Trailhead: Provisioning certificates to a Google Cloud Load Balancer using Venafi Platform and Google Cloud CA Service

You can simplify your enterprise PKI strategy using Google Cloud CA Service with Trust Protection Platform. No need to deploy additional servers; once configuration is complete, simply request a new certificate. As a PKI administrator, you'll have a much simpler method for revoking certificates since extracting from certificate authorities (CAs) in your network can be cumbersome. And of course, to keep things secure, you can keep your root certificates in a local CA.

Because of the relative simplicity of a cloud service solution, you can more easily prevent system outages because renewing certificates before they expire is pretty darn easy.

If you're already a pro at Google Cloud CA Service, this should be a snap. If you're new to Google products, you'll need to know how to create certificate authorities, grant permissions, and create roles. For the Venafi side of the equation, we've got you covered!

IMPORTANT  PKI setup is not only critical but highly unique within each organization. This Trailhead is not intended to prescribe a PKI method. We simply don't know your environment and unique needs and circumstances. But we are showing you how you could use Google Cloud CA with Venafi to better secure and protect Cloud-native applications, such as load balancers.

Integrating Google Cloud CA Service with Venafi

Welcome to the Google Cloud CA Service integration Trailhead. We'll step you through the process from start to finish so that you'll be provisioning certificates from your Google Cloud CA Service to Google Cloud Load Balancer via Venafi in a jiffy. Well, maybe slightly more than a jiffy, especially if you're not familiar with Google or Venafi.

Time Estimate

About 35 mins

Ready to go?

From a high level, here's what we're going to do. Think of these as the waypoints we'll pass on our way to the final the final destination: Google Cloud CA certificate provisioning to via Venafi to your cloud-native application.

  1. Set up the Google side with the correct account, services, roles and permissions.
  2. Set up the Venafi side to connect securely to the Google Cloud CA for requesting and provisioning certificates.
  3. Finally, perform a test tun to make sure it all works and that nothing goes Clank.

So, like this:

NOTE  We suggest you follow all Google documentation to establish your Google Cloud account, if you haven't already.

Doing the Google thing

Google knows their stuff best, so we won't presume to give you all the details when using Google products. We always recommend that you carefully review and follow their documentation. But this is what we did and it worked quite well.

Time Estimate

About 15 mins

First things first

Before you jump in head first, take care of prerequisites right now (if you haven't already, you genius!); you'll be glad you did.




Configuring stuff in Google Cloud Platform

Using the "gcloud" CLI, configure your Cloud account to prepare what's required to integrate with the Venafi Platform. Here's what worked for us:

  1. Create a keyring and asymmetric signing key in KMS:

    gcloud kms keyrings create my-sample-keyring --location us-west1

    gcloud kms keys create my-sample-key --location us-west1 \

    --keyring my-sample-keyring \

    --purpose asymmetric-signing \

    --default-algorithm rsa-sign-pkcs1-4096-sha256 \

    --protection-level software

  2. Enable the Google Cloud CA Service API:

    gcloud service enable

  3. Grant a PKI admin user the ability to manage CAs in the project:

    gcloud projects add-iam-policy-binding my-project \



  4. Grant a PKI admin user access to the key in KMS:

    gcloud kms keys add-iam-policy-binding my-sample-key \


    --keyring my-sample-keyring --location us-west1 \ \


  5. Now the PKI admin can create a root CA:

    gcloud alpha privateca roots create my-sample-root-ca \

    --kms-key-version "projects/my-project/locations/us-west1/keyRings/my-sample-keyring/cryptoKeys/my-sample-key/cryptoKeyVersions/1" \

    --subject "CN=My Sample Root CA, O=My Company" \

    --max-chain-length 2

  6. And a subordinate issuing CA:

    gcloud alpha privateca subordinates create my-sample-issuing-ca \


    --issuer my-sample-root-ca --location us-west1 \

    --kms-key-version "projects/my-project/locations/us-west1/keyRings/my-sample-keyring/cryptoKeys/my-sample-key/cryptoKeyVersions/1" \

