If you need different certificate authorities to sign workload certificates
on different clusters.
If you need to back your signing keys in a Cloud HSM.
If you are in a highly regulated industry and are subject to compliance.
If you want to chain up your Cloud Service Mesh CA to a custom enterprise root
certificate to sign workload certificates.
The cost of Cloud Service Mesh certificate authority is included in the
Cloud Service Mesh pricing. The
CA Service isn't included in the base Cloud Service Mesh price and is
charged separately. Additionally,
CA Service comes with an
explicit SLA, but the Cloud Service Mesh certificate authority does not.
Prerequisites
As a starting point, this guide assumes that you have:
One or more clusters with a
supported version of GKE,
in one of the supported regions.
To learn how to create a Google Kubernetes Engine cluster with Cloud Service Mesh enabled, see the per cluster configuration in the
Provision a managed Cloud Service Mesh control plane on Google Kubernetes Engine document.
Enabling managed Cloud Service Mesh as a default configuration for your fleet and registering clusters to the fleet during cluster creation only supports
Mesh CA. You must configure Cloud Service Mesh per cluster and enable CA Service
explicitly for each cluster.
Requirements
Enable the required API in the project where the CA pool will be configured.
Create the CA pool
in the tier DevOps and in the same region as the
cluster that it serves to avoid excessive latency issues or potential
cross-region outages. For more information, see Workload-optimized tiers.
Create the CA
to have at least one active certificate authority in the CA pool in the
same project as the GKE cluster. Use subordinate CA's to sign
Cloud Service Mesh workload certificates. Note down the CA pool
corresponding to the subordinate CA.
If it is meant to only service certificates for Cloud Service Mesh workloads, set
up the following issuance policy for the CA pool:
If you are using a certificate template, then configure it now. For more information,
follow the CA Service guide for workload identity certificates.
Ensure the certificate template is created in the same region as the CA pool. If there are multiple regions for CA pools, then create a certificate
template per region.
Roles required to use CA service
For this integration, all workloads in Cloud Service Mesh require the following
IAM roles.
These roles-bindings need to be explicitly applied for Cloud Service Mesh workloads:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Configure Certificate Authority Service for Managed Cloud Service Mesh\n\nConfigure Certificate Authority Service for Managed\nCloud Service Mesh\n======================================================================\n\nThis guide describes how to configure Certificate Authority Service for managed\nCloud Service Mesh. For information on in-cluster Cloud Service Mesh, see\n[Install default features and Certificate Authority (CA) Service](/service-mesh/v1.24/docs/unified-install/install-anthos-service-mesh#install_ca_service).\n| **Note:** Using Certificate Authority Service (CA Service) is not supported when using the [fleet-default configuration](/service-mesh/v1.24/docs/onboarding/provision-control-plane#configure_your_fleet) in GKE Enterprise and registering clusters to the fleet during cluster creation. To use CA Service we recommend that you [configure Cloud Service Mesh per cluster](/service-mesh/v1.24/docs/onboarding/provision-control-plane#configure_per_cluster).\n\nIn addition to [Cloud Service Mesh certificate authority](/service-mesh/v1.24/docs/security/security-overview#features),\nyou can configure Cloud Service Mesh to use\n[Certificate Authority Service](/certificate-authority-service/docs). This\nguide provides you an opportunity to integrate with CA Service,\nwhich is recommended for the following use cases:\n\n- If you need different certificate authorities to sign workload certificates on different clusters.\n- If you need to back your signing keys in a [Cloud HSM](/kms/docs/hsm).\n- If you are in a highly regulated industry and are subject to compliance.\n- If you want to chain up your Cloud Service Mesh CA to a custom enterprise root certificate to sign workload certificates.\n\nThe cost of Cloud Service Mesh certificate authority is included in the\n[Cloud Service Mesh pricing](/service-mesh/pricing). The\nCA Service isn't included in the base Cloud Service Mesh price and is\n[charged separately](/certificate-authority-service/pricing). Additionally,\nCA Service comes with an\n[explicit SLA](/certificate-authority-service/sla), but the Cloud Service Mesh certificate authority does not.\n\nPrerequisites\n-------------\n\nAs a starting point, this guide assumes that you have:\n\n- [A Cloud project](/resource-manager/docs/creating-managing-projects)\n- [A Cloud Billing account](/billing/docs/how-to/manage-billing-account)\n- Obtained the [required permissions](/service-mesh/v1.24/docs/onboarding/provision-control-plane#roles-required) to provision Cloud Service Mesh\n- Enabled [Workload Identity Federation for GKE](/kubernetes-engine/docs/how-to/workload-identity) on your clusters and node pools.\n-\n One or more clusters with a\n [supported version of GKE](/service-mesh/v1.24/docs/managed/supported-features-mcp#environments),\n in one of the supported [regions](/service-mesh/v1.24/docs/managed/supported-features-mcp#regions).\n To learn how to create a Google Kubernetes Engine cluster with Cloud Service Mesh enabled, see the per cluster configuration in the\n [Provision a managed Cloud Service Mesh control plane on Google Kubernetes Engine](/service-mesh/v1.24/docs/onboarding/provision-control-plane#configure_per_cluster) document.