启用、停用和恢复证书授权机构

本主题介绍了如何管理证书授权机构 (CA) 的状态。

启用 CA

所有子 CA 均在 AWAITING_USER_ACTIVATION 状态下创建,并在激活后设为 STAGED 状态。默认情况下,所有根 CA 均在 STAGED 状态下创建。您必须将 CA 状态更改为 ENABLED,才能将其包含在 CA 池的证书颁发轮替中。如需详细了解 CA 的运行状态,请参阅证书授权机构状态

如需启用处于 STAGEDDISABLED 状态的 CA,请按照以下说明操作:

控制台

  1. 在 Google Cloud 控制台中,前往证书颁发机构页面。

    前往“证书授权机构”页面

  2. 证书授权机构下,选择您的目标 CA。

  3. 点击启用

  4. 在随即打开的对话框中,点击确认

gcloud

如需启用根 CA,请使用以下命令:

gcloud privateca roots enable CA_ID --pool POOL_ID

其中:

  • CA_ID 是 CA 的唯一标识符。
  • POOL_ID 是 CA 所属 CA 池的唯一标识符。

如需详细了解 gcloud privateca roots enable 命令,请参阅 gcloud privateca roots enable

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Enable the Certificate Authority present in the given ca pool.
// CA cannot be enabled if it has been already deleted.
func enableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be enabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the EnableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#EnableCertificateAuthorityRequest.
	req := &privatecapb.EnableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.EnableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("EnableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_ENABLED {
		return fmt.Errorf("unable to enable Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully enabled Certificate Authority: %s.", caId)
	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.EnableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class EnableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be enabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    enableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Enable the Certificate Authority present in the given ca pool.
  // CA cannot be enabled if it has been already deleted.
  public static void enableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {
      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Enable Certificate Authority Request.
      EnableCertificateAuthorityRequest enableCertificateAuthorityRequest =
          EnableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent.toString())
              .build();

      // Enable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .enableCertificateAuthorityCallable()
              .futureCall(enableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while enabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityParent)
              .getState();

      // Check if the CA is enabled.
      if (caState == State.ENABLED) {
        System.out.println("Enabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot enable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1


def enable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Enable the Certificate Authority present in the given ca pool.
    CA cannot be enabled if it has been already deleted.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be enabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Enable Certificate Authority Request.
    request = privateca_v1.EnableCertificateAuthorityRequest(
        name=ca_path,
    )

    # Enable the Certificate Authority.
    operation = caServiceClient.enable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is enabled.
    if ca_state == privateca_v1.CertificateAuthority.State.ENABLED:
        print("Enabled Certificate Authority:", ca_name)
    else:
        print("Cannot enable the Certificate Authority ! Current CA State:", ca_state)

停用 CA

停用 CA 会导致其无法颁发证书。系统会拒绝对已停用的 CA 的所有证书请求。其他功能(例如吊销证书、发布证书吊销列表 [CRL] 和更新 CA 元数据)仍然可以执行。

如需停用 CA,请按照以下说明操作:

控制台

  1. 在 Google Cloud 控制台中,前往证书颁发机构页面。

    前往“证书授权机构”页面

  2. 证书授权机构下,选择您的目标 CA。

  3. 点击停用

  4. 在随即打开的对话框中,点击确认

gcloud

如需停用根 CA,请使用以下命令。

gcloud privateca roots disable CA_ID --pool POOL_ID

替换以下内容:

  • CA_ID 是您要停用的根 CA 的唯一标识符。
  • POOL_ID 是根 CA 所属 CA 池的唯一标识符。

如需详细了解 gcloud privateca roots disable 命令,请参阅 gcloud privateca roots disable

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Disable a Certificate Authority from the specified CA pool.
func disableCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be disabled.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Create the DisableCertificateAuthorityRequest.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#DisableCertificateAuthorityRequest.
	req := &privatecapb.DisableCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.DisableCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("DisableCertificateAuthority failed: %w", err)
	}

	var caResp *privatecapb.CertificateAuthority
	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("DisableCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_DISABLED {
		return fmt.Errorf("unable to disabled Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully disabled Certificate Authority: %s.", caId)
	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.DisableCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class DisableCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the CA is present.
    // certificateAuthorityName: The name of the CA to be disabled.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";
    disableCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Disable a Certificate Authority which is present in the given CA pool.
  public static void disableCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create the Certificate Authority Name.
      CertificateAuthorityName certificateAuthorityNameParent =
          CertificateAuthorityName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificateAuthority(certificateAuthorityName)
              .build();

