Determine certificate authority settings
This page provides information about the various settings of a certificate authority (CA).
Permanent settings
You cannot change the settings mentioned in this section after creating the CA.
Service-specific settings
Type of CA
CA Service lets you create both root CAs and subordinate CAs.
Root CA
A root CA is a self-signed CA. Parties that need to authenticate certificates created from a root CA (relying parties) must know its CA certificate in advance. The root CA certificate is often referred to as a trust anchor.
Frequently changing a root CA is difficult. To change the root CA, you must first update all relying parties about the new trust anchor. Otherwise, they won't be able to authenticate certificates from the new root CA.
Root CAs cannot be revoked using the CRLs of the issuing CA because root CAs are self-signed. To revoke a root CA, you must remove it from the trust store of every single client that trusts it. This process can be long and tedious. Hence, we recommend protecting the root CAs.
Subordinate CA
A subordinate CA is a CA that is signed by a root CA or another subordinate CA. Following a chain of subordinate CAs, the chain always ends with a root CA.
A relying party that only knows about a root CA can also implicitly trust a subordinate CA that chains to the explicitly trusted root CA certificate. The subordinate CA can be trusted only if the relying party is able to cryptographically validate the certificate chain that forms a path to the root CA certificate.
A chain containing a root and one or more subordinate CAs can include CAs that are managed in CA Service and CAs that aren't.
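The chain behaviour described above, as an added example that is not part of the CA Service documentation: a root, a subordinate and a leaf certificate are built with the openssl CLI in a temporary directory, and a relying party that trusts only the root is then asked to validate each of them. All names, paths and lifetimes are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CA Service docs): root -> subordinate -> leaf chain
# built with openssl, then validated from the point of view of a relying party
# whose trust store contains only the root. Names and lifetimes are invented.
set -eu

build_chain() {                        # $1 = working directory
  dir=$1
  # Extensions for CA certificates (root and subordinate) and for the leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:app.example.test\n' >"$dir/leaf.ext"
  for name in root sub leaf; do        # one P-256 key and CSR per entity
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/O=Example Org/CN=Example $name CA" \
      -out "$dir/$name.csr" 2>/dev/null
  done
  # Root: self-signed trust anchor, 10-year lifetime.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Subordinate: signed by the root, shorter lifetime, still CA:TRUE.
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/sub.pem" 2>/dev/null
  # Leaf: signed by the subordinate, CA:FALSE.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
    -CAcreateserial -days 90 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# chain_status ANCHOR INTERMEDIATES CERT: validate CERT against the trust anchor
# ANCHOR, with INTERMEDIATES (may be empty) offered as untrusted chain material.
# Prints "ok" when openssl can build and verify a path to the anchor, else "fail".
chain_status() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

demo() {
  dir=$(mktemp -d)
  build_chain "$dir"
  # The subordinate's own certificate carries its subject, issuer and lifetime.
  openssl x509 -in "$dir/sub.pem" -noout -subject -issuer -enddate
  echo "leaf, sub supplied, root trusted:   $(chain_status "$dir/root.pem" "$dir/sub.pem" "$dir/leaf.pem")"
  echo "leaf, sub missing, root trusted:    $(chain_status "$dir/root.pem" "" "$dir/leaf.pem")"
  echo "subordinate CA itself, root trusted: $(chain_status "$dir/root.pem" "" "$dir/sub.pem")"
  rm -rf "$dir"
}
demo
```

The second scenario is the practical consequence of the text: the relying party trusts the root implicitly covers the subordinate, but it still has to be given (or fetch) the subordinate certificate to cryptographically build the path.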
Cloud KMS key
By default, new CAs use a Google-managed Cloud Key Management Service (Cloud KMS) key.
You can choose a specific key algorithm for the
Google-managed Cloud KMS key. Alternatively, you can grant CA Service
access to a key that already exists. For more information, see
Choose a key algorithm.
For more information about the management models for Cloud KMS keys and
Cloud Storage buckets, see Manage resources.
Cloud Storage bucket
By default, CA Service creates a new Google-managed Cloud Storage bucket
in the same location as the CA. You can also choose to use an existing self-managed
bucket or create a new bucket. To minimize latency while publishing CRLs, we
recommend creating the Cloud Storage bucket in the same location as your CA.
For more information, see Manage resources.
CA certificate settings
The following settings are directly reflected in the CA's own certificate:
| Setting | Description |
| --- | --- |
| Lifetime | Specifies a CA's lifetime. Lifetime is the amount of time, starting from the CA's creation, that the CA is valid for. |
| Subject | A CA can specify a distinguished name and subject alternative names. In many cases, these fields are purely informational. However, a relying party can choose to treat certificates issued from a CA with particular subject attributes differently. If you want to specify a subject alternative name for your CA's certificate, you must use the Google Cloud CLI. |
Optional CA settings
The following CA settings are optional. You can change these settings after creating the CA.
| Setting | Description |
| --- | --- |
| Label | A CA can have one or more user labels attached to it. Labels have no semantic meaning to CA Service. |
What's next
- Learn how to create a root CA.
- Learn how to create a subordinate CA.
- Learn how to create a subordinate CA from an external CA.
Last updated 2025-08-29 UTC.