This tutorial shows you how to use Certificate Manager to deploy a global Google-managed certificate with Certificate Authority Service .
The following global load balancers support Google-managed certificates with Certificate Authority Service:
- Global external Application Load Balancer
- Classic Application Load Balancer
- Global external proxy Network Load Balancer
If you want to deploy to cross-region load balancers or regional load balancers, see the following:
Objectives
This tutorial shows you how to complete the following tasks:
- Create a Google-managed certificate with CA Service by using Certificate Manager.
- Deploy the certificate to a supported load balancer by using a target HTTPS proxy.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
-
Enable the Compute Engine, Certificate Manager, Certificate Authority APIs.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
-
Enable the Compute Engine, Certificate Manager, Certificate Authority APIs.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .
-
To initialize the gcloud CLI, run the following command:
gcloud init
- Enable the CA Service API .
- Create a CA pool . You must create and enable at least one CA in this CA pool.
You need to make a note of the following before you follow the steps of this tutorial:
- Certificates you create with Certificate Authority Service aren't publicly trusted. To issue publicly trusted certificates, create certificates with DNS authorization or load balancer authorization .
-
If a certificate issuance policy is in effect on the target CA pool, certificate provisioning might fail for any of the following reasons:
- The certificate issuance policy has blocked the requested certificate. In this case, you aren't billed because the certificate hasn't been issued.
- The policy has applied changes to the certificate that aren't supported by Certificate Manager. In this case, you are billed because the certificate has been issued, even though it is not fully compatible with Certificate Manager.
-
Global Google-managed TLS certificates can be configured to be issued from a CA pool in any region.
Required roles
Make sure that you have the following roles to complete the tasks in this tutorial:
-
Certificate Manager Owner (
roles/certificatemanager.owner)Required to create and manage Certificate Manager resources.
-
Compute Load Balancer Admin (
roles/compute.loadBalancerAdmin) or Compute Network Admin (roles/compute.networkAdmin)Required to create and manage HTTPS target proxy.
-
CA Service Admin (
roles/privateca.admin)Required to perform actions within CA Service.
For more information, see the following:
- Roles and permissions for Certificate Manager.
- Compute Engine IAM roles and permissions for Compute Engine.
- Access control with IAM for CA Service.
Create the load balancer
This tutorial assumes that you've already created and configured the load balancer's backends, health checks, backend services, and URL maps. If you've created an external Application Load Balancer, note the name of the URL map because you need it later in this tutorial.
If you haven't created the load balancer, see the following pages to create one:
-
To create a global external Application Load Balancer, see Set up a global external Application Load Balancer with VM instance group backends .
-
To create a classic Application Load Balancer, see Set up a classic Application Load Balancer with a managed instance group backend .
-
To create a Global external proxy Network Load Balancer (SSL proxy), see Set up a global external proxy Network Load Balancer (SSL proxy) with VM instance group backends .
-
To create a Classic proxy Network Load Balancer (SSL proxy), see Set up a classic proxy Network Load Balancer (SSL proxy) with VM instance group backends .
Configure CA Service integration with Certificate Manager
To integrate CA Service with Certificate Manager, follow these steps:
-
In the target Google Cloud project, create a Certificate Manager service account:
gcloud beta services identity create --service=certificatemanager.googleapis.com \ --project= PROJECT_IDReplace
PROJECT_IDwith the ID of the target Google Cloud project.The command returns the name of the created service identity. See the following example:
service-520498234@gcp-sa-certificatemanager.iam.gserviceaccount.com
-
Grant the Certificate Manager service account the CA Service Certificate Requester role (
roles/privateca.certificateRequester) within the target CA pool:gcloud privateca pools add-iam-policy-binding CA_POOL \ --location LOCATION \ --member "serviceAccount: SERVICE_ACCOUNT " \ --role roles/privateca.certificateRequester
Replace the following:
-
CA_POOL: the ID of the target CA pool. -
LOCATION: the target Google Cloud location. -
SERVICE_ACCOUNT: the full name of the service account you created in step 1.
-
-
Create a certificate issuance configuration resource for your CA pool:
Console
-
In the Google Cloud console, go to the Issuance configstab on the Certificate Managerpage.
-
Click Create. The Create a Certificate Issuance Configpage appears.
