Certificate Authority Service is a scalable Google Distributed Cloud (GDC) air-gapped service that lets you simplify, automate, and customize the deployment, management, and security of private certificate authorities (CAs). Private CAs are one of the most common ways to authenticate users, machines, or services over networks. Private CAs issue digital certificates that carry the entity's identity, the issuer's identity, and a cryptographic signature.
With CA Service, you can create both root CAs and sub CAs:
- Root CAs: The root CA has a self-signed certificate. This certificate type sits at the top of the certificate chain.
- Sub CAs: The signer of the CA certificate is either another CA created in the CA Service, or an external CA.
CA Service provides the following capabilities:
- Manage certificate authorities: Create and manage your own root CAs and subordinate CAs. Subordinate CAs can be chained to a root CA managed within the service or to an external root CA.
- Issue certificates: Request certificates for your applications and services. CA Service supports issuing certificates from ACME-enabled CAs or from ACME-disabled CAs through a CertificateRequest custom resource.
- Use predefined certificate templates: Simplify and standardize certificate creation using predefined certificate templates. These templates offer pre-configured X.509 parameters tailored for common use cases, and enforce compatibility with the issuing CA's allowed profile.
- Revoke certificates: Invalidate certificates before their scheduled expiration date if they can no longer be trusted (for example, after a key compromise). CA Service enables this by publishing Certificate Revocation Lists (CRLs), which clients can check to verify a certificate's status.
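The hierarchy and revocation flow described above (a self-signed root CA, a subordinate CA chained to it, a leaf certificate, and a CRL published by each CA that a client consults before trusting the leaf), as an added example that is not part of this page or of CA Service itself. It uses the Python cryptography library rather than the service's own API; the CA names, the service hostname and the fixed clock are constructed values.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # fixed clock; constructed demo, not GDC code
def make_cert(cn, key, is_ca, issuer=None):
    """Issue a cert for `key`; `issuer` is (cert, key) of the signing CA, None = self-signed root."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

def make_crl(ca_cert, ca_key, revoked_serials):
    # The CA publishes a signed CRL listing the serial numbers it has revoked.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def validate(leaf, intermediates, trust_root, crls):
    """Walk leaf -> intermediates -> root; crls maps issuer DN string -> that CA's CRL."""
    path = [leaf] + intermediates
    for cert, issuer in zip(path, path[1:] + [trust_root]):
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return "issuer is not a CA"  # an end-entity key must never act as a signer
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return "bad signature"
        crl = crls.get(issuer.subject.rfc4514_string())
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return "no trusted CRL for issuer"  # fail closed: revocation status unknown
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "ok"

def demo(revoke_leaf=False):
    # Root CA -> subordinate CA -> leaf for a constructed service name, then validate the leaf.
    root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root CA", root_key, True)
    sub = make_cert("Example Sub CA", sub_key, True, issuer=(root, root_key))
    leaf = make_cert("svc.internal.example", leaf_key, False, issuer=(sub, sub_key))
    crls = {root.subject.rfc4514_string(): make_crl(root, root_key, []),
            sub.subject.rfc4514_string(): make_crl(sub, sub_key, [leaf.serial_number] if revoke_leaf else [])}
    return validate(leaf, [sub], root, crls)
```

demo() returns "ok" for the freshly issued leaf and "revoked" once the subordinate CA lists its serial on the CRL; a missing or unsigned CRL is treated as a failure rather than as "not revoked".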
What's next
- Create a root CA
- Create a managed subordinate certificate authority
- Request a certificate
- Predefined certificate templates
- Revoke a certificate