You can use the Public Certificate Authority CA to provision and deploy widely trusted X.509 certificates after validating that the certificate requester controls the domains. Public CA lets you directly and programmatically request publicly trusted TLS certificates that are already in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic.
Public CA lets you manage high volume use cases that traditional CAs have been unable to support. If you are a Google Cloud customer, you can request TLS certificates for your domains directly from Public CA.
Most certificate-related problems are due to human error or oversight, so we recommend automating certificate lifecycles. Public CA uses the Automatic Certificate Management Environment (ACME) protocol for the automated provisioning, renewal, and revocation of certificates. Automated certificate management reduces downtime that expired certificates can cause and minimizes operational costs.
Public CA provisions TLS certificates for several Google Cloud services, such as App Engine, Cloud Shell, Google Kubernetes Engine and Cloud Load Balancing.
Who should use Public CA
You can use Public CA for the following reasons:
- If you are looking for a TLS provider with high ubiquity, scalability, security, and reliability.
- If you want most, if not all, TLS certificates for your infrastructure, including on-premises workloads and cross-cloud provider setups, from a single cloud provider.
- If you need control and flexibility over the TLS certificate management to customize it to your infrastructure requirements.
- If you want to automate the TLS certificate management but cannot use managed certificates in Google Cloud services, such as GKE or Cloud Load Balancing.
We recommend that you only use publicly trusted certificates when your business requirements do not allow another option. Given the historical cost and complexity of maintaining public key infrastructure (PKI) hierarchies, many enterprises use public PKI hierarchies even when a private hierarchy makes more sense.
Maintaining public and private hierarchies has become much simpler with multiple Google Cloud offerings. We recommend that you carefully choose the right type of PKI for your use case.
For non-public certificate requirements, Google Cloud offers two easy-to-manage solutions:
Anthos Service Mesh: Cloud Service Mesh includes fully automated mTLS certificate provisioning for workloads running in GKE Enterprise using Cloud Service Mesh certificate authority (Cloud Service Mesh certificate authority).
Certificate Authority Service: Certificate Authority Service lets you deploy, manage and secure custom private CAs efficiently without managing infrastructure.
Benefits of Public CA
Public CA provides the following benefits:
Automation: As internet browsers aim for fully encrypted traffic and the reduction of certificate validity periods, there is a risk of using expired TLS certificates. Certificate expiration can lead to website errors, and can cause service outages. Public CA avoids the problem of certificate expiration by letting you set up your HTTPS server to automatically obtain and renew the necessary TLS certificates from our ACME endpoint.
Compliance: Public CA undergoes regular rigorous independent audits of security, privacy, and compliance controls. The Webtrust seals granted as a result of these annual audits demonstrate Public CA's conformity with all relevant industry standards.
Security: The architecture and operations of Public CA are designed to the highest level of security standards and regularly runs independent assessments to confirm the security of the underlying infrastructure. Public CA either meets or exceeds all the controls, operational practices, and security measures mentioned in the Google Security whitepaper.
Public CA's focus on security extends to features such as multi-perspective domain validation. Public CA's infrastructure is globally distributed. Therefore, Public CA requires a high degree of agreement across geographically diverse perspectives, which provides protection against Border Gateway Protocol (BGP) hijacking and Domain Name Server (DNS) hijacking attacks.
Reliability: The use of Google's proven technical infrastructure makes Public CA a highly available and scalable service.
Ubiquity: The strong browser ubiquity of Google Trust Services helps ensure that services using certificates that Public CA issues work on the widest possible range of devices and operating systems.
Streamlined TLS solutions for hybrid setups: Public CA lets you build a custom TLS certificate solution that uses the same CA for diverse scenarios and use cases. Public CA effectively serves the use cases where workloads are running on-premises or in a cross-cloud provider environment.
Scale: Certificates have often been costly to obtain and difficult to provision and maintain. By offering access to large volumes of certificates, Public CA lets you utilize and manage certificates in ways that were previously considered impractical.
Limitations of Public CA
This release of Public CA does not support punycode domains.