# Web TLS certificate configuration

Google Distributed Cloud (GDC) air-gapped provides a [public key infrastructure (PKI) API](/distributed-cloud/hosted/docs/latest/gdch/apis/service/security/pki/v1/security-pki-v1) for you to obtain a web certificate. This API supports several user modes:

- **Fully-managed**: certificates issued by GDC PKI infrastructure and chained to a GDC-managed self-signed root certificate authority (CA).
- **BYO cert**: you provide a pool of certificates with a default wildcard certificate. GDC uses the best-matched certificate for your service.
- **BYO cert with ACME**: certificates used by public-facing services, issued by your ACME server.
- **BYO SubCA**: certificates issued by GDC PKI infrastructure and chained to your SubCA. You must provide the SubCA and let GDC operate it.

Infra PKI mode definitions
--------------------------

This section provides a detailed explanation of each PKI user mode.

### Fully Managed mode (default mode)

In fully managed mode, each organization admin cluster relies on the GDC public key infrastructure (PKI) to issue certificates. When you create a new organization, this mode is applied by default. Afterwards, you can switch to a different PKI mode.

With this mode, you must obtain the root CA and distribute it to your environment for trust.

### BYO Certificates mode

BYO certificate mode supports signing leaf certificates with external or user-managed CAs. This mode generates a certificate signing request (CSR) for every certificate request. While waiting for signing, BYO cert mode searches the pool for an existing customer-signed certificate that matches the certificate request:

- If it can't find a matching certificate, a GDC-managed fallback CA issues a temporary certificate that is ready for immediate use.
- If it finds a matching certificate, it uses that certificate as the temporary certificate for the current request.

To sign the CSR, perform the following steps:

1. Download the CSR from the `Certificate` custom resource status.
2. Upload the signed certificate and the external CA certificate to the same `Certificate` custom resource by updating its `spec` field.

To manage verification and replace the temporary certificate, Distributed Cloud updates the certificate secret with the uploaded certificate and the external CA. You don't have to change your trust stores.

For more information, see [Sign the BYO certificate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/transition-pki-modes#sign-byo-cert).

### BYO Certificates with ACME mode

In BYO cert with ACME mode, a GDC-managed ACME client is deployed at a Distributed Cloud site and communicates with an ACME server, which is a CA that you deploy at your site. The ACME server uses the ACME protocol to request, validate, and manage certificates.

The ACME protocol supports different challenges, for example HTTP-01 and DNS-01. These challenges prove domain ownership so that certificates can be obtained automatically. Distributed Cloud uses the DNS-01 challenge. With this challenge, the Distributed Cloud client adds a specific DNS record to the domain's DNS zone. Once the challenge completes successfully, the ACME CA automatically issues the certificate. You don't have to change your trust stores.

To learn more about the ACME protocol, see the Datatracker public document for RFC 8555: <https://datatracker.ietf.org/doc/html/rfc8555>.

### BYO SubCA mode

In BYO SubCA mode, a CSR for the SubCA is generated within the Distributed Cloud organization admin cluster. You must sign the CSR and upload the signed certificate into the system. For more information, see [Sign the BYO SubCA certificate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/transition-pki-modes#sign-byo-subca-cert). You can then create a `CertificateIssuer` custom resource that points to this SubCA and mark it as the default `CertificateIssuer`.

The newly created SubCA issues all subsequent web certificates. You don't have to change your trust stores.

Transition to a different PKI mode
----------------------------------

The PKI API supports transitioning from the default fully-managed mode to the other supported custom modes. For more information, see [transition to different PKI modes](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/transition-pki-modes).

Last updated 2025-09-04 UTC.
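The BYO Certificates mode section above describes a two-step round trip: take the CSR from the `Certificate` status, have your external CA sign it, and upload the signed leaf together with the CA certificate. The following is an added example, not GDC's own code or API: it simulates that round trip with the `cryptography` library and, more usefully, shows the checks an operator should run on the signed leaf before touching the `spec` field, so that a leaf signed for a different key, or a CA certificate that did not actually issue the leaf, is caught locally rather than by the platform. The CA, the CSR, and the DNS names are constructed in place of the real resources; no GDC field names are assumed.

```python
# Added example (not GDC's own code): the BYO-cert signing round trip plus the
# pre-upload checks. CA, CSR and DNS names below are constructed stand-ins for the
# real Certificate resource; the example uses EC keys throughout for speed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM = serialization.Encoding.PEM


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _validity(cert):
    """Validity window as aware UTC datetimes, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def make_external_ca(common_name="Constructed External CA"):
    """Constructed self-signed CA standing in for the user-managed external CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_cert_sign=True, crl_sign=True,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert.public_bytes(PEM)


def make_csr(dns_names):
    """Constructed CSR standing in for the one read from the Certificate status."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])]))
        .add_extension(x509.SubjectAlternativeName(
            [x509.DNSName(d) for d in dns_names]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(PEM)


def sign_csr(csr_pem, ca_key, ca_pem, days=90):
    """External CA step: issue a server leaf from the CSR's subject, key and SANs."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # proof of possession of the key in the CSR
        raise ValueError("CSR signature does not verify; do not sign it")
    ca_cert = x509.load_pem_x509_certificate(ca_pem)
    sans = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(sans, critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(PEM)


def check_before_upload(csr_pem, cert_pem, ca_pem):
    """Checks to run before updating the Certificate spec with the leaf and CA."""
    csr = x509.load_pem_x509_csr(csr_pem)
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)

    def spki(key):  # DER SubjectPublicKeyInfo, comparable across key objects
        return key.public_bytes(serialization.Encoding.DER,
                                serialization.PublicFormat.SubjectPublicKeyInfo)

    results = {
        # Leaf must carry the key from the CSR, or it won't match the private key GDC holds.
        "key_matches_csr": spki(cert.public_key()) == spki(csr.public_key()),
        "subject_matches_csr": cert.subject == csr.subject,
        # The CA certificate being uploaded must be the one that issued the leaf.
        "issuer_is_uploaded_ca": cert.issuer == ca.subject,
        "uploaded_ca_is_a_ca": ca.extensions.get_extension_for_class(
            x509.BasicConstraints).value.ca,
    }
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        results["signature_verifies"] = True
    except Exception:  # InvalidSignature, or a non-EC CA key in this EC-only example
        results["signature_verifies"] = False
    nb, na = _validity(cert)
    results["valid_now"] = nb <= _now() <= na
    return results
```

`check_before_upload` returns a dictionary of named booleans rather than a single pass/fail so that the operator sees which property failed; the two that matter most in this mode are `key_matches_csr` (a leaf minted for some other key would never pair with the private key in the certificate secret) and `signature_verifies` against the CA certificate you are about to upload (uploading a CA that did not issue the leaf leaves the chain unverifiable).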
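The ACME section above says the Distributed Cloud client "adds a specific DNS record to the domain's DNS zone" for the DNS-01 challenge without saying what that record contains. The following added example (not GDC's code; the GDC ACME client is not shown on this page) computes the record as RFC 8555 defines it, sections 8.1 (key authorization) and 8.4 (DNS-01), with the account-key thumbprint from RFC 7638, and includes a check a defender can use to confirm that a `_acme-challenge` TXT record observed in a zone was produced for a given token by the expected ACME account key. The account JWK is a constructed sample; only its public members enter the computation.

```python
# Added example (not GDC's own code): the DNS-01 TXT record per RFC 8555 §8.1/§8.4
# and RFC 7638, plus a check that an observed record belongs to a known account key.
import base64
import hashlib
import json

# Constructed sample ACME account key (public part only, as a JWK). The "use"
# member is deliberately present: RFC 7638 excludes it from the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",
}

# Required public members per key type (RFC 7638 §3.2); everything else is dropped.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
        canonical = json.dumps({m: jwk[m] for m in members},
                               sort_keys=True, separators=(",", ":"))
    except KeyError as exc:
        raise ValueError(f"unsupported or incomplete JWK: {exc}") from None
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(domain: str) -> str:
    """RFC 8555 §8.4: the TXT record lives at _acme-challenge.<domain>."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def txt_matches_account(observed_txt: str, token: str, account_jwk: dict) -> bool:
    """Defender-side check: was this TXT value produced for `token` by `account_jwk`?

    A record that does not match the account key you expect to be requesting
    certificates for the zone is worth investigating before the CA acts on it.
    """
    return observed_txt == dns01_txt_value(token, account_jwk)


if __name__ == "__main__":
    tok = "constructed-challenge-token"  # constructed; real tokens come from the ACME server
    print(dns01_record_name("app.example.org"), "TXT", dns01_txt_value(tok, SAMPLE_ACCOUNT_JWK))
```

Two properties are worth noting for anyone auditing these records: the TXT value is a 43-character base64url string regardless of domain or key type, and it binds the challenge token to one specific account key, so a zone should only ever contain values reproducible from the account keys your ACME client is authorised to use.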