Console

1. In the Google Cloud console, go to theTrust configs tab on theCertificate Manager page.

   Go to Certificate Manager

2. ClickAdd Trust Config. TheCreate Trust Config page appears.

3. In theName field, enter a name for the configuration.

   The name must be unique for the project. Also, it must start with alowercase letter, followed by up to 62 lowercase letters, numbers, orhyphens, and must not end with a hyphen.

4. Optional: In theDescription field, enter a description for theconfiguration. This description helps you identify a specificconfiguration later.

5. Optional: In theLabels field, specify labels to associate to thetrust config. To add a label, clickadd_boxAdd label, and specify a keyand a value for your label.

6. ForLocation, selectGlobal orRegional.

   If you selectedRegional, select theRegion.

7. In theTrust store section, add trust anchors and intermediate CAs.

   You can specify multiple trust anchors and intermediate certificates byusing multiple instances of the complete PEM payload for thecertificate, one certificate per instance.

   1. In theTrust anchors section , clickAdd trust anchor andupload the PEM-encoded certificate file, or copy the contents of thecertificate. When you have finished, clickAdd.

   2. Optional: In theIntermediate CAs section, clickAddintermediate CA and upload the PEM-encoded intermediatecertificatefile, or copy the contents of the intermediate certificate. When youhave finished, clickAdd.

      This step lets you add another level of trust between the rootcertificate and your server certificate.

   3. Optional: In theAllowlisted certificates section, clickAddcertificate and upload the PEM-encoded certificate file, or copythe contents of the certificate. This adds the certificate to anallowlist. When you have finished, clickAdd.

   To specify multiple trust anchors or intermediate certificates withinthe trust config resource specification, use multiple instances of thepemCertificate field. Each instance of the field contains a singlecertificate.

   The trust config always considers a certificate on an allowlist asvalid. To encapsulate multiple certificates on an allowlist, usemultiple instances of thepemCertificate field, one certificate perinstance. You don't need a trust store when using certificates added toan allowlist.

   The trust config always considers a certificate on an allowlist valid ifit fulfills specific conditions: it must be parseable, possess proof ofprivate key ownership, and adhere to constraints on the certificate'sSAN field. Expired certificates are also considered valid when they areadded to an allowlist. For more information about the PEM-encodedformat, seeRFC 7468.

8. ClickCreate.

Verify that the new trust config appears in the list of configurations.

gcloud

1. Create a trust config YAML file that specifies the trust configparameters.

   The file has the following format:

   name:"TRUST_CONFIG_ID"trustStores:-trustAnchors:-pemCertificate:"CERTIFICATE_PEM_PAYLOAD"intermediateCas:-pemCertificate:"INTER_CERT_PEM_PAYLOAD"allowlistedCertificates:-pemCertificate:"ALLOWLISTED_CERT1"-pemCertificate:"ALLOWLISTED_CERT2"

   Replace the following:

   • TRUST_CONFIG_ID: the ID of the trust config resource.
   • CERTIFICATE_PEM_PAYLOAD: the complete PEM payloadfor the certificate to use for the trust config resource.
   • INTER_CERT_PEM_PAYLOAD: the completePEM payload for the intermediate certificate to use for the trust config resource.
   • ALLOWLISTED_CERT1 andALLOWLISTED_CERT2: the certificates that areadded to an allowlist to use for this trust config resource.

   To specify multiple trust anchors or intermediate certificates withinthe trust config resource specification, use multiple instances of thepemCertificate field. Each instance of the field contains a singlecertificate.

   The trust config always considers a certificate on an allowlist asvalid. To encapsulate multiple certificates on an allowlist, usemultiple instances of thepemCertificate field, one certificate perinstance. You don't need a trust store when using certificates added toan allowlist.

   The trust config always considers a certificate on an allowlist valid ifit fulfills specific conditions: it must be parseable, possess proof ofprivate key ownership, and adhere to constraints on the certificate'sSAN field. Expired certificates are also considered valid when they areadded to an allowlist. For more information about the PEM-encodedformat, seeRFC 7468.

