Change the default certificate issuer

Google Distributed Cloud (GDC) air-gapped provides a public key infrastructure (PKI) API to get web certificates. This page provides instructions to change the default certificate issuer to another issuer. For more information about PKI certificate modes, see Web TLS certificate configuration.

Change default certificate issuer

  1. The default issuer label looks like the following example. For each namespace, one CertificateIssuer must contain the label:

    pki.security.gdc.goog/is-default-issuer: 'true'
    
  2. View the current default issuer in the pki-system namespace:

    kubectl get certificateissuers -n pki-system -l pki.security.gdc.goog/is-default-issuer=true
    

    The output looks similar to the following:

    NAME                    READY   REASON       ISDEFAULT
    default-tls-ca-issuer   True    CAaaSReady   true
    
  3. Edit the existing default issuer and set its default-issuer label to `false`, so that the namespace does not end up with two defaults:

    kubectl label --overwrite certificateissuers CURRENT_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer='false'
    

    Replace CURRENT_DEFAULT_ISSUER with the name of the current default certificate issuer.

  4. To set the new CertificateIssuer as the default issuer, update the label:

    kubectl label --overwrite certificateissuers NEW_DEFAULT_ISSUER -n pki-system pki.security.gdc.goog/is-default-issuer=true
    

    Replace NEW_DEFAULT_ISSUER with the name of the new default certificate issuer.
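The four steps above, as an added shell example that is not part of the GDC documentation. It wraps the two `kubectl label` commands from the procedure with the checks an operator wants before and after the swap: exactly one issuer carries the default label to start with, the new issuer is `Ready` (an issuer that cannot sign yet would leave new certificate requests failing), and exactly one issuer, the new one, is the default afterwards. The namespace, label key, and column layout (`NAME READY REASON ISDEFAULT`) are taken from the page; the `--apply` flag and the `NAMESPACE` override are this script's own conventions, not GDC ones.

```shell
#!/usr/bin/env bash
# Added example, not part of the GDC documentation: switch the default
# CertificateIssuer in pki-system with checks before and after relabeling.
# Assumes kubectl is configured against the cluster and that
# `kubectl get certificateissuers` prints the columns shown on the page:
# NAME READY REASON ISDEFAULT.
set -eu

NAMESPACE="${NAMESPACE:-pki-system}"
LABEL="pki.security.gdc.goog/is-default-issuer"

# Print the names of issuers whose ISDEFAULT column is "true", given the
# tabular output of `kubectl get certificateissuers -n pki-system` on stdin.
default_issuers_from_table() {
  awk 'NR > 1 && $4 == "true" { print $1 }'
}

# Succeed only if the table on stdin lists issuer $1 with READY equal to "True".
issuer_ready_in_table() {
  awk -v n="$1" 'NR > 1 && $1 == n && $2 == "True" { found = 1 }
                 END { exit found ? 0 : 1 }'
}

# Succeed only if the table on stdin has exactly one default issuer.
exactly_one_default_in_table() {
  [ "$(default_issuers_from_table | wc -l | tr -d ' ')" -eq 1 ]
}

# Move the default label from issuer $1 to issuer $2 after verifying $2 is Ready.
switch_default_issuer() {
  local old="$1"
  local new="$2"
  local table after
  table="$(kubectl get certificateissuers -n "$NAMESPACE")"

  # Refuse to start from an inconsistent state (zero or several defaults).
  printf '%s\n' "$table" | exactly_one_default_in_table \
    || { echo "expected exactly one default issuer in $NAMESPACE" >&2; return 1; }

  # Refuse to make an issuer the default while it cannot sign.
  printf '%s\n' "$table" | issuer_ready_in_table "$new" \
    || { echo "issuer $new is not Ready in $NAMESPACE" >&2; return 1; }

  # Same two commands as the procedure: clear the old default, then set the new one.
  kubectl label --overwrite certificateissuers "$old" -n "$NAMESPACE" "$LABEL=false"
  kubectl label --overwrite certificateissuers "$new" -n "$NAMESPACE" "$LABEL=true"

  # Confirm the namespace ends with exactly one default and that it is the new issuer.
  after="$(kubectl get certificateissuers -n "$NAMESPACE")"
  [ "$(printf '%s\n' "$after" | default_issuers_from_table)" = "$new" ] \
    || { echo "default issuer is not $new after relabeling" >&2; return 1; }
}

# Usage: ./switch-default-issuer.sh --apply CURRENT_DEFAULT_ISSUER NEW_DEFAULT_ISSUER
if [ "${1:-}" = "--apply" ] && [ "$#" -eq 3 ]; then
  switch_default_issuer "$2" "$3"
fi
```

Run it with `--apply` so that sourcing the file for its helper functions does not touch the cluster. The parsing helpers work on the plain table output because that is what the page shows; if the column order in your release differs, adjust the field numbers in the two `awk` programs.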

Manually trigger certificate reissuance

After you switch the default certificate issuer, Distributed Cloud won't automatically reissue certificates signed by the previous default certificate issuer unless the certificate is about to expire. To immediately reissue certificates with the new default issuer, see Manually reissue PKI web certificates.