-
In the Namefield, enter a unique name for the certificate issuance configuration.
-
Optional: In the Descriptionfield, enter a description for the issuance configuration.
-
For Location, select Global.
-
Optional: In the Lifetimefield, specify the lifetime of issued certificate in days. The value must be between 21 to 30 days (inclusive).
-
Optional: In the Rotation window percentage, specify the percentage of the certificate's lifetime when its renewal process begins. To find the range of valid values, see Lifetime and Rotation window percentage .
-
Optional: From the Key algorithmlist, select the key algorithm to use when generating the private key.
-
From the CA poollist, select the name of the CA pool to assign to this certificate issuance configuration resource.
-
In the Labelsfield, specify labels to associate to the certificate. To add a label, click Add label, and specify a key and a value for your label.
-
Click Create.
gcloud
gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \ --ca-pool= CA_POOL
Replace the following:
-
ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource. -
CA_POOL: the full resource path and name of the CA pool that you want to assign to this certificate issuance configuration resource.
For more information about certificate issuance configuration resources, see Manage certificate issuance configuration resources .
-
Create a Google-managed certificate issued by your CA Service instance
To create a Google-managed certificate issued by your CA Service instance, do the following:
Console
-
In the Google Cloud console, go to the Certificate Managerpage.
-
On the Certificatestab, click Add Certificate.
-
In the Certificate namefield, enter a unique name for the certificate.
-
Optional: In the Descriptionfield, enter a description for the certificate. The description lets you identify the certificate.
-
For Location, select Global.
-
For Scope, select Default.
-
For Certificate type, select Create Google-managed certificate.
-
For Certificate Authority type, select Private.
-
In the Domain Namesfield, specify a comma-delimited list of domain names of the certificate. Each domain name must be a fully qualified domain name, such as
myorg.example.com. -
For Select a certificate issuance config, select the name of the certificate issuance configuration resource referencing the target CA pool.
-
In the Labelsfield, specify labels to associate to the certificate. To add a label, click Add label, and specify a key and a value for your label.
-
Click Create.
The new certificate appears in the list of certificates.
gcloud
To create a global Google-managed certificate with Certificate Authority Service,
use the certificate-manager certificates create
command
with the issuance-config
flag:
gcloud certificate-manager certificates create CERTIFICATE_NAME \ --domains=" DOMAIN_NAMES " \ --issuance-config= ISSUANCE_CONFIG_NAME
Replace the following:
-
CERTIFICATE_NAME: the name of the certificate. -
DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such asmyorg.example.com. -
ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
API
Create the certificate by making a POST
request to the certificates.create
method as follows:
POST /v1/projects/ PROJECT_ID /locations/global/certificates?certificate_id= CERTIFICATE_NAME " { "managed": { "domains": [" DOMAIN_NAME "], "issuanceConfig": " ISSUANCE_CONFIG_NAME ", } }
Replace the following:
-
PROJECT_ID: the ID of the Google Cloud project. -
CERTIFICATE_NAME: the name of the certificate. -
DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such asmyorg.example.com. -
ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
Verify the status of the certificate
Before deploying a certificate to a load balancer, verify that it's active. It
can take several minutes for the certificate state to change to ACTIVE
.
Console
-
In the Google Cloud console, go to the Certificate Managerpage.
-
On the Certificatestab, check the Statuscolumn for the certificate.
gcloud
To verify the status of the certificate, run the following command:
gcloud certificate-manager certificates describe CERTIFICATE_NAME
Replace CERTIFICATE_NAME
with the name of the target
Google-managed certificate.
The output is similar to the following:
createTime: '2021-10-20T12:19:53.370778666Z' expireTime: '2022-05-07T05:03:49Z' managed: domains: - myorg.example.com issuanceConfig: projects/myproject/locations/global/issuanceConfigs/myissuanceConfig state: ACTIVE name: projects/myproject/locations/global/certificates/mycertificate pemCertificate: | -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- sanDnsnames: - myorg.example.com updateTime: '2021-10-20T12:19:55.083385630Z'
For more troubleshooting steps, see Troubleshoot Certificate Manager .
Deploy the certificate to a load balancer
To deploy the global Google-managed certificate, use a certificate map.