2. To import the trust config YAML file, use thegcloud certificate-manager trust-configs import command:

   gcloud certificate-manager trust-configs importTRUST_CONFIG_ID \  --project=PROJECT_ID \  --source=TRUST_CONFIG_FILE \  --location=LOCATION

   Replace the following:

   • TRUST_CONFIG_ID: the ID of the trust config resource.
   • PROJECT_ID: the ID of the Google Cloud project.
   • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file that you created in step 1.
   • LOCATION: the region where the trust config resource is stored. The default location isglobal.

API

Make aPOST request to thetrustConfigs.create method:

POST /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs?trust_config_id=TRUST_CONFIG_ID{  "description": "DESCRIPTION",  "trust_stores": [{    "trust_anchors": [{      "pem_certificate": "CERTIFICATE_PEM_PAYLOAD"    }],    "intermediate_cas": [{      "pem_certificate": "INTER_CERT_PEM_PAYLOAD"    }],  }],  "allowlistedCertificates": [{    "pem_certificate": "ALLOWLISTED_CERT"  }],}

Replace the following:

• PROJECT_ID: the ID of the Google Cloud project.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.
• TRUST_CONFIG_ID: the ID of the trust config resource.
• DESCRIPTION: a meaningful description for this trustconfig resource. This value is optional.
• CERTIFICATE_PEM_PAYLOAD: the complete PEM payloadfor the certificate to use for the trust config resource.
• INTER_CERT_PEM_PAYLOAD: the completePEM payload for the intermediate certificate to use for the trust config resource. This value is optional.
• ALLOWLISTED_CERT: the certificate that is added to anallowlist to use for this trust config resource. This value is optional.

Console

1. In the Google Cloud console, go to theTrust configs tab on theCertificate Manager page.

   Go to Certificate Manager

2. Locate and select the trust config that you want to update.

3. In theMore Options column, clickmore_vertMore actions for the config you want toupdate, and then selectEdit.

4. Make the required changes.

5. ClickSave.

Verify that the configuration changes are updated.

gcloud

1. Export the trust config YAML file.

   gcloud certificate-manager trust-configs exportTRUST_CONFIG_ID \    --project=PROJECT_ID \    --destination=TRUST_CONFIG_FILE \    --location=LOCATION

   Replace the following:

   • TRUST_CONFIG_ID: the ID of the trust config resource.
   • PROJECT_ID: the ID of the Google Cloud project.
   • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file.
   • LOCATION: the region where the trust config resource is stored. The default location isglobal.

2. Edit the trust config YAML file.

   The file has the following format:

   name:"TRUST_CONFIG_ID"trustStores:-trustAnchors:-pemCertificate:"CERTIFICATE_PEM_PAYLOAD"intermediateCas:-pemCertificate:"INTER_CERT_PEM_PAYLOAD"allowlistedCertificates:-pemCertificate:"ALLOWLISTED_CERT1"-pemCertificate:"ALLOWLISTED_CERT2"

   Replace the following:

   • TRUST_CONFIG_ID: the ID of the trust config resource.
   • CERTIFICATE_PEM_PAYLOAD: the complete PEM payloadfor the certificate to use for the trust config resource.
   • INTER_CERT_PEM_PAYLOAD: the completePEM payload for the intermediate certificate to use for the trust config resource. This value isoptional.
   • ALLOWLISTED_CERT1 andALLOWLISTED_CERT2: the certificates that are addedto an allowlist to use for this trust config resource. This value isoptional.

3. Import the new trust config file into Certificate Manageragainst the existing trust config resource name.

   gcloud certificate-manager trust-configs importTRUST_CONFIG_ID \    --project=PROJECT_ID \    --source=TRUST_CONFIG_FILE \    --location=LOCATION

   Replace the following:

   • TRUST_CONFIG_ID: the ID of the trust config resource.
   • PROJECT_ID: the ID of the Google Cloud project.
   • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file.
   • LOCATION: the region where the trust config resource is stored. The default locationisglobal.

