Frequently asked questions

What is Certificate Authority Service?

Certificate Authority Service is a highly available, scalable Google Cloud service that enables customers to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CAs) while staying in control of their private keys.

What are the common use cases for Certificate Authority Service?

The following are some common use cases for CA Service.

  • Workload identities: Leverage APIs to get certificates for applications or use certificates in applications, containers, systems, and other resources.
  • Enterprise scenarios: Use certificates for VPN, BeyondCorp Enterprise, signing documents, WiFi access, email, smartcard, and more.
  • Centralized certificate issuance and management: Configure Anthos Service Mesh to use CA Service.
  • IoT and mobile device identity: Issue TLS certificates as identity for endpoints.
  • CI/CD channel, Binary Authorization, Istio, and Kubernetes.

Which locations can we create CA Service resources in?

CA Service resources can be created in one of many locations. For the complete list of locations, see Locations.

Does CA Service support a global PKI under a single root?

Yes, provided the root CA lives in a single region. However, you can create multiple issuing CAs in different regions that chain up to the same root.

Are labels supported for CAs?

Yes, you can associate labels when you create and update CAs.

Is it possible to use Cloud Monitoring to track certificate creation and CA expiration? Is it possible to generate Pub/Sub events for them?

Yes, all of these events can be monitored. CA Service does not natively support Pub/Sub, but it can be configured using Cloud Monitoring. For more information, see Using Cloud Monitoring with CA Service.

How long are unactivated CAs retained?

Subordinate CAs that have been created in a PENDING_ACTIVATION state and have not been activated will be retained for 30 days. If a subordinate CA is still in the PENDING_ACTIVATION state 30 days after it has been created, it will be deleted.

What access controls does CA Service support for certificate issuance?

CA Service supports setting IAM policies on a CA to control who can issue certificates. A CA admin can attach an Issuance Policy to a CA, which defines restrictions on the type of certificates that the CA can issue. These restrictions include placing limits on domain name, extensions, and certificate validity period, among other things.

For more information on how to configure an Issuance Policy on a CA, see Using an Issuance Policy.

For information on how to configure the necessary IAM policies for creating and managing CA Service resources, see Configuring IAM policies.

Does CA Service support multi-region Cloud KMS keys?

No, CA Service does not support multi-region Cloud KMS keys.

Will CA Service ever throttle my requests? What is the target QPS for CA Service?

Yes, CA Service has a throttling mechanism. For more information, see Quotas and limits.

Does CA Service support VPC Service Controls?

Yes, CA Service supports VPC Service Controls. For more information, see Supported products and limitations > Certificate Authority Service.

How will CAs and certificates created during public preview be affected at general availability (GA)?

CAs and certificates created during public preview will be deleted when CA Service announces GA.

How are PEM encoded public keys supposed to be used with REST APIs?

PEM encoded public keys can only be used with REST APIs after they have been Base64 encoded.
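
The double encoding described above, as an added example that is not part of the original page or Google's code: the PEM body is already Base64 of DER, and the whole armored text is Base64 encoded a second time before it goes into a REST request. The function names, the accepted PEM labels, and the sample key are assumptions; the request field that carries the value is not given on this page and is not shown.

```python
import base64
import re

# One armored block: BEGIN line, Base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")


def pem_public_key_to_rest_value(pem_text: str) -> str:
    """Validate a single PEM public key and Base64 encode the whole PEM text."""
    pem_text = pem_text.replace("\r\n", "\n").strip()
    match = PEM_RE.fullmatch(pem_text)
    if match is None:
        raise ValueError("expected exactly one PEM block and nothing else")
    label, body = match.groups()
    if "PRIVATE" in label:
        raise ValueError("refusing to encode private key material")
    # Assumption: these two labels are the public key types worth accepting.
    if label not in ("PUBLIC KEY", "RSA PUBLIC KEY"):
        raise ValueError(f"not a public key block: {label}")
    # The PEM body is itself Base64 of DER; check it before sending anything.
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:  # 0x30 is the DER SEQUENCE tag
        raise ValueError("PEM body is not a DER SEQUENCE")
    # Second layer: the armored text, BEGIN/END lines included, is encoded again.
    return base64.b64encode((pem_text + "\n").encode("ascii")).decode("ascii")


def constructed_sample_pem() -> str:
    """Constructed input: P-256 SPKI header with placeholder point bytes."""
    der = bytes.fromhex(
        "3059301306072a8648ce3d020106082a8648ce3d030107034200"
    ) + b"\x04" + bytes(range(64))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")


if __name__ == "__main__":
    print(pem_public_key_to_rest_value(constructed_sample_pem()))
```

Rejecting any block whose label contains PRIVATE keeps a mixed-up key file from being sent to the API by mistake.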

Can CSRs be used with REST APIs?

Yes, Certificate Signing Requests (CSRs) can be used with REST APIs.

Will the APIs change at general availability (GA)? Will the APIs at GA be backward compatible with APIs during preview period?

Yes, CA Service APIs are going to be modified between preview and GA to implement customer feedback. There will be breaking changes so it is recommended that all integrations be updated after a careful review of differences.

Can preview stage APIs still be used after CA Service announces general availability (GA)?

Yes, there will be a short period after CA Service announces GA when the preview APIs can still be used. Note that this period is only intended for customers to smoothly transition to using the latest APIs and will be short-lived with limited support. It is recommended that customers migrate to using the GA APIs as soon as they are available.
