Known limitations

This page documents the known limitations of Certificate Authority Service.

Revocation support

Certificate revocation is only supported through Certificate Revocation Lists (CRLs). Online Certificate Status Protocol (OCSP) isn't supported by CA Service, but you can implement and run a delegated OCSP responder.

For more information on implementing an OCSP responder, see OCSP support.

Client-generated keys

For convenience, the Google Cloud CLI and the Google Cloud console can automatically generate an asymmetric key pair when issuing certificates. Keys generated using the Google Cloud CLI are limited to RSA-2048, while keys generated using the Google Cloud console support a wider selection of algorithms.

Certificate subject

CA Service only supports the following attribute types in the subject of a certificate:

  • Common Name (CN)
  • Country Code (C)
  • Organization (O)
  • Organizational Unit (OU)
  • Locality (L)
  • Province (ST)
  • Street Address
  • Postal Code

This limitation applies to the subject field in both CA certificates and end-entity certificates. Each of these attribute types is limited to only one value.

For more information, see the Subject message in the REST API documentation.
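A pre-flight check for the subject limits above, written as an added example and not taken from CA Service or its client libraries. The short names in `SUPPORTED` (including `STREET` and `POSTALCODE`) and the comma-separated DN string form are assumptions, and the sample subjects are constructed.

```python
from collections import Counter

# Short names assumed here for the eight attribute types listed on this page.
SUPPORTED = {"CN", "C", "O", "OU", "L", "ST", "STREET", "POSTALCODE"}

def split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def parse_subject(dn):
    """Return (type, value) pairs from a DN string such as 'CN=a,O=b'."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # '+' joins a multi-valued RDN
            if not ava.strip():
                continue
            attr, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {ava!r}")
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def check_subject(dn):
    """List the ways a subject DN falls outside the limits on this page."""
    counts = Counter(attr for attr, _ in parse_subject(dn))
    problems = [f"unsupported attribute type: {a}"
                for a in counts if a not in SUPPORTED]
    problems += [f"{a} has {n} values, only one is allowed"
                 for a, n in counts.items() if a in SUPPORTED and n > 1]
    return problems

# Constructed sample subjects.
OK_DN = "CN=api.example.com,OU=Platform,O=Example\\, Inc.,L=Zurich,C=CH"
BAD_DN = "CN=api.example.com,OU=Platform,OU=Security,DC=example,DC=com"
```

Running `check_subject` on the subject of a certificate request before submitting it surfaces unsupported or repeated attributes early.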
