Google GCP CAS vs Smallstep Certificate Manager

Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of Google CAS capabilities and a side-by-side comparison to Smallstep Certificate Manager.

Create an Authority

Overview of capabilities

Google Certificate Authority Service (CAS) is a hosted certificate authority designed to work well with other Google services. It is new but has the potential to a good option if all your workloads and services run inside GCP. It’s integrated with and can provide automated certificates for load balancers and a few core GCP services. However, once you step outside of GCP things, get difficult. It lacks automation around authenticated issuance (more on that below) and instead relies on partners to help close that gap (including Smallstep). Google CAS is licensed by the number of CAs and certificates with discounted certificate charges at higher volumes. Google CAS is also available in a DevOps or Enterprise configuration. As you would expect, Enterprise costs more and brings a UI for certificates and active revocation.

From a technology perspective, Google’s primary deficiencies are around certificate management. It lacks many automated authorization methods, thus requiring operators to spend time creating certificates. Because of the manual nature of certificate creation, longer expiry times are used to avoid busy work in the future. Per certificate charges also extend certificate lifetimes, providing another incentive towards poor security practices. With smallstep, we provide end-to-end certificate management for developers and operators. We authorize and automate the lifecycle and reduce certificate lifetimes allowing your developers to move quickly and securely.

Detailed comparison

CategoryItemCertificate ManagerGoogle CAS
GeneralForm FactorSaaS or On-PremiseSaaS only
GeneralManaged BySmallstepGoogle
GeneralAdministrationUI / CLIUI / CLI
GeneralHighly-available Certificate Authority
GeneralShort-lived certificates with automated renewal
GeneralPrivate keys in cloud KMS
GeneralPrivate Keys in dedicated in HSM
GeneralOpen source certificate authority
GeneralCloud managed, on-prem signing CA
GeneralRun anywhere Registration Authority
Authenticated IssuanceAuthenticated certificate issuance
Authenticated IssuanceACME DNS, HTTP, ALPN, IP, and EAB challenges
Authenticated IssuanceOIDC - bind user email to SAN/name for developer access
Authenticated IssuanceOIDC - Admin user create any SAN/name for custom certificate
Authenticated IssuanceOIDC - SSO identity token or device auth grant workflows
Authenticated IssuanceAWS, GCP, Azure instance identity docs for cloud infrastructure
Authenticated IssuanceExisting valid certificate for derived credentials
Authenticated IssuanceJWK for password, one-time token, or multi-use token authentication
Authenticated IssuanceAPI for a certificate
Authenticated IssuanceIssue cert via UIComing Soon
Authorize & CustomizeTemplatized customization of certificates
Authorize & CustomizeTemplate customization - UIComing Soon
Authorize & CustomizeTemplate customization - CLI
Authorize & CustomizeInventories - metadata enrichment or access controlComing Soon
Authorize & CustomizeUse metadata to authorize certificate issuanceComing Soon
Authorize & CustomizeEnrich CSR metadata with 3rd party directoryComing Soon
Authorize & CustomizeName constraints on Authority
Authorize & CustomizeAllow / deny lists on provisioners
ObservabilityIssued certificates details in UI
ObservabilityExpiry events via webhook event
ObservabilityExpiry events via email
ObservabilityExport to webhook / SIEM
ObservabilityAbility to renew certificate
Renewalsingle command renewal
RenewalSystemD timers
RenewalStand-alone daemon
RenewalCron Jobs
RenewalACME Challenges
RenewalOIDC - Single Sign-on flow
RenewalConfiguration Management
RenewalAPI for renewal
RenewalRenew after expiry
RenewalManual renewal by Admin
Revocation Passive Revocation
Revocation Active Revocation - CRL
Revocation Active Revocation - OCSP
Revocation Validation Authority

Data as of July 1st, 2021

Smallstep logo

Create your private hosted Certificate Authority in less than five minutes

Sign up