      // Create the Disable Certificate Authority Request.
      DisableCertificateAuthorityRequest disableCertificateAuthorityRequest =
          DisableCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityNameParent.toString())
              .build();

      // Disable the Certificate Authority.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .disableCertificateAuthorityCallable()
              .futureCall(disableCertificateAuthorityRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while disabling Certificate Authority !" + response.getError());
        return;
      }

      // Get the current CA state.
      State caState =
          certificateAuthorityServiceClient
              .getCertificateAuthority(certificateAuthorityNameParent)
              .getState();

      // Check if the Certificate Authority is disabled.
      if (caState == State.DISABLED) {
        System.out.println("Disabled Certificate Authority : " + certificateAuthorityName);
      } else {
        System.out.println(
            "Cannot disable the Certificate Authority ! Current CA State: " + caState);
      }
    }
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1


def disable_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Disable a Certificate Authority which is present in the given CA pool.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the CA is present.
        ca_name: the name of the CA to be disabled.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Create the Disable Certificate Authority Request.
    request = privateca_v1.DisableCertificateAuthorityRequest(name=ca_path)

    # Disable the Certificate Authority.
    operation = caServiceClient.disable_certificate_authority(request=request)
    operation.result()

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # Check if the CA is disabled.
    if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
        print("Disabled Certificate Authority:", ca_name)
    else:
        print("Cannot disable the Certificate Authority ! Current CA State:", ca_state)

恢复 CA

安排删除 CA 后,系统会先给予 30 天的宽限期,然后才会删除。在宽限期内,CA Service Operation Manager (roles/privateca.caManager) 或 CA Service Admin (roles/privateca.admin) 可以停止删除流程。您只能在宽限期内恢复 CA。

如需将已安排删除的 CA 恢复为停用状态,请按照以下说明操作:

控制台

  1. 在 Google Cloud 控制台中,前往证书颁发机构页面。

    前往“证书授权机构”页面

  2. 证书授权机构下,选择要恢复的 CA。

  3. 点击恢复

  4. 在随即打开的对话框中,点击确认

  5. 检查 CA 现在是否处于 DISABLED 状态。

gcloud

  1. 确认 CA 处于 DELETED 状态。

    gcloud privateca roots describe CA_ID \
  --pool POOL_ID \
  --format="value(state)"

    其中:

    • CA_ID 是 CA 的唯一标识符。
    • POOL_ID 是 CA 所属 CA 池的唯一标识符。
    • --format 标志用于设置用于输出命令输出资源的格式。

    该命令会返回 DELETED

  2. 恢复 CA。

    gcloud privateca roots undelete CA_ID --pool POOL_ID

    其中:

    • CA_ID 是 CA 的唯一标识符。
    • POOL_ID 是 CA 所属 CA 池的唯一标识符。

    如需详细了解 gcloud privateca roots undelete 命令,请参阅 gcloud privateca roots undelete

  3. 确认 CA 的状态现在为 DISABLED

    gcloud privateca roots describe CA_ID \
  --pool POOL_ID \
  --format="value(state)"

    其中:

    • CA_ID 是 CA 的唯一标识符。
    • POOL_ID 是 CA 所属 CA 池的唯一标识符。
    • --format 标志用于设置用于输出命令输出资源的格式。

    该命令会返回 DISABLED

Go

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Undelete a Certificate Authority from the specified CA pool.
func unDeleteCa(w io.Writer, projectId string, location string, caPoolId string, caId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// The id of the CA pool under which the CA is present.
	// caId := "ca-id"				// The id of the CA to be undeleted.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificateAuthorities/%s",
		projectId, location, caPoolId, caId)

	// Check if the CA is deleted.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#GetCertificateAuthorityRequest.
	caReq := &privatecapb.GetCertificateAuthorityRequest{Name: fullCaName}
	caResp, err := caClient.GetCertificateAuthority(ctx, caReq)
	if err != nil {
		return fmt.Errorf("GetCertificateAuthority failed: %w", err)
	}

	if caResp.State != privatecapb.CertificateAuthority_DELETED {
		return fmt.Errorf("you can only undelete deleted Certificate Authorities. %s is not deleted", caId)
	}

