Introducing Google Cloud’s Certificate Authority Service

August 4, 2020 | Anoosh Saboor and Dr. Anton Chuvakin, Google Cloud

Google, Venafi, and the Linguae Franca of TLS Certificates

Digital certificates – specifically SSL/TLS certificates – are both the backbone and the lifeblood of digital transformation. That sounds a bit like hyperbole, but let’s think about it for a second:  

  • “Backbone?” As the foundation for authenticating the vast numbers of machines talking to each other in networks of all types, TLS certificates establish the internet's backbone of trust.

  • “Lifeblood?” As the majority of applications, services, APIs and raw data sources move to the cloud, TLS certificates are the lifeblood that allows commerce, information, and personal communication to be understood and decoded 

We need them. But still we tend to dislike them.  

Why is this? Because SSL/TLS certificates are complex concoctions of cryptography, permissions and critical metadata that need to be carefully configured, tracked and maintained. If we get them even a little bit wrong, outages occur and our businesses stop. 

These outages are more frequent than we imagine and routinely affect large and well-resourced organizations.



A Machine Identity Language

Part of the inherent complexity of TLS has to do with the way digital certificates “talk” to different elements of the integrated systems they enable. Certificates need to “understand” encryption algorithms and signature hash algorithms, as well as different extensions like .pem (Privacy-enhanced Electronic Mail) and .p12 (PKCS #12, a Public-Key Cryptography Standard published by RSA). They need to “differentiate” between private and public Certificate Authorities (CAs) and “comprehend” concepts like roots and intermediates and endpoints.   

Attending this complexity, the number of TLS certificates protecting sites and services has exploded in the world at large. A recent survey by Tech Validate showed that IT security professionals who started using Venafi found, on average, 57,420 additional SSL/TLS keys and certificates that were previously unknown to them. Another current Venafi customer recently commented, “We’ve had a 10x growth in certificates” in the last two years.  

Along with that, the uses and configurations for these certificates are rapidly evolving:   

  • They are becoming ephemeral and much shorter-lived 

  • They need to be issued and managed by fast, fully human-free systems  

  • They need to be injected dynamically, through APIs, into just-in-time development cycles 

According to recent research by Gartner and Forrester (complimentary copies available through these links), Venafi leads the industry in rethinking how machine identities are managed in the melee that is digital transformation.  

To sum all that up: Venafi helps over 400 of the world’s largest companies protect millions and millions of TLS-based machine identities every day. These identities come from over 40 public and private CAs and are consumed by hundreds and hundreds of different technologies: from load balancers to firewalls, from inspection devices to WAFs, and from CI/CD tools to application servers and more.  

The Linguae Franca 

Venafi is able to do this important work by providing a common language – a linguae franca – that translates the complex “language” of machine identities across certificate authorities, technical standards, identity-consuming devices or systems, and cloud platforms.

One of the most common sources of TLS certificates is internal or “private” CAs. But the choices for how to prop up and manage a private CA are limited, time-consuming and expensive. To help us solve that, we now have Google Cloud’s Certificate Authority Service (CAS).

Google Cloud’s introduction of a new CAS lets developers and application teams eliminate many of the challenges that come from running and maintaining PKIs. Google Cloud’s new CAS is highly available and scalable on Google Cloud Platform (GCP). The service is designed to be simpler to deploy, tailored for your needs and enterprise ready – all part of Venafi’s vision for Machine Identity Management.   

This is great news for security, network operations, DevOps, and cloud engineering teams that use the Venafi Trust Protection Platform to secure their business-critical applications. Now any organization using Venafi can integrate Venafi’s speed, ease of use, and powerful automation with hundreds of applications, cloud services, and security systems through an agile, cloud-based PKI. Whether you use F5, NGINX, Kubernetes, Ansible, Vault, Terraform or any combination of these technologies, you’ll be able to merge the power of Venafi’s ecosystem with Google Cloud’s CAS immediately.

The Venafi Platform and Google Cloud’s CAS work together to simplify and automate Machine Identity Management at any scale. Security, DevOps, cloud engineering, and operations teams can now: 

  • Seamlessly use Google Cloud CAS as part of the Machine Identity Management service they offer throughout the business

  • Scale, adapt, and drive new levels of speed everywhere the business needs machine identities  

  • Consolidate or migrate old PKIs 

  • Gain full visibility into the demand, usage and workflow of certificate services 

  • Automate certificate lifecycle immediately with hundreds of integrated products and services in the Venafi Ecosystem  

  • Reduce risk with intelligent policies that make it easy for security operations to provide consistent service, automated workflow, configurable approval and authorization, and detailed logging

  • Support the full certificate lifecycle from request, issuance and renewal to revocation 

“These are times of rapid change,” says Kevin Bocek, Venafi’s Vice President of Security Strategy & Threat Intelligence. “Security teams need a modern, cloud-delivered PKI as part of their Machine Identity Management strategy. From Kubernetes to mobile devices, Venafi customers have the speed and agility with the new Google Cloud CA Service they need to succeed.”  

Venafi provides a common language that helps the Google Cloud CAS translate across the diverse languages of machines, certificates, governance policies and applications. And best of all, they do it easily and seamlessly, at the blinding speed digital transformation requires.      

Read Google’s blog post about their new Google Cloud CAS and its integration with Venafi.
