mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-13 23:28:59 +00:00
docs: Phase 4 follow-on batch 2 — 8 remaining issuer per-pages
Extracts the rest of the issuer per-connector deep-dive pages:

- local-ca.md (170 lines) — Local CA self-signed / sub-CA / tree mode, CRL+OCSP endpoints, EKU support, MaxTTL enforcement, L-014 file-on-disk threat model carve-out
- acme.md (235 lines) — RFC 8555 v2 client (HTTP-01 / DNS-01 / DNS-PERSIST-01), ARI per RFC 9773, EAB + ZeroSSL auto-EAB, Let's Encrypt profile selection, revoke-by-serial Top-10 fix #7
- step-ca.md (99 lines) — Smallstep JWK-provisioner synchronous issuance with MaxTTL enforcement
- openssl.md (157 lines) — script-based shell-out with full threat model (what's accepted, what's not, mitigations, V3-Pro forward path)
- sectigo.md (98 lines) — Sectigo SCM REST with bounded async polling
- google-cas.md (89 lines) — GCP managed private CA with OAuth2 service-account auth + IAM-role guidance
- entrust.md (96 lines) — Entrust CA Gateway mTLS-authenticated with approval-pending support and mTLS keypair caching
- globalsign.md (122 lines) — Atlas HVCA dual auth (mTLS + API key/secret), region-aware base URLs, mTLS keypair caching

Index forward-list expanded to enumerate all 13 issuer connectors (including the 5 pages from batch 1) in alphabetical order.

This is part 2 of 4 for the Phase 4 follow-on (per-connector page extraction) tracked in cowork/docs-overhaul-phase-2-restructure-2026-05-04/log.md.

Net add: 8 files, 1,066 lines. No content removed from index.md.
@@ -0,0 +1,89 @@
# Google CAS Issuer Connector — Operator Deep-Dive

> Last reviewed: 2026-05-05
>
> Operator-grade documentation for the Google Cloud Certificate
> Authority Service (CAS) issuer connector. For the
> connector-development context (interface contract, registry,
> ports/adapters), see the [connector index](index.md).

## Overview

Google Cloud Certificate Authority Service is a managed private CA
on GCP. Issuance is synchronous via the CAS REST API with OAuth2
service-account auth.

Implementation lives at `internal/connector/issuer/googlecas/`.

## When to use this connector

Use the Google CAS connector when:

- Your workloads are GCP-native and you want the CA to live inside
your GCP project (for blast radius, IAM, and audit reasons).
- You want IAM-bound service-account auth instead of API keys to
rotate.
- You need GCP-native CRL distribution and audit logging served by
Google.

Look elsewhere when:

- You're not on GCP — AWS ACM Private CA or Azure Key Vault are
the cloud-native equivalents on those platforms.
- You need public-trust certificates — CAS is private only.
- You don't already pay for CAS (it has a non-trivial monthly
cost). Vault, step-ca, or the Local CA issuer are free
self-hosted alternatives.

## Configuration

| Setting | Required | Default | Description |
|---|---|---|---|
| `CERTCTL_GOOGLE_CAS_PROJECT` | Yes | — | GCP project ID |
| `CERTCTL_GOOGLE_CAS_LOCATION` | Yes | — | GCP region (e.g. `us-central1`) |
| `CERTCTL_GOOGLE_CAS_CA_POOL` | Yes | — | CA pool name |
| `CERTCTL_GOOGLE_CAS_CREDENTIALS` | Yes | — | Path to service account JSON |
| `CERTCTL_GOOGLE_CAS_TTL` | No | `8760h` | Default certificate TTL |

## Authentication

OAuth2 service account. The connector reads a service account
JSON file, signs a JWT with the private key, and exchanges it for
an access token at Google's token endpoint. Tokens are cached and
refreshed automatically (5 min before expiry) so the connector
doesn't pay token-mint latency on every request.

## Revocation

CRL and OCSP are managed by Google CAS directly. certctl records
revocations locally and notifies Google CAS via the revoke
endpoint. CAS's CRL distribution and audit logging serve the
resulting status to verifying clients.

## Operator playbook

### Service-account key rotation

1. Generate a new service-account key in the GCP IAM console.
2. Distribute the new JSON to the certctl host at the
`CERTCTL_GOOGLE_CAS_CREDENTIALS` path (overwrite or use a new
path).
3. Either restart certctl-server with the new env var or hot-swap
via `PUT /api/v1/issuers/{id}` so the registry's Rebuild path
replaces the connector.
4. Delete the old key in GCP IAM after the next successful
issuance proves the new key works.

### Required IAM roles

The service account needs `roles/privateca.certificateRequester`
(or a custom role with `privateca.certificates.create` and
`privateca.certificates.get`) on the CA pool. Add
`roles/privateca.certificateAuthorityUser` if the connector also
needs to read the issuing CA cert chain.

## Related docs

- [Connector index](index.md) — interface contract, registry, port/adapter wiring
- [AWS ACM PCA](aws-acm-pca.md) — AWS equivalent
- [Async CA polling](../protocols/async-ca-polling.md) — bounded-polling primitive (Google CAS is synchronous so doesn't consume it)
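Review bot: the "Required IAM roles" section and the "Revocation" section disagree on what the service account needs. "Required IAM roles" scopes the account to `privateca.certificates.create` and `privateca.certificates.get` (via `roles/privateca.certificateRequester`), but "Revocation" says certctl "notifies Google CAS via the revoke endpoint"; neither `create` nor `get` is a revoke permission, so an operator who follows the roles section literally gets working issuance and a failing revocation path. Confirm which permission the revoke call requires and add it to the list, or state explicitly that revocation needs a broader role than `certificateRequester`. Two smaller points in the same hunk: the "Service-account key rotation" playbook covers swapping the JSON at `CERTCTL_GOOGLE_CAS_CREDENTIALS` but never says what file permissions that path should carry, even though the "Authentication" section makes clear it holds a long-lived private key used to sign JWTs; and "Authentication" could say whether a keyless credential (an attached service account / ambient credentials on a GCP host) is supported, since the "When to use" section sells the connector on "IAM-bound service-account auth instead of API keys to rotate" while the only documented mode is still a key file that must be rotated.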