# Best practices for automating certificate renewal

Last updated 2025-09-04 UTC.

This topic describes the best practices for automating certificate renewal for
LDAPS.

Overview
--------

If you are issuing shorter-lived certificates, we recommend that you automate
the renewal of these certificates.

Dealing with API errors
-----------------------

Automation should check for errors both on the initial blocking API call and
when polling the returned long-running operation. The update can only be
considered successful if the long-running operation is marked as done without
error.

If `UpdateLdapsSettings` returns an error with code `INVALID_ARGUMENT`, the
error message can explain what is wrong with the uploaded certificate. This
error is typically returned during the initial blocking call to the API. In such
cases, retries are ineffective and the automation should send an alert.

If the API returns any other error code that is retriable (such as
`UNAVAILABLE`), the automation should retry the call with appropriate backoff.
These errors are typically returned when polling the long-running operation
that is returned by the initial blocking call to `UpdateLdapsSettings`.

Learn more about
[`UpdateLdapsSettings`](../reference/rest/v1/projects.locations.global.domains/updateLdapssettings).

Checking the `LDAPSSettings` state
----------------------------------

After calling `UpdateLdapsSettings`, it is good practice to check that
`LDAPSSettings` meets expectations and is in a good state (`ACTIVE`).
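The following Python is an added example, not code from the Managed Microsoft AD documentation or from Google's client libraries. It combines the rules from the Dealing with API errors section (never retry `INVALID_ARGUMENT`, retry retriable codes with backoff, poll the long-running operation until it is done, and treat an operation that finishes with an error as a failure) with the `ACTIVE` state check recommended here. The client interface (`update_ldaps_settings`, `get_operation`, `get_ldaps_settings`), the `ApiError` carrying a gRPC-style status code string, and the inclusion of `DEADLINE_EXCEEDED` among retriable codes are all assumptions; `FakeClient` is a constructed stand-in so the policy can be exercised offline.

```python
"""Retry, poll and verify an LDAPS certificate update (added example).

The client interface and FakeClient below are assumptions for illustration,
not the real Managed Microsoft AD client library.
"""
import random
import time
from dataclasses import dataclass
from typing import Callable, Optional

# The page names INVALID_ARGUMENT (never retried) and UNAVAILABLE (retried).
# DEADLINE_EXCEEDED is added here as a further standard retriable code (assumption).
RETRIABLE_CODES = {"UNAVAILABLE", "DEADLINE_EXCEEDED"}


class ApiError(Exception):
    """An API failure carrying a gRPC-style status code (modelled, see above)."""

    def __init__(self, code: str, message: str = "") -> None:
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


@dataclass
class Operation:
    """Minimal model of a long-running operation resource."""
    name: str
    done: bool = False
    error: Optional[str] = None


def with_retries(call: Callable, *, max_attempts: int = 5, base_delay: float = 1.0,
                 sleep: Callable[[float], None] = time.sleep):
    """Run call(); retry only retriable codes, with capped exponential backoff and jitter."""
    for attempt in range(1, max_attempts + 1):
        try:
            return call()
        except ApiError as exc:
            if exc.code not in RETRIABLE_CODES or attempt == max_attempts:
                raise  # non-retriable, or retries exhausted: let the caller alert
            delay = min(base_delay * 2 ** (attempt - 1), 30.0)
            sleep(delay * random.uniform(0.5, 1.5))  # jitter spreads retries from many clients


def renew_ldaps_certificate(client, pfx_bytes: bytes, password: str,
                            alert: Callable[[str], None], *,
                            poll_interval: float = 5.0,
                            sleep: Callable[[float], None] = time.sleep) -> bool:
    """Return True only if the operation finished without error and settings are ACTIVE.

    INVALID_ARGUMENT and exhausted retries raise an alert instead of looping forever.
    """
    try:
        op = with_retries(lambda: client.update_ldaps_settings(pfx_bytes, password), sleep=sleep)
        while not op.done:
            sleep(poll_interval)
            op = with_retries(lambda: client.get_operation(op.name), sleep=sleep)
        settings = with_retries(client.get_ldaps_settings, sleep=sleep)
    except ApiError as exc:
        if exc.code == "INVALID_ARGUMENT":
            alert(f"certificate rejected, not retrying: {exc.message}")
        else:
            alert(f"update failed after retries: {exc}")
        return False
    if op.error:
        alert(f"operation {op.name} completed with error: {op.error}")
        return False
    if settings.get("state") != "ACTIVE":
        alert(f"LDAPSSettings state is {settings.get('state')!r}, expected ACTIVE")
        return False
    return True


class FakeClient:
    """Constructed stand-in: optionally rejects the upload, and fails the first
    `flaky_polls` operation polls with UNAVAILABLE before reporting done."""

    def __init__(self, reject: bool = False, flaky_polls: int = 1, final_state: str = "ACTIVE"):
        self.reject, self.flaky_polls, self.final_state = reject, flaky_polls, final_state
        self.polls = 0

    def update_ldaps_settings(self, pfx_bytes: bytes, password: str) -> Operation:
        if self.reject:
            raise ApiError("INVALID_ARGUMENT", "certificate chain is incomplete (constructed message)")
        return Operation(name="operations/constructed-1")

    def get_operation(self, name: str) -> Operation:
        self.polls += 1
        if self.polls <= self.flaky_polls:
            raise ApiError("UNAVAILABLE", "transient backend error (constructed)")
        return Operation(name=name, done=True)

    def get_ldaps_settings(self) -> dict:
        return {"state": self.final_state}


if __name__ == "__main__":
    no_sleep = lambda seconds: None  # keep the demo instant
    print("renewal succeeded:",
          renew_ldaps_certificate(FakeClient(), b"<pfx bytes>", "pw", print, sleep=no_sleep))
    renew_ldaps_certificate(FakeClient(reject=True), b"<pfx bytes>", "pw", print, sleep=no_sleep)
```

The `sleep` parameter is injected so the backoff can be tested without waiting; in production leave it as `time.sleep` and cap `max_attempts` so a persistently failing backend produces one alert rather than an unbounded loop.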
You can call `GetLdapsSettings` to compare the fingerprints of the certificates
in the intended state against the deployed certificate fingerprints. You can use
tools like OpenSSL to calculate the fingerprints of your new certificates.

Take note of any display differences between the method the automation uses to
compute fingerprints and how Managed Microsoft AD stores them. For example,
Managed Microsoft AD stores a thumbprint as a single undelimited hexadecimal
string: `771B8FD90806E074A7AD49B1624D2761137557D2`. OpenSSL returns the
following for the same certificate:
`SHA1 Fingerprint=77:1B:8F:D9:08:06:E0:74:A7:AD:49:B1:62:4D:27:61:13:75:57:D2`.

Learn more about [`LDAPSSettings`](../reference/rest/v1/LDAPSSettings) and
[`GetLdapsSettings`](../reference/rest/v1/projects.locations.global.domains/getLdapssettings).

Building a PFX certificate chain
--------------------------------

If your automation procures certificates in the PEM or CRT formats, you must
convert them to PFX and include the entire certificate chain.

To convert to PFX and include the entire chain, complete the following steps
using a shell and OpenSSL.

1. Create a single PEM file that includes all intermediate certificates as well
   as the root certificate.

   ```
   cat root-ca-cert.pem >> temp.pem
   echo -e "\n" >> temp.pem
   cat intermediate-ca-cert.pem >> temp.pem
   ```
2. Build the output PFX file. `leaf.key` is the private key, and
   `EXPORT_PASSWORD` is a placeholder for the export password (OpenSSL expects
   the `pass:` prefix).

   ```
   openssl pkcs12 -export -out out.pfx -inkey leaf.key -in leaf-cert.pem \
     -certfile temp.pem -passout pass:EXPORT_PASSWORD
   ```
3. Show the contents of the PFX file. The output should show the entire chain
   from root to leaf, plus the private key.

   ```
   openssl pkcs12 -in out.pfx -nodes -passin pass:EXPORT_PASSWORD
   ```
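The three steps above, driven from Python as an added example (not code from the documentation): it runs the same OpenSSL commands through `subprocess` and adds two checks the steps do not perform, namely that the leaf actually chains to the root through the intermediate (`openssl verify`) and that the resulting PFX carries the private key and every certificate. It needs the `openssl` binary on `PATH`; `make_test_chain` generates a constructed, throwaway root/intermediate/leaf chain so the script runs offline; file names follow the steps above and `EXPORT_PASSWORD` is the same placeholder.

```python
"""Build a PFX with the full chain and verify it before upload (added example).

Requires the openssl binary. make_test_chain() produces constructed throwaway
material; in real automation the PEM files come from your issuer.
"""
import os
import subprocess
import tempfile


def run(*args: str, cwd: str) -> str:
    """Run one openssl command in cwd, fail loudly on non-zero exit, return stdout."""
    result = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                            capture_output=True, text=True)
    return result.stdout


def build_pfx_chain(workdir: str, leaf_key: str, leaf_cert: str, intermediate_cert: str,
                    root_cert: str, out_pfx: str, password: str) -> int:
    """Steps 1-3 from the procedure plus verification.

    Returns the number of certificates found in the PFX (3 for root+intermediate+leaf).
    """
    # Check the chain first: packaging the wrong intermediate is exactly the kind
    # of mistake that later surfaces as INVALID_ARGUMENT from UpdateLdapsSettings.
    run("verify", "-CAfile", root_cert, "-untrusted", intermediate_cert, leaf_cert, cwd=workdir)
    # Step 1: one PEM file holding the root and all intermediates.
    with open(os.path.join(workdir, root_cert)) as root, \
            open(os.path.join(workdir, intermediate_cert)) as inter, \
            open(os.path.join(workdir, "temp.pem"), "w") as temp:
        temp.write(root.read().rstrip("\n") + "\n\n" + inter.read().rstrip("\n") + "\n")
    # Step 2: export the PFX with the leaf key, leaf cert and the chain file.
    run("pkcs12", "-export", "-out", out_pfx, "-inkey", leaf_key, "-in", leaf_cert,
        "-certfile", "temp.pem", "-passout", "pass:" + password, cwd=workdir)
    # Step 3: dump the PFX and confirm it carries the key and the whole chain.
    dump = run("pkcs12", "-in", out_pfx, "-nodes", "-passin", "pass:" + password, cwd=workdir)
    if "PRIVATE KEY-----" not in dump:
        raise RuntimeError("PFX does not contain the private key")
    return dump.count("-----BEGIN CERTIFICATE-----")


def make_test_chain(workdir: str) -> None:
    """Generate a throwaway root -> intermediate -> leaf chain (constructed test data)."""
    with open(os.path.join(workdir, "req.cnf"), "w") as cnf:  # self-contained req config
        cnf.write("[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n"
                  "[ca_ext]\nbasicConstraints = critical,CA:TRUE\n"
                  "keyUsage = critical,keyCertSign,cRLSign\n")
    with open(os.path.join(workdir, "ca.ext"), "w") as ext:  # extensions for the intermediate
        ext.write("basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n")
    # Self-signed root CA.
    run("req", "-x509", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes", "-days", "2",
        "-subj", "/CN=Constructed Root", "-keyout", "root.key", "-out", "root-ca-cert.pem", cwd=workdir)
    # Intermediate CA signed by the root.
    run("req", "-new", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
        "-subj", "/CN=Constructed Intermediate", "-keyout", "intermediate.key", "-out", "intermediate.csr", cwd=workdir)
    run("x509", "-req", "-days", "2", "-in", "intermediate.csr", "-CA", "root-ca-cert.pem", "-CAkey", "root.key",
        "-CAcreateserial", "-extfile", "ca.ext", "-out", "intermediate-ca-cert.pem", cwd=workdir)
    # Leaf (the LDAPS server certificate) signed by the intermediate.
    run("req", "-new", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
        "-subj", "/CN=ldaps.example.invalid", "-keyout", "leaf.key", "-out", "leaf.csr", cwd=workdir)
    run("x509", "-req", "-days", "2", "-in", "leaf.csr", "-CA", "intermediate-ca-cert.pem",
        "-CAkey", "intermediate.key", "-CAcreateserial", "-out", "leaf-cert.pem", cwd=workdir)


def demo() -> int:
    """Build and verify a PFX from a constructed chain in a temp dir; return the cert count."""
    with tempfile.TemporaryDirectory() as workdir:
        make_test_chain(workdir)
        return build_pfx_chain(workdir, "leaf.key", "leaf-cert.pem", "intermediate-ca-cert.pem",
                               "root-ca-cert.pem", "out.pfx", "EXPORT_PASSWORD")


if __name__ == "__main__":
    print("certificates in PFX:", demo())
```

If `openssl verify` rejects the chain, the function raises before anything is exported, which is the point at which the automation should alert rather than upload a PFX the API will reject.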
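Once the PFX has been uploaded, the final step of the renewal flow is the fingerprint comparison described under Checking the `LDAPSSettings` state. The following is an added example, not code from the documentation: it reduces both display forms shown there (OpenSSL's `SHA1 Fingerprint=77:1B:...` line and Managed Microsoft AD's undelimited thumbprint) to one canonical form before comparing, and it can also compute the SHA-1 fingerprint directly from a PEM certificate so the automation never depends on OpenSSL's output format. The `LDAPSSettings` shape read by `check_deployed_certificate` (a top-level `state` and a certificate `thumbprint`) is an assumption, and `SAMPLE_PEM` wraps constructed bytes, not a real certificate.

```python
"""Canonical certificate fingerprints for comparing intended vs deployed LDAPS certs.

Added example; the LDAPSSettings dict shape used below is an assumption.
"""
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

HEX_SHA1_LEN = 40


def normalize_fingerprint(value: str) -> str:
    """Reduce any SHA-1 fingerprint display form to 40 uppercase hex characters.

    Accepts Managed Microsoft AD's '771B8F...' form, OpenSSL's
    'SHA1 Fingerprint=77:1B:...' form, and variants with spaces or lowercase.
    """
    if "=" in value:  # strip an OpenSSL 'SHA1 Fingerprint=' prefix
        value = value.split("=", 1)[1]
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != HEX_SHA1_LEN:
        raise ValueError(f"not a SHA-1 fingerprint: {value!r}")
    return digits.upper()


def fingerprint_from_der(der: bytes) -> str:
    """SHA-1 over the DER encoding, which is what 'openssl x509 -fingerprint -sha1' hashes."""
    return hashlib.sha1(der).hexdigest().upper()


def fingerprint_from_pem(pem: str) -> str:
    """Decode the first PEM certificate block and fingerprint its DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return fingerprint_from_der(der)


def fingerprints_match(expected: str, deployed: str) -> bool:
    """Compare in canonical form; a constant-time compare costs nothing here."""
    return hmac.compare_digest(normalize_fingerprint(expected), normalize_fingerprint(deployed))


def check_deployed_certificate(settings: Dict, expected_fingerprint: str) -> Tuple[bool, List[str]]:
    """Verify a GetLdapsSettings result: the state must be ACTIVE and the deployed
    thumbprint must equal the fingerprint of the certificate that was uploaded.
    Returns (ok, problems) so the caller can alert with every mismatch at once."""
    problems: List[str] = []
    if settings.get("state") != "ACTIVE":
        problems.append(f"state is {settings.get('state')!r}, expected 'ACTIVE'")
    deployed = (settings.get("certificate") or {}).get("thumbprint")
    if not deployed:
        problems.append("no certificate thumbprint in LDAPSSettings")
    elif not fingerprints_match(expected_fingerprint, deployed):
        problems.append(f"deployed thumbprint {normalize_fingerprint(deployed)} "
                        f"!= expected {normalize_fingerprint(expected_fingerprint)}")
    return not problems, problems


# Constructed sample: arbitrary bytes wrapped as PEM, NOT a real X.509 certificate.
SAMPLE_DER = b"constructed sample bytes, not an X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    openssl_form = "SHA1 Fingerprint=77:1B:8F:D9:08:06:E0:74:A7:AD:49:B1:62:4D:27:61:13:75:57:D2"
    stored_form = "771B8FD90806E074A7AD49B1624D2761137557D2"
    print(fingerprints_match(openssl_form, stored_form))
    print(check_deployed_certificate({"state": "ACTIVE", "certificate": {"thumbprint": stored_form}},
                                     openssl_form))
    print(fingerprint_from_pem(SAMPLE_PEM))
```

Feeding the leaf PEM your issuer returned into `fingerprint_from_pem` and the `GetLdapsSettings` response into `check_deployed_certificate` gives the automation an end-to-end confirmation that the certificate it built is the one now serving LDAPS.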