Google GCP CAS vs Smallstep Certificate Manager
Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of Google CAS capabilities and a side-by-side comparison to Smallstep Certificate Manager.
Overview of capabilities
Google Certificate Authority Service (CAS) is a hosted certificate authority designed to work well with other Google services. It is new but has the potential to a good option if all your workloads and services run inside GCP. It’s integrated with and can provide automated certificates for load balancers and a few core GCP services. However, once you step outside of GCP things, get difficult. It lacks automation around authenticated issuance (more on that below) and instead relies on partners to help close that gap (including Smallstep). Google CAS is licensed by the number of CAs and certificates with discounted certificate charges at higher volumes. Google CAS is also available in a DevOps or Enterprise configuration. As you would expect, Enterprise costs more and brings a UI for certificates and active revocation.
From a technology perspective, Google’s primary deficiencies are around certificate management. It lacks many automated authorization methods, thus requiring operators to spend time creating certificates. Because of the manual nature of certificate creation, longer expiry times are used to avoid busy work in the future. Per certificate charges also extend certificate lifetimes, providing another incentive towards poor security practices. With smallstep, we provide end-to-end certificate management for developers and operators. We authorize and automate the lifecycle and reduce certificate lifetimes allowing your developers to move quickly and securely.
Detailed comparison
| Category | Item | Certificate Manager | Google CAS |
|---|---|---|---|
| General | Form Factor | SaaS or On-Premise | SaaS only |
| General | Managed By | Smallstep | |
| General | Administration | UI / CLI | UI / CLI |
| General | Highly-available Certificate Authority | ||
| General | Short-lived certificates with automated renewal | ||
| General | Private keys in cloud KMS | ||
| General | Private Keys in dedicated in HSM | ||
| General | Open source certificate authority | ||
| General | Cloud managed, on-prem signing CA | ||
| General | Run anywhere Registration Authority | ||
| Authenticated Issuance | Authenticated certificate issuance | ||
| Authenticated Issuance | ACME DNS, HTTP, ALPN, IP, and EAB challenges | ||
| Authenticated Issuance | OIDC - bind user email to SAN/name for developer access | ||
| Authenticated Issuance | OIDC - Admin user create any SAN/name for custom certificate | ||
| Authenticated Issuance | OIDC - SSO identity token or device auth grant workflows | ||
| Authenticated Issuance | AWS, GCP, Azure instance identity docs for cloud infrastructure | ||
| Authenticated Issuance | Existing valid certificate for derived credentials | ||
| Authenticated Issuance | JWK for password, one-time token, or multi-use token authentication | ||
| Authenticated Issuance | API for a certificate | ||
| Authenticated Issuance | Issue cert via UI | Coming Soon | |
| Authorize & Customize | Templatized customization of certificates | ||
| Authorize & Customize | Template customization - UI | Coming Soon | |
| Authorize & Customize | Template customization - CLI | ||
| Authorize & Customize | Inventories - metadata enrichment or access control | Coming Soon | |
| Authorize & Customize | Use metadata to authorize certificate issuance | Coming Soon | |
| Authorize & Customize | Enrich CSR metadata with 3rd party directory | Coming Soon | |
| Authorize & Customize | Name constraints on Authority | ||
| Authorize & Customize | Allow / deny lists on provisioners | ||
| Observability | Issued certificates details in UI | ||
| Observability | Expiry events via webhook event | ||
| Observability | Expiry events via email | ||
| Observability | Export to webhook / SIEM | ||
| Observability | Ability to renew certificate | ||
| Renewal | single command renewal | ||
| Renewal | SystemD timers | ||
| Renewal | Stand-alone daemon | ||
| Renewal | Cron Jobs | ||
| Renewal | ACME Challenges | ||
| Renewal | OIDC - Single Sign-on flow | ||
| Renewal | Configuration Management | ||
| Renewal | API for renewal | ||
| Renewal | Renew after expiry | ||
| Renewal | Manual renewal by Admin | ||
| Revocation | Passive Revocation | ||
| Revocation | Active Revocation - CRL | ||
| Revocation | Active Revocation - OCSP | ||
| Revocation | Validation Authority |
Data as of July 1st, 2021
Create your private hosted Certificate Authority in less than five minutes