Manage certificate issuance configuration resources (original) (raw)

This page describes how to create and manage a certificate issuance configuration resource.

For more information about certificate issuance configuration resources, seeCertificate issuance configs.

Create a certificate issuance configuration resource

Before you create the issuance configuration resource, configure CA Service integration with Certificate Manager.

To create a certificate issuance configuration resource, specify the certificate's lifetime, rotation window percentage, key algorithm, and the CA pool to use.

Even though you use a regional CA pool to issue a Google-managed TLS certificate, the certificate can be used globally.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

• Certificate Manager Editor role (roles/certificatemanager.editor)
• Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Console

1. In the Google Cloud console, go to the Issuance configs tab on theCertificate Manager page.
   Go to Certificate Manager
2. Click Create. The Create a Certificate Issuance Config page appears.
3. In the Name field, enter a unique name for the certificate issuance configuration resource.
4. Optional: In the Description field, enter a description for the issuance configuration.
5. For Location, select Global or Regional. If you selected Regional, select the same Region as your certificate and CA pool.
6. In the Lifetime field, specify the lifetime of issued certificate in days. The value must be between 21 to 30 days (inclusive).
7. For Rotation window percentage, specify the percentage of the certificate's lifetime when its renewal process begins. To find the range of valid values, see Lifetime and Rotation window percentage.
8. From the Key algorithm list, select the key algorithm to use when generating the private key.
9. From the CA pool list, select the name of the CA pool to assign to this certificate issuance configuration resource.
10. In the Labels field, specify labels to associate to the certificate. To add a label, click Add label, and specify a key and a value for your label.
11. Click Create.

gcloud

To create a certificate issuance configuration resource, use thecertificate-manager issuance-configs createcommand:

gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME
--ca-pool=CA_POOL
--lifetime=CERTIFICATE_LIFETIME
--rotation-window-percentage=ROTATION_WINDOW_PERCENTAGE
--key-algorithm=KEY_ALGORITHM [--location=LOCATION]

Replace the following:

• ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
• CA_POOL: the full resource path and name of the CA pool that you want to assign to the certificate issuance configuration resource.
• CERTIFICATE_LIFETIME: the certificate lifetime in days. Valid values are from 21 to 30 days in the absolute duration format. The default value is 30 days (30D). This flag is optional.
• ROTATION_WINDOW_PERCENTAGE: the percentage of the certificate's remaining lifetime before renewal. The default value is 66%. To find the range of valid values, see [Lifetime and Rotation window percentage](#lifetime-rotation-percentage). This flag is optional.
• KEY_ALGORITHM: the encryption algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. The default value is rsa-2048. This flag is optional.
• LOCATION: the target Google Cloud location.

API

Create the certificate issuance configuration resource by making a POSTrequest to the certificateIssuanceConfigs.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificateIssuanceConfigs?issuanceConfig_id=ISSUANCE_CONFIG_NAME { "name": "ISSUANCE_CONFIG_NAME", "description": "DESCRIPTION", "certificateAuthorityConfig": { "certificateAuthorityServiceConfig": { "caPool": "CA_POOL" }, }, "lifetime": "CERTIFICATE_LIFETIME", "rotationWindowPercentage": "ROTATION_WINDOW_PERCENTAGE", "keyAlgorithm": "KEY_ALGORITHM", }

Replace the following:

• PROJECT_ID: ID of your Google Cloud project.
• LOCATION: the target Google Cloud location.
• ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
• DESCRIPTION: a meaningful description for the certificate issuance configuration resource.
• CA_POOL: the full resource path and name of the CA pool that you want to assign to the certificate issuance configuration resource.
• CERTIFICATE_LIFETIME: the certificate lifetime in days. Valid values are from 21 to 30 days in the absolute duration format. The default value is 30 days (30D). This flag is optional.
• ROTATION_WINDOW_PERCENTAGE: the percentage of the certificate's remaining lifetime before renewal. The default value is 66%. To find the range of valid values, see [Lifetime and Rotation window percentage](#lifetime-rotation-percentage). This flag is optional.
• KEY_ALGORITHM: the encryption algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. The default value is rsa-2048. This flag is optional.

Lifetime and Rotation window percentage

When you create a certificate issuance configuration resource, you also define the certificate's lifetime in the Lifetime field, and when the certificate's renewal process begins before it expires in the Rotation window percentagefield.

To make sure that the certificate renews at least seven days before its expiry and seven days after its issuance, set the rotation window percentage relative to the certificate's lifetime. To calculate the allowed range for the rotation window percentage, use the following formulas:

• Minimum value: Rotation window percentage ≥ (7 / Lifetime) * 100
• Maximum value: Rotation window percentage ≤ ( (Lifetime - 7) / Lifetime) * 100

In the previous formulas, 7 is seven days.

If the minimum value is a decimal value, round it up to the nearest whole number. If the maximum value is a decimal value, round it down to the nearest whole number.

