Known limitations

This page documents the known limitations of Certificate Authority Service.

Revocation support

Certificate revocation is only supported through Certificate Revocation Lists (CRLs). Online Certificate Status Protocol (OCSP) isn't supported by CA Service, but you can implement and run a delegated OCSP responder.

For more information on implementing an OCSP responder, see OCSP support.

Client-generated keys

For convenience, the Cloud SDK and Google Cloud Console can automatically generate an asymmetric key pair when issuing a certificate. Keys generated using Cloud SDK are limited to RSA-2048, while keys generated using Google Cloud Console support a wider selection of algorithms.

