Determine certificate authority settings
This page provides information about the various settings of a certificate authority (CA).
Permanent settings
You cannot change the settings mentioned in this section after creating the CA.
Service-specific settings
Type of CA
CA Service lets you create both root CAs and subordinate CAs.
| Root CA | Subordinate CA |
|---|---|
| A root CA is a self-signed CA.
Parties that need to authenticate
certificates created from a root CA
(a relying party) must know its CA
certificate in advance. The root CA
certificate is often referred to as
a trust anchor. Frequently changing a root CA is difficult. To change the root CA, you must first update all relying parties about the new trust anchor. Otherwise, they won't be able to authenticate certificates from the new root CA. Root CAs cannot be revoked using the CRLs of the issuing CA because root CAs are self-signed. To revoke a root CA, you must remove it from the trust store of every single client that trusts it. This process can be long and tedious. Hence, we recommend protecting the root CAs. |
A subordinate CA is a CA that is
signed by a root CA or another
subordinate CA. Following a chain of
subordinate CAs, the chain always
ends with a root CA. A relying party that only knows about a root CA can also implicitly trust a subordinate CA that chains to the explicitly trusted root CA certificate. The subordinate CA can be trusted only if the relying party is able to cryptographically validate the certificate chain that forms a path to the root CA certificate. A chain containing a root and one or more subordinate CAs can include CAs that are managed in CA Service and CAs that aren't. |
Cloud KMS key
By default, new CAs use a Google-managed Cloud Key Management Service (Cloud KMS) key. You can choose a specific key algorithm for the Google-managed Cloud KMS key. Alternatively, you can grant CA Service access to a key that already exists. For more information, see Choose a key algorithm.
For more information about the management models for Cloud KMS keys and Cloud Storage buckets, see Manage resources.
Cloud Storage bucket
By default, CA Service creates a new Google-managed Cloud Storage bucket in the same location as the CA. You can also choose to use an existing self-managed bucket or create a new bucket. To minimize latency while publishing CRLs, we recommend creating the Cloud Storage bucket in the same location as your CA. For more information, see Manage resources.
CA certificate settings
The following settings are directly reflected in the CA's own certificate:
| Setting | Description |
|---|---|
| Lifetime | Specifies a CA's lifetime. Lifetime is the amount of time, starting from the CA's creation, that the CA is valid for. |
| Subject | A CA can specify a distinguished name and subject alternative
names. In many cases, these fields are purely informational.
However, a relying party can choose to treat certificates issued
from a CA with particular subject attributes differently. If you want to specify a subject alternative name for your CA's certificate, you must use the Google Cloud CLI. |
Optional CA settings
The following CA settings are optional. You can change the following setting after creating the CA.
| Setting | Description |
|---|---|
| Label | A CA can have one or more user labels attached to it. Labels have no semantic meaning to CA Service. |
What's next
- Learn how to create a root CA.
- Learn how to create a subordinate CA.
- Learn how to create a subordinate CA from an external CA.