撤消证书

本页面介绍了如何撤消证书。

Certificate Authority Service 支持通过定期发布证书吊销列表 (CRL) 来撤消证书。您只能撤消由企业层级中的 CA 池颁发的证书。

准备工作

确保您拥有 Certificate Authority Service Operation Manager (roles/privateca.caManager) 或 CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) 角色。如需详细了解 CA Service 的预定义 IAM 角色,请参阅使用 IAM 进行访问权限控制

如需了解如何授予 IAM 角色,请参阅授予 单个角色

启用 CRL 发布

如需撤消由 CA 池颁发的证书,您必须在 CA 池中启用 CRL 发布。您可以在创建 CA 池时启用 CRL 发布。如果最初停用了 CRL 发布,您可以稍后启用。

启用 CRL 发布后,系统每天都会发布新的 CRL,有效期为 7 天。此外,在任何新证书被撤消后的 15 分钟内,系统也会发布新的 CRL。

证书包含 CRL 分发点 (CDP) 扩展,用于指定证书的 CRL 信息所在的位置。默认情况下,当您 启用 CRL 发布时,CA Service 会使用 CA 使用的 Cloud Storage 发布位置 填充 CA 颁发的所有证书的 CDP 扩展。如需设置自己的链接以显示在此证书扩展中, 请设置 UserDefinedAccessUrls。 如需保留默认 Cloud Storage 发布位置链接并添加自己的链接,请将 Cloud Storage 链接添加到您指定的链接列表中。

如需在 CA 池中启用 CRL 发布,请执行以下操作:

控制台

  1. 前往Certificate Authority Service页面,在 Google Cloud 控制台中。

    Certificate Authority Service

  2. 点击 CA 池管理器 标签页。

  3. 点击要修改的 CA 池,或点击包含要修改的 CA 的 CA 池。

  4. CA 池 页面上,点击

    修改

  5. 点击下一步 ,直到看到配置发布选项 部分。

  6. 点击将 CRL 发布到此池中 CA 专用的 GCS 存储桶 开关。

gcloud

运行以下命令:

gcloud privateca pools update POOL_ID --location LOCATION --publish-crl

替换以下内容:

  • POOL_ID:CA 池的名称
  • LOCATION:CA 池的位置。如需查看 完整的位置列表,请参阅位置

如需详细了解 gcloud privateca pools update 命令,请参阅 gcloud privateca pools update

CA Service 对每个 CRL 强制执行 500,000 个未过期的已撤消证书的限制。

系统只会按时间顺序保留最新的 100 个 CRL 作为 CertificateRevocationList 资源,较旧的 CRL 会自动删除。在客户管理的 Cloud Storage 存储分区中保留较旧的 CRL 需遵守客户配置的对象 版本控制保留 政策
请注意,从 CA Service 中删除的 CRL 仍可从服务管理的 Cloud Storage 存储分区中访问,除非 CA 被删除。即使 CA 被删除,系统也绝不会从客户管理的 Cloud Storage 存储分区中删除 CRL。

撤消证书

CA Service 允许按序列号或资源名称撤消证书,并且还接受可选的原因。证书被撤消后,其序列号和撤消原因会显示在所有未来的 CRL 中,直到证书达到失效日期为止。此外,系统还会在撤消后的 15 分钟内生成带外 CRL。

如需撤消证书,请按照以下步骤操作:

控制台

  1. 前往控制台中的 Certificate Authority Service 页面。 Google Cloud

    前往 Certificate Authority Service

  2. 点击专用证书管理器 标签页。
  3. 在证书列表中,点击 查看更多在要删除的证书所在行中。
  4. 点击撤消
  5. 在随即打开的对话框中,点击确认

gcloud

  • 如需使用证书的资源名称撤消证书,请运行以下命令:

    gcloud privateca certificates revoke \
    --certificate CERT_ID \
    --issuer-pool POOL_ID \
    --issuer-location ISSUER_LOCATION \
    --reason REVOCATION_REASON