\n Enabling managed Cloud Service Mesh as a default configuration for your fleet and registering clusters to the fleet during cluster creation only supports\n [Mesh CA](/service-mesh/v1.24/docs/security/security-overview#features). You must configure Cloud Service Mesh per cluster and enable CA Service\n explicitly for each cluster.\n\nRequirements\n------------\n\nEnable the required API in the project where the CA pool will be configured. \n\n gcloud services enable privateca.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e\n\nConfigure CA Service\n--------------------\n\n1. Create the [CA pool](/certificate-authority-service/docs/creating-ca-pool) in the tier `DevOps` and in the same region as the cluster that it serves to avoid excessive latency issues or potential cross-region outages. For more information, see [Workload-optimized tiers](/certificate-authority-service/docs/tiers).\n2. [Create the CA](/certificate-authority-service/docs/creating-certificate-authorities) to have at least one active certificate authority in the CA pool in the same project as the GKE cluster. Use subordinate CA's to sign Cloud Service Mesh workload certificates. Note down the [CA pool](/certificate-authority-service/docs/ca-pool) corresponding to the subordinate CA.\n3. If it is meant to only service certificates for Cloud Service Mesh workloads, set\n up the following issuance policy for the CA pool:\n\n ### policy.yaml\n\n ```\n baselineValues:\n keyUsage:\n baseKeyUsage:\n digitalSignature: true\n keyEncipherment: true\n extendedKeyUsage:\n serverAuth: true\n clientAuth: true\n caOptions:\n isCa: false\n identityConstraints:\n allowSubjectPassthrough: false\n allowSubjectAltNamesPassthrough: true\n celExpression:\n expression: subject_alt_names.all(san, san.type == URI && san.value.startsWith(\"spiffe://PROJECT_ID.svc.id.goog/ns/\") )\n ```\n | **Note:** As a best practice for multi-cluster meshes, set one subordinate CA pool per unique cluster region. All the subordinate CA pools should chain to the same root CA pool.\n4. To update the CA pool's issuance policy, use the following command:\n\n ```\n gcloud privateca pools update CA_POOL --location ca_region --issuance-policy policy.yaml\n ```\n\n For information on setting a policy on a pool, see [Using a certificate issuance policy](/certificate-authority-service/docs/use-issuance-policy).\n5. If you are using a [certificate template](/certificate-authority-service/docs/certificate-template), then configure it now. For more information,\n follow the [CA Service guide](/certificate-authority-service/docs/creating-certificate-template#workload-identity) for workload identity certificates.\n Ensure the certificate template is created in the same region as the CA pool. If there are multiple regions for CA pools, then create a certificate\n template per region.\n\n### Roles required to use CA service\n\nFor this integration, all workloads in Cloud Service Mesh require the following\n[IAM roles](/certificate-authority-service/docs/reference/permissions-and-roles).\nThese roles-bindings need to be explicitly applied for Cloud Service Mesh workloads: \n\n WORKLOAD_IDENTITY=\"\u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e.svc.id.goog:/allAuthenticatedUsers/\"\n\n gcloud privateca pools add-iam-policy-binding \u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e \\\n --project \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.workloadCertificateRequester\"\n\n gcloud privateca pools add-iam-policy-binding \u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e \\\n --project \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.auditor\"\n\nIf using certificate templates: \n\n gcloud privateca templates add-iam-policy-binding \u003cvar translate=\"no\"\u003eCERT_TEMPLATE_ID\u003c/var\u003e \\\n --member \"group:${WORKLOAD_IDENTITY}\" \\\n --role \"roles/privateca.templateUser\"\n\nLimitations\n-----------\n\n- Configure and pick the CA before provisioning your Cloud Service Mesh control plane. Changing CA is not supported.\n\nConfigure managed Cloud Service Mesh to use CA Service\n------------------------------------------------------\n\n| **Note:** Make sure to complete all the following steps before you [enable automatic management](/service-mesh/v1.24/docs/onboarding/provision-control-plane#enable_automatic_management).\n\n1. Verify that the `istio-system` namespace exists, or create it if it is\n missing:\n\n kubectl create ns istio-system\n\n2. Check if `asm-options` configmap exists in the `istio-system` namespace:\n\n kubectl get configmap/asm-options -n istio-system\n\n3. Create the configmap if it does not exist:\n\n kubectl create configmap -n istio-system asm-options\n\n4. Patch the configmap to add CAS configuration:\n\n kubectl patch configmap/asm-options -n istio-system --type merge \\\n -p '{\"data\":{\"ASM_OPTS\": \"CA=PRIVATECA;CAAddr=projects/\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/caPools/\u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e\"}}'\n\n If a certificate template is needed, append the template ID to the CA Pool\n address using `:` as a separator: \n\n kubectl patch configmap/asm-options -n istio-system --type merge \\\n -p '{\"data\":{\"ASM_OPTS\": \"CA=PRIVATECA;CAAddr=projects/\u003cvar translate=\"no\"\u003eCA_PROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/caPools/\u003cvar translate=\"no\"\u003eCA_POOL\u003c/var\u003e:projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eca_region\u003c/var\u003e/certificateTemplates/\u003cvar translate=\"no\"\u003eCERT_TEMPLATE_ID\u003c/var\u003e\"}}'\n\nAfter completing the configuration steps, continue the installation of managed Cloud Service Mesh by [enabling automatic management](/service-mesh/v1.24/docs/onboarding/provision-control-plane#enable_automatic_management)."]]