Manage certificate issuance configuration

This page describes how to create and manage a certificate issuance configuration.

For more information about certificate issuance configuration resources, see How Certificate Manager works.

Keep in mind that to disable the last CA you enabled in the CA pool referenced in the certificate issuance configuration, or to delete the referenced CA pool altogether, you must first delete every certificate issuance configuration that references that CA pool.

To learn how to deploy a certificate with Certificate Manager, see Deployment overview.

For more information about the gcloud commands used on this page, see the Certificate Manager CLI reference.

Create a certificate issuance configuration

To create a certificate issuance configuration, complete the steps in this section.

Keep in mind that even though you are using a regional CA pool to issue a Google-managed TLS certificate, the certificate itself is global and can be used in any region.

To complete this task, you must have one of the following roles on the target Google Cloud project:

  • Certificate Manager Editor
  • Certificate Manager Owner

For more information, see Roles and permissions.

gcloud

gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \
    --ca-pool=CA_POOL \
    --lifetime=CERTIFICATE_LIFETIME \
    --rotation-window-percentage=ROTATION_WINDOW_PERCENTAGE \
    --key-algorithm=KEY_ALGORITHM

Replace the following:

  • ISSUANCE_CONFIG_NAME is a unique name that identifies this certificate issuance configuration resource.
  • CA_POOL is the full resource path and name of the CA pool you want to assign to this certificate issuance configuration resource.
  • CERTIFICATE_LIFETIME (optional) is the certificate lifetime in days. Valid values are from 21 to 30 days. Default is 30 days.
  • ROTATION_WINDOW_PERCENTAGE (optional) is the percentage of the certificate's lifetime at which a renewal triggers. Default is 66 percent. You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after the certificate has been issued and at least 7 days before it expires; in other words, the certificate must be renewed no later than 7 full days before its expiration.
  • KEY_ALGORITHM (optional) is the encryption algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. Default is rsa-2048.

API

Create the certificate issuance configuration by making a POST request to the certificateIssuanceConfigs.create method as follows:

POST /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?issuanceConfig_id=ISSUANCE_CONFIG_NAME
{
  "name": "ISSUANCE_CONFIG_NAME",
  "description": "DESCRIPTION",
  "certificateAuthorityConfig": {
    "certificateAuthorityServiceConfig": {
      "caPool": "CA_POOL"
    }
  },
  "lifetime": "CERTIFICATE_LIFETIME",
  "rotationWindowPercentage": "ROTATION_WINDOW_PERCENTAGE",
  "keyAlgorithm": "KEY_ALGORITHM"
}

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • ISSUANCE_CONFIG_NAME is a unique name that identifies this certificate issuance configuration resource.
  • DESCRIPTION (optional) is a meaningful description for this certificate issuance configuration resource.
  • CA_POOL is the full resource path and name of the CA pool you want to assign to this certificate issuance configuration resource.
  • CERTIFICATE_LIFETIME (optional) is the certificate lifetime in days. Valid values are from 21 to 30 days in standard duration format. Default is 30 days (30D).
  • ROTATION_WINDOW_PERCENTAGE (optional) is the percentage of the certificate's lifetime at which a renewal triggers. Default is 66 percent. You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after the certificate has been issued and at least 7 days before it expires.
  • KEY_ALGORITHM is the encryption algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. Default is rsa-2048.
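The lifetime and rotation window constraints above (both for the gcloud flags and for the API fields) are easy to get wrong at the boundaries, because the renewal point is a percentage of a lifetime measured in days. The following POSIX shell script is an added example, not part of the Google Cloud documentation and not Google's code: it checks a LIFETIME/ROTATION_WINDOW_PERCENTAGE/KEY_ALGORITHM combination against the rules stated on this page (lifetime 21 to 30 days, renewal at least 7 days after issuance and at least 7 days before expiry, key algorithm ecdsa-p256 or rsa-2048) using exact integer arithmetic in hundredths of a day, and only then prints the create command. The function names, the constants and the `d` suffix on `--lifetime` (assumed here to be the gcloud duration syntax) are this example's assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): validate a
# certificate issuance configuration's lifetime / rotation window / key
# algorithm before creating the resource.

MIN_LIFETIME_DAYS=21   # page: valid lifetimes are 21 to 30 days
MAX_LIFETIME_DAYS=30
MIN_MARGIN_DAYS=7      # page: renew >= 7 days after issuance and >= 7 days before expiry

# renewal_offset_days LIFETIME_DAYS ROTATION_PCT
# Prints the day (with two decimals) after issuance at which renewal triggers.
# lifetime * pct is the offset in hundredths of a day, so no floating point is needed.
renewal_offset_days() {
  hundredths=$(( $1 * $2 ))
  printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
}

# validate_issuance_params LIFETIME_DAYS ROTATION_PCT KEY_ALGORITHM
# Returns 0 when the combination satisfies the documented constraints,
# 1 otherwise (with the reason on stderr).
validate_issuance_params() {
  lifetime=$1; pct=$2; algo=$3
  case "$lifetime" in ''|*[!0-9]*) echo "lifetime must be an integer number of days" >&2; return 1;; esac
  case "$pct" in ''|*[!0-9]*) echo "rotation window must be an integer percentage" >&2; return 1;; esac
  if [ "$lifetime" -lt "$MIN_LIFETIME_DAYS" ] || [ "$lifetime" -gt "$MAX_LIFETIME_DAYS" ]; then
    echo "lifetime ${lifetime}d is outside ${MIN_LIFETIME_DAYS}-${MAX_LIFETIME_DAYS} days" >&2; return 1
  fi
  if [ "$pct" -lt 1 ] || [ "$pct" -gt 99 ]; then
    echo "rotation window ${pct}% must be between 1 and 99" >&2; return 1
  fi
  renew=$(( lifetime * pct ))             # hundredths of a day after issuance
  remain=$(( lifetime * 100 - renew ))    # hundredths of a day left before expiry
  margin=$(( MIN_MARGIN_DAYS * 100 ))
  if [ "$renew" -lt "$margin" ]; then
    echo "renewal at ${pct}% of ${lifetime}d is less than ${MIN_MARGIN_DAYS} days after issuance" >&2; return 1
  fi
  if [ "$remain" -lt "$margin" ]; then
    echo "renewal at ${pct}% of ${lifetime}d leaves less than ${MIN_MARGIN_DAYS} days before expiry" >&2; return 1
  fi
  case "$algo" in
    ecdsa-p256|rsa-2048) ;;
    *) echo "unsupported key algorithm: $algo (use ecdsa-p256 or rsa-2048)" >&2; return 1;;
  esac
  return 0
}

# issuance_config_create_cmd NAME CA_POOL LIFETIME_DAYS ROTATION_PCT KEY_ALGORITHM
# Prints the page's gcloud create command with the placeholders filled in,
# but only after the parameters pass validation. Assumption: --lifetime takes
# a duration such as "30d".
issuance_config_create_cmd() {
  validate_issuance_params "$3" "$4" "$5" || return 1
  printf 'gcloud certificate-manager issuance-configs create %s --ca-pool=%s --lifetime=%sd --rotation-window-percentage=%s --key-algorithm=%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Usage: sh check-issuance.sh LIFETIME_DAYS ROTATION_PCT KEY_ALGORITHM
if [ "$#" -eq 3 ]; then
  validate_issuance_params "$1" "$2" "$3" && \
    echo "renewal triggers on day $(renewal_offset_days "$1" "$2") of $1: OK"
fi
```

With the default 30 days and 66 percent, renewal triggers at day 19.80, leaving 10.2 days before expiry, so the defaults pass. At the minimum 21-day lifetime the same 66 percent still leaves 7.14 days, but 70 percent leaves only 6.3 days and is rejected; a CA pool whose profile shortens lifetimes is where this check earns its keep.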

Update a certificate issuance configuration resource

To update a certificate issuance configuration resource you must delete it and re-create it.

List certificate issuance configuration resources

To list the certificate issuance configuration resources, complete the steps in this section.

To complete this task, you must have one of the following roles on the target Google Cloud project:

  • Certificate Manager Viewer
  • Certificate Manager Editor
  • Certificate Manager Owner

For more information, see Roles and permissions.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

  2. On the page that appears, select the Issuance Configs tab. This tab lists all of the certificate issuance configuration resources managed by Certificate Manager in the selected project.

gcloud

gcloud certificate-manager issuance-configs list \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY"

Replace the following:

  • FILTER is an expression that constrains the returned results to specific values. For example, you can filter results by the following criteria:

    • Labels and creation time: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE is the number of results to return per page.

  • LIMIT is the maximum number of results to return.

  • SORT_BY is a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

API

List configured certificate issuance configuration resources by making a GET request to the certificateIssuanceConfigs.list method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • FILTER is an expression that constrains the returned results to specific values.
  • PAGE_SIZE is the number of results to return per page.
  • SORT_BY is a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with ~.

View the state of a certificate issuance configuration

To view the state of a certificate issuance configuration, complete the steps in this section.

To complete this task, you must have one of the following roles on the target Google Cloud project:

  • Certificate Manager Viewer
  • Certificate Manager Editor
  • Certificate Manager Owner

For more information, see Roles and permissions.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

  2. On the page that appears, select the Issuance Configs tab. This tab lists all of the certificate issuance configuration resources managed by Certificate Manager in the selected project.

  3. Click the certificate issuance configuration that you want to view.

The Google Cloud console displays the certificate issuance configuration details.

gcloud

gcloud certificate-manager issuance-configs describe ISSUANCE_CONFIG_NAME

Replace the following:

  • ISSUANCE_CONFIG_NAME is the name of the target certificate issuance configuration.

API

View the state of the certificate issuance configuration by making a GET request to the certificateIssuanceConfigs.get method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • ISSUANCE_CONFIG_NAME is the name of the target certificate issuance configuration.

Delete a certificate issuance configuration

To delete a certificate issuance configuration, complete the steps in this section. Before deleting a certificate issuance configuration, you must first delete the Google-managed certificate that references it.

To complete this task, you must have the Certificate Manager Owner role on the target Google Cloud project.

For more information, see Roles and permissions.

gcloud

gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME

Replace the following:

  • ISSUANCE_CONFIG_NAME is the name of the target certificate issuance configuration.

API

Delete the certificate issuance configuration by making a DELETE request to the certificateIssuanceConfigs.delete method as follows:

DELETE /v1/projects/PROJECT_ID/locations/global/certificateIssuanceConfigs/ISSUANCE_CONFIG_NAME

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • ISSUANCE_CONFIG_NAME is the name of the target certificate issuance configuration.

What's next