Managed resources

Background

Certificate Authorities created through CA Service rely on two secondary resource types:

  • A Cloud KMS key version, used to sign certificates and Certificate Revocation Lists (CRLs) issued by the CA.
  • A Cloud Storage bucket, used to host a CA certificate and/or any CRLs published by the CA, if these are enabled.

Both of these resources must exist for each CA, and cannot be changed after the CA is created.

Management models

CA Service supports two lifecycle management models for these resources: service-managed or user-managed. The two resources need not use the same model; for example, the key can be service-managed while the bucket is user-managed, or vice versa.

Service-managed

Resources following this model are created and configured automatically by CA Service when the CA is created, and deleted when the CA is deleted. Users are not billed separately for these resources.

By default, new CAs will use service-managed Cloud KMS keys and Cloud Storage buckets. You may choose a specific key algorithm for the service-managed Cloud KMS key while creating a CA:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

  2. Click the Create CA button.

  3. Choose the appropriate CA type, tier and location, then click Next.

  4. Choose the appropriate CA subject and resource ID, then click Next.

  5. Under Configure CA key size and algorithm:

    1. Choose one of the available key algorithms.

gcloud

gcloud beta privateca roots create ca-id \
    --subject "CN=Common Name, O=Organization Name" \
    --key-algorithm key-algorithm

Note that:

  • roots can be replaced with subordinates to create a subordinate CA.
  • key-algorithm can be one of the algorithms described here.
  • If the --key-algorithm flag is omitted, this command will default to:
    • rsa-pkcs1-4096-sha256 for root CAs.
    • rsa-pkcs1-2048-sha256 for subordinate CAs.
  • Most other CA creation options are unchanged.

For more on how to create a CA, see Creating certificate authorities. For guidance on choosing a key algorithm, see Choosing a key algorithm.

User-managed

Resources following this model must be created and configured by a user prior to CA creation and deleted at an appropriate time after the CA is destroyed. Users are billed directly for those resources.

One advantage of this model is that callers have direct control over those resources, and may directly update attributes such as access management to fit their organizational requirements.

To use an existing Cloud KMS key version, you can follow these steps:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

  2. Click the Create CA button.

  3. Under Select CA type:

    1. Choose an appropriate CA type and validity duration.
    2. Choose the Enterprise tier.
    3. Choose an appropriate location.
    4. Click Next.
  4. Choose the appropriate CA subject and resource ID, then click Next.

  5. Under Configure CA key size and algorithm:

    1. Click Customer managed key.
    2. Paste your key version resource name here.

      For instructions on how to find this, see Getting the ID for a key and version.

gcloud

gcloud beta privateca roots create ca-id \
    --subject "CN=Common Name, O=Organization Name" \
    --kms-key-version kms-resource-name

Note that:

  • roots can be replaced with subordinates to create a subordinate CA.
  • kms-resource-name refers to the existing key version resource name. For instructions on how to find this, see Getting the ID for a key and version.
  • Most other CA creation options are unchanged.

To use an existing Cloud Storage bucket, you can follow these steps:

Console

  1. Go to the Certificate Authority Service page in the Google Cloud Console.

  2. Click the Create CA button.

  3. Under Select CA type:

    1. Choose an appropriate CA type and validity duration.
    2. Choose the Enterprise tier.
    3. Choose an appropriate location.
    4. Click Next.
  4. Choose the appropriate CA subject and resource ID, then click Next.

  5. Choose the appropriate CA key or key algorithm, then click Next.

  6. Under Configure CA artifacts:

    1. Click Customer managed.
    2. Enter your existing Cloud Storage bucket name, or click "Browse" to find it.

gcloud

gcloud beta privateca roots create ca-id \
    --subject "CN=Common Name, O=Organization Name" \
    --bucket bucket-name

Note that:

  • roots can be replaced with subordinates to create a subordinate CA.
  • bucket-name refers to the existing bucket name.
  • Most other CA creation options are unchanged.
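A pre-flight check for the user-managed case, added here as an example and not part of the CA Service documentation: because neither resource can be changed after the CA is created, it validates the shape of the Cloud KMS key version resource name and the Cloud Storage bucket name before assembling the gcloud command shown above. The resource-name pattern and bucket-name rules are assumptions taken from the Cloud KMS and Cloud Storage naming conventions, and the sample values in the usage are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight validation for user-managed CA resources before running
# `gcloud beta privateca roots create ... --kms-key-version ... --bucket ...`.

# Assumed shape of a Cloud KMS key version resource name:
# projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/V
# (V is a numeric version; whether the key is an asymmetric signing key
# can only be confirmed against Cloud KMS itself, not from the name).
validate_kms_key_version() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[0-9]+$'
}

# Assumed Cloud Storage bucket naming rules (simplified): 3 to 63 characters,
# lowercase letters, digits, dots, dashes and underscores, starting and
# ending with a letter or digit, and not starting with "goog".
validate_bucket_name() {
  case "$1" in
    goog*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}

# Assemble the create command as a string (dry run; nothing is executed).
# Arguments: ca-id, subject, KMS key version resource name, bucket name.
build_create_command() {
  validate_kms_key_version "$3" || {
    echo "invalid Cloud KMS key version resource name: $3" >&2
    return 1
  }
  validate_bucket_name "$4" || {
    echo "invalid Cloud Storage bucket name: $4" >&2
    return 1
  }
  printf 'gcloud beta privateca roots create %s --subject "%s" --kms-key-version %s --bucket %s\n' \
    "$1" "$2" "$3" "$4"
}
```

Run `build_create_command` with your own values and execute the printed command only once both checks pass; a rejected name is cheaper to fix here than after the CA exists.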

What's next