gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
68ca42fef1216d1aa199777f2c99f6ee1c3fa2dd
certctl/docs/reference/connectors/google-cas.md
T
shankar0123 de06141ce5 docs: Phase 4 follow-on batch 2 — 8 remaining issuer per-pages 
Extracts the rest of the issuer per-connector deep-dive pages:

- local-ca.md (170 lines) — Local CA self-signed / sub-CA / tree mode,
  CRL+OCSP endpoints, EKU support, MaxTTL enforcement, L-014 file-on-
  disk threat model carve-out
- acme.md (235 lines) — RFC 8555 v2 client (HTTP-01 / DNS-01 /
  DNS-PERSIST-01), ARI per RFC 9773, EAB + ZeroSSL auto-EAB,
  Let's Encrypt profile selection, revoke-by-serial Top-10 fix #7
- step-ca.md (99 lines) — Smallstep JWK-provisioner synchronous
  issuance with MaxTTL enforcement
- openssl.md (157 lines) — script-based shell-out with full
  threat model (what's accepted, what's not, mitigations, V3-Pro
  forward path)
- sectigo.md (98 lines) — Sectigo SCM REST with bounded async polling
- google-cas.md (89 lines) — GCP managed private CA with OAuth2
  service-account auth + IAM-role guidance
- entrust.md (96 lines) — Entrust CA Gateway mTLS-authenticated with
  approval-pending support and mTLS keypair caching
- globalsign.md (122 lines) — Atlas HVCA dual auth (mTLS + API
  key/secret), region-aware base URLs, mTLS keypair caching

Index forward-list expanded to enumerate all 13 issuer connectors
(including the 5 pages from batch 1) in alphabetical order.

This is part 2 of 4 for the Phase 4 follow-on (per-connector page
extraction) tracked in cowork/docs-overhaul-phase-2-restructure-2026-05-04/log.md.

Net add: 8 files, 1,066 lines. No content removed from index.md.
2026-05-05 03:59:35 +00:00

90 lines
3.3 KiB
Markdown
Raw Blame History

# Google CAS Issuer Connector — Operator Deep-Dive
> Last reviewed: 2026-05-05
>
> Operator-grade documentation for the Google Cloud Certificate
> Authority Service (CAS) issuer connector. For the
> connector-development context (interface contract, registry,
> ports/adapters), see the [connector index](index.md).
## Overview
Google Cloud Certificate Authority Service is a managed private CA
on GCP. Issuance is synchronous via the CAS REST API with OAuth2
service-account auth.
Implementation lives at `internal/connector/issuer/googlecas/`.
## When to use this connector
Use the Google CAS connector when:
- Your workloads are GCP-native and you want the CA to live inside
your GCP project (for blast radius, IAM, and audit reasons).
- You want IAM-bound service-account auth instead of API keys to
rotate.
- You need GCP-native CRL distribution and audit logging served by
Google.
Look elsewhere when:
- You're not on GCP — AWS ACM Private CA or Azure Key Vault are
the cloud-native equivalents on those platforms.
- You need public-trust certificates — CAS is private only.
- You don't already pay for CAS (it has a non-trivial monthly
cost). Vault, step-ca, or the Local CA issuer are free
self-hosted alternatives.
## Configuration
| Setting | Required | Default | Description |
|---|---|---|---|
| `CERTCTL_GOOGLE_CAS_PROJECT` | Yes | — | GCP project ID |
| `CERTCTL_GOOGLE_CAS_LOCATION` | Yes | — | GCP region (e.g. `us-central1`) |
| `CERTCTL_GOOGLE_CAS_CA_POOL` | Yes | — | CA pool name |
| `CERTCTL_GOOGLE_CAS_CREDENTIALS` | Yes | — | Path to service account JSON |
| `CERTCTL_GOOGLE_CAS_TTL` | No | `8760h` | Default certificate TTL |
## Authentication
OAuth2 service account. The connector reads a service account
JSON file, signs a JWT with the private key, and exchanges it for
an access token at Google's token endpoint. Tokens are cached and
refreshed automatically (5 min before expiry) so the connector
doesn't pay token-mint latency on every request.
## Revocation
CRL and OCSP are managed by Google CAS directly. certctl records
revocations locally and notifies Google CAS via the revoke
endpoint. CAS's CRL distribution and audit logging serve the
resulting status to verifying clients.
## Operator playbook
### Service-account key rotation
1. Generate a new service-account key in the GCP IAM console.
2. Distribute the new JSON to the certctl host at the
`CERTCTL_GOOGLE_CAS_CREDENTIALS` path (overwrite or use a new
path).
3. Either restart certctl-server with the new env var or hot-swap
via `PUT /api/v1/issuers/{id}` so the registry's Rebuild path
replaces the connector.
4. Delete the old key in GCP IAM after the next successful
issuance proves the new key works.
### Required IAM roles
The service account needs `roles/privateca.certificateRequester`
(or a custom role with `privateca.certificates.create` and
`privateca.certificates.get`) on the CA pool. Add
`roles/privateca.certificateAuthorityUser` if the connector also
needs to read the issuing CA cert chain.
## Related docs
- [Connector index](index.md) — interface contract, registry, port/adapter wiring
- [AWS ACM PCA](aws-acm-pca.md) — AWS equivalent
- [Async CA polling](../protocols/async-ca-polling.md) — bounded-polling primitive (Google CAS is synchronous so doesn't consume it)
Reference in New Issue View Git Blame Copy Permalink