View issued certificates

This page explains how you can view the issued certificates using the Google Cloud console, Google Cloud CLI, and Cloud Client Libraries.

You can only view certificates issued by Enterprise tier CAs.

View issued certificates

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Click the CA manager tab.

  3. On the Certificate authorities page, click the name of the CA.

  4. At the bottom of the Certificate authority details page, click View issued certificates to view the list of certificates issued by the CA.

    A list of certificates appears on the All certificates page. The details displayed include the status of the certificate, issuing CA, the CA pool that contains the CA, the certificate's expiration date, and more.

gcloud

To list all certificates issued by a particular CA in a CA pool, use the following gcloud command:

    gcloud privateca certificates list --issuer-pool ISSUER_POOL \
      --issuer-location ISSUER_LOCATION \
      --ca CA_NAME

For more information about the gcloud privateca certificates list command, see gcloud privateca certificates list.

To list all certificates across all CAs in a given location, use the following gcloud command:

    gcloud privateca certificates list --location LOCATION

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import (
        "context"
        "fmt"
        "io"

        privateca "cloud.google.com/go/security/privateca/apiv1"
        "cloud.google.com/go/security/privateca/apiv1/privatecapb"
        "google.golang.org/api/iterator"
    )

    // List Certificates present in the given CA pool.
    func listCertificates(w io.Writer, projectId string, location string, caPoolId string) error {
        // projectId := "your_project_id"
        // location := "us-central1" // For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        // caPoolId := "ca-pool-id"  // The CA Pool id in which the certificate exists.

        ctx := context.Background()
        caClient, err := privateca.NewCertificateAuthorityClient(ctx)
        if err != nil {
            return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
        }
        defer caClient.Close()

        fullCaName := fmt.Sprintf("projects/%s/locations/%s/caPools/%s", projectId, location, caPoolId)

        // Create the ListCertificatesRequest.
        // See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#ListCertificatesRequest.
        req := &privatecapb.ListCertificatesRequest{Parent: fullCaName}

        it := caClient.ListCertificates(ctx, req)

        for {
            resp, err := it.Next()
            if err == iterator.Done {
                break
            }
            if err != nil {
                return fmt.Errorf("unable to get the list of certificates: %w", err)
            }

            // Print one certificate per line.
            fmt.Fprintf(w, " - %s (common name: %s)\n", resp.Name,
                resp.CertificateDescription.SubjectDescription.Subject.CommonName)
        }

        return nil
    }

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import com.google.cloud.security.privateca.v1.CaPoolName;
    import com.google.cloud.security.privateca.v1.Certificate;
    import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
    import java.io.IOException;

    public class ListCertificates {

      public static void main(String[] args) throws IOException {
        // TODO(developer): Replace these variables before running the sample.
        // location: For a list of locations, see:
        // https://cloud.google.com/certificate-authority-service/docs/locations
        // poolId: Id of the CA pool which contains the certificates to be listed.
        String project = "your-project-id";
        String location = "ca-location";
        String poolId = "ca-pool-id";
        listCertificates(project, location, poolId);
      }

      // List Certificates present in the given CA pool.
      public static void listCertificates(String project, String location, String poolId)
          throws IOException {
        // Initialize client that will be used to send requests. This client only needs to be created
        // once, and can be reused for multiple requests. After completing all of your requests, call
        // the `certificateAuthorityServiceClient.close()` method on the client to safely
        // clean up any remaining background resources.
        try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
            CertificateAuthorityServiceClient.create()) {

          CaPoolName caPool =
              CaPoolName.newBuilder()
                  .setProject(project)
                  .setLocation(location)
                  .setCaPool(poolId)
                  .build();

          // Retrieve and print the certificate names.
          System.out.println("Available certificates: ");
          for (Certificate certificate :
              certificateAuthorityServiceClient.listCertificates(caPool).iterateAll()) {
            System.out.println(certificate.getName());
          }
        }
      }
    }

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

    import google.cloud.security.privateca_v1 as privateca_v1


    def list_certificates(
        project_id: str,
        location: str,
        ca_pool_name: str,
    ) -> None:
        """
        List Certificates present in the given CA pool.

        Args:
            project_id: project ID or project number of the Cloud project you want to use.
            location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
            ca_pool_name: name of the CA pool which contains the certificates to be listed.
        """

        caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

        ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name)

        # Retrieve and print the certificate names.
        print(f"Available certificates in CA pool {ca_pool_name}:")
        for certificate in caServiceClient.list_certificates(parent=ca_pool_path):
            print(certificate.name)

View all the certificates issued in your project

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Click the Private certificate manager tab.

    A list of certificates appears on the All certificates page.

    The details displayed include the status of the certificate, issuing CA, the CA pool that contains the CA, the certificate's expiration date, and more. You can filter the certificates using any of the parameters.

View details for a single certificate

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Pick your target CA under the CA Manager tab.

  3. Click the CA name.

  4. At the bottom of the Certificate authority details page, click View issued certificates to see the list of issued certificates.

  5. Click in the Actions column for the certificate you want to download.

  6. Under Download, click Certificate. You can download the certificate chain by clicking Certificate chain.

gcloud

To see the full description of a certificate, run the following command:

    gcloud privateca certificates describe CERT_NAME \
      --issuer-pool POOL_ID \
      --issuer-location ISSUER_LOCATION

For more information about the gcloud privateca certificates describe command, see gcloud privateca certificates describe.

To export the PEM-encoded X.509 certificate chain to a file, run the following command:

    gcloud privateca certificates export CERT_NAME \
      --issuer-pool POOL_ID \
      --issuer-location ISSUER_LOCATION \
      --include-chain \
      --output-file certificate-file

For more information about the gcloud privateca certificates export command, see gcloud privateca certificates export.

Proof-of-possession for certificates

Proof-of-possession of the private key ensures that the requester of a certificate holds the private key for that certificate. CA Service checks proof-of-possession only if the requester provides a PKCS #10 CSR according to RFC 2986. Proof-of-possession for other forms of certificate requests, such as requests by CertificateConfig, is not enforced.

It is the responsibility of client applications that accept certificates to validate whether the certificate holder possesses the private key of that certificate. Enforcing proof-of-possession checks during certificate issuance is a form of defense-in-depth to protect against misbehaving clients. The existence of such clients, regardless of whether the CA checks proof-of-possession, could constitute a security vulnerability.
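
The proof-of-possession check on a PKCS #10 CSR described above, as an added Go example (not part of the original page and not CA Service's own code): it verifies a CSR's self-signature with the standard library and shows that a CSR whose signature was made by a key other than the one it names is rejected. The helper names, the DNS name and the use of Ed25519 keys are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

// checkPoP verifies the CSR signature against the public key the CSR names.
func checkPoP(der []byte) error {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	return req.CheckSignature()
}

// resign keeps the CSR body and its public key but signs with an unrelated key.
func resign(der []byte, other ed25519.PrivateKey) ([]byte, error) {
	var c struct { // outer CertificationRequest SEQUENCE of RFC 2986
		Info, Alg asn1.RawValue // request info and algorithm, copied verbatim
		Sig       asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(other, c.Info.FullBytes)
	c.Sig = asn1.BitString{Bytes: sig, BitLength: len(sig) * 8}
	return asn1.Marshal(c)
}

// demo returns the check result for an honest CSR and for its re-signed copy.
func demo() (honest, mismatched error) {
	_, holder, _ := ed25519.GenerateKey(rand.Reader) // requester's key (fails only if the RNG fails)
	_, other, _ := ed25519.GenerateKey(rand.Reader)  // unrelated key, constructed for the negative case
	tmpl := &x509.CertificateRequest{DNSNames: []string{"svc.example.internal"}}
	good, err := x509.CreateCertificateRequest(rand.Reader, tmpl, holder)
	if err != nil {
		return err, err
	}
	bad, err := resign(good, other)
	if err != nil {
		return err, err
	}
	return checkPoP(good), checkPoP(bad)
}

func main() { fmt.Println(demo()) }
```

ParseCertificateRequest does not verify the signature on its own, which is why checkPoP calls CheckSignature explicitly.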
