Create a CA pool
This page describes how to create certificate authority (CA) pools.
A CA pool is a collection of multiple CAs with a common certificate issuance policy and Identity and Access Management (IAM) policy. A CA pool makes CA rotation management easier and lets you achieve higher total effective queries per second (QPS).
You must create a CA pool before you can use Certificate Authority Service to create a CA. For more information, see Overview of CA pools.
Before you begin
Make sure you have the CA Service Operation Manager (roles/privateca.caManager) IAM role. For information about granting an IAM role to a principal, see Grant a single role.
Decide the CA pool's settings
This section describes the settings of a CA pool and provides recommendations for deciding the settings.
Permanent CA pool settings
The following CA pool settings can't be changed after creating the CA pool.
- Location
Specify the CA pool's location. A CA pool is stored in a single Google Cloud location. We recommend that you create your CA pool in the same location or near the location where you intend to use it.
For the complete list of supported locations, see Locations.
- Tier
Choose whether you want to create the CA pool with the DevOps or the Enterprise tier. This choice affects whether CA Service persists the created certificates, whether created certificates can later be revoked, and the maximum rate at which you can create certificates from the CAs in the CA pool. For more information, see Select the operation tiers.
Optional CA pool settings
- Certificate issuance policy
A CA pool can have a certificate issuance policy. This issuance policy places restrictions on the certificates that the CAs in the CA pool are allowed to issue. You can update the issuance policy of a CA pool after you create the CA pool. For more information, see Overview of templates and issuance policies.
For more information about configuring a certificate issuance policy, see Add a certificate issuance policy to a CA pool.
- Publishing options
You can configure a CA pool to publish the CA certificates for each of its CAs. When issuing a certificate, the URL to this CA certificate is included in the certificate as an authority information access (AIA) extension.
CAs in Enterprise tier CA pools can be permitted to publish certificate revocation lists (CRLs) to the associated Cloud Storage bucket. When issuing a certificate, a URL to this CRL is included in the certificate as the CRL Distribution Point (CDP) extension. Without the CDP extension in the certificate, a relying party has no way to locate the CRL. For more information, see Revoke certificates.
You can also select the encoding format of published CA certificates and CRLs. The supported encoding formats are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). If an encoding format is not specified, PEM will be used.
If you create the CA pool using Google Cloud CLI or Google Cloud console, CA Service enables these publishing options by default. For more information, see Disabling CA certificate and CRL publication for CAs in a CA pool.
Create a CA pool
To create a CA pool, use the following instructions:
Console
Choose a name for the CA pool
Go to the Certificate Authority Service page in the Google Cloud console.
Click CA pool manager.
Click Create pool.
Add a name for the CA pool that is unique for the region.
Select a region from the drop-down in the Region field. For more information, see Choosing the best location.
Select either the Enterprise or the DevOps tier. For more information, see Select the operation tiers.
Click Next.
Configure allowed key algorithms and sizes
CA Service lets you choose the signing algorithms for the Cloud KMS keys that back the CAs in the CA pool. All key algorithms are allowed by default.
To restrict the allowed keys in the certificates issued by the CA pool, do the following. This is an optional procedure.
- Click the toggle.
- Click Add an item.
In the Type list, select the key type.
If you want to use RSA keys, do the following:
- Optional: Add the minimum modulus size in bits.
- Optional: Add the maximum modulus size in bits.
- Click Done.
If you want to use elliptic curve keys, do the following:
- Optional: In the Elliptic curve type list, select the elliptic curve type.
- Click Done.
To add another allowed key, click Add an item, and repeat Step 2.
Click Next.
Configure certificate request methods
To place limitations on the methods that certificate requesters can use to request certificates from the CA pool, do the following:
- Optional: To restrict CSR-based certificate requests, click the toggle.
- Optional: To restrict configuration-based certificate requests, click the toggle.
Configure publishing options
To configure publishing options, do the following:
- Optional: To disallow publishing CA certificates to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.
- Optional: To disallow publishing CRLs to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.
Click the menu to select the encoding format for published CA certificates and CRLs.
Click Next.
To configure baseline values in the certificates issued from the CA pool, do the following:
- Click the toggle.
- Click Configure baseline values.
You can use this setting to configure the ways in which the key contained in the certificate can be used. The options for key usage include key encipherment, data encipherment, certificate signing, CRL signing, and more.
For more information, see Key usage.
To define the base key usages, do the following:
- Optional: In the window that appears, click the toggle, if you want to specify base key usages for the certificates.
- Select the checkboxes for the ways in which you want a key to be used.
- Click Next.
You can use this setting to select more granular scenarios for which the key contained in the certificate can be used. The options include server authentication, client authentication, code signing, email protection, and more.
Extended key usages are defined using object identifiers (OIDs). If you don't configure the extended key usages, all key usage scenarios are allowed.
For more information, see Extended key usage.
To define the extended key usages, do the following:
- Optional: To specify the extended key usages for the certificates that the CA pool issues, click the toggle.
- Select the checkboxes for the extended key usage scenarios.
- Click Next.
The certificate policies extension in the certificate expresses the policies that the issuing CA pool follows. This extension can include information about how identities are validated before certificate issuance, how certificates are revoked, and how the CA pool's integrity is ensured. This extension helps you verify the certificates that the CA pool issues and see how the certificates are used.
For more information, see Certificate policies.
To specify the policy that defines the certificate usage, do the following:
- Optional: Add the policy identifier in the Policy identifiers field.
- Click Next.
The AIA extension in a certificate provides the following information:
- Address of the OCSP servers from where you can check the revocation status of the certificate.
- The access method for the issuer of the certificate.
For more information, see Authority information access.
To add the OCSP servers that appear in the AIA extension field in the certificates, do the following. The following procedure is optional.
- Optional: Click Add item.
- In the Server URL field, add the URL of the OCSP server.
- Click Done.
- Click Next.
To configure additional custom extensions to include in the certificates issued by the CA pool, do the following. The following procedure is optional.
- Click Add item.
- In the Object identifier field, add a valid object identifier that is formatted as dot-separated digits.
- In the Value field, add the base64-encoded value for the identifier.
- If the extension is critical, select Extension is critical.
To save all the baseline value configurations, click Done.
Configure extension constraints
To prevent any extensions in certificate requests from being passed through into the issued certificates, click the toggle.
After you click the toggle, you will see the Known certificate extensions field that you can use to select the certificate extensions. To select the certificate extensions, do the following:
- Optional: Click the Known certificate extensions field, and clear the unrequired extensions from the menu.
- Optional: In the Custom extensions field, add the object identifiers for extensions you want to be included in the certificates that the CA pool issues.
To configure constraints on the subject and SANs in the certificates that the CA pool issues, do the following:
- Optional: To disallow the subject in certificate requests from being passed through, click the toggle.
- Optional: To disallow subject alternative names in certificate requests from being passed through, click the toggle.
- Optional: Add a Common Expression Language (CEL) expression to place restrictions on certificate subjects. For more information, see Using CEL.
- Click Next.
To learn how to configure additional parameters in the certificate issuance policy, see IssuancePolicy.
To create the CA pool, click Done.
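The Console steps above map onto the fields of the CA pool's certificate issuance policy. The following Python example is added here and is not code from the page or from Google; it assembles an equivalent policy as a dictionary and validates the OID and base64 inputs the way the Console form requires. Field and enum names follow the CA Service v1 IssuancePolicy resource as assumed by this example, and the OIDs, OCSP URL and CEL expression are constructed placeholders.

```python
import base64
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")  # dot-separated digits, as the Console form requires


def oid_path(oid: str) -> list:
    """Convert a dotted OID string into the objectIdPath integer list used by the API."""
    if not OID_RE.match(oid):
        raise ValueError(f"not a dot-separated OID: {oid!r}")
    return [int(part) for part in oid.split(".")]


def custom_extension(oid: str, value_b64: str, critical: bool = False) -> dict:
    """Build one additionalExtensions entry; rejects a value that is not valid base64."""
    base64.b64decode(value_b64, validate=True)
    return {"objectId": {"objectIdPath": oid_path(oid)}, "critical": critical, "value": value_b64}


def build_issuance_policy() -> dict:
    """Policy equivalent to the Console choices: restricted key types, CSR-only issuance,
    TLS-server baseline values, an OCSP entry for AIA, and a SAN constraint.
    json.dumps() of this dict is valid YAML for gcloud's --issuance-policy=FILE flag."""
    return {
        "allowedKeyTypes": [
            {"rsa": {"minModulusSize": 3072, "maxModulusSize": 4096}},
            {"ellipticCurve": {"signatureAlgorithm": "ECDSA_P256"}},
        ],
        "allowedIssuanceModes": {"allowCsrBasedIssuance": True, "allowConfigBasedIssuance": False},
        "baselineValues": {
            "keyUsage": {
                "baseKeyUsage": {"digitalSignature": True, "keyEncipherment": True},
                "extendedKeyUsage": {"serverAuth": True},
            },
            "caOptions": {"isCa": False},
            "policyIds": [{"objectIdPath": oid_path("1.3.6.1.4.1.99999.1")}],  # constructed OID
            "aiaOcspServers": ["http://ocsp.example.internal"],  # constructed URL
            "additionalExtensions": [
                custom_extension("1.3.6.1.4.1.99999.2", base64.b64encode(b"demo").decode()),
            ],
        },
        "identityConstraints": {
            "allowSubjectPassthrough": True,
            "allowSubjectAltNamesPassthrough": True,
            # constructed CEL expression: accept only DNS SANs under one internal zone
            "celExpression": {"expression": "subject_alt_names.all(san, san.type == DNS && "
                                            'san.value.endsWith(".example.internal"))'},
        },
        "passthroughExtensions": {"knownExtensions": ["BASE_KEY_USAGE", "EXTENDED_KEY_USAGE"]},
    }
```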
gcloud
Run the following command:
gcloud privateca pools create POOL_NAME
Replace POOL_NAME with the name of the CA pool.
If you don't specify which tier you require for your CA pool, the Enterprise tier is selected by default. If you want to specify the tier for your CA pool, run the following gcloud command:
gcloud privateca pools create POOL_NAME --tier=TIER_NAME
Replace the following:
- POOL_NAME: The name of your CA pool.
- TIER_NAME: Either devops or enterprise. For more information, see Select the operation tiers.
If you don't specify the publishing encoding format for your CA pool, the PEM publishing encoding format is selected by default. If you want to specify the publishing encoding format for your CA pool, run the following gcloud command:
gcloud privateca pools create POOL_NAME --publishing-encoding-format=PUBLISHING_ENCODING_FORMAT
Replace the following:
- POOL_NAME: The name of your CA pool.
- PUBLISHING_ENCODING_FORMAT: Either PEM or DER.
For more information about the gcloud privateca pools create command, see gcloud privateca pools create.
For information about placing restrictions on the type of certificates that a CA pool can issue, see Add a certificate issuance policy to a CA pool.
Terraform
Go
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST API
Create a CA pool.
HTTP method and URL:
POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools?ca_pool_id=POOL_ID
Request JSON body:
{ "tier": "ENTERPRISE" }
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": false }
Poll the operation until it is complete.
The operation is complete when the long-running operation's done property is set to true.
HTTP method and URL:
GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID", "metadata": {...}, "done": true, "response": { "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CaPool", "name": "...", "tier": "ENTERPRISE" } }
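The following Python example is added here and is not part of the page or Google's own samples. It builds the create request shown above (including the tier and the publishing options from the settings section) and polls the returned operation until done is true, raising if the terminal operation carries an error field instead of a response. The HTTP client is injected as a fetch(url) callable so the loop runs offline against constructed responses; the publishingOptions field names are assumed from the v1 CaPool resource.

```python
import time

API = "https://privateca.googleapis.com/v1"


def create_pool_request(project, location, pool_id, tier="ENTERPRISE", encoding="PEM"):
    """Return (method, url, body) for the create call shown above.
    publishingOptions field names are assumed from the v1 CaPool resource."""
    if tier not in ("ENTERPRISE", "DEVOPS") or encoding not in ("PEM", "DER"):
        raise ValueError("tier must be ENTERPRISE or DEVOPS, encoding PEM or DER")
    parent = f"projects/{project}/locations/{location}"
    body = {
        "tier": tier,
        "publishingOptions": {
            "publishCaCert": True,
            "publishCrl": tier == "ENTERPRISE",  # CRL publication exists only for Enterprise pools
            "encodingFormat": encoding,
        },
    }
    return "POST", f"{API}/{parent}/caPools?ca_pool_id={pool_id}", body


def wait_for_operation(fetch, op_name, attempts=10, delay=0.0):
    """Poll the long-running operation until done is true and return its response.
    fetch(url) -> dict is injected (for example an authorized session's .get(url).json())."""
    for _ in range(attempts):
        op = fetch(f"{API}/{op_name}")
        if op.get("done"):
            if "error" in op:
                raise RuntimeError(f"operation failed: {op['error']}")
            return op["response"]
        time.sleep(delay)
    raise TimeoutError(f"operation {op_name} still running after {attempts} polls")


def fake_fetch_factory(pool_name, tier, fail=False):
    """Constructed stand-in for the API: two 'running' polls, then a terminal state."""
    states = [{"done": False}, {"done": False}]
    if fail:
        states.append({"done": True, "error": {"code": 9, "message": "constructed failure"}})
    else:
        states.append({"done": True, "response": {
            "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CaPool",
            "name": pool_name, "tier": tier}})
    calls = iter(states)
    return lambda url: next(calls)
```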
Add or update labels on a CA pool
A label is a key-value pair that helps you organize your CA Service resources. You can filter your resources based on their labels.
To add or update labels on a CA pool, do the following:
Console
To add a label, do the following:
Go to the Certificate Authority Service page.
In the CA pool manager tab, select the CA pool.
Click Labels.
Click Add label.
Add a key-value pair.
Click Save.
To edit an existing label, do the following:
Go to the Certificate Authority Service page.
In the CA pool manager tab, select the CA pool.
Click Labels.
Edit the value of the label.
Click Save.
gcloud
Run the following command:
gcloud privateca pools update POOL_ID --update-labels foo=bar
Replace POOL_ID with the name of the CA pool.
What's next
- Learn how to create a root CA.
- Learn how to create a subordinate CA.
- Learn how to use a certificate issuance policy.
- Learn how to increase certificate creation throughput using CA pools.
- Learn how to update and delete a CA pool.