
I have services running on GCP where the service needs to authenticate itself (as a client) to another non-GCP server. This server provides X.509 certificate based authentication. The only requirement is that the client certificate is signed by a (any) CA. It seems like the Service Account Keys (managed by Google) are not signed by anybody. It's just a pair of private- and public-keys.

Is there any option to enable signing those keys? A Google-managed/provided CA would be sufficient.

I looked into the docs (like https://cloud.google.com/iam/docs/service-account-creds#key-types), but I couldn't find anything helpful.

Edit - add more context to the question: I want to use this with MongoDB Atlas X.509 based authentication. In MongoDB we can limit the access to exactly one CA, and additionally, we have to list down the CN for every client (service account). With this, we can limit access very precisely.

Raman
  • The service account JSON contains the key `client_x509_cert_url`. That is the URL to the public certificates for the service account. I have not tried to use the public certificate for client authentication. Let us know the results. You could also use the private key to create your own self-signed CA and generate a signed client certificate. This is easy to do with the OpenSSL command. Note: a server that accepts any certificate from any CA is not secure. Edit your post with more details on what is actually required. – John Hanley Aug 15 '23 at 20:59
  • @JohnHanley I know that the `client_x509_cert_url` links to the public cert. But this public cert is not signed by any CA. I want to use this with MongoDB Atlas X.509-based authentication. In MongoDB we can limit the access to exactly one CA, and additionally, we have to list down the CN for every client (service account). With this, we can limit access very precisely. – Raman Aug 15 '23 at 21:45
  • Those details should have been in your question: https://stackoverflow.com/help/how-to-ask Google has a certificate authority that supports creating client certificates. I use it for mTLS. – John Hanley Aug 15 '23 at 23:34
  • I have edited my question to add the context of the question. Google Certificate Authority Service is not the right fit. I want to sign directly the Service Account Keys - not another, separate certificate. – Raman Aug 15 '23 at 23:43
  • I don't know if it's what you want, but you can create your own public/private key pair, sign it with the certificate you want, and submit the public key to Google Cloud. Use the private key for the authentication: https://cloud.google.com/iam/docs/keys-upload – guillaume blaquiere Aug 16 '23 at 16:55
  • You cannot sign a service account private key. Private keys are used to sign certificates, not themselves. Also, client certificate authorization requires an X.509 certificate. The X.509 CN attribute, sometimes combined attributes (RDN), is used for identity. – John Hanley Aug 16 '23 at 17:14
  • Why is Google Certificate Authority not the right service? It provides the features MongoDB requires. – John Hanley Aug 16 '23 at 17:16
  • Google Certificate Authority is not the issue. But I want to avoid setting up certificate management and PKI. How to generate public/private key pairs? How to distribute them? How to rotate them? How to provision the users on MongoDB? Using the IAM service accounts directly would make it so much easier. Unfortunately, I see that Google IAM service accounts cannot be used for this scenario. – Raman Aug 22 '23 at 03:15
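Putting the two workable suggestions from the comments together (John Hanley: build your own CA and issue a CA-signed client certificate, as the OpenSSL commands would; guillaume blaquiere: create your own key pair and upload the public half to the service account via the keys-upload page), here is an added example that is not code from the question or from any commenter. It does with Go's standard library what the OpenSSL steps would do: create a private CA, issue an RSA-2048 client certificate whose CN is the service account email, and then perform the relying-party check that MongoDB Atlas performs (chain the presented certificate to exactly one trusted CA, require the clientAuth purpose, and return the subject to match against the configured user). The service account email and the O/OU values are constructed placeholders. The same PEM certificate is what `gcloud iam service-accounts keys upload` takes, because IAM accepts an uploaded public key only wrapped in an X.509 certificate (RSA, 2048 bits or more) and uses its notAfter as the key's expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ClientBundle is what the workload ends up holding after issuance.
type ClientBundle struct {
	CACertPEM     []byte // trust anchor to register with MongoDB Atlas (the "exactly one CA")
	ClientKeyPEM  []byte // stays on the client; it is never uploaded anywhere
	ClientCertPEM []byte // presented to MongoDB; also the file for: gcloud iam service-accounts keys upload <file> --iam-account=<sa email>
	SubjectDN     string // RFC 2253 subject string; MongoDB identifies the X.509 user by this whole string
}

// IssueClientCert builds a private CA and issues one client certificate whose CN is the
// service account email. Both keys are RSA-2048, the key type GCP IAM accepts on upload.
func IssueClientCert(saEmail string, validFor time.Duration) (*ClientBundle, error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-ca", Organization: []string{"Example Org"}}, // constructed
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // re-parse so the client cert gets a proper issuer/AKI
	if err != nil {
		return nil, err
	}
	clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, a CA duty
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: serial,
		// The subject must differ from the CA's subject; MongoDB rejects client certs that share a server/CA subject.
		Subject:     pkix.Name{CommonName: saEmail, OrganizationalUnit: []string{"gcp-services"}, Organization: []string{"Example Org"}},
		NotBefore:   now,
		NotAfter:    now.Add(validFor), // IAM takes this as the uploaded key's expiry; rotate before it lapses
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientCert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return nil, err
	}
	return &ClientBundle{
		CACertPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ClientKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(clientKey)}),
		ClientCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientDER}),
		SubjectDN:     clientCert.Subject.String(),
	}, nil
}

// VerifyClient is the relying party's side: chain the presented certificate to the single
// trusted CA, insist on the clientAuth EKU, and return the subject DN for the user lookup.
func VerifyClient(clientCertPEM, caCertPEM []byte) (string, error) {
	block, _ := pem.Decode(clientCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("client PEM does not contain a certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caCertPEM) {
		return "", errors.New("CA PEM contains no certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown authority, expired, wrong purpose: all end here
	}
	return cert.Subject.String(), nil
}
```

Create the Atlas database user with the full string that `VerifyClient` returns (MongoDB keys X.509 users on the whole subject DN, so the O/OU chosen at issuance are part of the identity, not only the CN), register `CACertPEM` as the trusted CA, and keep `ClientKeyPEM` on the workload only. What this does not remove is the part the asker wanted to avoid: the key pair is generated and rotated by you, and IAM's Google-managed keys cannot be CA-signed after the fact, as the comments conclude.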

0 Answers