The Google Cloud Certificate Authority Service (CAS) is a scalable service for automating the management and deployment of private certificates and for managing public key infrastructure (PKI). Last month, Google announced the general availability (GA) of this service.
In August last year, the company launched the cloud-based CAS in public preview to allow customers to set up the digital certificates they need for their public key infrastructure. Since then, several customers have used the service in various use cases, such as identity management and creating digital signature services. Furthermore, three new members have now joined the CAS partnership program: Keyfactor, Jetstack, and Smallstep, alongside the existing partners Venafi and AppViewX.
With the GA release, Google also added a few features, such as:
- CA rotation – a new feature in the GA release, called CA pool, groups several CAs that serve the same incoming request queue. CA rotation can therefore be achieved by adding a new CA to the pool and taking the old one out of it, without changes to workloads or client code.
- Enhanced policies that allow per-user group policies to be defined, meaning admins can define certificate templates that are applied to all issued certificates, overriding some or all of the parameters in the issued certificate.
- A Terraform provider for Google Cloud CAS for configuring and managing the service.
- Integration with cert-manager.io through collaboration with Jetstack.
- A HashiCorp Vault plugin that allows Vault to be the source of policies, with Google Cloud CAS as the certificate issuer.
- A quick setup guide for customers with CAS Qwiklab.
Holger Mueller, principal analyst and vice president at Constellation Research Inc., explains the need for a CAS:
The modern digital economy is connected, and to make connections safe, they need to be validated. Unfortunately, the related certificate authoring is a hassle for enterprises when operated on-premises. It needs to scale, be secure and available 24x7 - so it begs and asks for cloud services, which is what Google is offering with its CAS that is going GA. Now, like with every new cloud service - we need to check and see how adoption will be.
In addition, Ryan Sanders, senior product marketing manager at Keyfactor, one of the partners, wrote in a blog post:
To thrive in the era of hybrid and multi-cloud infrastructure, IT and security teams need to seriously rethink how they deploy their PKI and manage digital certificates. The key to success is simple, repeatable processes for certificate management across all platforms and devices.
With the GA release, the service is available in various regions, with more to come. Furthermore, the SLA offers 99.9% availability per region for certificate creation, and pricing follows a "pay-as-you-go" model. Lastly, the service is compliant with several international standards such as ISO 27001, 27017, 27018, SOC1, SOC2, SOC3, and BSI C5.