Best practices for Certificate Authority Service

This topic outlines some of the best practices that can help you use Certificate Authority Service more effectively.

Roles and access control

Using Identity and Access Management (IAM), you can grant roles to users. Roles are a bundle of one or more permissions. Roles in IAM can either be basic, predefined or custom.

IAM role type   Description
Basic           Includes the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
Predefined      Predefined roles are created and maintained by Google.
Custom          Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. For more information, see Understanding custom roles.

Individuals shouldn't be assigned more than one role at any given time. In addition, everyone holding an assigned role should be properly briefed and trained on their responsibilities and security practices. If you want to assign a diverse set of permissions to an individual, you should create a custom role using IAM. For information on how to create a custom role, see Creating and managing custom roles.
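As an added example (not part of Google's documentation or tooling), the following script audits an IAM policy for individuals who hold more than one role, which is what the guidance above advises against. The policy is a constructed sample in the JSON shape that `gcloud ... get-iam-policy --format=json` prints; the principals are made up and the role names are CA Service's predefined roles.

```python
"""Audit a Google Cloud IAM policy for individuals holding more than one role,
which this page's guidance advises against.
Example code added here, not Google's; the policy is a constructed sample in
the JSON shape that `gcloud ... get-iam-policy --format=json` prints, using CA
Service's predefined role names and made-up principals."""
import json
from collections import defaultdict

# Constructed sample policy (not a real project's policy).
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/privateca.caManager",
     "members": ["user:alice@example.com", "group:pki-ops@example.com"]},
    {"role": "roles/privateca.certificateManager",
     "members": ["user:alice@example.com",
                 "serviceAccount:issuer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/privateca.auditor",
     "members": ["user:bob@example.com", "user:alice@example.com",
                 "group:pki-ops@example.com"]},
]})

def roles_by_member(policy_json):
    """Invert the bindings: principal -> sorted list of roles it holds."""
    policy = json.loads(policy_json)
    held = defaultdict(set)
    for binding in policy.get("bindings", []):
        # A conditional binding still grants the role, so it stays in the audit.
        for member in binding.get("members", []):
            held[member].add(binding["role"])
    return {m: sorted(r) for m, r in held.items()}

def multi_role_members(policy_json, prefixes=("user:",)):
    """Principals of the given kinds (individuals by default) holding more than
    one role: candidates for a single custom role bundling the permissions."""
    return {m: r for m, r in roles_by_member(policy_json).items()
            if len(r) > 1 and m.startswith(prefixes)}

if __name__ == "__main__":
    for member, roles in multi_role_members(SAMPLE_POLICY).items():
        print(f"{member} holds {len(roles)} roles: {', '.join(roles)}")
```

Passing `prefixes=("group:", "serviceAccount:")` extends the same check to groups and service accounts.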

For information about permissions and predefined roles, see Permissions and roles.

CA Service tiers

CA Service provides two operational service tiers for CAs: DevOps and Enterprise. These two tiers provide organizations with a balance of performance and lifecycle management capabilities based on operational requirements.

  • Consider carefully before using the DevOps tier, because it does not support certificate revocation.
  • For CAs in the DevOps tier, issued certificates are not stored in the CA. You can only track certificates by reviewing Cloud Audit Logs, if enabled. DevOps tier should only be used for short-lived certificates that don't need to be revoked, such as microservices, containers, session certificates, non-persistent virtual machines and other isolated needs.
  • A Public Key Infrastructure (PKI) can consist of a combination of CAs in DevOps and Enterprise tiers to meet a variety of needs.
  • In most cases, you should use the Enterprise tier to create root CAs and any subordinate CAs that issue certificates to other CAs and end-entities.
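Because a DevOps-tier CA keeps no record of the certificates it issues, the audit log is the inventory. The following added example (not Google's code) rebuilds that inventory from Cloud Audit Logs entries and flags certificates whose lifetime exceeds a local "short-lived" policy. The log lines are a constructed sample modelled on the Data Access audit-log shape (a LogEntry with a protoPayload); the project, pool, certificate ids, lifetimes and the one-day MAX_LIFETIME policy are all assumptions.

```python
"""Inventory of certificates issued by a DevOps-tier CA, rebuilt from Cloud
Audit Logs, the only record CA Service keeps for that tier.
Example code added here, not Google's; the log lines are a constructed sample
modelled on the Data Access audit-log shape (project, pool, ids and lifetimes
are made up) and MAX_LIFETIME is an assumed local policy for "short-lived"."""
import json
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=1)  # assumed policy for DevOps-tier certificates

def _entry(ts, cert_id, lifetime, method="CreateCertificate"):
    """Build one constructed audit-log line (sample data, not a real log)."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": "privateca.googleapis.com",
        "methodName": "google.cloud.security.privateca.v1."
                      f"CertificateAuthorityService.{method}",
        "resourceName": "projects/example-project/locations/us-west1/caPools/devops-pool",
        "request": {"certificateId": cert_id, "certificate": {"lifetime": lifetime}},
    }})

SAMPLE_LOG_LINES = [
    _entry("2024-05-01T10:00:00Z", "svc-a-1", "3600s"),
    _entry("2024-05-01T10:05:00Z", "vm-batch-7", "1209600s"),  # 14 days: over policy
    _entry("2024-05-01T10:06:00Z", "svc-a-1", "3600s", method="GetCertificate"),
    _entry("2024-05-01T11:00:00Z", "svc-b-2", "86400s"),  # exactly one day: allowed
]

def parse_lifetime(value):
    """Protobuf Duration in JSON form, e.g. "3600s" or "86400.5s"."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected lifetime format: {value!r}")
    return timedelta(seconds=float(value[:-1]))

def inventory(log_lines):
    """One record per CreateCertificate entry; other audited calls are skipped."""
    records = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith(".CreateCertificate"):
            continue
        issued = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        lifetime = parse_lifetime(payload["request"]["certificate"]["lifetime"])
        records.append({"certificate_id": payload["request"]["certificateId"],
                        "pool": payload["resourceName"], "issued": issued,
                        "expires": issued + lifetime,
                        "over_policy": lifetime > MAX_LIFETIME})
    return records
```

Records with `over_policy` set are the ones that should have been issued from an Enterprise-tier CA, where they could be revoked if needed.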

For more information about CA Service tiers, see Workload-optimized tiers.

For information about enabling Cloud Audit Logs, see Configuring Data Access audit logs.

CA signing keys

The proper control of the underlying cryptographic key pair for CA certificates determines the security and integrity afforded by the PKI. This section lists some best practices for securing CA signing keys.

Hardware Security Modules (HSM)

CA Service can be automatically configured to use Google-managed keys that rely on Cloud HSM to generate, store and use keys. However, if you want to use your own key, or another key stored in Cloud KMS, you can specify that key during the setup of the CA.

For more information about Cloud HSM, see Cloud HSM.

For more information on importing a cryptographic key into Cloud HSM or Cloud KMS, see Importing a key into Cloud KMS.

Service-managed vs Customer-managed keys

If you don't have a custom security or operational requirement that requires direct management of keys outside of CA Service, it is recommended that you use service-managed keys. Service-managed keys provide a simplified and secure-by-default key generation, storage, and utilization system.

Note that service-managed keys use Cloud HSM and, as a result, aren't accessible to or usable by any other organization. Access to and use of Cloud HSM signing keys is auditable through Cloud Audit Logs.

For more information about lifecycle management models, see Managed resources.

Importing external Certificate Authorities (CAs)

It isn't possible to import previously issued certificates into CA Service. You shouldn't migrate an existing external CA with issued certificates into CA Service.

Key Escrow

CA Service uses Cloud KMS and Cloud HSM to protect keys from export and extraction. If your organization wants to maintain a copy of its CA keys, you can generate keys using on-premises tools and then import them into Cloud KMS and Cloud HSM for use with CA Service. You can then safely escrow the keys and maintain possession of them until they are needed in the future.

For information about importing keys into Cloud KMS, see Importing a key into Cloud KMS.

CA key sizes and algorithms

Cryptographic key sizes and algorithms define the type and strength of the asymmetric key pair that is used to sign certificates and Certificate Revocation Lists (CRLs). As CAs can live for a relatively long period of time, the keys should be strong enough to remain secure throughout their intended lifetime.

If you have a well-defined PKI environment with modern devices, Elliptic Curve Digital Signature Algorithm (ECDSA) offers the best performance and security. In organizations with a wide range of systems and uncertainty about key support, it could be sufficient to use RSA-based keys.

There are also other considerations for CA signing keys, such as compliance with certifications, compatibility with other systems and the specific threat models. Consider your use case when choosing a key size and algorithm.

Regardless of the CA lifetime, or key size and algorithm, it is strongly recommended that you put in place a process for regular rotation of CA keys.

For more information on choosing an algorithm for signing keys, see Choosing a key algorithm.

What's next