    --subject "CN=My Sample Issuing CA, O=My Company" \

    --reusable-config "subordinate-server-tls-pathlen-0"

  7. Create a service account in IAM and create a key for the Google Credential in Trust Protection Platform:

    gcloud iam service-accounts create svc-acct-venafi \

    --display-name "Venafi Trust Protection Platform"


    gcloud iam service-accounts keys create \

    --iam-account venafi-tpp-key.json

  8. Grant the service account permissions to use the CA:

    gcloud iam roles create venafiGoogleCloudCADriver --project=my-project \

    --title="Venafi Google Cloud CA Driver" \

    --description="Google CA least privilege for Venafi Trust Protection Platform" \ --permissions=privateca.certificateAuthorities.list,privateca.certificateAuthorities.get,privateca.certificates.get,privateca.certificates.create,privateca.certificates.update \



    gcloud projects add-iam-policy-binding my-project \ \


Doing the Venafi thing

We know Venafi products and machine identity. So just relax while we walk you through this.

Time Estimate

About 20 mins

First things first

Let's take care of a couple of prerequisites first.

  • Make sure you have the right permissions to the Policy folder in WebAdmin where you'll be doing some configuration stuff. Specifically, you'll need
    • View/Read/Write permissions for uploading your Google Service Account Key File
  • Make sure you have your Google Service Account Key File ready for uploading to Venafi. You'll need it!

TIP  Not sure how to set permissions on Policy folder? Look here, and then come back when you're ready.

Creating a Google Credential

A Google credential object is used by Venafi Trust Protection Platform to store your Google Cloud Service Account Key file. Your Google Service Account is used by Venafi Trust Protection Platform to access your Google Cloud CA and Google Cloud Load Balancer.

TIP  If you're a developer, you might be interested in knowing that the Google credential is defined in the Venafi schema using the Google Credential class and implemented in Venafi.Drivers.GoogleCredential: CredentialObject.

To create a new Google Credential

  1. From the TLS Protect menu bar, click Policy Tree.

  2. From the Policy tree, select the folder where you want to create the Google Credential, and then click Add > Credential > Google Credential.
  3. In Credential Name, type a name for the new credential.
  4. Click Upload Google Service Account Key File (button near the top of the page), locate the JSON file, and then click Upload.
  5. Click Save.

Create and configure a Google Cloud CA object

To enable Trust Protection Platform to manage certificates installed on Cloud-native applications such as Google Cloud Load Balancer, you must configure a Google Cloud CA application object. This object provides the information Trust Protection Platform needs to monitor, enroll, or provision certificates on its associated Google devices.

BEST PRACTICE  Consider managing CA object settings using a policy. For more information, see Managing CA templates using policies.

To create and configure a new Google Cloud CA object

  1. From the TLS Protect menu bar, click Policy Tree.

  2. From the Policy tree, select the folder where you want to create the Google Cloud CA template, click Add > CA Template > Google Cloud CA.
  3. In the CA Name field, type a name for the new template.
  4. (Optional) If you find it helpful, type a description for the new template. This might not help you, but it might help other users who might need to use or edit your template later.
  5. (Optional) Click and select other users who should receive email notifications related to your Google Cloud CA.
  6. Under Connection, click and select the Google credential you created previously, and then click Validate.
  7. Under Options, do the following:
    1. (Optional) Select Subject Alt Name Enabled if you want this CA object to support CSRs with DNS-based subject alt name (SAN) values.

      DID YOU KNOW?  Today, you can specify SANs on your CSR, but only if the CSR has no embedded SANs. Not all CAs support adding additional SANs (additive SANs); so to allow maximum compatibility across many CAs, Trust Protection Platform prevents the use of additive SANs.

    2. (Optional) Select Allow Users to Specify End Date if you want this CA object to allow users to specify expiration (end) dates for certificates requested from the CA so that they do not expire during your known freeze periods.

  8. In Validity Period, type the number of days until certificates should expire.
  9. When you're finished, click Save.