Stay organized with collections
Save and categorize content based on your preferences.
Google Distributed Cloud (GDC) air-gapped provides a public key infrastructure (PKI) API
to get web certificates. This page provides instructions to change the
default certificate issuer to another issuer. For more information about PKI
certificate modes, see Web TLS certificate configuration.
Before you begin
To get the permissions you need to configure the PKI default certificate issuer,
ask your Organization IAM Admin to grant you the Infra PKI Admin
(infra-pki-admin) role in the system namespace.
Change default certificate issuer
The default issuer label looks like the following example. For each namespace,
one CertificateIssuer must contain the label:
pki.security.gdc.goog/is-default-issuer:'true'
View the current default issuer in the pki-system namespace:
Replace NEW_DEFAULT_ISSUER with the name of the new
default certificate issuer.
Manually trigger certificate reissuance
After you switch the default certificate issuer, Distributed Cloud
won't automatically reissue certificates signed by the previous default
certificate issuer unless the certificate is about to expire. To immediately
reissue certificates with the new default issuer, see
Manually reissue PKI web certificates.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eGoogle Distributed Cloud (GDC) air-gapped uses a Public Key Infrastructure (PKI) API to manage web certificates, and you can change the default certificate issuer.\u003c/p\u003e\n"],["\u003cp\u003eTo change the default certificate issuer, you must have the \u003ccode\u003einfra-pki-admin\u003c/code\u003e role in the system namespace, and then modify the label of the current issuer to \u003ccode\u003efalse\u003c/code\u003e before labeling the new one to \u003ccode\u003etrue\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe default issuer is identified by the label \u003ccode\u003epki.security.gdc.goog/is-default-issuer: 'true'\u003c/code\u003e, and only one \u003ccode\u003eCertificateIssuer\u003c/code\u003e per namespace can have this label.\u003c/p\u003e\n"],["\u003cp\u003eAfter changing the default certificate issuer, certificates signed by the old issuer are not automatically reissued, unless they are near expiration, and instead a manual reissuance is needed.\u003c/p\u003e\n"]]],[],null,["# Change the default certificate issuer\n\nGoogle Distributed Cloud (GDC) air-gapped provides a [public key infrastructure (PKI) API](/distributed-cloud/hosted/docs/latest/gdch/apis/service/security/pki/v1/security-pki-v1)\nto get web certificates. This page provides instructions to change the\ndefault certificate issuer to another issuer. For more information about PKI\ncertificate modes, see [Web TLS certificate configuration](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/web-tls-cert-config).\n\nBefore you begin\n----------------\n\nTo get the permissions you need to configure the PKI default certificate issuer,\nask your Organization IAM Admin to grant you the Infra PKI Admin\n(`infra-pki-admin`) role in the system namespace.\n\nChange default certificate issuer\n---------------------------------\n\n1. The default issuer label looks like the following example. For each namespace,\n one `CertificateIssuer` must contain the label:\n\n pki.security.gdc.goog/is-default-issuer: 'true'\n\n2. View the current default issuer in the `pki-system` namespace:\n\n kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=true\n\n The output looks similar to the following: \n\n NAME READY REASON ISDEFAULT\n default-tls-ca-issuer True CAaaSReady true\n\n3. Edit the existing default issuer, and update the default issuer label\n from the issuer:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer='false'\n\n Replace \u003cvar translate=\"no\"\u003eCURRENT_DEFAULT_ISSUER\u003c/var\u003e with the name of the\n current default certificate issuer.\n4. To set the new `CertificateIssuer` as the default issuer, update the label:\n\n kubectl label --overwrite certificateissuers \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e -n pki-system pki.security.gdc.goog/is-default-issuer=true\n\n Replace \u003cvar translate=\"no\"\u003eNEW_DEFAULT_ISSUER\u003c/var\u003e with the name of the new\n default certificate issuer.\n\nManually trigger certificate reissuance\n---------------------------------------\n\nAfter you switch the default certificate issuer, Distributed Cloud\nwon't automatically reissue certificates signed by the previous default\ncertificate issuer unless the certificate is about to expire. To immediately\nreissue certificates with the new default issuer, see\n[Manually reissue PKI web certificates](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/pki/pki-cert-reissue)."]]