Google Distributed Cloud (GDC) air-gapped provides a public key infrastructure (PKI) API to get web certificates. This page provides instructions to change the default certificate issuer to another issuer. For more information about PKI certificate modes, see Web TLS certificate configuration.
Change default certificate issuer
The default issuer label looks like the following example. For each namespace, exactly one CertificateIssuer must carry the label:
pki.security.gdc.goog/is-default-issuer: 'true'
View the current default issuer in the pki-system namespace:
kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=true
The output looks similar to the following:
NAME                    READY   REASON       ISDEFAULT
default-tls-ca-issuer   True    CAaaSReady   true
Edit the existing default issuer and set its default issuer label to false, so that it no longer acts as the default:
kubectl label --overwrite certificateissuers CURRENT_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer='false'
Replace CURRENT_DEFAULT_ISSUER with the name of the current default certificate issuer.
To set the new CertificateIssuer as the default issuer, update the label:
kubectl label --overwrite certificateissuers NEW_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer=true
Replace NEW_DEFAULT_ISSUER with the name of the new default certificate issuer.
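The two kubectl label commands above are easy to get wrong in a way that leaves a namespace with zero or two default issuers, or that promotes an issuer that is not Ready. The following script is an added example, not part of the Google Distributed Cloud documentation or tooling: it reads the JSON that kubectl get certificateissuers -n pki-system -o json would return (a constructed sample is embedded so it runs offline), checks that exactly one issuer is currently default and that the target issuer is Ready, and prints the label commands in the order they must run. The issuer names other than default-tls-ca-issuer and the status.conditions layout are assumptions, modelled on Kubernetes conventions and the READY/REASON columns shown on this page.

```python
"""Plan and validate a default CertificateIssuer switch (added example, not GDC tooling)."""
import json
import shlex

DEFAULT_LABEL = "pki.security.gdc.goog/is-default-issuer"
NAMESPACE = "pki-system"

# Constructed sample shaped like `kubectl get certificateissuers -n pki-system -o json`.
# Names other than default-tls-ca-issuer are made up; the status.conditions layout
# is assumed from Kubernetes conventions and the READY/REASON kubectl columns.
SAMPLE_ISSUER_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "default-tls-ca-issuer", "namespace": NAMESPACE,
                      "labels": {DEFAULT_LABEL: "true"}},
         "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "CAaaSReady"}]}},
        {"metadata": {"name": "example-new-issuer", "namespace": NAMESPACE, "labels": {}},
         "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "CAaaSReady"}]}},
        {"metadata": {"name": "example-pending-issuer", "namespace": NAMESPACE, "labels": {}},
         "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending"}]}},
    ],
})


def load_issuers(raw_json):
    """Return the items of a kubectl JSON list document."""
    return json.loads(raw_json)["items"]


def issuer_name(issuer):
    return issuer["metadata"]["name"]


def is_default(issuer):
    # Label values are strings; the page writes the value as 'true'.
    return issuer["metadata"].get("labels", {}).get(DEFAULT_LABEL) == "true"


def is_ready(issuer):
    """True when the Ready condition reports status True (assumed condition layout)."""
    for cond in issuer.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def current_defaults(issuers):
    return [issuer_name(i) for i in issuers if is_default(i)]


def label_command(name, value):
    """Render the kubectl label command from the page for one issuer."""
    return (f"kubectl label --overwrite certificateissuers {shlex.quote(name)} "
            f"-n {NAMESPACE} {DEFAULT_LABEL}={value}")


def plan_switch(issuers, new_default):
    """Validate the switch and return the kubectl commands in the order to run them."""
    by_name = {issuer_name(i): i for i in issuers}
    if new_default not in by_name:
        raise ValueError(f"no CertificateIssuer named {new_default!r} in {NAMESPACE}")
    if not is_ready(by_name[new_default]):
        raise ValueError(f"refusing to make {new_default!r} the default: it is not Ready")
    defaults = current_defaults(issuers)
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default issuer, found {defaults}")
    old_default = defaults[0]
    if old_default == new_default:
        return []  # nothing to do
    # Unset the old default first, then set the new one, as the page describes.
    return [label_command(old_default, "false"), label_command(new_default, "true")]


def apply_label(issuers, name, value):
    """Mirror what `kubectl label --overwrite` does, for an offline dry run."""
    for issuer in issuers:
        if issuer_name(issuer) == name:
            issuer["metadata"].setdefault("labels", {})[DEFAULT_LABEL] = value


def verify_single_default(issuers, expected):
    """Post-switch invariant: exactly one default issuer, and it is the expected one."""
    return current_defaults(issuers) == [expected]


if __name__ == "__main__":
    issuers = load_issuers(SAMPLE_ISSUER_LIST)
    for cmd in plan_switch(issuers, "example-new-issuer"):
        print(cmd)
    # Simulate running the commands and confirm the invariant holds afterwards.
    apply_label(issuers, "default-tls-ca-issuer", "false")
    apply_label(issuers, "example-new-issuer", "true")
    print("single default after switch:", verify_single_default(issuers, "example-new-issuer"))
```

In a real switch, feed the output of kubectl get certificateissuers -n pki-system -o json to load_issuers, run the printed commands, then rerun the kubectl get command with the label selector from this page and confirm that only the new issuer is listed.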
Manually trigger certificate reissuance
After you switch the default certificate issuer, Distributed Cloud won't automatically reissue certificates signed by the previous default certificate issuer unless the certificate is about to expire. To immediately reissue certificates with the new default issuer, see Manually reissue PKI web certificates.