Setting up Venafi for use with Google Cloud CA Service

Make sure you've already configured Google before continuing. Your Google account must be set up and operational before Venafi can connect to it.

For Google Cloud Private CA, if you are upgrading from 21.1 or earlier, be sure you have the correct version. Support for Google Cloud Private CA ends sometime in Q2 of 2021. You must upgrade to Version 1.0 or greater. After the Google upgrade:

  • You should either re-validate existing CA Templates or create new ones.

  • Your existing certificates can no longer be managed by Google, so you must use the new or updated CA Template to re-issue them.

Creating a Google Credential

A Google credential object is used by Venafi Trust Protection Platform to store your Google Cloud Service Account Key file (JSON format). This allows Trust Protection Platform to use your Google Service Account to access your Google Cloud CA and Google Cloud Load Balancer.

To create a new Google credential

  1. From the Platform menu bar, click Policy Tree.

  2. From the Policy tree, select the folder where you want to create the Google credential, and then click Add > Credential > Google Credential.
  3. In Credential Name, type a name for the new credential.
  4. Click Upload Google Service Account Key File (near the top of the page), locate the JSON file, and then click Upload.
  5. Click Save.

Create and configure a Google Cloud CA template

To enable Trust Protection Platform to manage certificates installed anywhere, including on Google Cloud-native applications such as Google Cloud Load Balancer, you must configure a Google Cloud CA application object. This object provides the information Trust Protection Platform needs to request, renew, and revoke certificates while also enabling automated provisioning of the certificate to associated devices.

To create and configure a new Google Cloud CA template

  1. Log in to Policy Tree, or use the Product Switcher if you're in Aperture.
  2. From the Policy tree, select the folder where you want to create the Google Cloud CA template, and then click Add > CA Template > Google Cloud CA.

    TIP  Consider these concepts about organizing folders in the Policy tree to maximize ease of use. 

  3. In CA Name, type a name for the new template. 
  4. (Optional) If you find it helpful, type a Description for the new template.

    This might help other users who might want to work with your template. 

  5. (Optional) In Contacts, select other users who should receive email notifications related to your Google Cloud CA.

    TIP  If another system administrator manages this new CA, it can be helpful to add them as contacts so they'll get notified about changes to this object's settings, when they occur.

  6. In the Connection box, select the Google credential you created previously.

  7. The Project ID is populated from the project in the valid Google credential. It specifies the project in which the Private CA is placed. The value is extracted from the Google credential, and you can edit it if needed.
  8. Click Validate.

    Trust Protection Platform retrieves all regions (locations) and all CAs for each of them, and then selects the first region that has at least one CA. Certificate Authority ID is populated with the CAs for the selected region. If a region list can't be retrieved, Trust Protection Platform defaults to the current region.

    For Google Cloud Private CA, the Certificate Authority ID is shown with additional CA pool information.

    TIP  Trust Protection Platform remembers the last saved ID, so you only need to validate again if you need to update the CA template to use a different ID.

  9. Under Configuration, do the following:
    1. Select the Region where your Google Cloud CA application resides.
    2. (Optional) Select the Certificate Authority ID and corresponding CA Pool information. If there are no values, select another Region that includes a CA.
    3. (Optional) Select Subject Alt Name Enabled if you want this CA object to support CSRs with DNS-based subject alt name (SAN) values.

      If you do not select this option, the current CA template object will not accept CSRs with SAN values. If Trust Protection Platform attempts to submit a CSR with SAN values, the CA Template object returns the following error:

      Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

      For additional information on defining SAN values in a certificate, see Subject Alt Name in About certificate object settings.

    4. (Optional) Select Allow Users to Specify End Date if you want this CA object to allow users to specify expiration (end) dates for certificates requested from the CA, so that they do not expire during your known freeze periods.

      Renewing certificates that expire during freeze periods can be challenging. You can avoid potential interruptions by setting expiration dates that fall outside of the freeze period.

      DID YOU KNOW?  This option is disabled automatically after successful enrollment so that the validity period takes effect thereafter.

    5. In Validity Period, type the number of days for which certificates are valid. This setting is used when enrolling certificates. You can enter any positive integer. The default is 365 (days).

      TIP  If you need to define multiple validity periods, create additional CA objects that differ only in the validity period assignment.

  10. (Optional) To see additional attributes, review the settings on the Support tab.
  11. When you're finished, click Save.
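The two checks the procedure above relies on, reading the Project ID out of the uploaded service account key file and choosing a region during Validate, can be reviewed offline before anything is uploaded. The following is an added example written for this page, not Venafi or Google code; the key file contents, region names and CA IDs are constructed, and the behaviour when no region has a CA (fall back to the current region) is an assumption the page does not state.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Google service account key file, the JSON file
# uploaded to the Google credential. The private key is a placeholder.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-pki-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "venafi-ca@example-pki-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Fields a service account key file must carry for the credential to be usable.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")


def key_file_problems(raw: str) -> List[str]:
    """Return a list of problems found in the key file (empty when it looks valid)."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in data]
    if data.get("type") not in (None, "service_account"):
        problems.append(f"unexpected credential type: {data['type']!r}")
    return problems


def project_id_from_key_file(raw: str) -> str:
    """The value the Project ID field is populated from after the credential is selected."""
    problems = key_file_problems(raw)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(raw)["project_id"]


def select_region(regions: Optional[Dict[str, List[str]]],
                  current_region: str) -> Tuple[str, List[str]]:
    """Mirror the Validate step: pick the first region with at least one CA and
    return it with its CA IDs. If the region list could not be retrieved (None),
    default to the current region, as the page describes; the same fallback is
    used when no region has a CA (assumption, not stated on the page)."""
    if regions is None:
        return current_region, []
    for region, ca_ids in regions.items():
        if ca_ids:
            return region, list(ca_ids)
    return current_region, list(regions.get(current_region, []))
```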

What's next?

After you create a CA object, you can select it from the Policy tree, and then view important information and manage various settings.

  • Click the General tab to view and modify log and permissions settings.

    • Click the Log sub-tab to view any logged events that are triggered by the template object.

      IMPORTANT  You must have the Read permission to view the Log tab.

      For more information about options found on the Log tab, see Viewing log events.

    • On the Permissions sub-tab, you can configure the users or groups to whom you want to grant permissions to the new template object.

      Consider managing object permissions via parent objects so that you can take advantage of inheritance. For more information, see Permission inheritance and flow down.