Configure publication and storage

Certificate Authority Service (CA Service) uses Cloud Storage buckets to publish CA certificates and certificate revocation lists (CRLs) for your public key infrastructure (PKI).

This document describes how to configure the Cloud Storage buckets used by CA Service to publish CA certificates and CRLs for your PKI. You can use a Google-managed bucket or a customer-managed bucket for more direct control. For more information about Cloud Storage buckets, see About Cloud Storage buckets. This document also covers managing publication settings, such as enabling or disabling publication and choosing an encoding format.

Use a Google-managed bucket

CA Service automatically manages the lifecycle of the Cloud Storage buckets. You aren't billed separately for these resources.

By default, when you create a CA pool, CA Service creates and manages a Cloud Storage bucket with the following characteristics:

  • Location: The bucket is in the same project and location as the pool.
  • Centralized storage: The bucket stores CA certificates and CRLs for all CAs in the CA pool.
  • Publicly readable: Objects are automatically accessible to clients using Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions.

Advantages of a Google-managed bucket

A Google-managed bucket simplifies management. When you create a CA pool, CA Service automatically creates and manages the bucket for publishing CA certificates and CRLs. You don't need to configure any additional Cloud Storage buckets.

VPC Service Controls considerations

A VPC Service Controls perimeter restricts access to Google-managed Cloud Storage buckets to clients within that perimeter. AIA and CDP URLs for CA certificates and CRLs are not accessible from outside the perimeter. This lack of accessibility can cause certificate validation failures for clients outside the perimeter.

For information about creating a root CA, see Create a root CA. For information about creating a subordinate CA, see Create a subordinate CA. For information about choosing a key algorithm, see Choose a key algorithm.

Use a customer-managed bucket

Customer-managed resources are only available for CAs in the Enterprise tier. You must create and configure these resources before creating your CA, and then delete them when you delete the CA. You're billed directly for these resources.

You can specify existing Cloud Storage buckets in your project for publishing CA certificates and CRLs for a CA pool. This provides direct control over the bucket's configuration, including its location, storage class, lifecycle policies, and access controls.

Advantages of a customer-managed bucket

Using a customer-managed bucket provides direct control over your storage bucket. You can update attributes, such as access management, to meet your organizational requirements.

To create a CA with a customer-managed bucket, you must have administrative access to the bucket to grant the appropriate access to CA Service. For more information, see CA Service Service Agent.

Location of Cloud Storage buckets

Create customer-managed Cloud Storage buckets in the same location as your CA Service resources.

For example, if your CA is in us-west1, you can create the Cloud Storage buckets in any US single region (like us-west1 or us-east1), the NAM4 dual-region, or the US multi-region. For a list of available locations, see Cloud Storage locations.

Before you begin

  • Ensure that a Cloud Storage bucket exists. See Create a bucket.

  • Ensure the bucket is accessible to the CA Service service account.

Required roles

To ensure that the service account has the necessary permissions to write and manage objects (specifically, CA certificates and CRLs) and enable monitoring, ask your administrator to grant the following IAM roles to the service account on the customer-managed Cloud Storage bucket:

For more information about granting roles, see Manage access to projects, folders, and organizations.

Your administrator might also be able to give the service account the required permissions through custom roles or other predefined roles.

Configure the CA to use the bucket

To specify a customer-managed Cloud Storage bucket when you create a certificate authority, use the --bucket flag with the gcloud privateca roots create or gcloud privateca subordinates create commands.

For details on creating CAs, see the following:

Manage access to certificates and CRLs

When using a customer-managed bucket, you control its access permissions. The CA certificates and CRLs that CA Service publishes inherit the bucket's default object permissions unless you configure them otherwise. To make the Authority Information Access (AIA) and CRL Distribution Point (CDP) URLs publicly reachable, make the published objects publicly readable.

By default, CA Service uses HTTP URLs in AIA and CDP extensions to reference CA certificates and CRLs. Use HTTP URLs for maximum client compatibility, because some clients don't support HTTPS in AIA or CDP extensions. Serving these objects over plain HTTP doesn't weaken security: CA certificates and CRLs are digitally signed, so clients verify their integrity and authenticity from the signature rather than from the transport.

For more information, see Overview of access control and Setting object permissions in the Cloud Storage documentation.
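The two steps described above, pointing a CA at a customer-managed bucket with --bucket and then making the published objects readable for AIA and CDP clients, as one added example script. This script is not part of the CA Service documentation or of the gcloud CLI; it assumes that PROJECT_ID, PROJECT_NUMBER, LOCATION, POOL_ID, ROOT_CA_ID and BUCKET are placeholders you replace, that the CA pool already exists, that the CA Service service agent is the identity service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com, and that the roles granted to it come from the Required roles section (roles/storage.objectAdmin below is only a placeholder). It also adds the check a practitioner wants after publishing: fetch the CA certificate and CRL through the published URLs and verify the CRL signature with openssl.

```shell
#!/bin/sh
# Added example, not from the CA Service documentation: provision a
# customer-managed bucket, create a root CA that publishes into it, make the
# published objects publicly readable for AIA/CDP clients, then fetch and
# verify what was published. PROJECT_ID, PROJECT_NUMBER, LOCATION, POOL_ID,
# ROOT_CA_ID and BUCKET are placeholders; the CA pool is assumed to exist.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"           # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}" # placeholder, numeric id
LOCATION="${LOCATION:-us-west1}"                 # bucket and pool location
POOL_ID="${POOL_ID:-my-pool}"                    # existing Enterprise-tier pool
ROOT_CA_ID="${ROOT_CA_ID:-my-root}"
BUCKET="${BUCKET:-my-ca-publication-bucket}"     # bucket name, no gs:// prefix
# Roles for the CA Service service agent on the bucket. Assumption: take the
# list from the "Required roles" section; objectAdmin is only a placeholder.
CA_SERVICE_ROLES="${CA_SERVICE_ROLES:-roles/storage.objectAdmin}"

# With DRY_RUN=1 every external command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Same location as the pool; uniform bucket-level access so that IAM alone
# (no legacy object ACLs) decides who can read the published objects.
create_bucket() {
  run gcloud storage buckets create "gs://$BUCKET" \
    --project="$PROJECT_ID" --location="$LOCATION" \
    --uniform-bucket-level-access
}

# The CA Service service agent writes the CA certificate and CRLs.
grant_service_agent_access() {
  agent="service-${PROJECT_NUMBER}@gcp-sa-privateca.iam.gserviceaccount.com"
  for role in $CA_SERVICE_ROLES; do
    run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
      --member="serviceAccount:$agent" --role="$role"
  done
}

# --bucket points the CA at the customer-managed bucket; without it CA
# Service would create a Google-managed bucket instead.
create_root_ca() {
  run gcloud privateca roots create "$ROOT_CA_ID" \
    --pool="$POOL_ID" --location="$LOCATION" --project="$PROJECT_ID" \
    --subject="CN=Example Root CA, O=Example Org" \
    --key-algorithm=ec-p256-sha256 \
    --bucket="$BUCKET"
}

# AIA/CDP clients fetch anonymously over HTTP, so the objects must be readable
# by allUsers. Nothing secret is exposed: the CA certificate and CRL are signed.
# This fails if an organization policy enforces public access prevention; the
# bucket then cannot serve AIA/CDP URLs directly.
make_objects_public() {
  run gcloud storage buckets update "gs://$BUCKET" --no-public-access-prevention
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member=allUsers --role=roles/storage.objectViewer
}

# Fetch the CA certificate and CRL through the same URLs that relying parties
# use, in the pool's encoding format, and check the CRL signature with openssl.
# Assumption: an absent encodingFormat field means PEM.
verify_publication() {
  pool_args="--pool=$POOL_ID --location=$LOCATION --project=$PROJECT_ID"
  fmt=$(run gcloud privateca pools describe "$POOL_ID" --location="$LOCATION" \
    --project="$PROJECT_ID" --format='value(publishingOptions.encodingFormat)')
  ca_url=$(run gcloud privateca roots describe "$ROOT_CA_ID" $pool_args \
    --format='value(accessUrls.caCertificateAccessUrl)')
  crl_url=$(run gcloud privateca roots describe "$ROOT_CA_ID" $pool_args \
    --format='value(accessUrls.crlAccessUrls[0])')
  tmp=$(mktemp -d)
  run curl -fsS -o "$tmp/ca.crt" "$ca_url"
  run curl -fsS -o "$tmp/ca.crl" "$crl_url"
  # Normalize the CA certificate to PEM because -CAfile expects PEM.
  run openssl x509 -inform "${fmt:-PEM}" -in "$tmp/ca.crt" -out "$tmp/ca.pem"
  # "verify OK" means the CRL was signed by this CA; -nextupdate shows when
  # clients will start treating the CRL as stale.
  run openssl crl -inform "${fmt:-PEM}" -in "$tmp/ca.crl" \
    -CAfile "$tmp/ca.pem" -noout -nextupdate
  rm -rf "$tmp"
}

main() {
  create_bucket
  grant_service_agent_access
  create_root_ca
  make_objects_public
  verify_publication
}

# Usage: sh publish-ca.sh apply   (DRY_RUN=1 sh publish-ca.sh apply to preview)
case "${1:-}" in apply) main ;; esac
```

Preview with DRY_RUN=1 first so that every gcloud command is visible before it runs. The verification step is the part worth keeping in any runbook: an AIA URL that answers 403 breaks chain building for every relying party, and a CRL for which openssl does not report "verify OK" means either the wrong CA certificate was fetched or the object in the bucket is not the one CA Service wrote.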

Manage publication settings

By default, when you create a CA pool, CA Service enables CA certificate and CRL publication to Cloud Storage buckets. You can update these publication settings to enable publication, disable publication, or change the encoding format.

Enable publication for a CA pool

To enable CA certificate and CRL publication for all CAs in a CA pool, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

  2. Under the CA pool manager tab, click the name of the CA pool that you want to edit.

  3. On the CA pool page, click Edit.

  4. Under Configure allowed key algorithms and sizes, click Next.

  5. Under Configure accepted certificate request methods, click Next.

  6. Under Configure publishing options, click the toggle for Publish CA certificate to Cloud Storage bucket for CAs in this pool.

  7. Click the toggle for Publish CRL to Cloud Storage bucket for CAs in this pool.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --location LOCATION --publish-crl --publish-ca-cert

Replace the following:

  • POOL_ID: the name of the CA pool
  • LOCATION: the location of the CA pool. For a list of available locations, see CA Service locations

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.

To learn more about enabling CRL publication for revoking certificates, see Revoking certificates.

Disable publication for a CA pool

To disable CA certificate and CRL publication for all CAs in a CA pool, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

  2. Under the CA pool manager tab, click the name of the CA pool that you want to edit.

  3. On the CA pool page, click Edit.

  4. Under Configure allowed key algorithms and sizes, click Next.

  5. Under Configure accepted certificate request methods, click Next.

  6. Under Configure publishing options, click the toggle for Publish CA certificate to Cloud Storage bucket for CAs in this pool.

  7. Click the toggle for Publish CRL to Cloud Storage bucket for CAs in this pool.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --location LOCATION --no-publish-crl --no-publish-ca-cert

Replace the following:

  • POOL_ID: the name of the CA pool
  • LOCATION: the location of the CA pool. For a list of available locations, see CA Service locations

Choose an encoding format

To update the encoding format of published CA certificates and CRLs, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

  2. Under the CA pool manager tab, click the name of the CA pool that you want to edit.

  3. On the CA pool page, click Edit.

  4. Under Configure allowed key algorithms and sizes, click Next.

  5. Under Configure accepted certificate request methods, click Next.

  6. Under Configure publishing options, click the Publishing Encoding Format list.

  7. Select the publishing encoding format.

gcloud

Run the following command:

gcloud privateca pools update POOL_ID --location=LOCATION --publishing-encoding-format=PUBLISHING_ENCODING_FORMAT

Replace the following:

  • POOL_ID: the name of the CA pool
  • LOCATION: the location of the CA pool. For a list of available locations, see CA Service locations
  • PUBLISHING_ENCODING_FORMAT: the encoding format, either PEM or DER

For more information about the gcloud privateca pools update command, see gcloud privateca pools update.
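After enabling, disabling or re-encoding publication as described in the procedures above, the settings should be read back rather than assumed. The following audit script is an added example and not part of the CA Service documentation or of gcloud; it lists every CA pool in a location with gcloud privateca pools list and flags pools whose CA certificate or CRL publication is off. It assumes that PROJECT_ID and LOCATION are placeholders, that gcloud's csv[no-heading] format prints booleans as True and leaves a field empty when the API omits it, and that the publishingOptions fields are named as shown.

```shell
#!/bin/sh
# Added example, not from the CA Service documentation: read back the
# publishing options of every CA pool in a location and flag pools whose CA
# certificate or CRL publication is disabled. PROJECT_ID and LOCATION are
# placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # placeholder
LOCATION="${LOCATION:-us-west1}"

# Evaluate one pool. gcloud prints booleans as True/False and leaves a field
# empty when the API omitted it, so anything other than True means disabled.
# Returns 0 when both CA certificate and CRL publication are on, 1 otherwise.
assess_pool() {
  name=$1; publish_ca=$2; publish_crl=$3; fmt=$4
  ok=0
  if [ "$publish_ca" != "True" ]; then
    echo "WARN $name: CA certificate publication is off; AIA URLs in issued certificates will not resolve"
    ok=1
  fi
  if [ "$publish_crl" != "True" ]; then
    echo "WARN $name: CRL publication is off; revocations never reach CDP clients"
    ok=1
  fi
  [ -n "$fmt" ] || fmt="(default)"
  echo "INFO $name: encoding=$fmt"
  return $ok
}

# Evaluate a csv listing, one "name,publishCaCert,publishCrl,encodingFormat"
# line per pool. Comma rather than tab as the separator: tab is IFS whitespace
# and would collapse empty fields, shifting the columns that follow them.
assess_csv() {
  listing=$1; rc=0
  while IFS=, read -r name publish_ca publish_crl fmt; do
    [ -n "$name" ] || continue
    assess_pool "$name" "$publish_ca" "$publish_crl" "${fmt:-}" || rc=1
  done <<EOF
$listing
EOF
  return $rc
}

# Pull the live listing for one location and evaluate it. Exit status 1 means
# at least one pool needs attention.
audit_location() {
  listing=$(gcloud privateca pools list --location="$LOCATION" \
    --project="$PROJECT_ID" \
    --format='csv[no-heading](name.basename(),publishingOptions.publishCaCert,publishingOptions.publishCrl,publishingOptions.encodingFormat)')
  assess_csv "$listing"
}

# Usage: sh audit-publication.sh audit
case "${1:-}" in audit) audit_location ;; esac
```

Run the audit after every pool update and on a schedule: a pool with CRL publication switched off still issues certificates whose CDP URL exists, but no relying party can learn about a revocation until publication is turned back on.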

What's next