Using Cloud Monitoring with CA Service

Cloud Monitoring can be used to monitor operations performed on resources in Certificate Authority Service.

Before you begin

If you haven't already done so:

  • Set up a Google Cloud project that has the Certificate Authority Service API enabled. These steps are documented in the CA Service Quickstart.

  • Configure a Cloud Monitoring Workspace for your project by doing the following:
    1. In the Cloud Console, select your Google Cloud project.
    2. In the navigation pane, select Monitoring.

      If you have never used Cloud Monitoring, then on your first access of Monitoring in the Google Cloud Console, a Workspace is automatically created and your project is associated with that Workspace. Otherwise, if your project isn't associated with a Workspace, then a dialog appears and you can either create a Workspace or add your project to an existing Workspace. We recommend that you create a Workspace. After you make your selection, click Add.

Viewing metrics in Cloud Monitoring

Console

To view the metrics for a monitored resource by using Metrics Explorer, follow these steps:

  1. In the Google Cloud Console, go to the Monitoring page.

  2. In the Monitoring navigation pane, click Metrics Explorer.
  3. Ensure that Metric is the selected tab.
  4. In the Find resource type and metric field, select from the menu or enter the name for the resource and metric. Use the following information to complete the fields:
    1. For the Resource, select or enter Certificate Authority.
    2. For the Metric, select from the menu or enter one from the privateca metrics list.
  5. To modify how the data is displayed, use the Filter, Group By, and Aggregator menus. For example, you can group by resource or metric labels. For more information, see Selecting metrics.

CA Service metrics

The full list of privateca metrics is in the Cloud Monitoring metrics documentation.

The monitored resource types are described in Monitored resources.

Create an alerting policy

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

To create an alerting policy that monitors one or more Certificate Authority resources, follow these steps:

  1. In the Google Cloud Console, go to Monitoring.

  2. In the Monitoring navigation pane, select Alerting, and then select Create policy.
  3. Click Add condition:
    1. The settings in the Target pane specify the resource and metric to be monitored. In the Find resource type and metric field, select the resource Certificate Authority. Next, select a metric from the privateca metrics list.
    2. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information about the fields in the pane, see Configuration in the Alerting policies documentation.
    3. Click Add.
  4. To advance to the notifications section, click Next.
  5. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.

    If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh, and then select the notification channels to add to the alerting policy.

  6. To advance to the documentation section, click Next.
  7. Click Name and enter a name for the alerting policy.
  8. Optional: Click Documentation, and then add any information that you want included in a notification message.
  9. Click Save.
For more information, see Alerting policies.

Create Pub/Sub notification channel

A notification channel that publishes events to Pub/Sub can be set up by following these instructions.

Sample alert policies

You can use the following sample alert policies for common CA Service monitoring use cases.

To learn more about alert policies, see the documentation.

CA expiring in 30 days

This alert policy will notify you 30 days before a managed CA expires. This policy will create alert notifications for all managed CAs across all projects in the Monitoring workspace.

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

To create an alerting policy that monitors one or more resources, follow these steps:

  1. In the Google Cloud Console, go to Monitoring.

  2. In the Monitoring navigation pane, select Alerting, and then select Create policy.
  3. Click Add condition:
    1. The settings in the Target pane specify the resource and metric to be monitored. In the Find resource type and metric field, select ca/cert_expiration. Leave the resource name empty.
    2. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Complete this pane with the settings in the following table.
      Conditions pane

      Field                  Value
      Condition triggers if  Any time series violates
      Condition              is below
      Threshold              2592000000 ms
      For                    most recent value
    3. Click Add.
  4. To advance to the notifications section, click Next.
  5. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.

    If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh, and then select the notification channels to add to the alerting policy.

  6. To advance to the documentation section, click Next.
  7. Click Name and enter a name for the alerting policy.
  8. Optional: Click Documentation, and then add any information that you want included in a notification message.
  9. Click Save.
For more information, see Alerting policies.

gcloud

Paste the following policy into a file named ca-expiration-policy.yaml:

combiner: OR
conditions:
- conditionThreshold:
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_MEAN
    comparison: COMPARISON_LT
    duration: 0s
    filter: metric.type="privateca.googleapis.com/ca/cert_expiration" resource.type="privateca.googleapis.com/CertificateAuthority"
    thresholdValue: 2592000.0
    trigger:
      count: 1
  displayName: CA certificate expiration
displayName: CA expiring in 30 days
enabled: true

Create the alert policy with the following command:

gcloud alpha monitoring policies create --policy-from-file ca-expiration-policy.yaml

After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if desired. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.

High rate of certificate creation failures

This alert policy will notify you when the ratio of certificate creation failures, due to either CA policy or validation failure, exceeds a threshold of 0.2. This policy will create alert notifications for all managed CAs across all projects in the Monitoring workspace.

gcloud

Paste the following policy into a file named cert-create-failure.yaml:

displayName: High rate of certificate creation failures
enabled: true
combiner: OR
conditions:
- conditionThreshold:
    filter: metric.type="privateca.googleapis.com/ca/cert/create_failure_count" resource.type="privateca.googleapis.com/CertificateAuthority"
    aggregations:
    - alignmentPeriod: 300s
      crossSeriesReducer: REDUCE_SUM
      groupByFields:
      - resource.label.resource_container
      - resource.label.location
      - resource.label.certificate_authority_id
      perSeriesAligner: ALIGN_DELTA
    denominatorFilter: metric.type="privateca.googleapis.com/ca/cert/create_request_count" resource.type="privateca.googleapis.com/CertificateAuthority"
    denominatorAggregations:
    - alignmentPeriod: 300s
      perSeriesAligner: ALIGN_DELTA
    comparison: COMPARISON_GT
    duration: 0s
    thresholdValue: 0.2
    trigger:
      count: 1
  displayName: 'Ratio: Certificate creation CA policy error count / Total certificate creation request count'

Create the alert policy with the following command:

gcloud alpha monitoring policies create --policy-from-file cert-create-failure.yaml

After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if desired. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.

What this policy does

This policy computes the ratio of failures to total requests. The policy triggers an alert notification if the ratio goes above 20% (that is, the ratio is greater than 0.2) over the 5-minute alignment period.

The filter in the condition selects the number of certificate creation failures, which is the numerator in the ratio. The numerator aggregates by project, location, and CA resource ID, since this metric has additional labels. The denominator filter in the condition selects the number of certificate creation requests.

Once the threshold is reached, the policy triggers the alert notification immediately, since the permitted duration for the condition is 0 seconds. This policy uses a trigger count of 1, which is the number of time series that needs to violate the condition to trigger the alert notification.
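The following Python is an added example, not code from this page or from Google Cloud: it re-creates the alignment, grouping and ratio arithmetic of the policy above on constructed sample points, so you can see why the numerator needs REDUCE_SUM over the three resource labels while the denominator does not. The CA names and the extra "reason" label on the failure metric are assumptions.

```python
"""Local re-creation of the ratio alert's arithmetic (added example, not Cloud
Monitoring's evaluator). All points below are constructed, not captured."""
from collections import defaultdict

ALIGNMENT_PERIOD_S = 300      # aggregations[].alignmentPeriod: 300s
THRESHOLD = 0.2               # thresholdValue: 0.2 with comparison COMPARISON_GT
TRIGGER_COUNT = 1             # trigger.count: 1 violating time series is enough
GROUP_BY = ("resource_container", "location", "certificate_authority_id")

def ca(container, location, ca_id, **extra):
    """Build the label set of one time series; extra labels are hypothetical."""
    return dict(resource_container=container, location=location,
                certificate_authority_id=ca_id, **extra)

# Constructed delta samples: (labels, timestamp_s, count). The failure metric is
# given an assumed extra label ("reason"), which splits it into several series per
# CA; groupByFields + REDUCE_SUM fold those back into one series per CA.
FAILURES = [
    (ca("proj-a", "us-central1", "issuing-ca-1", reason="POLICY"), 30, 20),
    (ca("proj-a", "us-central1", "issuing-ca-1", reason="VALIDATION"), 90, 10),
    (ca("proj-a", "us-central1", "issuing-ca-2", reason="POLICY"), 30, 1),
]
# The request metric carries only the three resource labels, so aligning each
# series (ALIGN_DELTA, no reducer) already yields one series per CA.
REQUESTS = [
    (ca("proj-a", "us-central1", "issuing-ca-1"), 30, 60),
    (ca("proj-a", "us-central1", "issuing-ca-1"), 90, 40),
    (ca("proj-a", "us-central1", "issuing-ca-2"), 30, 100),
]

def align_and_reduce(points, period_s=ALIGNMENT_PERIOD_S, group_by=GROUP_BY):
    """ALIGN_DELTA (sum the delta samples that fall in each period) followed by
    REDUCE_SUM over group_by. Assumption: samples are per-interval deltas."""
    out = defaultdict(int)
    for labels, ts, count in points:
        key = tuple(labels[f] for f in group_by) + (ts // period_s,)
        out[key] += count
    return out

def evaluate(failures=FAILURES, requests=REQUESTS):
    """Return ({(labels..., period): failure ratio}, policy_fires)."""
    num, den = align_and_reduce(failures), align_and_reduce(requests)
    ratios = {k: num.get(k, 0) / v for k, v in den.items() if v}
    violating = [k for k, r in ratios.items() if r > THRESHOLD]
    # duration: 0s, so one violating period is enough; trigger.count sets how
    # many time series must violate at once.
    return ratios, len(violating) >= TRIGGER_COUNT

if __name__ == "__main__":
    print(evaluate())
```

With these points issuing-ca-1 has 30 failures out of 100 requests in the first period (ratio 0.3), so the policy fires even though issuing-ca-2 sits at 0.01.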

Cloud Monitoring cost

There is no cost for monitoring CA Service.

See also