	// Create the UndeleteCertificateAuthority.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#UndeleteCertificateAuthorityRequest.
	req := &privatecapb.UndeleteCertificateAuthorityRequest{Name: fullCaName}

	op, err := caClient.UndeleteCertificateAuthority(ctx, req)
	if err != nil {
		return fmt.Errorf("UndeleteCertificateAuthority failed: %w", err)
	}

	if caResp, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("UndeleteCertificateAuthority failed during wait: %w", err)
	}

	if caResp.State == privatecapb.CertificateAuthority_DELETED {
		return fmt.Errorf("unable to undelete Certificate Authority. Current state: %s", caResp.State.String())
	}

	fmt.Fprintf(w, "Successfully undeleted Certificate Authority: %s.", caId)
	return nil
}

Java

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority.State;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.UndeleteCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class UndeleteCertificateAuthority {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, TimeoutException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: The id of the CA pool under which the deleted CA is present.
    // certificateAuthorityName: The name of the CA to be restored (undeleted).
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateAuthorityName = "certificate-authority-name";

    undeleteCertificateAuthority(project, location, poolId, certificateAuthorityName);
  }

  // Restore a deleted CA, if still within the grace period of 30 days.
  public static void undeleteCertificateAuthority(
      String project, String location, String poolId, String certificateAuthorityName)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      String certificateAuthorityParent =
          CertificateAuthorityName.of(project, location, poolId, certificateAuthorityName)
              .toString();

      // Confirm if the CA is in DELETED stage.
      if (getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
          != State.DELETED) {
        System.out.println("CA is not deleted !");
        return;
      }

      // Create the Request.
      UndeleteCertificateAuthorityRequest undeleteCertificateAuthorityRequest =
          UndeleteCertificateAuthorityRequest.newBuilder()
              .setName(certificateAuthorityParent)
              .build();

      // Undelete the CA.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient
              .undeleteCertificateAuthorityCallable()
              .futureCall(undeleteCertificateAuthorityRequest);

      Operation response = futureCall.get(5, TimeUnit.SECONDS);

      // CA state changes from DELETED to DISABLED if successfully restored.
      // Confirm if the CA is DISABLED.
      if (response.hasError()
          || getCurrentState(certificateAuthorityServiceClient, certificateAuthorityParent)
          != State.DISABLED) {
        System.out.println(
            "Unable to restore the Certificate Authority! Please try again !"
                + response.getError());
        return;
      }

      // The CA will be in the DISABLED state. Enable before use.
      System.out.println(
          "Successfully restored the Certificate Authority ! " + certificateAuthorityName);
    }
  }

  // Get the current state of CA.
  private static State getCurrentState(
      CertificateAuthorityServiceClient client, String certificateAuthorityParent) {
    return client.getCertificateAuthority(certificateAuthorityParent).getState();
  }
}

Python

如需向 CA Service 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证

import google.cloud.security.privateca_v1 as privateca_v1


def undelete_certificate_authority(
    project_id: str, location: str, ca_pool_name: str, ca_name: str
) -> None:
    """
    Restore a deleted CA, if still within the grace period of 30 days.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: the name of the CA pool under which the deleted CA is present.
        ca_name: the name of the CA to be restored (undeleted).
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
    ca_path = caServiceClient.certificate_authority_path(
        project_id, location, ca_pool_name, ca_name
    )

    # Confirm if the CA is in DELETED stage.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state
    if ca_state != privateca_v1.CertificateAuthority.State.DELETED:
        print("CA is not deleted !")
        return

    # Create the Request.
    request = privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_path)

    # Undelete the CA.
    operation = caServiceClient.undelete_certificate_authority(request=request)
    result = operation.result()

    print("Operation result", result)

    # Get the current CA state.
    ca_state = caServiceClient.get_certificate_authority(name=ca_path).state

    # CA state changes from DELETED to DISABLED if successfully restored.
    # Confirm if the CA is DISABLED.
    if ca_state == privateca_v1.CertificateAuthority.State.DISABLED:
        print("Successfully undeleted Certificate Authority:", ca_name)
    else:
        print(
            "Unable to restore the Certificate Authority! Please try again! Current state:",
            ca_state,
        )

后续步骤