Create a CA pool

This page describes how to create certificate authority (CA) pools.

A CA pool is a collection of multiple CAs with a common certificate issuance policy and Identity and Access Management (IAM) policy. A CA pool makes CA rotation management easier and lets you achieve higher total effective queries per second (QPS).

You must create a CA pool before you can use Certificate Authority Service to create a CA. For more information, see Overview of CA pools.

Before you begin

Make sure you have the CA Service Operation Manager (roles/privateca.caManager) IAM role. For information about granting an IAM to a principal, see Grant a single role.

Decide the CA pool's settings

This section describes the settings of a CA pool and provides recommendations for deciding the settings.

Permanent CA pool settings

The following CA pool settings can't be changed after creating the CA pool.

Location

Specify the CA pool's location. A CA pool is stored in a single Google Cloud location. We recommend that you create your CA pool in the same location or near the location where you intend to use it.

For the complete list of supported locations, see Locations.

Tier

Choose whether you want to create the CA pool with the DevOps or the Enterprise tier. This choice affects whether CA Service persists the created certificates, whether created certificates can later be revoked, and the maximum rate at which you can create certificates from the CAs in the CA pool. For more information, see Select the operation tiers.

Optional CA pool settings

Certificate issuance policy

A CA pool can have a certificate issuance policy. This issuance policy places restrictions on the certificates that the CAs in the CA pool are allowed to issue. You can update the issuance policy of a CA pool after you create the CA pool. For more information, see Overview of templates and issuance policies.

For more information about configuring a certificate issuance policy, see Add a certificate issuance policy to a CA pool.

Publishing options

You can configure a CA pool to publish the CA certificates for each of its CAs. When issuing a certificate, the URL to this CA certificate is included in the certificate as an authority information access (AIA) extension.

CAs in Enterprise tier CA pools can be permitted to publish certificate revocation lists (CRLs) to the associated Cloud Storage bucket. When issuing a certificate, a URL to this CRL is included in the certificate as the CRL Distribution Point (CDP) extension. You cannot find the CRL without the CDP extension in the certificate. For more information, see Revoke certificates.

You can also select the encoding format of published CA certificates and CRLs. The supported encoding formats are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). If an encoding format is not specified, PEM will be used.

If you create the CA pool using Google Cloud CLI or Google Cloud console, CA Service enables these publishing options by default. For more information, see Disabling CA certificate and CRL publication for CAs in a CA pool.

Create a CA pool

To create a CA pool, use the following instructions:

Console

Choose a name for the CA pool

  1. Go to the Certificate Authority Service page in the Google Cloud console.

    Go to Certificate Authority Service

  2. Click CA pool manager.

  3. Click Create pool.

  4. Add a name for the CA pool that is unique for the region.

  5. Select a region from the drop-down in the Region field. For more information, see Choosing the best location.

  6. Select either the Enterprise or the DevOps tier. For more information, see Select the operation tiers.

  7. Click Next.

Configure allowed key algorithms and sizes

CA Service lets you choose the signing algorithms for the Cloud KMS keys that back the CAs in the CA pool. All key algorithms are allowed by default.

To restrict the allowed keys in the certificates issued by the CA pool, do the following. This is an optional procedure.

  1. Click the toggle.
  2. Click Add an item.
  3. In the Type list, select the key type.

    If you want to use RSA keys, do the following:

    1. Optional: Add the minimum modulus size in bits.
    2. Optional: Add the maximum modulus size in bits.
    3. Click Done.

    If you want to use elliptic curve keys, do the following:

    1. Optional: In the Elliptic curve type list, select the elliptic curve type.
    2. Click Done.
  4. To add another allowed key, click Add an item, and repeat Step 2.

  5. Click Next.

Configure certificate request methods

To place limitations on the methods that certificate requesters can use to request certificates from the CA pool, do the following:

  1. Optional: To restrict CSR-based certificate requests, click the toggle.
  2. Optional: To restrict configuration-based certificate requests, click the toggle.

Configure publishing options

To configure publishing options, do the following:

  1. Optional: To disallow publishing CA certificates to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.
  2. Optional: To disallow publishing CRLs to the Cloud Storage bucket for the CAs in the CA pool, click the toggle.
  3. Click the menu to select the encoding format for published CA certificates and CRLs.

    Configure publishing options for CA certificates and CRLs for the CAs in the CA pool.

  4. Click Next.

Configure identity constraints

To configure constraints on the subject and SANs in the certificates that the CA pool issues, do the following:

  1. Optional: To disallow subject in certificate requests from being passed through, click the toggle.
  2. Optional: To disallow subject alternative names in certificate requests from being passed through, click the toggle.
  3. Optional: Add a Common Expression Language (CEL) expression to place restrictions on certificate subjects. For more information, see Using CEL.
  4. Click Next.
Configure extension constraints

To disallow all extensions from certificate requests from being included in the issued certificates, click the toggle.

