Revoke certificates

This page describes how to revoke certificates.

Certificate Authority Service supports certificate revocation by periodically publishing certificate revocation lists (CRLs). You can only revoke certificates issued by CA pools in the Enterprise tier.

Before you begin

Ensure that you have the Certificate Authority Service Operation Manager (roles/privateca.caManager) or CA Service Admin (roles/privateca.admin) Identity and Access Management (IAM) role. For more information about the predefined IAM roles for CA Service, see Access control with IAM.

For information about granting an IAM role, see Grant a single role.

Enable CRL publishing

To revoke certificates issued by a CA pool, you must enable CRL publishing on the CA pool. You can enable CRL publishing when you create the CA pool. If it was disabled initially, you can enable CRL publishing later.

After CRL publishing is enabled, a new CRL is published every day with a validity period of 7 days. If any new certificates are revoked, a new CRL is also published within 15 minutes.

Certificates contain a CRL distribution point (CDP) extension that specifies where the CRL information for the certificate is located. By default, after CRL publishing is enabled, CA Service populates the CDP extension of every certificate issued by the CA with the Cloud Storage publishing location that the CA uses. To have your own link appear in this certificate extension, configure UserDefinedAccessUrls. To keep the link to the default Cloud Storage publishing location and add your own link, add the Cloud Storage link to the list of links you specify.

To enable CRL publishing on a CA pool, follow these steps:

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

  2. Click the CA Pool Manager tab.

  3. Click the CA pool that you want to edit, or the CA pool that contains the CA you want to edit.

  4. On the CA pool page, click Edit.

  5. Click Next until you reach the Configure publishing options section.

  6. Click the Publish CRLs to a GCS bucket for CAs in this pool toggle.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --location LOCATION --publish-crl

Replace the following:

  • POOL_ID: the name of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.

Certificate Authority Service enforces a limit of 500,000 unexpired revoked certificates per CRL.

Revoke a certificate

Certificate Authority Service can revoke a certificate by serial number or by resource name, and accepts an optional reason. After a certificate is revoked, its serial number and revocation reason appear in every subsequent CRL until the certificate expires. An out-of-band CRL is also generated within 15 minutes of revoking a certificate.

To revoke a certificate, follow these steps:
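The CRL mechanics described above (a CDP URL in each certificate, entries keyed by serial number with a revocation reason, a 7-day CRL validity window, and entries that drop out once the certificate expires) can be exercised locally without a CA pool. The following is an added example, not code from this page or from the CA Service client libraries: it uses the `cryptography` package to stand up a throwaway CA, issue certificates carrying a CDP extension, sign a CRL, and check a certificate against it the way a relying party would. The CA, the CRL URL, the common names and all key material are constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed values for this example. In CA Service the CDP URL is the Cloud Storage
# publishing location (or one of your UserDefinedAccessUrls); here it is a placeholder.
CRL_URL = "https://crl.example.invalid/ca-pool/crl.crl"
CRL_VALIDITY = datetime.timedelta(days=7)  # the CRL lifetime the page states
DAY = datetime.timedelta(days=1)


def _aware(obj, attr):
    """Read a datetime attribute as aware UTC; newer `cryptography` releases expose
    *_utc accessors, older ones only the naive attribute."""
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(now):
    """Self-signed issuing CA standing in for a CA in a CA pool."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name("Example Issuing CA"))
            .issuer_name(_name("Example Issuing CA")).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, not_before, lifetime=30 * DAY):
    """Issue a leaf certificate that carries a CRL distribution point (CDP) extension."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + lifetime)
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))


def cdp_urls(cert):
    """The URLs a relying party reads from the CDP extension to fetch the CRL."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def build_crl(ca_key, ca_cert, revoked, now):
    """Sign a CRL listing each revoked (cert, reason) by serial number. Entries for
    certificates that have already expired are dropped, mirroring the page's rule that
    a serial stays in the CRL only until the certificate expires."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + CRL_VALIDITY))
    for cert, reason in revoked:
        if _aware(cert, "not_valid_after") <= now:
            continue
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(now).add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())


def check_revocation(cert, crl, ca_cert, now):
    """Return ('revoked', reason_name), ('good', None) or ('stale', None).
    A CRL past its nextUpdate is not evidence that a certificate is unrevoked."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA certificate")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL was not issued by the certificate's issuer")
    if now > _aware(crl, "next_update"):
        return ("stale", None)
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return ("good", None)
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    return ("revoked", reason.name)


def demo():
    """Issue certificates, revoke one for PRIVILEGE_WITHDRAWN, and evaluate the CRL."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    ca_key, ca_cert = make_ca(now)
    withdrawn = issue_leaf(ca_key, ca_cert, "svc-a.internal", now)
    untouched = issue_leaf(ca_key, ca_cert, "svc-b.internal", now)
    expired = issue_leaf(ca_key, ca_cert, "old.internal", now - 60 * DAY)  # revoked earlier, now expired
    crl = build_crl(ca_key, ca_cert, [(withdrawn, x509.ReasonFlags.privilege_withdrawn),
                                      (expired, x509.ReasonFlags.superseded)], now)
    return {
        "cdp": cdp_urls(withdrawn),
        "crl_entries": len(crl),  # only the unexpired revocation remains
        "withdrawn": check_revocation(withdrawn, crl, ca_cert, now),
        "untouched": check_revocation(untouched, crl, ca_cert, now),
        "stale_crl": check_revocation(untouched, crl, ca_cert, now + CRL_VALIDITY + DAY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `stale` outcome is the check most often skipped in practice: a relying party that keeps using a CRL past its nextUpdate will never see a revocation published after its last fetch, which is why the daily republish and the 15-minute out-of-band CRL matter only if clients refresh on the schedule the CRL itself declares.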

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

  2. Click the Private Certificate Manager tab.
  3. In the certificate list, click View more in the row of the certificate you want to revoke.
  4. Click Revoke.
  5. In the dialog that opens, click Confirm.

gcloud

  • To revoke a certificate using its resource name, run the following command:

    gcloud privateca certificates revoke \
        --certificate CERT_ID \
        --issuer-pool POOL_ID \
        --issuer-location ISSUER_LOCATION \
        --reason REVOCATION_REASON
    

    Replace the following:

    • CERT_ID: the unique ID of the certificate to revoke.
    • POOL_ID: the name of the CA pool that issued the certificate.
    • ISSUER_LOCATION: the location of the issuing CA pool.
    • REVOCATION_REASON: the reason for revoking the certificate.

    --reason is an optional flag. For more information about this flag, see --reason, or run the following gcloud command with the --help flag:

    gcloud privateca certificates revoke --help
    

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

  • To revoke a certificate using its serial number, run the following command:

    gcloud privateca certificates revoke \
        --serial-number SERIAL_NUMBER \
        --issuer-pool POOL_ID \
        --issuer-location ISSUER_LOCATION \
        --reason REVOCATION_REASON
    

    Replace the following:

    • SERIAL_NUMBER: the serial number of the certificate.
    • POOL_ID: the name of the CA pool that issued the certificate.
    • ISSUER_LOCATION: the location of the issuing CA pool.
    • REVOCATION_REASON: the reason for revoking the certificate.

    For more information about the gcloud privateca certificates revoke command, see gcloud privateca certificates revoke.

    When prompted for confirmation, enter Y:

    You are about to revoke Certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID]
    
    Do you want to continue? (Y/n) Y
    Revoked certificate [projects/PROJECT_ID/locations/CA_POOL_REGION/caPools/POOL_ID/certificates/CERT_ID] at DATE_TIME.
    
    

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Revoke an issued certificate. Once revoked, the certificate will become invalid
// and will expire post its lifetime.
func revokeCertificate(
	w io.Writer,
	projectId string,
	location string,
	caPoolId string,
	certId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"		// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"			// The CA Pool id in which the certificate exists.
	// certId := "certificate"			// A unique name for the certificate.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	fullCertName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s/certificates/%s", projectId, location,
		caPoolId, certId)

	// Create the RevokeCertificateRequest and specify the appropriate revocation reason.
	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#RevokeCertificateRequest.
	req := &privatecapb.RevokeCertificateRequest{
		Name:   fullCertName,
		Reason: privatecapb.RevocationReason_PRIVILEGE_WITHDRAWN,
	}

	_, err = caClient.RevokeCertificate(ctx, req)
	if err != nil {
		return fmt.Errorf("RevokeCertificate failed: %w", err)
	}

	fmt.Fprintf(w, "Certificate %s revoked", certId)

	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.Certificate;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateName;
import com.google.cloud.security.privateca.v1.RevocationReason;
import com.google.cloud.security.privateca.v1.RevokeCertificateRequest;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class RevokeCertificate {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Id for the CA pool which contains the certificate.
    // certificateName: Name of the certificate to be revoked.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    String certificateName = "certificate-name";
    revokeCertificate(project, location, poolId, certificateName);
  }

  // Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire
  // post its lifetime.
  public static void revokeCertificate(
      String project, String location, String poolId, String certificateName)
      throws IOException, ExecutionException, InterruptedException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      // Create Certificate Name.
      CertificateName certificateNameParent =
          CertificateName.newBuilder()
              .setProject(project)
              .setLocation(location)
              .setCaPool(poolId)
              .setCertificate(certificateName)
              .build();

      // Create Revoke Certificate Request and specify the appropriate revocation reason.
      RevokeCertificateRequest revokeCertificateRequest =
          RevokeCertificateRequest.newBuilder()
              .setName(certificateNameParent.toString())
              .setReason(RevocationReason.PRIVILEGE_WITHDRAWN)
              .build();

      // Revoke certificate.
      ApiFuture<Certificate> response =
          certificateAuthorityServiceClient
              .revokeCertificateCallable()
              .futureCall(revokeCertificateRequest);
      Certificate certificateResponse = response.get();

      System.out.println("Certificate Revoked: " + certificateResponse.getName());
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import google.cloud.security.privateca_v1 as privateca_v1


def revoke_certificate(
    project_id: str,
    location: str,
    ca_pool_name: str,
    certificate_name: str,
) -> None:
    """
    Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime.

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: name for the CA pool which contains the certificate.
        certificate_name: name of the certificate to be revoked.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    # Create Certificate Path.
    certificate_path = caServiceClient.certificate_path(
        project_id, location, ca_pool_name, certificate_name
    )

    # Create Revoke Certificate Request and specify the appropriate revocation reason.
    request = privateca_v1.RevokeCertificateRequest(
        name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN
    )
    result = caServiceClient.revoke_certificate(request=request)

    print("Certificate revoke result:", result)

What's next