Delete a CA pool

This page explains how to delete a CA pool.

You can delete a CA pool only after you have permanently deleted all CAs within that CA pool. CA Service permanently deletes a CA after a 30-day grace period from when the deletion process is initiated. For more information, see Delete CAs .

To delete a CA pool, use the following instructions.

Console

Go to the Certificate Authority Service page in the Google Cloud console.

Go to Certificate Authority Service

Click the CA pool manager tab.
In the list of CA pools, select the CA pool you want to delete.
Click Delete .

In the dialog box that opens, click Confirm .

gcloud

Run the following command:

 gcloud privateca pools delete POOL_ID 
--location= LOCATION

Replace the following:

POOL_ID : the name of the CA pool that you want to delete.
LOCATION : the location of the CA pool. For the complete list of locations, see Locations .

For more information about the gcloud privateca pools delete command, see gcloud privateca pools delete .

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 privateca 
  
 "cloud.google.com/go/security/privateca/apiv1" 
  
 "cloud.google.com/go/security/privateca/apiv1/privatecapb" 
 ) 
 // Delete the CA pool as mentioned by the ca_pool_name. 
 // Before deleting the pool, all CAs in the pool MUST BE deleted. 
 func 
  
 deleteCaPool 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectId 
  
 string 
 , 
  
 location 
  
 string 
 , 
  
 caPoolId 
  
 string 
 ) 
  
 error 
  
 { 
  
 // projectId := "your_project_id" 
  
 // location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. 
  
 // caPoolId := "ca-pool-id"		// A unique id/name for the ca pool. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 caClient 
 , 
  
 err 
  
 := 
  
 privateca 
 . 
  NewCertificateAuthorityClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "NewCertificateAuthorityClient creation failed: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 caClient 
 . 
  Close 
 
 () 
  
 fullCaPoolName 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "projects/%s/locations/%s/caPools/%s" 
 , 
  
 projectId 
 , 
  
 location 
 , 
  
 caPoolId 
 ) 
  
 // See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#DeleteCaPoolRequest. 
  
 req 
  
 := 
  
& privatecapb 
 . 
 DeleteCaPoolRequest 
 { 
  
 Name 
 : 
  
 fullCaPoolName 
 , 
  
 } 
  
 op 
 , 
  
 err 
  
 := 
  
 caClient 
 . 
 DeleteCaPool 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "DeleteCaPool failed: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 if 
  
 err 
  
 = 
  
 op 
 . 
 Wait 
 ( 
 ctx 
 ); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "DeleteCaPool failed during wait: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "CA Pool deleted" 
 ) 
  
 return 
  
 nil 
 }

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 com.google.api.core. ApiFuture 
 
 ; 
 import 
  
 com.google.cloud.security.privateca.v1. CaPoolName 
 
 ; 
 import 
  
 com.google.cloud.security.privateca.v1. CertificateAuthorityServiceClient 
 
 ; 
 import 
  
 com.google.cloud.security.privateca.v1. DeleteCaPoolRequest 
 
 ; 
 import 
  
 com.google.longrunning. Operation 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 import 
  
 java.util.concurrent.ExecutionException 
 ; 
 import 
  
 java.util.concurrent.TimeoutException 
 ; 
 public 
  
 class 
 DeleteCaPool 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 [] 
  
 args 
 ) 
  
 throws 
  
 InterruptedException 
 , 
  
 ExecutionException 
 , 
  
 IOException 
 , 
  
 TimeoutException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 // location: For a list of locations, see: 
  
 // https://cloud.google.com/certificate-authority-service/docs/locations 
  
 // poolId: The id of the CA pool to be deleted. 
  
 String 
  
 project 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 location 
  
 = 
  
 "ca-location" 
 ; 
  
 String 
  
 poolId 
  
 = 
  
 "ca-pool-id" 
 ; 
  
 deleteCaPool 
 ( 
 project 
 , 
  
 location 
 , 
  
 poolId 
 ); 
  
 } 
  
 // Delete the CA pool as mentioned by the poolId. 
  
