Background
Certificate Authorities created through CA Service rely on two secondary resource types:
- A Cloud KMS key version, used to sign certificates and Certificate Revocation Lists (CRLs) issued by the CA.
- A Cloud Storage bucket, used to host a CA certificate and/or any CRLs published by the CA, if these are enabled.
Both of these resources must exist for each CA, and cannot be changed after the CA is created.
Management models
CA Service supports two lifecycle management models for these resources: service-managed or user-managed. The two resources need not use the same model; for example, the key can be service-managed while the bucket is user-managed, or vice versa.
Service-managed
Resources following this model are created and configured automatically by CA Service when the CA is created, and deleted when the CA is deleted. Users are not billed separately for these resources.
By default, new CAs will use service-managed Cloud KMS keys and Cloud Storage buckets. You may choose a specific key algorithm for the service-managed Cloud KMS key while creating a CA:
Console
Go to the Certificate Authority Service page in the Google Cloud Console.
Click the Create CA button.
Choose the appropriate CA type, tier and location, then click Next.
Choose the appropriate CA subject and resource ID, then click Next.
Under Configure CA key size and algorithm:
- Choose one of the available key algorithms.
gcloud
gcloud beta privateca roots create ca-id \
--subject "CN=Common Name, O=Organization Name" \
--key-algorithm key-algorithm
Note that:
- roots can be replaced with subordinates to create a subordinate CA.
- key-algorithm can be one of the algorithms described here.
- If the --key-algorithm flag is omitted, this command defaults to:
  - rsa-pkcs1-4096-sha256 for root CAs.
  - rsa-pkcs1-2048-sha256 for subordinate CAs.
- Most other CA creation options are unchanged.
For more on how to create a CA, see Creating certificate authorities. For guidance on choosing a key algorithm, see Choosing a key algorithm.
User-managed
Resources following this model must be created and configured by a user prior to CA creation and deleted at an appropriate time after the CA is destroyed. Users are billed directly for those resources.
One advantage of this model is that callers have direct control over those resources, and may directly update attributes such as access management to fit their organizational requirements.
To use an existing Cloud KMS key version, you can follow these steps:
Console
Go to the Certificate Authority Service page in the Google Cloud Console.
Click the Create CA button.
Under Select CA type:
- Choose an appropriate CA type and validity duration.
- Choose the Enterprise tier.
- Choose an appropriate location.
- Click Next.
Choose the appropriate CA subject and resource ID, then click Next.
Under Configure CA key size and algorithm:
- Click Customer managed key.
- Paste your key version resource name into the field. For instructions on how to find this, see Getting the ID for a key and version.
gcloud
gcloud beta privateca roots create ca-id \
--subject "CN=Common Name, O=Organization Name" \
--kms-key-version kms-resource-name
Note that:
- roots can be replaced with subordinates to create a subordinate CA.
- kms-resource-name refers to the existing key version resource name. For instructions on how to find this, see Getting the ID for a key and version.
- Most other CA creation options are unchanged.
To use an existing Cloud Storage bucket, you can follow these steps:
Console
Go to the Certificate Authority Service page in the Google Cloud Console.
Click the Create CA button.
Under Select CA type:
- Choose an appropriate CA type and validity duration.
- Choose the Enterprise tier.
- Choose an appropriate location.
- Click Next.
Choose the appropriate CA subject and resource ID, then click Next.
Choose the appropriate CA key or key algorithm, then click Next.
Under Configure CA artifacts:
- Click Customer managed.
- Enter your existing Cloud Storage bucket name, or click "Browse" to find it.
gcloud
gcloud beta privateca roots create ca-id \
--subject "CN=Common Name, O=Organization Name" \
--bucket bucket-name
Note that:
- roots can be replaced with subordinates to create a subordinate CA.
- bucket-name refers to the existing bucket name.
- Most other CA creation options are unchanged.
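The two user-managed procedures above (existing Cloud KMS key version, existing Cloud Storage bucket) as one end-to-end script. This is an added example, not code from the CA Service documentation; the project, location, resource names, the service agent identity (service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com) and the IAM roles it is granted are assumptions to verify against your own project.

```shell
#!/bin/sh
# Added example, not from the CA Service docs. Provisions user-managed
# resources (HSM-backed signing key, CRL bucket), grants the CA Service
# service agent least-privilege access, then creates the CA against them.
# Dry run by default: prints the commands. Set DRY_RUN=0 to execute.
set -eu
PROJECT_ID="${PROJECT_ID:-example-project}"          # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"     # placeholder
LOCATION="${LOCATION:-us-west1}"
DRY_RUN="${DRY_RUN:-1}"
# Assumed service agent identity for CA Service (verify in your project).
CA_SA="service-$PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Full resource name of a key version: the value --kms-key-version expects.
kms_key_version_name() {  # args: keyring key version
  echo "projects/$PROJECT_ID/locations/$LOCATION/keyRings/$1/cryptoKeys/$2/cryptoKeyVersions/$3"
}

provision_user_managed() {  # args: keyring key bucket ca_id
  # 1. Signing key. Purpose, algorithm and protection level are fixed for
  #    the CA's lifetime, since the key cannot be swapped after creation.
  run gcloud kms keyrings create "$1" --location "$LOCATION"
  run gcloud kms keys create "$2" --keyring "$1" --location "$LOCATION" \
    --purpose asymmetric-signing --default-algorithm rsa-sign-pkcs1-4096-sha256 \
    --protection-level hsm
  # 2. The service agent only needs to sign with and read the key, not
  #    manage it (assumed roles; check the CA Service IAM docs).
  run gcloud kms keys add-iam-policy-binding "$2" --keyring "$1" \
    --location "$LOCATION" --member "serviceAccount:$CA_SA" \
    --role roles/cloudkms.signerVerifier
  run gcloud kms keys add-iam-policy-binding "$2" --keyring "$1" \
    --location "$LOCATION" --member "serviceAccount:$CA_SA" \
    --role roles/cloudkms.viewer
  # 3. Artifact bucket with uniform bucket-level access (no per-object ACLs);
  #    the service agent writes the CA cert and CRLs, so it needs objectAdmin.
  run gsutil mb -p "$PROJECT_ID" -l "$LOCATION" -b on "gs://$3"
  run gsutil iam ch "serviceAccount:$CA_SA:objectAdmin" "gs://$3"
  # 4. Create the CA against the existing key version (version 1) and bucket.
  run gcloud beta privateca roots create "$4" \
    --subject "CN=Example Root CA, O=Example Org" \
    --kms-key-version "$(kms_key_version_name "$1" "$2" 1)" --bucket "$3"
}

provision_user_managed ca-keyring root-ca-key example-ca-artifacts example-root-ca
```

Replace roots with subordinates in step 4 for a subordinate CA; the key and bucket steps are the same.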