After you click the toggle, you will see the Known certificate extensions field that you can use to select the certificate extensions. To select the certificate extensions, do the following:

  1. Optional: Click the Known certificate extensions field, and clear the unrequired extensions from the menu.
  2. Optional: In the Custom extensions field, add the object identifiers for extensions you want to be included in the certificates that the CA pool issues.
Configure baseline values

To configure baseline values in the certificates issued from the CA pool, do the following:

  1. Click the toggle.
  2. Click Configure baseline values.
Define base key usage

You can use this setting to configure the ways in which the key contained in the certificate can be used. The options for key usage include key encipherment, data encipherment, certificate signing, CRL signing, and more.

For more information, see Key usage

To define the base key usages, do the following:

  1. Optional: In the window that appears, click the toggle, if you want to specify base key usages for the certificates.
  2. Select the checkboxes for the ways in which you want a key to be used.
  3. Select the high-level ways in which you want a key to be used.
  4. Click Next.
Define extended key usage

You can use this setting to select more granular scenarios for which the key contained in the certificate can be used. The options include server authentication, client authentication, code signing, email protection, and more.

Extended key usages are defined using object identifiers (OIDs). If you don't configure the extended key usages, all key usage scenarios are allowed.

For more information, see Extended key usage.

To define the extended key usages, do the following:

  1. Optional: To specify the extended key usages for the certificates that the CA pool issues, click the toggle.
  2. Select the checkboxes for the extended key usage scenarios.
  3. Click Next.
Define policy identifiers

The certificate policies extension in the certificate expresses the policies that the issuing CA pool follows. This extension can include information about how identities are validated before certificate issuance, how certificates are revoked, and how the CA pool's integrity is ensured. This extension helps you verify the certificates that the CA pool issues and see how the certificates are used.

For more information, see Certificate policies.

To specify the policy that defines the certificate usage, do the following:

  1. Optional: Add the policy identifier in the Policy identifiers field.
  2. Click Next.
Add Authority information access (AIA) OCSP servers

The AIA extension in a certificate provides the following information:

  • Address of the OCSP servers from where you can check the revocation status of the certificate.
  • The access method for the issuer of the certificate.

For more information, see Authority information access.

To add the OCSP servers that appear in the AIA extension field in the certificates, do the following. The following procedure is optional.

  1. Optional: Click Add item.
  2. In the Server URL field, add the URL of the OCSP server.
  3. Click Done.
  4. Click Next.
Configure additional extensions

To configure additional custom extensions to include in the certificates issued by the CA pool, do the following. The following procedure is optional.

  1. Click Add item.
  2. In the Object identifier field, add a valid object identifier that is formatted as dot-separated digits.
  3. In the Value field, add the base64-encoded value for the identifier.
  4. If the extension is critical, select Extension is critical.

To save all the baseline value configurations, click Done.

To create the CA pool, click Done.

gcloud

Run the following command:

gcloud privateca pools create POOL_NAME

Replace POOL_NAME with the name of the CA pool.

If you don't specify which tier you require for your CA pool, the Enterprise tier is selected by default. If you want to specify the tier for your CA pool, run the following gcloud command:

gcloud privateca pools create POOL_NAME --tier=TIER_NAME

Replace the following:

  • POOL_NAME: The name of your CA pool.
  • TIER_NAME: Either devops or enterprise. For more information, see Select the operation tiers.

If you don't specify the publishing encoding format for your CA pool, the PEM publishing encoding format is selected by default. If you want to specify the publishing encoding format for your CA pool, run the following gcloud command:

gcloud privateca pools create POOL_NAME --publishing-encoding-format=PUBLISHING_ENCODING_FORMAT

Replace the following:

  • POOL_NAME: The name of your CA pool.
  • PUBLISHING_ENCODING_FORMAT: Either PEM or DER.

For more information about the gcloud privateca pools create command, see gcloud privateca pools create.

For information about placing restrictions on the type of certificates that a CA pool can issue, see Add a certificate issuance policy to a CA pool.

Terraform

resource "google_privateca_ca_pool" "default" {
  name     = "ca-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
  labels = {
    foo = "bar"
  }
}

Go

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	privateca "cloud.google.com/go/security/privateca/apiv1"
	"cloud.google.com/go/security/privateca/apiv1/privatecapb"
)

// Create a Certificate Authority pool. All certificates created under this CA pool will
// follow the same issuance policy, IAM policies, etc.
func createCaPool(w io.Writer, projectId string, location string, caPoolId string) error {
	// projectId := "your_project_id"
	// location := "us-central1"	// For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
	// caPoolId := "ca-pool-id"		// A unique id/name for the ca pool.

	ctx := context.Background()
	caClient, err := privateca.NewCertificateAuthorityClient(ctx)
	if err != nil {
		return fmt.Errorf("NewCertificateAuthorityClient creation failed: %w", err)
	}
	defer caClient.Close()

	caPool := &privatecapb.CaPool{
		// Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
		Tier: privatecapb.CaPool_ENTERPRISE,
	}

	locationPath := fmt.Sprintf("projects/%s/locations/%s", projectId, location)

