Stay organized with collections
Save and categorize content based on your preferences.
Troubleshooting
This page shows you how to resolve common issues with Certificate Authority Service.
API request returns HTTP 403 Forbidden
If an API request returns HTTP 403 Forbidden with the message Read access to project PROJECT_NAME was denied
, then use the following resolution.
Resolution
- Check the IAM permissions of the requester.
- Check the location for the request. Unsupported regions can return a permission denied error. For more information about supported locations, see Locations.
Deleting a CA returns HTTP 412 Failed Precondition
If you see the following failed precondition errors when deleting a CA, use the resolution in this section.
Cannot perform Certificate Authority deletion, Certificate Authority is in state ENABLED.
Resolution
A CA needs to be in DISABLED
or STAGED
state for it to be deleted. Ensure the state of your CA before scheduling it for deletion. For more information about CA states, see CA states.
Certificate issuance failure
CA Service provides several policy controls that you can use to manage certificate issuance. For more information about the policy controls, see Overview of certificate templates and issuance policies.
Certificate issuance can fail because of several reasons. Some of these reasons are as follows.
Conflict between CA pool's certificate issuance policy and certificate template.
For example, consider that the issuance policy defines an extension foo
and assigns it the value bar
and the certificate template defines extension foo
and assigns it the value bat
. Assigning two different values to the same extension creates a conflict.
Resolution
Review the CA pool's certificate issuance policy against the certificate template, and identify and resolve the conflicts.
For more information about issuance policies, see Add a certificate issuance policy to a CA pool.
Subject or Subject Alternate Names (SANs) fail the CEL expression evaluation in either the certificate template or the CA pool's certificate issuance policy.
Resolution
Review the CA pool's certificate issuance policy and certificate template, and ensure that the subject and SAN satisfy the conditions set by Common Expression Language (CEL) expressions. For more information about CEL expressions, see Using Common Expression Language.
Incorrect IAM role being granted for a use case. For example, assigning the roles/privateca.certificateRequester
role for reflected identity or assigning the roles/privateca.workloadCertificateRequester
role for default identity mode.
Resolution
Confirm that you have assigned the roles/privateca.certificateRequester
role for default identity mode and the roles/privateca.workloadCertificateRequester
role for reflected identity. For more information about using identity reflection, see Identity reflection for federated workloads.
Attempting to use the reflected identity mode in an unsupported scenario, such as without Hub workload identity. An unsupported scenario for identity reflection returns the following error message:
Could not use the REFLECTED_SPIFFE subject mode because the caller does not have a SPIFFE identity. Please visit the CA Service documentation to ensure that this is a supported use-case.
Resolution
Determine which type of identity you need to use: default identity or reflected identity. If you need to use reflected identity, make sure that you are using it in one of the supported scenarios. For more information about identity reflection, see Identity reflection for federated workloads.
The default key size restriction rejects RSA keys with modulus size less than
2048 bits.
Industry best practices recommend using an RSA key of at least 2048 bits.
By default, CA Service prevents issuing certificates using an
RSA key whose modulus size is less than 2048 bits.
Resolution
If you want to use a RSA key with modulus size less than 2048 bits, you must
explicitly allow it using the certificate issuance policy.
