Stay organized with collections Save and categorize content based on your preferences.

Using Cloud Monitoring with Certificate Authority Service

Cloud Monitoring can be used to monitor operations performed on resources in Certificate Authority Service.

Before you begin

If you haven't already done so, set up a Google Cloud project that has the Certificate Authority Service API enabled. These steps are documented in the CA Service Quickstart.

Viewing metrics in Cloud Monitoring

Console

To use Metrics Explorer to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud console, go to the Metrics Explorer page within Monitoring.
  2. Go to Metrics Explorer

  3. In the toolbar, select the Explorer tab.
  4. Select the Configuration tab.
  5. Expand the Select a metric menu, enter Certificate Authority in the filter bar, and then use the submenus to select a specific resource type and metric:
    1. In the Active resources menu, select Certificate Authority.
    2. To select a metric, use the Active metric categories and Active metrics menus. For a list of metrics, see privateca metrics.
    3. Click Apply.
  6. Optional: To configure how the data is viewed, add filters and use the Group By, Aggregator, and chart-type menus. For example, you can group by resource or metric labels. For more information, see Select metrics when using Metrics Explorer.
  7. Optional: Change the graph settings:
    • For quota and other metrics that report one sample per day, set the time frame to at least one week and set the plot type to Stacked bar chart.
    • For distribution valued metrics, set the plot type to Heatmap chart.

CA Service metrics

The list of metrics can be viewed in Cloud Monitoring documentation.

The monitored resource documentation can be viewed in Monitored resources.

Use the following instructions to enable recommended alerts.

Console

  1. Go to the CA Service Overview page in the Google Cloud console.

    Certificate Authority Service

  2. On the top right of the Overview page, click the + 5 Recommended Alerts.

  3. Enable or disable each alert, reading its description.

    • Some alerts support custom thresholds. For example, you can specify when you want to be alerted for an expiring CA certificate, or the error rate for a high rate of certificate creation failures.
    • All alerts support notification channels.
  4. Click Submit once you have enabled all desired alerts.

Create an alerting policy

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. In the Monitoring navigation pane, select Alerting.
  3. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  4. From the Alerting page, select Create policy.
  5. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter Certificate Authority into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Certificate Authority.
    3. For the Metric category, select Ca.
    4. For the Metric, select a metric from the list of privateca metrics.
    5. Select Apply.
  6. Click Next.
  7. The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Condition trigger.
  8. Click Next.
  9. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  10. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  11. Optional: Click Documentation, and then add any information that you want included in a notification message.
  12. Click Alert name and enter a name for the alerting policy.
  13. Click Create Policy.
For more information, see Alerting policies.

Create Pub/Sub notification channel

A notification channel that publishes events to Pub/Sub can be set up by following these instructions.

Sample alert policies

You can use the following sample alert policies for common CA Service monitoring use cases.

To learn more about alert policies, see the documentation.

CA expiring in 30 days

This alert policy notifies you 30 days before a managed CA expires. This policy creates alert notifications for all managed CAs across all projects whose metrics are visible to the Google Cloud project selected in the Google Cloud console project picker. For information about metric visibility, see Understanding metrics scope.

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. In the Monitoring navigation pane, select Alerting.
  3. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  4. From the Alerting page, select Create policy.
  5. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter Certificate Authority into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Certificate Authority.
    3. For the Metric category, select Ca.
    4. For the Metric, select ca/cert_expiration.
    5. Select Apply.
  6. Click Next.
  7. The settings in the Configure alert trigger page determine when the alert is triggered. Complete this page with the settings in the following table.
    Configure alert trigger page
    Field

    Value
    Condition type Threshold
    Alert trigger Any time series violates
    Threshold position Below threshold
    Threshold value 2592000000 ms
    Advanced Options: Retest window No retest
  8. Click Next.
  9. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  10. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  11. Optional: Click Documentation, and then add any information that you want included in a notification message.
  12. Click Alert name and enter a name for the alerting policy.
  13. Click Create Policy.
For more information, see Alerting policies.

gcloud

Paste the following policy into a file named ca-expiration-policy.yaml:

combiner: OR
conditions:
- conditionThreshold:
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_MEAN
    comparison: COMPARISON_LT
    duration: 0s
    filter: metric.type="privateca.googleapis.com/ca/cert_expiration" resource.type="privateca.googleapis.com/CertificateAuthority"
    thresholdValue: 2592000.0
    trigger:
      count: 1
  displayName: CA certificate expiration
displayName: CA expiring in 30 days
enabled: true

Create the alert policy with the following command:

gcloud alpha monitoring policies create --policy-from-file ca-expiration-policy.yaml

After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if desired. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.

High rate of certificate creation failures

This alert policy notifies you when the ratio of certificate creation failures, due to either CA policy or validation failure, exceeds a threshold of 0.2. This policy creates alert notifications for all managed CAs across all projects whose metrics are visible to the Google Cloud project selected in the Google Cloud console project picker. For information about metric visibility, see Understanding metrics scope.

gcloud

Paste the following policy into a file named cert-create-failure.yaml:

displayName: High rate of certificate creation failures
enabled: true
combiner: OR
conditions:
- conditionThreshold:
    filter: metric.type="privateca.googleapis.com/ca/cert/create_failure_count" resource.type="privateca.googleapis.com/CertificateAuthority"
    aggregations:
    - alignmentPeriod: 300s
      crossSeriesReducer: REDUCE_SUM
      groupByFields:
      - resource.label.resource_container
      - resource.label.location
      - resource.label.certificate_authority_id
      perSeriesAligner: ALIGN_DELTA
    denominatorFilter: metric.type="privateca.googleapis.com/ca/cert/create_request_count"
      resource.type="privateca.googleapis.com/CertificateAuthority"
    denominatorAggregations:
    - alignmentPeriod: 300s
      perSeriesAligner: ALIGN_DELTA
    comparison: COMPARISON_GT
    duration: 0s
    thresholdValue: 0.2
    trigger:
      count: 1
  displayName: 'Ratio: Certificate creation CA policy error count / Total certificate creation request count'

Create the alert policy with the following command:

gcloud alpha monitoring policies create --policy-from-file cert-create-failure.yaml

After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if desired. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.

What this policy does

This policy computes the ratio of failures to total requests. The policy triggers an alert notification if the ratio goes above 20% (that is, the ratio is greater than 0.2) over the 5-minute alignment period.

The filter in the condition selects the number of certificate creation failures, which is the numerator in the ratio. The numerator aggregates by project, location, and CA resource ID, since this metric has additional labels. The denominator filter in the condition selects the number of certificate creation requests.

Once the threshold is reached, the policy triggers the alert notification immediately, since the permitted duration for the condition is 0 seconds. This policy uses a trigger count of 1, which is the number of time series that needs to violate the condition to trigger the alert notification.

Monitoring gauge metrics

Gauge metrics measure a value at a specific instant in time. For example, privateca.googleapis.com/ca/resource_state or privateca.googleapis.com/kms/key_issue are gauge metrics. These metrics use a boolean value, while using labels to provide additional information. For example, privateca.googleapis.com/ca/resource_state uses a boolean for whether the CA state is enabled, but uses a label, state, for the actual resource state.

When monitoring gauge metrics that use boolean values, we recommend that you use the COUNT aggregator to build alert thresholds. The SUM aggregator only sums the boolean values, whereas the COUNT aggregator sums the number of time series. For example, if you want to determine the number of CAs that are in the DISABLED state, you should create a filter for state=DISABLED. Use the COUNT aggregator to determine the number of CAs that match this condition.

Cloud Monitoring cost

There is no cost for monitoring CA Service.

What's next