When you update a certificate issuance configuration, you can do the following:

• Specify new labels
• Specify a new description

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

• Certificate Manager Editor role (roles/certificatemanager.editor)
• Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

gcloud

To update a certificate issuance configuration resource, use thecertificate-manager issuance-configs updatecommand:

gcloud certificate-manager issuance-configs update ISSUANCE_CONFIG_NAME [--update-labels="LABELS"]
[--description="DESCRIPTION"]

Replace the following:

• ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration that you want to update.
• LABELS: labels that you want to specify for the certificate issuance configuration. Labels must be specified in a comma-delimited list as KEY=VALUE pairs. This field is optional.
• DESCRIPTION: the description of the certificate issuance configuration. This field is optional.

API

Use thecertificateIssuanceConfigs.patchmethod to update a certificate issuance configuration:

PATCH /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME?updateMask=labels,description { labels: { "LABEL_KEY": "LABEL_VALUE" }, description: "DESCRIPTION" }

Replace the following:

• PROJECT_ID: ID of your Google Cloud project.
• ISSUANCE_CONFIG_NAME: the name of the target certificate issuance configuration that you want to update.
• LABEL_KEY: the label key. This field is optional.
• LABEL_VALUE: the value of the label. This field is optional.
• DESCRIPTION: the certificate issuance configuration.

List certificate issuance configurations

You can see all certificate issuance configuration resources of your project and their details.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

• Certificate Manager Viewer role (roles/certificatemanager.viewer)
• Certificate Manager Editor role (roles/certificatemanager.editor)
• Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Console

1. In the Google Cloud console, go to the Issuance configs tab on theCertificate Manager page.
   Go to Certificate Manager
   On the Issuance configs tab, all certificate issuance configuration resources managed by Certificate Manager in the selected project are displayed.

gcloud

To list certificate issuance configuration resources, use thecertificate-manager issuance-configs listcommand:

gcloud certificate-manager issuance-configs list
--filter="FILTER"
--page-size="PAGE_SIZE"
--limit="LIMIT"
--sort-by="SORT_BY"
[--location=LOCATION]

Replace the following:

• FILTER: an expression that constrains the returned results to specific values.
  For example, to filter results by the labels and creation time, you can specify:--filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'
  For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list resultsin the Cloud Key Management Service documentation.
• PAGE_SIZE: number of results that you want to return per page
• LIMIT: maximum number of results that you want to return
• SORT_BY: a comma-separated list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).
• LOCATION: the target Google Cloud location.

API

List configured certificate issuance configuration resources by making a LISTrequest to the certificateIssuanceConfigs.list method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

• PROJECT_ID: ID of your Google Cloud project.
• FILTER: an expression that constrains the returned results to specific values.
  For example, to filter results by the labels and creation time, you can specify:--filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'
  For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.
• PAGE_SIZE: number of results that you want to return per page
• SORT_BY: a comma-separated list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

View the state of a certificate issuance configuration resource

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

• Certificate Manager Viewer role (roles/certificatemanager.viewer)
• Certificate Manager Editor role (roles/certificatemanager.editor)
• Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Console

1. In the Google Cloud console, go to the Issuance configs tab on theCertificate Manager page.
   Go to Certificate Manager
2. Click the name of the certificate issuance configuration resource that you want to view. The Certificate Issuance Config page displays detailed information about the certificate issuance configuration resource.

gcloud

To view the state of a certificate issuance configuration resource, use thecertificate-manager issuance-configs describecommand:

gcloud certificate-manager issuance-configs describe ISSUANCE_CONFIG_NAME

Replace ISSUANCE_CONFIG_NAME with the name of the certificate issuance configuration resource that references the target CA pool.

API

View the state of the certificate issuance configuration resource by making a GET request to the certificateIssuanceConfigs.get method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME

Replace the following:

• PROJECT_ID: ID of your Google Cloud project.
• ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.

Delete a certificate issuance configuration resource

Before deleting a certificate issuance configuration resource, you must firstdelete the Google-managed certificate that references it.

To disable the last CA that you enabled within a CA pool referenced in the certificate issuance configuration resource, or to delete the CA pool entirely, you must first delete all certificate issuance configuration resources that reference the CA pool.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

• Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Console

1. In the Google Cloud console, go to the Issuance configs tab on theCertificate Manager page.
   Go to Certificate Manager
2. Select the checkbox of the issuance configuration that you want to delete.
3. Click Delete.
4. In the dialog that appears, click Delete to confirm.

gcloud

To delete a certificate issuance configuration resource, use thecertificate-manager issuance-configs deletecommand:

gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME [--location=LOCATION]

Replace the following:

• ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
• LOCATION: the target Google Cloud location.

API

Delete the certificate issuance configuration resource by making a DELETErequest to the certificateIssuanceConfigs.delete method as follows:

DELETE /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME

Replace the following:

• PROJECT_ID: ID of your Google Cloud project.
• ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.

What's next

• Manage certificates
• Manage certificate maps
• Manage certificate map entries
• Manage DNS authorizations