Google debuts a more flexible Certificate Authority Service in beta
Google LLC today announced availability of a new, cloud-based Certificate Authority Service in beta testing that makes it easier for companies to set up the digital certificates they need for their public key infrastructure.
Public key infrastructure is used by companies to authenticate their users and devices in the digital world. It refers to a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The basic idea is to have one or more trusted parties digitally sign documents, or certificates, that certify that a particular cryptographic key belongs to a particular user or device.
“Recently, we’ve seen increased interest in using PKI in DevOps and device management, particularly for IoT devices,” Google wrote in a blog post today. “But one of the most fundamental problems with PKI remains — it’s hard to set up Certificate Authorities, and even harder to do it reliably at scale. These issues are front and center for these growing use cases.”
One of the main problems is that traditional digital certificates are issued by a private Certificate Authority that’s usually hosted on-premises, and they carry an expiration date far in the future. They are also usually tied to a device- or application-specific certificate enrollment process that runs infrequently.
Although that’s ideal for something such as an “internet of things” device that might be kept in service for several years, Google said it’s not so suitable for emerging workloads, such as using private certificates in DevOps to protect software containers, microservices, virtual machines and service accounts.
The problem is that these kinds of workloads have drastically different requirements from traditional use cases. In most cases, they require short-lived certificates that are renewed frequently, which in turn demands high availability and scalability from the CA. But existing CAs fall short in this regard, Google said.
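As an added example, not code from Google's announcement or from the Certificate Authority Service itself, the Go program below uses only the standard library to play the roles described above: a private root CA signs a 24-hour certificate certifying that a workload's key belongs to a named service, a relying party that trusts only the root verifies the chain, and a renewal check decides when the workload must go back to the CA. The service name, CA name and the "renew when a third of the lifetime remains" threshold are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA creates the "trusted party": a self-signed root whose key is the
// only one allowed to sign leaf certificates. Name and lifetime are sample values.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA certify that a freshly generated workload key belongs to
// the named service, valid only for ttl. A short ttl is what makes frequent
// renewal, and therefore CA availability, matter.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf may not sign further certs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain is the relying party's check: trust only the root, then validate
// the leaf's signature, validity window and name as of the given time.
func verifyChain(leaf, root *x509.Certificate, name string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     name,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// needsRenewal reports whether less than the given fraction of the certificate's
// lifetime remains, so a workload renews well before expiry rather than at it.
func needsRenewal(c *x509.Certificate, now time.Time, fraction float64) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	remaining := c.NotAfter.Sub(now)
	return remaining < time.Duration(float64(lifetime)*fraction)
}

func main() {
	root, rootKey, err := newRootCA()
	if err != nil {
		panic(err)
	}
	const svc = "payments.svc.internal" // constructed service name
	leaf, err := issueLeaf(root, rootKey, svc, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:", verifyChain(leaf, root, svc, time.Now()) == nil)
	fmt.Println("valid in 2 days:", verifyChain(leaf, root, svc, time.Now().Add(48*time.Hour)) == nil)
	fmt.Println("renew at +20h:", needsRenewal(leaf, time.Now().Add(20*time.Hour), 1.0/3))
}
```

The 24-hour lifetime is the point of the example: with such a window every workload re-enters the issuance path daily, so an outage of the CA that lasts longer than the renewal margin starts taking services offline, which is why the text ties short-lived certificates to CA availability.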
“For example, a company may have to issue 10 million certificates in one year vs. 10,000 certificates in one year when dealing with IoT devices,” Google said.
In addition, many existing CAs’ certificate enrollment processes do not support modern application programming interfaces or continuous integration/continuous deployment toolchains, which means a longer time to market and delays in adoption.
Another problem is that modern organizations that have been cloud-native from day one and have never needed to set up a private CA have begun to see a need for private certificates. “Existing on-prem private CAs are not compatible with cloud platforms and can’t support the scale associated with cloud native businesses and hyperscalers,” Google said.
As a result, the only option for cloud native companies is to build their own private CA, but this can be very expensive to set up and maintain, and requires a very specific skill set that many companies don’t possess.
Google said its new Certificate Authority Service solves these problems as it’s able to simplify and automate the management and deployment of private CAs while meeting the needs of modern developers and software applications. It makes it possible for organizations to set up a private CA in just minutes, as opposed to the months it takes to deploy a traditional private CA.
Furthermore, Google CAS enables organizations to fully automate the acquisition and management of digital certificates using simple, RESTful application programming interfaces that integrate with existing tooling and continuous integration/continuous deployment, or CI/CD, pipelines.
Holger Mueller, an analyst with Constellation Research Inc., told SiliconANGLE that most modern workloads these days are secured through digital security certificates. But he said they’re not as scalable with those modern workloads and that software containers especially need more fine-grained security controls that traditional Certificate Authorities haven’t been able to scale up to. “The new service provides a more scalable and easier way to use the security certificate process,” he said.
Google said it has worked with a couple of leading companies in the certificate lifecycle management space to integrate CAS with their products, including the machine identity provider Venafi Inc., and digital certificate management firm AppViewX Inc.
Google said CAS will be priced on a pay-as-you-go basis once it hits general availability, but for now the service is free to use.