Manage trust configs

This page describes how to create and manage trust configs for use in mutual TLS authentication (mTLS) scenarios.

For more information about mTLS, see the following resources:

Note: The Google Cloud CLI instructions on this page assume that you are using Cloud Shell or another environment with bash installed. For more information about the gcloud CLI commands used on this page, see the Certificate Manager CLI reference.

Create a trust config

When you create a trust config, you must specify the trust anchors that are used to validate the certificate.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

To create a trust config, complete the following steps:

Console

  1. In the Google Cloud console, go to the Trust configs tab on the Certificate Manager page.

  2. Click Add Trust Config. The Create Trust Config page appears.

  3. In the Name field, enter a name for the configuration.

    The name must be unique for the project. Also, it must start with a lowercase letter, followed by up to 62 lowercase letters, numbers, or hyphens, and must not end with a hyphen.

  4. Optional: In the Description field, enter a description for the configuration. This description helps you identify a specific configuration later.

  5. Optional: In the Labels field, specify labels to associate with the trust config. To add a label, click Add label, and specify a key and a value for your label.

  6. For Location, select Global or Regional.

    If you selected Regional, select the Region.

  7. In the Trust store section, add trust anchors and intermediate CAs.

    You can specify multiple trust anchors and intermediate certificates by using multiple instances of the complete PEM payload for the certificate, one certificate per instance.

    1. In the Trust anchors section, click Add trust anchor and upload the PEM-encoded certificate file, or copy the contents of the certificate. When you have finished, click Add.

    2. Optional: In the Intermediate CAs section, click Add intermediate CA and upload the PEM-encoded intermediate certificate file, or copy the contents of the intermediate certificate. When you have finished, click Add.

      This step lets you add another level of trust between the root certificate and your server certificate.

    3. Optional: In the Allowlisted certificates section, click Add certificate and upload the PEM-encoded certificate file, or copy the contents of the certificate. This adds the certificate to an allowlist. When you have finished, click Add.

    To specify multiple trust anchors or intermediate certificates within the trust config resource specification, use multiple instances of the pemCertificate field. Each instance of the field contains a single certificate.

    The trust config always considers a certificate on an allowlist as valid. To encapsulate multiple certificates on an allowlist, use multiple instances of the pemCertificate field, one certificate per instance. You don't need a trust store when using certificates added to an allowlist.

    The trust config always considers a certificate on an allowlist valid if it fulfills specific conditions: it must be parseable, possess proof of private key ownership, and adhere to constraints on the certificate's SAN field. Expired certificates are also considered valid when they are added to an allowlist. For more information about the PEM-encoded format, see RFC 7468.

  8. Click Create.

Verify that the new trust config appears in the list of configurations.

gcloud

  1. Create a trust config YAML file that specifies the trust config parameters.

    The file has the following format:

    name: "TRUST_CONFIG_ID"
    trustStores:
    - trustAnchors:
      - pemCertificate: "CERTIFICATE_PEM_PAYLOAD"
      intermediateCas:
      - pemCertificate: "INTER_CERT_PEM_PAYLOAD"
    allowlistedCertificates:
    - pemCertificate: "ALLOWLISTED_CERT1"
    - pemCertificate: "ALLOWLISTED_CERT2"

    Replace the following:

    • TRUST_CONFIG_ID: the ID of the trust config resource.
    • CERTIFICATE_PEM_PAYLOAD: the complete PEM payload for the certificate to use for the trust config resource.
    • INTER_CERT_PEM_PAYLOAD: the complete PEM payload for the intermediate certificate to use for the trust config resource.
    • ALLOWLISTED_CERT1 and ALLOWLISTED_CERT2: the certificates that are added to an allowlist to use for this trust config resource.

    To specify multiple trust anchors or intermediate certificates within the trust config resource specification, use multiple instances of the pemCertificate field. Each instance of the field contains a single certificate.

    The trust config always considers a certificate on an allowlist as valid. To encapsulate multiple certificates on an allowlist, use multiple instances of the pemCertificate field, one certificate per instance. You don't need a trust store when using certificates added to an allowlist.

    The trust config always considers a certificate on an allowlist valid if it fulfills specific conditions: it must be parseable, possess proof of private key ownership, and adhere to constraints on the certificate's SAN field. Expired certificates are also considered valid when they are added to an allowlist. For more information about the PEM-encoded format, see RFC 7468.

  2. To import the trust config YAML file, use the gcloud certificate-manager trust-configs import command:

    gcloud certificate-manager trust-configs import TRUST_CONFIG_ID \
        --project=PROJECT_ID \
        --source=TRUST_CONFIG_FILE \
        --location=LOCATION

    Replace the following:

    • TRUST_CONFIG_ID: the ID of the trust config resource.
    • PROJECT_ID: the ID of the Google Cloud project.
    • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file that you created in step 1.
    • LOCATION: the region where the trust config resource is stored. The default location is global.
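As an added example (not code from the Certificate Manager documentation), the following POSIX shell script assembles the step 1 YAML from PEM files on disk. It refuses any file that does not hold exactly one certificate, because each pemCertificate instance must carry a single complete PEM payload, and it omits trustStores entirely when only allowlisted certificates are supplied, as the page says no trust store is needed in that case. The field names are those the page documents; the file paths, function names, and the choice of YAML literal block scalars for the multi-line PEM bodies are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the Certificate Manager documentation.
# Assembles a trust config YAML (the format shown in step 1) from PEM files.
# Field names (name, trustStores, trustAnchors, intermediateCas,
# allowlistedCertificates, pemCertificate) are the documented ones; the PEM
# bodies are emitted as YAML literal block scalars, one certificate per item.

# check_single_pem FILE: refuse a file unless it holds exactly one certificate,
# since each pemCertificate instance must carry a single complete PEM payload.
check_single_pem() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
  if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "error: $1 must contain exactly one PEM certificate" >&2
    return 1
  fi
}

# pem_item PREFIX INDENT FILE: emit "<PREFIX>pemCertificate: |" followed by the
# file body indented by INDENT, so YAML reads it as one literal block scalar.
pem_item() {
  check_single_pem "$3" || return 1
  printf '%spemCertificate: |\n' "$1"
  sed "s/^/$2/" "$3"
}

# build_trust_config NAME "ANCHOR_FILES" "INTERMEDIATE_FILES" "ALLOWLIST_FILES"
# Each list is space separated (file names without spaces; constructed layout).
# An empty anchor list omits trustStores: allowlisted certificates need none.
build_trust_config() {
  name=$1; anchors=$2; inters=$3; allow=$4
  printf 'name: "%s"\n' "$name"
  if [ -n "$anchors" ]; then
    printf 'trustStores:\n- trustAnchors:\n'
    for f in $anchors; do pem_item '  - ' '      ' "$f" || return 1; done
    if [ -n "$inters" ]; then
      printf '  intermediateCas:\n'
      for f in $inters; do pem_item '  - ' '      ' "$f" || return 1; done
    fi
  fi
  if [ -n "$allow" ]; then
    printf 'allowlistedCertificates:\n'
    for f in $allow; do pem_item '- ' '    ' "$f" || return 1; done
  fi
}

# Usage: sh build_trust_config.sh NAME root.pem "inter.pem" "" > trust.yaml
if [ "$#" -eq 4 ]; then
  build_trust_config "$@"
fi
```

Redirect the output to a file and pass that file as --source to the import command in step 2. Review the generated file before importing it: every trust anchor it lists becomes a CA whose client certificates the trust config will accept, and every allowlisted certificate is accepted even after it expires.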

API

Make a POST request to the trustConfigs.create method:

POST /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs?trust_config_id=TRUST_CONFIG_ID
{
  "description": "DESCRIPTION",
  "trust_stores": [{
    "trust_anchors": [{
      "pem_certificate": "CERTIFICATE_PEM_PAYLOAD"
    }],
    "intermediate_cas": [{
      "pem_certificate": "INTER_CERT_PEM_PAYLOAD"
    }]
  }],
  "allowlistedCertificates": [{
    "pem_certificate": "ALLOWLISTED_CERT"
  }]
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the region where the trust config resource is stored. The default location is global.
  • TRUST_CONFIG_ID: the ID of the trust config resource.
  • DESCRIPTION: a meaningful description for this trust config resource. This value is optional.
  • CERTIFICATE_PEM_PAYLOAD: the complete PEM payload for the certificate to use for the trust config resource.
  • INTER_CERT_PEM_PAYLOAD: the complete PEM payload for the intermediate certificate to use for the trust config resource. This value is optional.
  • ALLOWLISTED_CERT: the certificate that is added to an allowlist to use for this trust config resource. This value is optional.

Update a trust config

To update a trust config, you create another trust config YAML file that specifies the new trust config parameters and import this file into Certificate Manager.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Trust configs tab on the Certificate Manager page.

  2. Locate and select the trust config that you want to update.

  3. In the More Options column, click

  4. Make the required changes.

  5. Click Save.

Verify that the configuration changes are updated.

gcloud

  1. Export the trust config YAML file.

    gcloud certificate-manager trust-configs export TRUST_CONFIG_ID \
        --project=PROJECT_ID \
        --destination=TRUST_CONFIG_FILE \
        --location=LOCATION

    Replace the following:

    • TRUST_CONFIG_ID: the ID of the trust config resource.
    • PROJECT_ID: the ID of the Google Cloud project.
    • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file.
    • LOCATION: the region where the trust config resource is stored. The default location is global.
  2. Edit the trust config YAML file.

    The file has the following format:

    name: "TRUST_CONFIG_ID"
    trustStores:
    - trustAnchors:
      - pemCertificate: "CERTIFICATE_PEM_PAYLOAD"
      intermediateCas:
      - pemCertificate: "INTER_CERT_PEM_PAYLOAD"
    allowlistedCertificates:
    - pemCertificate: "ALLOWLISTED_CERT1"
    - pemCertificate: "ALLOWLISTED_CERT2"

    Replace the following:

    • TRUST_CONFIG_ID: the ID of the trust config resource.
    • CERTIFICATE_PEM_PAYLOAD: the complete PEM payload for the certificate to use for the trust config resource.
    • INTER_CERT_PEM_PAYLOAD: the complete PEM payload for the intermediate certificate to use for the trust config resource. This value is optional.
    • ALLOWLISTED_CERT1 and ALLOWLISTED_CERT2: the certificates that are added to an allowlist to use for this trust config resource. This value is optional.
  3. Import the new trust config file into Certificate Manager against the existing trust config resource name.

    gcloud certificate-manager trust-configs import TRUST_CONFIG_ID \
        --project=PROJECT_ID \
        --source=TRUST_CONFIG_FILE \
        --location=LOCATION

    Replace the following:

    • TRUST_CONFIG_ID: the ID of the trust config resource.
    • PROJECT_ID: the ID of the Google Cloud project.
    • TRUST_CONFIG_FILE: the full path and name of the trust config YAML file.
    • LOCATION: the region where the trust config resource is stored. The default location is global.

API

Make a PATCH request to the trustConfigs.update method:

PATCH /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID?update_mask=*
{
  "description": "DESCRIPTION",
  "trust_stores": [{
    "trust_anchors": [{
      "pem_certificate": "CERTIFICATE_PEM_PAYLOAD"
    }],
    "intermediate_cas": [{
      "pem_certificate": "INTER_CERT_PEM_PAYLOAD"
    }]
  }],
  "allowlistedCertificates": [{
    "pem_certificate": "ALLOWLISTED_CERT"
  }]
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the region where the trust config resource is stored. The default location is global.
  • TRUST_CONFIG_ID: the ID of the trust config resource.
  • DESCRIPTION: a meaningful description for this trust config resource. This description is optional.
  • CERTIFICATE_PEM_PAYLOAD: the complete PEM payload for the certificate to use for the trust config resource.
  • INTER_CERT_PEM_PAYLOAD: the complete PEM payload for the intermediate certificate to use for the trust config resource. This value is optional.
  • ALLOWLISTED_CERT: the certificate that is added to an allowlist to use for this trust config resource. This value is optional.

List trust configs

You can see all configured trust configs of your project.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)
  • Certificate Manager Viewer role (roles/certificatemanager.viewer)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Trust configs tab on the Certificate Manager page.

  2. On the Trust configs tab, you can view a list of all the configured trust config resources in the selected project.

gcloud

Use the gcloud certificate-manager trust-configs list command:

gcloud certificate-manager trust-configs list \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY" \
    --location=LOCATION

Replace the following:

  • FILTER: an expression that constrains the returned results to specific values.

    For example, to filter results by the labels and creation time, you can specify: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • LIMIT: the maximum number of results to return.

  • SORT_BY: a comma-delimited list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

  • LOCATION: the region where the trust config resource is stored. To list trust configs from all regions, use - as the value. The default is -. This flag is optional.

API

Make a GET request to the trustConfigs.list method:

GET /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the region where the trust config resource is stored. To see all trust configs across all locations, specify a single hyphen (-).
  • FILTER: an expression that constrains the returned results to specific values.

    For example, to filter results by the labels and creation time, you can specify: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • SORT_BY: a comma-delimited list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

View trust configs

You can see details of a specific trust config.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)
  • Certificate Manager Viewer role (roles/certificatemanager.viewer)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Trust configs tab on the Certificate Manager page.

  2. Click the trust config resource that you want to view. The Trust Config details page displays detailed information about the selected trust config resource.

gcloud

Use the gcloud certificate-manager trust-configs describe command:

gcloud certificate-manager trust-configs describe TRUST_CONFIG_ID \
    --location=LOCATION

Replace the following:

  • TRUST_CONFIG_ID: the ID of the trust config resource.
  • LOCATION: the region where the trust config resource is stored. The default location is global.

API

Make a GET request to the trustConfigs.get method:

GET /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the region where the trust config resource is stored. The default location is global.
  • TRUST_CONFIG_ID: the ID of the trust config resource.

Delete a trust config

Before deleting a trust config, detach the trust config from the Client Authentication (ServerTlsPolicy) resource.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Trust configs tab on the Certificate Manager page.

  2. Select the checkbox of the trust config that you want to delete.

  3. Click Delete.

  4. In the dialog that appears, click Delete to confirm.

gcloud

Use the gcloud certificate-manager trust-configs delete command:

gcloud certificate-manager trust-configs delete TRUST_CONFIG_ID \
    --location=LOCATION

Replace the following:

  • TRUST_CONFIG_ID: the ID of the trust config resource.
  • LOCATION: the region where the trust config resource is stored. The default location is global.

API

Make a DELETE request to the trustConfigs.delete method:

DELETE /v1/projects/PROJECT_ID/locations/LOCATION/trustConfigs/TRUST_CONFIG_ID

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the region where the trust config resource is stored. The default location is global.
  • TRUST_CONFIG_ID: the ID of the trust config resource.

Last updated 2026-02-18 UTC.