	// See https://pkg.go.dev/cloud.google.com/go/security/privateca/apiv1/privatecapb#CreateCaPoolRequest.
	req := &privatecapb.CreateCaPoolRequest{
		Parent:   locationPath,
		CaPoolId: caPoolId,
		CaPool:   caPool,
	}

	op, err := caClient.CreateCaPool(ctx, req)
	if err != nil {
		return fmt.Errorf("CreateCaPool failed: %w", err)
	}

	if _, err = op.Wait(ctx); err != nil {
		return fmt.Errorf("CreateCaPool failed during wait: %w", err)
	}

	fmt.Fprintf(w, "CA Pool created")

	return nil
}

Java

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.


import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CaPool;
import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy;
import com.google.cloud.security.privateca.v1.CaPool.Tier;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
import com.google.cloud.security.privateca.v1.CreateCaPoolRequest;
import com.google.cloud.security.privateca.v1.LocationName;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

public class CreateCaPool {

  public static void main(String[] args)
      throws InterruptedException, ExecutionException, IOException {
    // TODO(developer): Replace these variables before running the sample.
    // location: For a list of locations, see:
    // https://cloud.google.com/certificate-authority-service/docs/locations
    // poolId: Set a unique poolId for the CA pool.
    String project = "your-project-id";
    String location = "ca-location";
    String poolId = "ca-pool-id";
    createCaPool(project, location, poolId);
  }

  // Create a Certificate Authority Pool. All certificates created under this CA pool will
  // follow the same issuance policy, IAM policies,etc.,
  public static void createCaPool(String project, String location, String poolId)
      throws InterruptedException, ExecutionException, IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `certificateAuthorityServiceClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
        CertificateAuthorityServiceClient.create()) {

      IssuancePolicy issuancePolicy = IssuancePolicy.newBuilder()
          .setIdentityConstraints(CertificateIdentityConstraints.newBuilder()
              .setAllowSubjectPassthrough(true)
              .setAllowSubjectAltNamesPassthrough(true)
              .build())
          .build();

      /* Create the pool request
        Set Parent which denotes the project id and location.
        Set the Tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
      */
      CreateCaPoolRequest caPoolRequest =
          CreateCaPoolRequest.newBuilder()
              .setParent(LocationName.of(project, location).toString())
              .setCaPoolId(poolId)
              .setCaPool(
                  CaPool.newBuilder()
                      .setIssuancePolicy(issuancePolicy)
                      .setTier(Tier.ENTERPRISE)
                      .build())
              .build();

      // Create the CA pool.
      ApiFuture<Operation> futureCall =
          certificateAuthorityServiceClient.createCaPoolCallable().futureCall(caPoolRequest);
      Operation response = futureCall.get();

      if (response.hasError()) {
        System.out.println("Error while creating CA pool !" + response.getError());
        return;
      }

      System.out.println("CA pool created successfully: " + poolId);
    }
  }
}

Python

To authenticate to CA Service, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import google.cloud.security.privateca_v1 as privateca_v1


def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
    """
    Create a Certificate Authority pool. All certificates created under this CA pool will
    follow the same issuance policy, IAM policies,etc.,

    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
        ca_pool_name: a unique name for the ca pool.
    """

    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

    ca_pool = privateca_v1.CaPool(
        # Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
        tier=privateca_v1.CaPool.Tier.ENTERPRISE,
    )
    location_path = caServiceClient.common_location_path(project_id, location)

    # Create the pool request.
    request = privateca_v1.CreateCaPoolRequest(
        parent=location_path,
        ca_pool_id=ca_pool_name,
        ca_pool=ca_pool,
    )

    # Create the CA pool.
    operation = caServiceClient.create_ca_pool(request=request)

    print("Operation result:", operation.result())

REST API

  1. Create a CA pool.

    HTTP method and URL:

    POST https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/caPools\?ca_pool_id=POOL_ID

    Request JSON body:

    {
    "tier": "ENTERPRISE"
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": false
    }
    

  2. Poll the operation until it is complete.

    The operation is complete when the long-running operation's done property is set to true.

    HTTP method and URL:

    GET https://privateca.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
     "name": "projects/PROJECT_ID/locations/LOCATION/operations/operation-UUID",
     "metadata": {...},
     "done": true,
     "response": {
       "@type": "type.googleapis.com/google.cloud.security.privateca.v1.CaPool",
       "name": "...",
       "tier": "ENTERPRISE"
     }
    }
    

Add or update labels on a CA pool

A label is a key-value pair that helps you organize your CA Service resources. You can filter your resources based on their labels.

To add or update labels on a CA pool, do the following:

Console

To add a label, do the following:

  1. Go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. In the CA pool manager tab, select the CA pool.

  3. Click Labels.

  4. Click Add label.

  5. Add a key-value pair.

  6. Click Save.

    Add a label to an existing CA pool.

To edit an existing label, do the following:

  1. Go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. In the CA pool manager tab, select the CA pool.

  3. Click Labels.

  4. Edit the value of the label.

  5. Click Save.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --update-labels foo=bar

Replace POOL_ID with the name of the CA pool.

What's next