    替换以下内容:

    • CERT_ID:要撤消的 证书的唯一标识符
    • POOL_ID:颁发证书的 CA 池的名称
    • ISSUER_LOCATION:颁发 CA 池的位置
    • REVOCATION_REASON:撤消证书的原因

    --reason 标志是可选的。如需详细了解此标志,请参阅 --reason,或使用以下 gcloud 命令和 --help 标志:

    gcloud privateca certificates revoke --help

    如需详细了解 gcloud privateca certificates revoke 命令,请参阅 gcloud privateca certificates revoke

  • 如需使用证书的序列号撤消证书,请运行以下命令:

    gcloud privateca certificates revoke \
    --serial-number SERIAL_NUMBER \
    --issuer-pool POOL_ID \
    --issuer-location ISSUER_LOCATION \
    --reason REVOCATION_REASON

    替换以下内容:

    • SERIAL_NUMBER:证书的序列号
    • POOL_ID:颁发证书的 CA 池的名称
    • ISSUER_LOCATION:颁发 CA 池的位置
    • REVOCATION_REASON:撤消 证书的原因

    如需详细了解 gcloud privateca certificates revoke 命令,请参阅 gcloud privateca certificates revoke

    当系统提示您确认时,您可以输入“Y”进行确认:

    You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]

Do you want to continue? (Y/n) Y
Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅 为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Revoke an issued certificate. Once revoked, the certificate will become invalid
// and will expire post its lifetime.
func revokeCertificate(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	certId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate exists.
	// certId := "certificate"			// A unique name for the certificate.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCertName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificates/%s", projectId, location,
		caPoolId, certId)

	// Create the RevokeCertificateRequest and specify the appropriate revocation reason.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#RevokeCertificateRequest.
	req := &privatecapb.RevokeCertificateRequest{
		Name:   fullCertName,
		Reason: privatecapb.RevocationReason_PRIVILEGE_WITHDRAWN,
	}

	_, err = caClient.RevokeCertificate(ctx, req)
	if err != nil {
		return fmt.Errorf("RevokeCertificate failed: %w", err)
	}

	fmt.Fprintf(w, "Certificate %s revoked", certId)

	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅 为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateName;
import com.google.cloud.security.privateca.v1.RevocationReason;
import com.google.cloud.security.privateca.v1.RevokeCertificateRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class RevokeCertificate {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Id for the CA pool which contains the certificate.
    // certificateName: Name of the certificate to be revoked.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateName = "certificate-name";
    revokeCertificate(project, location, poolId, certificateName);
  }

  // Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire
  // post its lifetime.
  public static void revokeCertificate(
      String project, String location, String poolId, String certificateName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create Certificate Name.
      CertificateName certificateNameParent =
          CertificateName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificate(certificateName)
              .build();

      // Create Revoke Certificate Request and specify the appropriate revocation reason.
      RevokeCertificateRequest revokeCertificateRequest =
          RevokeCertificateRequest.newBuilder()
              .setName(certificateNameParent.toString())
              .setReason(RevocationReason.PRIVILEGE_WITHDRAWN)
              .build();

      // Revoke certificate.
      ApiFuture<Certificate> response =
          certificateAuthorityServiceClient
              .revokeCertificateCallable()
              .futureCall(revokeCertificateRequest);
      Certificate certificateResponse = response.get();

      System.out.println("Certificate Revoked: " + certificateResponse.getName());
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。如需了解详情,请参阅 为本地开发环境设置身份验证


import google.cloud.security.privateca_v1 as privateca_v1


def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
) -> None:
    """
    Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Create Certificate Path.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name
    )

    # Create Revoke Certificate Request and specify the appropriate revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN
    )
    result = caServiceClient.revoke_certificate(request=request)

    print("Certificate revoke result:", result)

后续步骤