Integration with third-party tools
This document provides an overview of the third-party tools that have an
integration with Certificate Authority Service.
Hashicorp Vault
Hashicorp Vault lets you
manage and store secrets on-premises. You can configure Hashicorp Vault CA to
act as a proxy that forwards all certificate issuance requests to Certificate Authority Service.
The Vault plugin for CA Service issues certificates through Hashicorp Vault by generating the private key and
certificate signing request (CSR), or by receiving a user-provided CSR. The
plugin doesn't perform create and delete CA operations, or manage other aspects
of the certificate authority (CA) lifecycle.
At a high level, the plugin acts as a proxy to issue certificates.
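Note: The Vault plugin doesn't retain any public or private key that is generated during certificate issuance. The certificate requester should retain the certificate and keys that the Vault plugin generates.
Using the Vault plugin has the following advantages:
- Administrators can use a familiar workflow and the existing access-control
  list (ACL) permissions in the Vault.
- The administrator can define who gets to request certificates and what
  specifications and limits those certificates have.
For more information about setting up and using the plugin, see the README: Vault Plugin for CA Service (https://github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca/blob/master/README.md).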
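The user-provided CSR path and the "specifications and limits" point can be illustrated with a requester that generates its own key and a policy gate that inspects the CSR before it is forwarded. This is an added example, not code from the Vault plugin or CA Service; `newCSR`, `checkCSR` and the zone `internal.example` are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// newCSR runs on the requester's side: the private key stays there, only the CSR is submitted.
func newCSR(dns ...string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: dns}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, err
}

// checkCSR is a hypothetical pre-issuance gate; it evaluates SANs only and ignores the subject DN.
func checkCSR(csrPEM []byte, zone string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	if len(csr.DNSNames) == 0 || len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("CSR must carry DNS SANs and no other SAN types")
	}
	for _, n := range csr.DNSNames {
		if strings.Contains(n, "*") || !strings.HasSuffix(n, "."+zone) { // wildcard or out-of-zone
			return fmt.Errorf("SAN %q not permitted under %q", n, zone)
		}
	}
	return nil
}

func main() {
	csrPEM, _, err := newCSR("api.internal.example") // constructed sample name
	fmt.Println(err, checkCSR(csrPEM, "internal.example"))
}
```

The gate deliberately rejects the zone apex and look-alike names such as `evilinternal.example`, because the suffix comparison includes the leading dot.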
Cert-Manager
Jetstack Cert-Manager is an open source Kubernetes
add-on that automates the management and issuance of TLS certificates from various
issuing sources.
Cert-Manager manages the lifecycle of certificates issued by CA pools that are
created using Certificate Manager. Cert-Manager ensures certificates are
valid and duly renewed before they expire.
For instructions on using Cert-Manager with Certificate Manager, see README: Certificate Authority Service Issuer for Cert-Manager (https://github.com/jetstack/google-cas-issuer/blob/main/README.md).
Note: CA Service has a built-in integration with Google Cloud's Certificate Manager for global load balancers. For more information, see Use CA Service with Certificate Manager.
Last updated 2025-09-04 UTC.