Google is introducing a Certificate Authority Service for customers of its cloud platform. AWS already has an equivalent, but Microsoft's Azure cloud does not.
Certificate Authorities (CAs) are used for issuing private certificates. These are not trusted outside the private network, but within it they are used for securing connections and authenticating machines, users and services.
Google claims that modern application development, based on containers and microservices, along with IoT deployments, is stressing on-premises CAs. "These new use cases require short-lived certificates that are renewed frequently, which in turn require high availability and scalability from the CA," Google said. "Existing private CA solutions fall short. For example, a company may have to issue 10 million certificates in one year vs. 10 thousand when dealing with IoT devices."
Product manager Anoosh Saboori further stated that on-premises CAs "do not support modern APIs" and are "incompatible with cloud providers' built-in CAs". Saboori also noted that startups which are born in the cloud may be only just discovering the value of a private CA.
Google Cloud Platform (GCP) is therefore previewing a new CA Service, currently in private beta. The private keys will be stored in GCP's Cloud Key Management service. Pricing information is not yet announced. The new service has a REST API which the company promises will allow customers "to acquire and manage certificates without being a PKI expert".
AWS already has AWS Certificate Manager Private Certificate Authority, an extension of the core AWS Certificate Manager service used to secure AWS services. An AWS private CA costs $400.00 per month and between $0.75 and $0.001 per certificate issued, depending on the volume. AWS has just announced an enhancement to its service: support for PrivateLink endpoints, which let you keep network traffic entirely within the AWS network.
Google, for its part, recently came up with Private Service Connect, currently in alpha, which similarly keeps traffic on Google's own network; so, presuming the new CA Service works with Private Service Connect, it might be able to match this feature.
The odd cloud out here is Microsoft Azure. There is a CA service built into Windows Server that can be deployed in an Azure VM, but no managed service, though one has been requested by customers. In its guide to finding equivalent Azure services to those on AWS, Microsoft refers customers to the App Service Certificate feature, which is nowhere near the same thing and refers to automated purchase of certificates from GoDaddy.
GCP remains well behind Azure in market share - cloud infrastructure stats for Q2 were out late last week - but in this little area it is Microsoft that now has some catching up to do. ®