GCP – Introducing Certificate Authority Service: Securing Applications with Private CAs and Certificates
Digital certificates underpin identity and authentication for many networked devices and services. Recently, we’ve seen increased interest in using public key infrastructure (PKI) in DevOps and device management, particularly for IoT devices. But one of the most fundamental problems with PKI remains—it’s hard to set up Certificate Authorities (CA), and even harder to do it reliably at scale. To help, we’re announcing Certificate Authority Service (CAS), now in beta, from Google Cloud—a highly scalable and available service that simplifies and automates the management and deployment of private CAs while meeting the needs of modern developers and applications.
To see how CAS can help, let’s look a bit deeper at the challenges surrounding certificate use. As we mentioned, private certificates are one of the most common ways to authenticate users, machines, or services over networks. Digital certificates help make many interactions more secure, including when a user connects to an enterprise-owned website over HTTPS, when a laptop tries to connect to a WiFi access point, or when a user tries to sign into their email account. These certificates are normally issued from a private Certificate Authority (CA) that is hosted on-premises, and they tend to have an expiry date that is in the distant future (i.e., long-lived) with a device/application-specific certificate enrollment process that happens infrequently.
An emerging scenario for using private certificates is in DevOps environments to protect containers, microservices, VMs, and service accounts. These emerging private certificate use cases, however, have drastically different requirements. As a result, organizations with an on-premise private CA quickly realize the limitations of their existing private CAs to support these emerging scenarios:
-
These new use cases require short-lived certificates that are renewed frequently, which in turn require high availability and scalability from the CA. Existing private CA solutions fall short. For example, a company may have to issue 10 million certificates in one year vs. 10 thousand when dealing with IoT devices.
-
Certificate enrollment processes do not support modern APIs expected in modern applications and CI/CD toolchains, which result in longer time to market, and delays in adoption and revenue.
-
They are incompatible with cloud providers’ built-in CAs, resulting in customers losing a single point for management and monitoring for certificates.
Moreover, organizations that leapfrogged building on-premise infrastructure and were cloud native from day one—i.e., they never had to set up a private CA—started seeing a need for private certificates. Existing on-prem private CAs are not compatible with cloud platforms and can’t support the scale associated with cloud native businesses and hyperscalers. The only option these organizations have is to build their own private CA.
Thus, they realize the high cost of setting up and running a private CA (infrastructure, licensing, and operations costs) in addition to the high skill set required to successfully manage a private CA, which is not tied to their core business and only lengthens their go to market timeline. Often, it’s easier and more cost effective to offload this task to a trusted provider—ideally a cloud provider.
Certificate Authority Service is designed to meet both traditional and emerging needs. With CAS, you can set up a private CA in minutes, rather than the months it would take to deploy a traditional private CA.
CAS also lets you leverage simple, descriptive RESTful APIs to fully automate the acquisition and management of certificates without being a PKI expert. You can use these APIs for integration with your existing tooling and CI/CD channels. Moreover, you can manage, automate, and integrate private CAs in whichever way is most convenient for you: via APIs, the gcloud command-line, or cloud console.
CAS is an enterprise-ready service that enables you to:
-
Store the private CA keys in a Cloud HSM that is FIPS 140-2 Level 3 validated and available in several regions across the Americas, Europe, and Asia Pacific. You can select a subordinate CA’s region independent of its root CA’s region
-
Obtain logs and gain visibility into who did what, when, and where with Cloud Audit Logs
-
Define granular access controls and virtual security perimeters with Cloud IAM and VPC Service Controls
-
Scale with confidence knowing that the service supports up to 25 queries per second (QPS) per instance (in DevOps mode), which means it can issue millions of certificates. And it comes with an enterprise-grade SLA (at GA)
-
Have assurance that CA private keys are protected by FIPS 140-2 Level 3 validated HSMs
-
Bring your own root: This will allow CAs to chain up to an existing root running on-premise or anywhere else outside Google Cloud
Integration with the certificate management ecosystem
We also understand that the most important requirement for deploying a new service at an enterprise level is compatibility, with ease-of-use being a close second. After all, security measures that are hard to use end up going unused. We worked with leading partners in the certificate lifecycle management (CLM) space to make sure CAS is integrated with their solutions:
-
Venafi is a leading vendor in machine identity protection with more than 400 worldwide customers and 20-plus years of cybersecurity research and innovation. Venafi’s role has been cited in industry research like Gartner’s 2020 Hype Cycle for IAM and Forester’s 2020 Now Tech report on Zero Trust Solution Providers. For more information on their integration with CAS see their blog.
-
AppViewX CERT+ is a certificate management suite that lets you automate key and certificate lifecycles across multi-cloud environments. It also protects keys, delivers compliance, allows for role-based self-servicing of PKI, and enables hyper scalability and cryptographic agility. For more information on their integration with CAS see their blog.
Getting started with CAS
With CAS, you can offload time-consuming tasks associated with operating a private CA, like hardware provisioning, infrastructure security, software deployment, high-availability configuration, disaster recovery, backups, and more to the cloud. This will lower your total cost of ownership (TCO) and shorten time to market for your products. CAS also simplifies licensing with pay-as-you-go pricing and zero capital expenditures (CapEx)—you pay only for what you use.
During beta availability, you can use CAS at no charge; visit the sign up form to register. Pricing will go into effect once the product is generally available. For more information, check out our product videos and the CAS home page. If you have any questions, just email us at cas-support@google.com.
Read More for the details.