Use the following YAML example to allow such RSA keys:
allowedKeyTypes:
- rsa:
minModulusSize: 1024
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-09-04 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis page provides solutions for common issues encountered with Certificate Authority Service, including API errors, CA deletion problems, and certificate issuance failures.\u003c/p\u003e\n"],["\u003cp\u003eAn HTTP 403 Forbidden error on API requests can be resolved by checking the requester's IAM permissions and ensuring the request location is supported.\u003c/p\u003e\n"],["\u003cp\u003eTo delete a CA, it must be in the \u003ccode\u003eDISABLED\u003c/code\u003e or \u003ccode\u003eSTAGED\u003c/code\u003e state, otherwise you will get an HTTP 412 error, so you must ensure the CA's state before attempting deletion.\u003c/p\u003e\n"],["\u003cp\u003eCertificate issuance failures may arise from conflicts between CA pool policies and certificate templates, incorrect IAM role assignments, or unsupported identity reflection scenarios, which can all be resolved by reviewing and correcting those settings.\u003c/p\u003e\n"],["\u003cp\u003eCertificate issuance can be blocked if the RSA key's modulus size is less than 2048 bits, but you can explicitly allow smaller keys through the certificate issuance policy.\u003c/p\u003e\n"]]],[],null,["# Troubleshooting\n===============\n\nThis page shows you how to resolve common issues with Certificate Authority Service.\n\nAPI request returns HTTP 403 Forbidden\n--------------------------------------\n\nIf an API request returns HTTP 403 Forbidden with the message `Read access to project PROJECT_NAME was denied`, then use the following resolution.\n\n**Resolution**\n\n1. Check the IAM permissions of the requester.\n2. Check the location for the request. Unsupported regions can return a permission denied error. For more information about supported locations, see [Locations](/certificate-authority-service/docs/locations).\n\nDeleting a CA returns HTTP 412 Failed Precondition\n--------------------------------------------------\n\nIf you see the following failed precondition errors when deleting a CA, use the resolution in this section.\n\n- `Cannot perform Certificate Authority deletion, Certificate Authority is in state ENABLED.`\n\n**Resolution**\n\nA CA needs to be in `DISABLED` or `STAGED` state for it to be deleted. Ensure the state of your CA before scheduling it for deletion. For more information about CA states, see [CA states](/certificate-authority-service/docs/certificate-authority-states).\n\nCertificate issuance failure\n----------------------------\n\nCA Service provides several policy controls that you can use to manage certificate issuance. For more information about the policy controls, see [Overview of certificate templates and issuance policies](/certificate-authority-service/docs/policy-controls).\n\nCertificate issuance can fail because of several reasons. Some of these reasons are as follows.\n\n- Conflict between CA pool's certificate issuance policy and certificate template.\n\n For example, consider that the issuance policy defines an extension `foo` and assigns it the value `bar` and the certificate template defines extension `foo` and assigns it the value `bat`. Assigning two different values to the same extension creates a conflict.\n\n **Resolution**\n\n Review the CA pool's certificate issuance policy against the certificate template, and identify and resolve the conflicts.\n\n For more information about issuance policies, see [Add a certificate issuance policy to a CA pool](/certificate-authority-service/docs/use-issuance-policy).\n- Subject or Subject Alternate Names (SANs) fail the CEL expression evaluation in either the certificate template or the CA pool's certificate issuance policy.\n\n **Resolution**\n\n Review the CA pool's certificate issuance policy and certificate template, and ensure that the subject and SAN satisfy the conditions set by Common Expression Language (CEL) expressions. For more information about CEL expressions, see [Using Common Expression Language](/certificate-authority-service/docs/using-cel).\n- Incorrect IAM role being granted for a use case. For example, assigning the `roles/privateca.certificateRequester` role for reflected identity or assigning the `roles/privateca.workloadCertificateRequester` role for default identity mode.\n\n **Resolution**\n\n Confirm that you have assigned the `roles/privateca.certificateRequester` role for default identity mode and the `roles/privateca.workloadCertificateRequester` role for reflected identity. For more information about using identity reflection, see [Identity reflection for federated workloads](/certificate-authority-service/docs/using-identity-reflection).\n- Attempting to use the reflected identity mode in an unsupported scenario, such as without Hub workload identity. An unsupported scenario for identity reflection returns the following error message:\n\n ```\n Could not use the REFLECTED_SPIFFE subject mode because the caller does not have a SPIFFE identity. Please visit the CA Service documentation to ensure that this is a supported use-case.\n ```\n\n **Resolution**\n\n Determine which type of identity you need to use: default identity or reflected identity. If you need to use reflected identity, make sure that you are using it in one of the supported scenarios. For more information about identity reflection, see [Identity reflection for federated workloads](/certificate-authority-service/docs/using-identity-reflection).\n- The default key size restriction rejects RSA keys with modulus size less than\n 2048 bits.\n\n Industry best practices recommend using an RSA key of at least 2048 bits.\n By default, CA Service prevents issuing certificates using an\n RSA key whose modulus size is less than 2048 bits.\n\n **Resolution**\n\n If you want to use a RSA key with modulus size less than 2048 bits, you must\n explicitly allow it [using the certificate issuance policy](/certificate-authority-service/docs/use-issuance-policy#gcloud).\n Use the following YAML example to allow such RSA keys: \n\n allowedKeyTypes:\n - rsa:\n minModulusSize: 1024\n\nWhat's next\n-----------\n\n- Learn about the [best practices for using Certificate Authority Service](/certificate-authority-service/docs/best-practices).\n- [Frequently asked questions](/certificate-authority-service/docs/faqs)"]]