API

Make aPATCH request to thetrustConfigs.update method:

PATCH /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID?update_mask=*  {    "description": "DESCRIPTION",    "trust_stores": [{      "trust_anchors": [{        "pem_certificate": "CERTIFICATE_PEM_PAYLOAD"      }],      "intermediate_cas": [{        "pem_certificate": "INTER_CERT_PEM_PAYLOAD"      }],    }],    "allowlistedCertificates": [{      "pem_certificate": "ALLOWLISTED_CERT"  }],  }

Replace the following:

• PROJECT_ID: the ID of the Google Cloud project.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.
• TRUST_CONFIG_ID: the ID of the trust config resource.
• DESCRIPTION: a meaningful description for this trustconfig resource. This description is optional.
• CERTIFICATE_PEM_PAYLOAD: the complete PEM payloadfor the certificate to use for the trust config resource.
• INTER_CERT_PEM_PAYLOAD: the completePEM payload for the intermediate certificate to use for the trust config resource. This value is optional.
• ALLOWLISTED_CERT: the certificate that is added to anallowlist to use for this trust config resource. This value is optional.

Console

1. In the Google Cloud console, go to theTrust configs tab on theCertificate Manager page.

   Go to Certificate Manager

2. On theTrust configs tab, you can view a list of all the configuredtrust config resources in the selected project.

gcloud

Use thegcloud certificate-manager trust-configs list command:

gcloud certificate-manager trust-configs list \    --filter="FILTER" \    --page-size="PAGE_SIZE" \    --limit="LIMIT" \    --sort-by="SORT_BY" \    --location=LOCATION

Replace the following:

• FILTER: an expression that constrains the returned results to specific values.

  For example, to filter results by thelabels and creation time, you can specify:--filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

  For more filtering examples that you can use withCertificate Manager, seeSorting and filtering listresults in the Cloud Key Management Servicedocumentation.

• PAGE_SIZE: the number of results to return per page.

• LIMIT: the maximum number of results to return.

• SORT_BY: a comma-delimited list ofname fields by whichthe returned results are sorted. The default sort order is ascending; fordescending sort order, prefix the field with a tilde (~).

• LOCATION: the region where the trust config resource is stored. To list trust configs from all regions, use- as the value. The default is-. This flag is optional.

API

Make aGET request to thetrustConfigs.list method:

GET /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

• PROJECT_ID: the ID of the Google Cloud project.
• LOCATION: the region where the trust config resource is stored. To see all trust configs across alllocations, specify a single hyphen (-).

• FILTER: an expression that constrains the returned results to specific values.

  For example, to filter results by thelabels and creation time, you can specify:--filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

  For more filtering examples that you can use withCertificate Manager, seeSorting and filtering listresults in the Cloud Key Management Servicedocumentation.

• PAGE_SIZE: the number of results to return per page.

• SORT_BY: a comma-delimited list ofname fields by whichthe returned results are sorted. The default sort order is ascending; fordescending sort order, prefix the field with a tilde (~).

Console

1. In the Google Cloud console, go to theTrust configs tab on theCertificate Manager page.

   Go to Certificate Manager

2. Click the trust config resource that you want to view. TheTrust Config details page displays detailed information about theselected trust config resource.

gcloud

Use thegcloud certificate-manager trust-configs describe command:

gcloud certificate-manager trust-configs describeTRUST_CONFIG_ID \    --location=LOCATION

Replace the following:

• TRUST_CONFIG_ID: the ID of the trust config resource.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.

API

Make aGET request to thetrustConfigs.get method:

GET /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID

Replace the following:

• PROJECT_ID: the ID of the Google Cloud project.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.
• TRUST_CONFIG_ID: the ID of the trust config resource.

Console

1. In the Google Cloud console, go to theTrust configs tab on theCertificate Manager page.

   Go to Certificate Manager

2. Select the checkbox of the trust config that you want to delete.

3. ClickDelete.

4. In the dialog that appears, clickDelete to confirm.

gcloud

Use thegcloud certificate-manager trust-configs delete command:

gcloud certificate-manager trust-configs deleteTRUST_CONFIG_ID \    --location=LOCATION

Replace the following:

• TRUST_CONFIG_ID: the ID of the trust config resource.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.

API

Make aDELETE request to thetrustConfigs.delete method:

DELETE /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID

Replace the following:

• PROJECT_ID: the ID of the Google Cloud project.
• LOCATION: the region where the trust config resource is stored. The default location isglobal.
• TRUST_CONFIG_ID: the ID of the trust config resource.