\n \"byoCertStatus\": {\n \"csrStatus\": {\n \"conditions\": [\n {\n \"lastTransitionTime\": \"2024-05-03T22:38:43Z\",\n \"message\": \"\",\n \"observedGeneration\": 2,\n \"reason\": \"WaitingForSigning\",\n \"status\": \"False\",\n \"type\": \"Ready\"\n }\n ],\n \"csr\": \"LS0tLS1CRUdJTiBDRVJ...\"\n },\n \"signedCertStatus\": {\n \"conditions\": [\n {\n \"lastTransitionTime\": \"2024-05-03T22:38:43Z\",\n \"message\": \"RawSubjectPublickKeyInfo does not match with the CSR\",\n \"observedGeneration\": 2,\n \"reason\": \"Rejected\",\n \"status\": \"False\",\n \"type\": \"Ready\"\n }\n ]\n }\n },\n ```\n\nIn the following example, you see output for a previously signed BYO cert triggered\nfor manual rotation:\n\n- In the `signedCertStatus`, the `reason` field shows `Rejected` because the previously signed certificate no longer matches the new CSR after rotation.\n- The CSR `reason` states `WaitingForSigning`:\n\n \"conditions\": [\n {\n \"lastTransitionTime\": \"2024-05-03T08:42:10Z\",\n \"message\": \"Certificate is issued\",\n \"observedGeneration\": 2,\n \"reason\": \"Issued\",\n \"status\": \"True\",\n \"type\": \"Ready\"\n }\n ],\n \"errorStatus\": {\n \"errors\": [\n {\n \"code\": \"PLATAUTH2002\",\n \"message\": \"Waiting for CSR signing\"\n }\n ],\n \"lastUpdateTime\": \"2024-05-03T22:38:43Z\"\n },\n \"issuedBy\": {\n \"name\": \"byo-cert-issuer\",\n \"namespace\": \"pki-system\"\n }\n }\n\n Manage certificate signing alerts\n ---------------------------------\n\nCertificate signing alerts for initial issuance, rotation, and expiration must be\naddressed by your IO using the troubleshooting steps documented in these sections\nof the PKI runbook:\n\n- For subCA errorCode: `PLATAUTH2001`, see PLATAUTH-R2001.\n\n- For BYO cert errorCode: `PLATAUTH2002`, see PLATAUTH-R2002."]]