Extracts the rest of the issuer per-connector deep-dive pages:

- local-ca.md (170 lines) — Local CA self-signed / sub-CA / tree mode, CRL+OCSP endpoints, EKU support, MaxTTL enforcement, L-014 file-on-disk threat model carve-out
- acme.md (235 lines) — RFC 8555 v2 client (HTTP-01 / DNS-01 / DNS-PERSIST-01), ARI per RFC 9773, EAB + ZeroSSL auto-EAB, Let's Encrypt profile selection, revoke-by-serial Top-10 fix #7
- step-ca.md (99 lines) — Smallstep JWK-provisioner synchronous issuance with MaxTTL enforcement
- openssl.md (157 lines) — script-based shell-out with full threat model (what's accepted, what's not, mitigations, V3-Pro forward path)
- sectigo.md (98 lines) — Sectigo SCM REST with bounded async polling
- google-cas.md (89 lines) — GCP managed private CA with OAuth2 service-account auth + IAM-role guidance
- entrust.md (96 lines) — Entrust CA Gateway mTLS-authenticated with approval-pending support and mTLS keypair caching
- globalsign.md (122 lines) — Atlas HVCA dual auth (mTLS + API key/secret), region-aware base URLs, mTLS keypair caching

Index forward-list expanded to enumerate all 13 issuer connectors (including the 5 pages from batch 1) in alphabetical order.

This is part 2 of 4 for the Phase 4 follow-on (per-connector page extraction) tracked in cowork/docs-overhaul-phase-2-restructure-2026-05-04/log.md.

Net add: 8 files, 1,066 lines. No content removed from index.md.
Google CAS Issuer Connector — Operator Deep-Dive
Last reviewed: 2026-05-05
Operator-grade documentation for the Google Cloud Certificate Authority Service (CAS) issuer connector. For the connector-development context (interface contract, registry, ports/adapters), see the connector index.
Overview
Google Cloud Certificate Authority Service is a managed private CA on GCP. Issuance is synchronous via the CAS REST API with OAuth2 service-account auth.
Implementation lives at `internal/connector/issuer/googlecas/`.
When to use this connector
Use the Google CAS connector when:
- Your workloads are GCP-native and you want the CA to live inside your GCP project (for blast radius, IAM, and audit reasons).
- You want IAM-bound service-account auth instead of API keys to rotate.
- You need GCP-native CRL distribution and audit logging served by Google.
Look elsewhere when:
- You're not on GCP — AWS ACM Private CA or Azure Key Vault are the cloud-native equivalents on those platforms.
- You need public-trust certificates — CAS is private only.
- You don't already pay for CAS (it has a non-trivial monthly cost). Vault, step-ca, or the Local CA issuer are free self-hosted alternatives.
Configuration
| Setting | Required | Default | Description |
|---|---|---|---|
| `CERTCTL_GOOGLE_CAS_PROJECT` | Yes | — | GCP project ID |
| `CERTCTL_GOOGLE_CAS_LOCATION` | Yes | — | GCP region (e.g. `us-central1`) |
| `CERTCTL_GOOGLE_CAS_CA_POOL` | Yes | — | CA pool name |
| `CERTCTL_GOOGLE_CAS_CREDENTIALS` | Yes | — | Path to service account JSON |
| `CERTCTL_GOOGLE_CAS_TTL` | No | `8760h` | Default certificate TTL |
Authentication
OAuth2 service account. The connector reads a service account JSON file, signs a JWT with the private key, and exchanges it for an access token at Google's token endpoint. Tokens are cached and refreshed automatically (5 min before expiry) so the connector doesn't pay token-mint latency on every request.
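The service-account exchange and the refresh-ahead token cache described above, as an added example that is not the connector's own code (the real implementation lives under `internal/connector/issuer/googlecas/` and may differ). It assumes the standard Google jwt-bearer grant: the caller passes the service account's `client_email`, the OAuth scope and the `token_uri` from the JSON file; `Assertion`, `TokenCache` and the `Mint` callback are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"time"
)

const refreshSkew = 5 * time.Minute // re-mint this long before expiry, as the connector does

// Assertion builds the RS256-signed JWT (RFC 7523 jwt-bearer grant) that is POSTed to
// tokenURI as the "assertion" field; the private key never leaves the host, only this does.
func Assertion(key *rsa.PrivateKey, email, scope, tokenURI string, now time.Time) (string, error) {
	b64 := func(v any) string {
		b, _ := json.Marshal(v) // string/int maps cannot fail to marshal
		return base64.RawURLEncoding.EncodeToString(b)
	}
	signingInput := b64(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." +
		b64(map[string]any{"iss": email, "scope": scope, "aud": tokenURI,
			"iat": now.Unix(), "exp": now.Add(time.Hour).Unix()}) // Google caps exp at 1h
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TokenCache serves a cached access token and re-mints it refreshSkew before
// expiry. Mint performs the network exchange (hypothetical); Now is an injectable clock.
type TokenCache struct {
	Mint   func() (token string, expiry time.Time, err error)
	Now    func() time.Time
	token  string
	expiry time.Time
}

func (c *TokenCache) Token() (string, error) {
	if c.Now().Before(c.expiry.Add(-refreshSkew)) {
		return c.token, nil // still fresh: no token-mint latency on this request
	}
	tok, exp, err := c.Mint()
	if err != nil {
		return "", err // cache untouched; the next call retries
	}
	c.token, c.expiry = tok, exp
	return tok, nil
}
```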
Revocation
CRL and OCSP are managed by Google CAS directly. certctl records revocations locally and notifies Google CAS via the revoke endpoint. CAS's CRL distribution and audit logging serve the resulting status to verifying clients.
Operator playbook
Service-account key rotation
- Generate a new service-account key in the GCP IAM console.
- Distribute the new JSON to the certctl host at the `CERTCTL_GOOGLE_CAS_CREDENTIALS` path (overwrite or use a new path).
- Either restart certctl-server with the new env var or hot-swap via `PUT /api/v1/issuers/{id}` so the registry's Rebuild path replaces the connector.
- Delete the old key in GCP IAM after the next successful issuance proves the new key works.
Required IAM roles
The service account needs `roles/privateca.certificateRequester` (or a custom role with `privateca.certificates.create` and `privateca.certificates.get`) on the CA pool. Add `roles/privateca.certificateAuthorityUser` if the connector also needs to read the issuing CA cert chain.
Related docs
- Connector index — interface contract, registry, port/adapter wiring
- AWS ACM PCA — AWS equivalent
- Async CA polling — bounded-polling primitive (Google CAS issuance is synchronous, so this connector doesn't consume it)