Certificate Authority Service is a highly available and scalable Google Cloud service that enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).

Guides

Reference

Resources

Training and tutorials

Try CA Service tutorials, courses, and self-paced training from Google Cloud Skills Boost.

Training

Getting started with Certificate Authority Service

Learn how to enable the Certificate Authority Service API, create a root CA and a subordinate CA, and issue certificates from those CAs.

Learn more  
Tutorial

Manage policy controls

Policy controls let you control the type of certificates that your CA pool can issue. This tutorial explains how you can manage various policies to control certificate issuance and access to CA Service resources.

Learn more  

Use cases

Explore use cases, reference architectures, whitepapers, best practices, and industry solutions.

Use case

Hashicorp Vault CA integration

Hashicorp Vault is commonly used for managing and storing secrets on-premises. This topic describes how Hashicorp Vault CA can be configured to act as a proxy that forwards all certificate issuance requests to Certificate Authority Service. This integration allows a currently deployed solution to natively work with CA Service.

Hashicorp On-premises Secrets

Learn more  
Use case

Implementing a delegated OCSP responder

Using OCSP to provide the certificate revocation status can have many benefits. These benefits include quicker response time and smaller requirement for network bandwidth, as compared to Certificate Revocation Lists (CRLs), which can get very large. This page provides information about configuring a delegated OCSP responder that works with CA Service.

OCSP Security

Learn more  
Use case

Using Terraform

Terraform is a popular open source tool that lets you create and manage your Certificate Authority Service resources using its infrastructure-as-code paradigm. This guide provides information about using Terraform with CA Service.

Terraform CA Service APIs

Learn more  
Use case

Manage certificate lifecycle using Cert-Manager

Cert-Manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. You can use Cert-Manager to manage the lifecycle of certificates issued by CAs that are created using CA Service. Cert-Manager ensures certificates are valid and duly renewed before they expire.

Cert-Manager Certificate renewal

Learn more  
Use case

Use Certificate Authority Service with Anthos Service Mesh

CA Service lets you request workload identity certificates from a certificate authority (CA) that you control. This document explains how you can install Anthos Service Mesh and use Certificate Authority Service with it.

Anthos Service Mesh

Learn more  
Use case

Set up Traffic Director service security with Envoy

Learn how you can set up service security for Traffic Director with Envoy and Certificate Authority Service.

Traffic Director Envoy

Learn more  
Use case

Set up Traffic Director service security with proxyless gRPC

Learn how you can set up service security for Traffic Director with proxyless gRPC and Certificate Authority Service.

Traffic Director proxyless gRPC

Learn more  
Whitepaper

How to deploy a secure and reliable PKI with Certificate Authority Service

This whitepaper provides security and architectural recommendations to organizations for the use of CA Service. It describes critical concepts to securing and deploying a PKI and provides specific recommendations for configuring CA Service to ensure high operational availability.

PKI design

Learn more  
Whitepaper

Scaling certificate management with Certificate Authority Service

This whitepaper explains how CA Service addresses the challenges organizations face as they use digital certificates in a fast-changing and interconnected digital world.

IoT Cloud computing

Learn more  
Best practice

Best practices for Certificate Authority Service

This topic provides the best practices to use CA Service more effectively.

Access control Signing keys CA Service tiers

Learn more  
Solution

GCLB rotation tool

Certificate expiry is one of the main sources of service outages in the industry. Even large and well-established companies have suffered from this in recent years. The GCLB rotation tool can be configured to periodically check the status of SSL proxy load balancers and rotate their certificates using CA Service when they reach a given threshold.

Certificate management

Learn more  

Code samples

Dive into coding with examples that demonstrate how to use and connect Google Cloud services.

github

Certificate Authority Service Client for Go

Samples that use the Go idiomatic client for Certificate Authority Service.

Open GitHub  

github

Certificate Authority Service Client for Java

Samples that use the Java idiomatic client for Certificate Authority Service.

Open GitHub  

github

Certificate Authority Service Client for Python

Samples that use the Python idiomatic client for Certificate Authority Service.

Open GitHub  

Videos