 // Before deleting the pool, all CAs in the pool MUST BE deleted. 
  
 public 
  
 static 
  
 void 
  
 deleteCaPool 
 ( 
 String 
  
 project 
 , 
  
 String 
  
 location 
 , 
  
 String 
  
 poolId 
 ) 
  
 throws 
  
 InterruptedException 
 , 
  
 ExecutionException 
 , 
  
 IOException 
  
 { 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. After completing all of your requests, call 
  
 // the `certificateAuthorityServiceClient.close()` method on the client to safely 
  
 // clean up any remaining background resources. 
  
 try 
  
 ( 
  CertificateAuthorityServiceClient 
 
  
 certificateAuthorityServiceClient 
  
 = 
  
  CertificateAuthorityServiceClient 
 
 . 
 create 
 ()) 
  
 { 
  
 // Set the project, location and poolId to delete. 
  
  CaPoolName 
 
  
 caPool 
  
 = 
  
  CaPoolName 
 
 . 
 newBuilder 
 () 
  
 . 
 setProject 
 ( 
 project 
 ) 
  
 . 
 setLocation 
 ( 
 location 
 ) 
  
 . 
 setCaPool 
 ( 
 poolId 
 ) 
  
 . 
 build 
 (); 
  
 // Create the Delete request. 
  
  DeleteCaPoolRequest 
 
  
 deleteCaPoolRequest 
  
 = 
  
  DeleteCaPoolRequest 
 
 . 
 newBuilder 
 (). 
 setName 
 ( 
 caPool 
 . 
  toString 
 
 ()). 
 build 
 (); 
  
 // Delete the CA Pool. 
  
 ApiFuture<Operation> 
  
 futureCall 
  
 = 
  
 certificateAuthorityServiceClient 
 . 
  deleteCaPoolCallable 
 
 (). 
 futureCall 
 ( 
 deleteCaPoolRequest 
 ); 
  
  Operation 
 
  
 response 
  
 = 
  
 futureCall 
 . 
 get 
 (); 
  
 if 
  
 ( 
 response 
 . 
  hasError 
 
 ()) 
  
 { 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Error while deleting CA pool !" 
  
 + 
  
 response 
 . 
  getError 
 
 ()); 
  
 return 
 ; 
  
 } 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Deleted CA Pool: " 
  
 + 
  
 poolId 
 ); 
  
 } 
  
 } 
 }

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .

  import 
  
 google.cloud.security.privateca_v1 
  
 as 
  
 privateca_v1 
 def 
  
 delete_ca_pool 
 ( 
 project_id 
 : 
 str 
 , 
 location 
 : 
 str 
 , 
 ca_pool_name 
 : 
 str 
 ) 
 - 
> None 
 : 
  
 """ 
 Delete the CA pool as mentioned by the ca_pool_name. 
 Before deleting the pool, all CAs in the pool MUST BE deleted. 
 Args: 
 project_id: project ID or project number of the Cloud project you want to use. 
 location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. 
 ca_pool_name: the name of the CA pool to be deleted. 
 """ 
 caServiceClient 
 = 
 privateca_v1 
 . 
 CertificateAuthorityServiceClient 
 () 
 ca_pool_path 
 = 
 caServiceClient 
 . 
 ca_pool_path 
 ( 
 project_id 
 , 
 location 
 , 
 ca_pool_name 
 ) 
 # Create the Delete request. 
 request 
 = 
 privateca_v1 
 . 
 DeleteCaPoolRequest 
 ( 
 name 
 = 
 ca_pool_path 
 ) 
 # Delete the CA Pool. 
 caServiceClient 
 . 
 delete_ca_pool 
 ( 
 request 
 = 
 request 
 ) 
 print 
 ( 
 "Deleted CA Pool:" 
 , 
 ca_pool_name 
 )

What's next

Learn how to use an issuance policy to restrict the type of certificates a CA pool can issue .
Learn how to update certificate authorities . - Learn how to delete certificate authorities .