If you need different certificate authorities to sign workload certificates
on different clusters.
If you need to back your signing keys in a managed HSM.
If you are in a highly regulated industry and are subject to compliance.
If you want to chain up your Cloud Service Mesh CA to a custom enterprise root
certificate to sign workload certificates.
The cost of Cloud Service Mesh certificate authority is included in the
Cloud Service Mesh pricing. The
CA Service isn't included in the base Cloud Service Mesh price and is
charged separately. Additionally,
CA Service comes with an
explicit SLA, but the Cloud Service Mesh certificate authority does not.
Requirements
Enable the required API in the project where the CA pool will be configured.
Create the CA pool
in the tier DevOps and in the same region as the
cluster that it serves to avoid excessive latency issues or potential
cross-region outages. For more information, see Workload-optimized tiers.
Create the CA
to have at least one active certificate authority in the CA pool in the
same project as the GKE cluster. Use subordinate CA's to sign
Cloud Service Mesh workload certificates. Note down the CA pool
corresponding to the subordinate CA.
If it is meant to only service certificates for Cloud Service Mesh workloads, set
up the following issuance policy for the CA pool:
If you are using a certificate template, then configure it now. For more information,
follow the CA Service guide for workload identity certificates.
Ensure the certificate template is created in the same region as the CA pool. If there are multiple regions for CA pools, then create a certificate
template per region.
Roles required to use CA service
For this integration, all workloads in Cloud Service Mesh require the following
IAM roles.
These roles-bindings need to be explicitly applied for Cloud Service Mesh workloads:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Configure Certificate Authority Service for Managed Cloud Service Mesh\n======================================================================\n\nThis guide describes how to configure Certificate Authority Service for managed Cloud Service Mesh.\nFor information on in-cluster Cloud Service Mesh, see\n[Install default features and Certificate Authority (CA) Service](/service-mesh/v1.21/docs/unified-install/install-anthos-service-mesh#install_ca_service).\n| **Note:** Using Certificate Authority Service (CA Service) is not supported when using the [fleet-default configuration](/service-mesh/v1.21/docs/onboarding/provision-control-plane#configure_your_fleet) in GKE Enterprise and registering clusters to the fleet during cluster creation. To use CA Service we recommend that you [configure Cloud Service Mesh per cluster](/service-mesh/v1.21/docs/onboarding/provision-control-plane#configure_per_cluster).\n\nIn addition to [Cloud Service Mesh certificate authority](/service-mesh/v1.21/docs/security/security-overview#features),\nyou can configure Cloud Service Mesh to use\n[Certificate Authority Service](/certificate-authority-service/docs). This\nguide provides you an opportunity to integrate with CA Service,\nwhich is recommended for the following use cases:\n\n- If you need different certificate authorities to sign workload certificates on different clusters.\n- If you need to back your signing keys in a [managed HSM](/kms/docs/hsm).\n- If you are in a highly regulated industry and are subject to compliance.\n- If you want to chain up your Cloud Service Mesh CA to a custom enterprise root certificate to sign workload certificates.\n\nThe cost of Cloud Service Mesh certificate authority is included in the\n[Cloud Service Mesh pricing](/service-mesh/pricing). The\nCA Service isn't included in the base Cloud Service Mesh price and is\n[charged separately](/certificate-authority-service/pricing). Additionally,\nCA Service comes with an\n[explicit SLA](/certificate-authority-service/sla), but the Cloud Service Mesh certificate authority does not.\n\n### Requirements\n\nEnable the required API in the project where the CA pool will be configured. \n\n gcloud services enable privateca.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e\n\n### Configure CA Service\n\n1. Create the [CA pool](/certificate-authority-service/docs/creating-ca-pool) in the tier `DevOps` and in the same region as the cluster that it serves to avoid excessive latency issues or potential cross-region outages. For more information, see [Workload-optimized tiers](/certificate-authority-service/docs/tiers).