Stay organized with collections
Save and categorize content based on your preferences.
A trust bundle, also known as a trust list, is a group of trust anchors, such
as entities, that are inherently trusted and whose trust is not transferred by
another entity (trusted third parties). These trust anchors are delivered as
certificate authority (CA) certificates. The certification path-building
algorithm uses these CA certificates to establish a chain between a certificate
obtaining validation and the trust anchors.
Google Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines
the steps to fetch the trust bundle for organizational administrators.
Trust bundle types
Distributed Cloud provides two types of managed trust bundles for platform
administrators:
trust-store-root-ext: contains the internal root CA and web-tls CA. The
content is different depending on where it resides, such as the root or
the tenant organization. Use this trust bundle to communicate across
organization boundaries or to access services like object storage within the
organization.
trust-store-global-root-ext: available in the global API server and zonal
API server platform namespace. When the global API server is ready, the
bundle populates all other zonal trust-store-root-ext data, including local
data.
Fetch the trust bundle
You can fetch trust bundles from the well-known server endpoint, or from the
cluster using kubectl.
Fetch from the well-known server
GDC provides a secure way to access trust bundles
through a well-known server endpoint. Use this method when you need to fetch
the trust-store-global-root-ext bundle without directly interacting with the
cluster using kubectl.
Export the following environment variables:
exportSTORAGE=STORAGEexportORG_NAME=ORG_NAME
Replace the following:
STORAGE: the directory path where you want to
store the trust bundle file.
ORG_NAME: the name of your organization within
GDC.
You can fetch trust bundles directly from the GDC
cluster using the kubectl command-line tool. Use this method if you have
direct access to the cluster and its configuration, and you need to fetch either
the trust-store-root-ext or the trust-store-global-root-ext trust bundles.
You must obtain the following before you can complete the steps in this section:
Required permissions: Ask your Organization IAM Admin to grant you the
Trust Store Viewer (trust-store-viewer) role.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eTrust bundles in Google Distributed Cloud (GDC) air-gapped environments are groups of trusted entities, such as certificate authorities (CAs), used to establish secure communication and are delivered as CA certificates.\u003c/p\u003e\n"],["\u003cp\u003eGDC provides two types of managed trust bundles: \u003ccode\u003etrust-store-root-ext\u003c/code\u003e for internal communication within or between organizations, and \u003ccode\u003etrust-store-global-root-ext\u003c/code\u003e for global API server access, which then populates \u003ccode\u003etrust-store-root-ext\u003c/code\u003e data.\u003c/p\u003e\n"],["\u003cp\u003eTo fetch these trust bundles, users need the Trust Store Viewer role and must have the kubeconfig file for the Management API server.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves exporting environment variables, setting a trust bundle file location, and using \u003ccode\u003ekubectl\u003c/code\u003e commands to retrieve the CA certificates and store them in the designated file.\u003c/p\u003e\n"],["\u003cp\u003eThe fetched trust bundle file will store one or more CA certificates in a format that begin and end with the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer, respectively.\u003c/p\u003e\n"]]],[],null,["# Fetch GDC trust bundles\n\nA trust bundle, also known as a trust list, is a group of trust anchors, such\nas entities, that are inherently trusted and whose trust is not transferred by\nanother entity (trusted third parties). These trust anchors are delivered as\ncertificate authority (CA) certificates. The certification path-building\nalgorithm uses these CA certificates to establish a chain between a certificate\nobtaining validation and the trust anchors.\n\nGoogle Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines\nthe steps to fetch the trust bundle for organizational administrators.\n\nTrust bundle types\n------------------\n\nDistributed Cloud provides two types of managed trust bundles for platform\nadministrators:\n\n- `trust-store-root-ext`: contains the internal root CA and web-tls CA. The\n content is different depending on where it resides, such as the root or\n the tenant organization. Use this trust bundle to communicate across\n organization boundaries or to access services like object storage within the\n organization.\n\n- `trust-store-global-root-ext`: available in the global API server and zonal\n API server `platform` namespace. When the global API server is ready, the\n bundle populates all other zonal `trust-store-root-ext` data, including local\n data.\n\nFetch the trust bundle\n----------------------\n\nYou can fetch trust bundles from the well-known server endpoint, or from the\ncluster using `kubectl`.\n\n### Fetch from the well-known server\n\nGDC provides a secure way to access trust bundles\nthrough a well-known server endpoint. Use this method when you need to fetch\nthe `trust-store-global-root-ext` bundle without directly interacting with the\ncluster using `kubectl`.\n| **Caution:** When fetching trust bundles from the well-known server, it's crucial to protect against person-in-the-middle (PITM) attacks. Make sure that you're connecting to a secure and controlled environment.\n\n1. Export the following environment variables:\n\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ORG_NAME=\u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e: the name of your organization within GDC.\n2. Set the `WELL_KNOWN_URL` environment variable:\n\n export WELL_KNOWN_URL=https://console.${ORG_NAME:?}.google.gdch.test/.well-known/certificate-authority\n\n3. Set the `GLOBAL_TRUST_BUNDLE_FILE`environment variable. This file stores the\n GDC trust bundle locally in your specified `$STORAGE`\n location.\n\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n4. Obtain the `trust-store-global-root-ext` trust bundle from the well-known\n server and store it in the file created in the previous step:\n\n ### Linux\n\n echo -n | curl ${WELL_KNOWN_URL:?} \u003e ${GLOBAL_TRUST_BUNDLE_FILE:?}\n\n ### Windows\n\n Invoke-WebRequest -Uri \"https://console.${ORG_NAME}.google.gdch.test/.well-known/certificate-authority\" -OutFile \".\\global-trust-bundle.crt\"\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----\n\n### Fetch from the cluster using kubectl\n\nYou can fetch trust bundles directly from the GDC\ncluster using the `kubectl` command-line tool. Use this method if you have\ndirect access to the cluster and its configuration, and you need to fetch either\nthe `trust-store-root-ext` or the `trust-store-global-root-ext` trust bundles.\n\nYou must obtain the following before you can complete the steps in this section:\n\n- **Required permissions** : Ask your Organization IAM Admin to grant you the Trust Store Viewer (`trust-store-viewer`) role.\n- **Kubeconfig file** : Sign in and [generate the kubeconfig file for the Management API server](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#zonal-resources-kubeconfig) if you don't already have one. You need the path to the kubeconfig file to replace \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e in the following steps.\n\nFetch the trust bundle from the cluster using `kubectl`:\n\n1. Export the following environment variables:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ZONE=\u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e: the path to the Management API server kubeconfig.\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: your GDC zone name.\n2. Set the `TRUST_BUNDLE_FILE` environment variable. This file stores\n the GDC trust bundle locally in your specified `$STORAGE`\n location for your GDC `$ZONE`:\n\n export TRUST_BUNDLE_FILE=\"$STORAGE/$ZONE/ca-bundles/trust-bundle\"\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n3. Set the `NS` namespace environment variable for the namespace:\n\n export NS=platform\n\n4. Obtain the certificate authorities (CA) and store them in the file created in\n step 2:\n\n For `trust-store-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${TRUST_BUNDLE_FILE}\n\n For `trust-store-global-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${GLOBAL_TRUST_BUNDLE_FILE}\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----"]]
