Policy controls

This topic describes the scenarios when you should use various policy controls.

Policy controls enable you to control the type of certificates that can be issued from your certificate authority (CA) pool. Policy controls are of two types: coarse-grained and fine-grained. Coarse-grained policies apply CA pool-specific constraints. Fine-grained policies determine the operations a particular user can perform on a CA pool.

Certificate templates

You can use a certificate template when you have a well-defined certificate issuance scenario. You can use certificate templates to enable consistency across certificates issued from different CA pools. You can also use a certificate template to restrict the kinds of certificates that different individuals can issue. For more information, see Certificate templates.

For information about creating certificate templates, see Creating certificate templates.

Certificate issuance policies

A CA Manager can attach a certificate issuance policy to a CA pool to define restrictions on the kind of certificates that the CAs in the CA pool can issue. An issuance policy can define restrictions on certificate identities, certificate lifetimes, key types, certificate request modes, and X.509 extensions. The issuance policy can also contain a set of X.509 extensions that are applied to all incoming certificate requests.

Issuance policies let you apply certain restrictions on the entire CA pool. For example, a policy may enforce that all issued certificates have O=My organization in their subject, or that all DNS names end with .my-org-domain.com, or that only Server TLS certificates can be issued from the CA pool.

We recommend using an issuance policy if one or both of these cases apply:

  1. Your CA pool is intended to issue certificates according to a single, well-defined profile.
  2. You want to define a common baseline for X.509 extensions and additional restrictions that apply to all the certificate issuance profiles.

For more information about issuance policies, see Using an issuance policy.

IAM policies

It is important to implement the security principle of least privilege to protect the integrity of CA Service resources. Through the implementation of discrete Identity and Access Management (IAM) roles, organizations can better manage the security of the CA pool and the overall PKI itself.

General IAM policies

CA Service lets you grant IAM roles to users or service accounts for creating and managing resources. You can add these role bindings at the following levels:

  • CA pool-level to manage access for a specific CA pool and for the CAs in that CA pool.
  • Project or organization-level to grant access to all CA pools in that scope.

Roles are inherited, if granted at a higher resource-level. For example, a user who is granted the Auditor (roles/privateca.auditor) role at the project-level is able to view all resources under the project.

For the complete list of predefined IAM roles for CA Service, see Predefined roles.

Conditional IAM policies

If you have a shared CA pool that might be used by multiple users who are authorized to request different types of certificates, you can implement controls through conditional IAM policies to limit the per-user permissions to perform certain operations on a CA pool.

IAM conditional bindings help control the permissions a specific user or group is allowed under a set of conditions. For example, if the Certificate Requester role is bound to the user alice@joonix.net on a CA pool with the condition that the requested DNS SANs are a subset of ['alice@joonix.net', 'bob@joonix.net'], then that user is able to request certificates from the same CA pool only if the requested SAN is is one of those two allowed values. You can set conditions on IAM bindings using Common Expression Language (CEL) expressions. These conditions can help you further restrict the type of certificates a user is able to request. For information on using CEL expressions for IAM conditions, see Common Expression Language (CEL) dialect for IAM policies.

For information on configuring IAM policies, see Configuring IAM policies.

Policy conflicts

When using different policy control mechanisms in conjunction, there is a possibility that policies on different levels can conflict. This section describes how policy controls get enforced and provides guidance on avoiding policy conflicts.

Policy enforcement

When requesting certificates, policy controls are evaluated at different layers.

IAM conditional bindings for request attributes are evaluated first to ensure the caller has the required permissions for creating certificates or using certificate templates.

During certificate creation the CA pool and the certificate template issuance policy are validated against the normalized certificate request. X.509 extensions from the CA pool's certificate issuance policy and the certificate template are added to the certificate, and certain values can be dropped based on those same policies.

Issuance policy conflicts

The following is a non-comprehensive lists of errors where the issuance policy of a certificate template can conflict with the issuance policy of a CA pool.

  • A certificate template contains predefined values that are prohibited by the CA pool, or vice versa.
  • A certificate template contains different X.509 values than the CA pool baseline values, or vice versa.

In all these cases, the API returns an invalid argument error.

CEL conflicts

CEL provides the ability to implement diverse expressions. There can be situations where the CEL expressions on the CA pool's issuance policy and on the certificate template conflict. These conflicts disallow certificates to be issued from the CA pool. For example, consider the situation that a CA pool had a CEL expression enforcing the common name of a certificate to end in .joonix.net and the certificate template had a CEL expression enforcing the common name of a certificate to end in .joonix.com. Since these two CEL expressions place different restrictions on the same field, all certificate issuance requests fail.

If you are using both certificate issuance policies and certificate templates, we recommend that you ensure that their CEL expressions do not conflict.

What's next