For Agents
Issue, revoke, and manage X.509 certificates from private certificate authorities on Google Cloud, including CA pool and template lifecycle operations.
Get started with Certificate Authority API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"issue a private x509 certificate on google cloud"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Certificate Authority API.
Create CA pools and provision root or subordinate certificate authorities under a Google Cloud project
Issue private X.509 certificates against a CA pool using configurable certificate templates
Revoke previously issued certificates and fetch the resulting certificate revocation lists
Activate, disable, enable, and undelete certificate authorities through dedicated lifecycle endpoints
Use for: I need to issue a private TLS certificate from a Google Cloud CA pool, Revoke a compromised certificate from our internal certificate authority, List all certificates issued by a specific CA pool in the last 30 days, Create a new subordinate certificate authority under an existing root CA
Not supported: Does not handle public browser-trusted certificate issuance, ACME account binding, or key generation in HSMs — use for Google Cloud private certificate authority operations only.
The Google Cloud Certificate Authority Service API lets you provision, manage, and operate private certificate authorities (CAs) at scale on Google Cloud. It supports CA pools, root and subordinate CAs, certificate templates, issuance policies, and lifecycle operations such as activate, disable, enable, and revoke. The API also exposes certificate revocation lists, audit-friendly resource hierarchies, and IAM-based access control so private PKI can be automated alongside other Google Cloud workloads.
List certificates issued by a CA pool and inspect their issuance metadata for compliance reviews
Fetch the trust chain CA certificates for a CA pool to distribute to clients and devices
Patterns agents use Certificate Authority API for, with concrete tasks.
★ Internal Service mTLS
Issue short-lived X.509 certificates for mutual TLS between microservices on Google Cloud without operating bespoke CA software. Certificate Authority Service handles key protection, audit logging, and CRL publication while certificate templates pin key usages and SANs to internal naming conventions.
Create a CA pool in DevOps tier, then issue a 90-day certificate for service.internal.example.com using a template that enforces serverAuth and clientAuth extended key usages.
Device and IoT PKI
Provision unique device certificates for fleets of IoT or edge devices using a private CA hierarchy hosted on Google Cloud. The API supports template-based issuance and revocation so devices can be rotated, retired, or quarantined without rebuilding the trust chain.
Issue a certificate with a device serial number embedded as the subject CN, then later revoke it with reason KEY_COMPROMISE when the device is decommissioned.
Compliance and Audit Reporting
Generate periodic compliance reports on certificate issuance, expiry, and revocation across all CA pools in an organization. The API exposes structured certificate metadata and CA state so audit pipelines can verify issuance policy enforcement and detect drift.
List all certificates issued by CA pool projects/p/locations/us-central1/caPools/prod where state is ENABLED, then export issuer, subject, and notAfter fields for the audit team.
Agent-Driven CA Lifecycle Management
An AI operations agent uses Jentic to discover and call Certificate Authority Service operations on behalf of platform engineers — provisioning new CAs, rotating subordinate CAs, and revoking certificates in response to security alerts without needing direct console access.
Search Jentic for revoke a certificate, load the schema for projects.locations.caPools.certificates.revoke, and call it for the certificate referenced in a SOC alert.
25 endpoints. The Google Cloud Certificate Authority Service API lets you provision, manage, and operate private certificate authorities (CAs) at scale on Google Cloud.
PATH | DESCRIPTION
/v1/{+caPool}:fetchCaCerts | Fetch CA chain certificates for a CA pool
/v1/{+name}:activate | Activate a subordinate certificate authority
/v1/{+name}:disable | Disable a certificate authority
/v1/{+name}:enable | Enable a certificate authority
/v1/{+name}:revoke | Revoke a previously issued certificate
/v1/{+name}:undelete | Undelete a certificate authority within its retention window
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google OAuth 2.0 client secrets and refresh tokens are stored encrypted in the Jentic vault. Agents receive scoped, short-lived access tokens with the cloud-platform scope at call time, so long-lived secrets never enter the agent context.
Intent-based discovery
Agents search Jentic by intent (e.g., issue a certificate, revoke a certificate, list CA pools) and Jentic returns the matching Certificate Authority Service operation along with its input schema, so the agent can build a correct request without browsing Google Cloud docs.
Time to first call
Direct integration with Certificate Authority Service typically takes 2-4 days for OAuth setup, IAM bindings, and request schema modelling. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Public Certificate Authority API
Public CA for ACME-issued, browser-trusted certificates instead of private PKI
Choose Public CA when you need certificates trusted by public browsers; choose Certificate Authority Service for internal mTLS and private device PKI.
Cloud Key Management Service API
Manages the cryptographic keys that back private CAs
Use Cloud KMS to provision and rotate the HSM-backed keys that CA pools reference for signing certificates.
Secret Manager API
Stores private keys, CA chains, and credentials issued alongside certificates
Use Secret Manager to distribute issued private keys and certificate chains to workloads that need them at runtime.
Specific to using Certificate Authority API through Jentic.
What authentication does the Certificate Authority API use?
The API uses Google OAuth 2.0 with the cloud-platform scope, sent as a Bearer token in the Authorization header. Through Jentic the OAuth credentials are stored in the vault and short-lived access tokens are injected at call time, so the raw refresh token never enters the agent context.
Can I issue certificates for arbitrary domains with this API?
No, this API issues certificates from your own private CAs, so issuance is constrained by the CA pool issuance policy and any certificate template attached to the call. It is not a public CA and the certificates it issues are not trusted by browsers by default.
What are the rate limits for the Certificate Authority API?
Quotas are enforced per Google Cloud project and are configurable in the Cloud console under IAM and admin quotas. Default per-minute write quotas apply to certificate issuance and CA mutation operations, and bulk issuance should batch requests rather than fire them in tight loops.
How do I revoke a certificate through Jentic?
Search Jentic for revoke a certificate, load the schema for the projects.locations.caPools.certificates.revoke operation which maps to POST /v1/{+name}:revoke, then execute it with the full certificate resource name and a reason such as KEY_COMPROMISE.
Is the Certificate Authority API free?
No, Certificate Authority Service is billed per CA per month based on tier (DevOps or Enterprise) plus a per-certificate issuance fee. Pricing is published on the Google Cloud pricing page and applies whether the API is called directly or via Jentic.
How do I fetch the trust chain CA certificates for a CA pool?
Call POST /v1/{+caPool}:fetchCaCerts with the full CA pool resource name. The response contains the PEM-encoded CA certificates that relying parties need to trust certificates issued by the pool.