Setup Google Cloud Certificate Authority - Part 2

2021-01-17
Share on:

IMPORTANT: It should be noted that this service is currently a beta offering, so while interesting to look at, it's not something I'd likely use in an enterprise until it's fully released. Google has the following statement:

CAs and certificates created in Beta will be deleted once Certificate Authority Service becomes generally available.

Standing up an Issuing Certificate Authority

In this post, we're going to stand up the issuing CA. There's no rule that says your issuing CA needs to be the child of a Root CA owned by Google. If you already have an internal Root CA, you could submit the certificate request to that root, however that is outside of the scope of this post.

First, I'm going to log back into the Google Cloud Console and return to the Certificate Authority Services. If you need to reminder how to do this, refer back to Part 1 of this series. Once I'm there, I'll click on the Create CA button.

Create CA (Subordinate)

Step 1 - CA Type

For my CA Type, I'll select subordinate CA, choose that the CA is within Google Cloud, and browse to the CA created in part 1. I'm going to set my validity period to 10 years (like I did with my Microsoft Issuing CA). Like in part 1 of this series, I'll set my tier to Enterprise and my regionalization to us-east-1.

For my reusable configuration, I'll select subordinate-unconstrained-pathlen-0 which will allow this CA to issue any type of certificate.

Google Subordinate CA Details

Step 2 - CA Subject Name

Your subject details will show up in your certificate (as outlined in our Microsoft Series) and can be configured similar to how to configured our Root CA in the previous post in this series. Below is how I will configure my issuing CA.

Google Issuing CA Subject

Step 3 - CA Key Size

This step requires you have an idea about what will be required for your environment. As the RSA PKCS 2014 key advertises itself as one that is "widely supported by browsers and other clients", it will be the one I select for my lab.

Google Issuing CA Key Size

Step 4 - Certificate Artifacts

Like with my Root CA in the previous post, I'll let Google manage the CRL & AIA.

Google Issuing CA Artifacts

Step 5 - Google Cloud Labels

As with the previous post, we're asked about labels. Labels are key value pairs that you can assign to resources within the Google Cloud platform to help organize your resources. This isn't important for my lab, so I'll skip this step.

Step 6 - Review

And we're done! You now have an issuing CA. Unfortunately, this is as far as the Beta program will take us for now. It doesn't seem possible to view/export the certificates yet, and without being able to trust them, doing any actual issuing doesn't have much value.


No comments