\n2. [Create the CA](/certificate-authority-service/docs/creating-certificate-authorities) to have at least one active certificate authority in the CA pool in the same project as the GKE cluster. Use subordinate CA's to sign Cloud Service Mesh workload certificates. Note down the [CA pool](/certificate-authority-service/docs/ca-pool) corresponding to the subordinate CA.\n3. If it is meant to only service certificates for Cloud Service Mesh workloads, set\n up the following issuance policy for the CA pool:\n\n ### policy.yaml\n\n ```\n baselineValues:\n keyUsage:\n baseKeyUsage:\n digitalSignature: true\n keyEncipherment: true\n extendedKeyUsage:\n serverAuth: true\n clientAuth: true\n caOptions:\n isCa: false\n identityConstraints:\n allowSubjectPassthrough: false\n allowSubjectAltNamesPassthrough: true\n celExpression:\n expression: subject_alt_names.all(san, san.type == URI && san.value.startsWith(\"spiffe://PROJECT_ID.svc.id.goog/ns/\") )\n ```\n | **Note:** As a best practice for multi-cluster meshes, set one subordinate CA pool per unique cluster region. All the subordinate CA pools should chain to the same root CA pool.\n4. To update the CA pool's issuance policy, use the following command:\n\n ```\n gcloud privateca pools update CA_POOL --location ca_region --issuance-policy policy.yaml\n ```\n\n For information on setting a policy on a pool, see [Using a certificate issuance policy](/certificate-authority-service/docs/use-issuance-policy).\n5. If you are using a [certificate template](/certificate-authority-service/docs/certificate-template), then configure it now. For more information,\n follow the [CA Service guide](/certificate-authority-service/docs/creating-certificate-template#workload-identity) for workload identity certificates.\n Ensure the certificate template is created in the same region as the CA pool. If there are multiple regions for CA pools, then create a certificate\n template per region.\n\n### Roles required to use CA service\n\nFor this integration, all workloads in Cloud Service Mesh require the following\n[IAM roles](/certificate-authority-service/docs/reference/permissions-and-roles).\nThese roles-bindings need to be explicitly applied for Cloud Service Mesh workloads: \n\n WORKLOAD_IDENTITY=\"\u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e.svc.id.goog:/allAuthenticatedUsers/\"\n\n gcloud privateca pools add-iam-policy-binding \u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e \\\n --project \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.workloadCertificateRequester\"\n\n gcloud privateca pools add-iam-policy-binding \u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e \\\n --project \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.auditor\"\n\nIf using certificate templates: \n\n gcloud privateca templates add-iam-policy-binding \u003cvar translate=\"no\"\u003eCERT_TEMPLATE_ID\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.templateUser\"\n\n### Limitations\n\n- Configure and pick the CA before provisioning your Cloud Service Mesh control plane. Changing CA is not supported.\n\n### Configure managed Cloud Service Mesh to use CA Service\n\n| **Note:** Make sure to complete all the following steps before you [enable automatic management](/service-mesh/v1.21/docs/onboarding/provision-control-plane#enable_automatic_management).\n\n1. Verify that the `istio-system` namespace exists, or create it if it is\n missing:\n\n kubectl create ns istio-system\n\n2. Check if `asm-options` configmap exists in the `istio-system` namespace:\n\n kubectl get configmap/asm-options -n istio-system\n\n3. Create the configmap if it does not exist:\n\n kubectl create configmap -n istio-system asm-options\n\n4. Patch the configmap to add CAS configuration:\n\n kubectl patch configmap/asm-options -n istio-system --type merge \\\n -p '{\"data\":{\"ASM_OPTS\": \"CA=PRIVATECA;CAAddr=projects/\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/caPools/\u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e\"}}'\n\n If a certificate template is needed, append the template ID to the CA Pool\n address using `:` as a separator: \n\n kubectl patch configmap/asm-options -n istio-system --type merge \\\n -p '{\"data\":{\"ASM_OPTS\": \"CA=PRIVATECA;CAAddr=projects/\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/caPools/\u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e:projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/certificateTemplates/\u003cvar translate=\"no\"\u003eCERT_TEMPLATE_ID\u003c/var\u003e\"}}'\n\nAfter completing the configuration steps, continue the installation of managed Cloud Service Mesh by [enabling automatic management](/service-mesh/v1.21/docs/onboarding/provision-control-plane#enable_automatic_management)."]]