Create a certificate map
Create a certificate map that references the certificate map entry associated with your certificate:
gcloud
To create a certificate map, use the gcloud certificate-manager maps create
command
:
gcloud certificate-manager maps create CERTIFICATE_MAP_NAME
Replace CERTIFICATE_MAP_NAME
with the name of the target
certificate map.
Terraform
To create a certificate map, you can use a google_certificate_manager_certificate_map
resource
.
Create a certificate map entry
Create a certificate map entry and associate it with your certificate and certificate map:
gcloud
To create a certificate map entry, use the gcloud certificate-manager maps entries create
command
:
gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \ --map=" CERTIFICATE_MAP_NAME " \ --certificates=" CERTIFICATE_NAME " \ --hostname=" HOSTNAME "
Replace the following:
-
CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry. -
CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached. -
CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry. -
HOSTNAME: the hostname that you want to associate with the certificate map entry.If you want to create a certificate that covers both a wildcard domain and a root domain, then specify the hostname with a root and a wildcard, such as
example.comand*.example.com. In addition, you must specify two certificate map entries - one forexample.comand the other for*.example.com.
Terraform
To create a certificate map entry with a root domain, use a google_certificate_manager_certificate_map_entry
resource
.
To create a certificate map entry with a wildcard domain, use a google_certificate_manager_certificate_map_entry
resource
.
Verify that the certificate map entry is active
Verify that the certificate map entry is active before attaching its corresponding certificate map to the target proxy.
To verify the certificate map entry, use the gcloud certificate-manager maps entries describe
command
:
gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \ --map=" CERTIFICATE_MAP_NAME "
Replace the following:
-
CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry. -
CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry.
The output is similar to the following:
certificates: createTime: '2021-09-06T10:01:56.229472109Z' hostname: example.com name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry state: ACTIVE updateTime: '2021-09-06T10:01:58.277031787Z'
Attach the certificate map to the target proxy
You can attach the certificate map to a new target proxy or an existing target proxy.
gcloud
To attach the certificate map to a new target proxy, use the gcloud compute target-https-proxies create
command
:
gcloud compute target-https-proxies create PROXY_NAME \ --certificate-map=" CERTIFICATE_MAP_NAME " \ --url-map=" URL_MAP " \ --global
Replace the following:
-
PROXY_NAME: the name of the target proxy. -
CERTIFICATE_MAP_NAME: the name of the certificate map referencing the certificate map entry and the associated certificate. -
URL_MAP: the name of the URL map
To attach the certificate map to an existing target HTTPS proxy, use the gcloud compute target-https-proxies update
command
. If you don't know the name of the existing
target proxy, go to the Target proxies
page and note the name of the
target proxy.
gcloud compute target-https-proxies update PROXY_NAME \ --certificate-map=" CERTIFICATE_MAP_NAME " \ --global
After creating or updating the target proxy, run the following command to verify it:
gcloud compute target-https-proxies list
Terraform
To attach the certificate map to the target proxy, you can use a google_compute_target_https_proxy
resource
.
When configuring a target proxy, if you attach TLS (SSL) certificates directly and also through a certificate map, the proxy uses the certificates referenced by the certificate map and ignores the directly attached TLS (SSL) certificates.
Troubleshooting certificates issued by CA Service
For troubleshooting steps, see Problems related to certificates issued by a CA Service instance .
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, delete them.
-
Delete the load balancer and its resources.
-
Delete or detach the certificate map from the proxy.
To delete the certificate map, run the following command:
gcloud compute target-https-proxies delete PROXY_NAMEIf you want to keep the target HTTPS proxy, then detach the certificate map from the proxy. Before you detach the certificate map, note the following:
- If there are any TLS (SSL) certificates attached directly to the proxy, detaching the certificate map causes the proxy to resume using those directly attached TLS (SSL) certificates.
- If there are no TLS (SSL) certificates attached directly to the proxy, the certificate map can't be detached from the proxy. You must first attach at least one TLS (SSL) certificate directly to the proxy before you can detach the certificate map.
To detach the certificate map, run the following command:
gcloud compute target-https-proxies update PROXY_NAME \ --clear-certificate-map
Replace
PROXY_NAMEwith the name of the target proxy. -
Delete the certificate map entry from the certificate map:
gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \ --map=" CERTIFICATE_MAP_NAME "
Replace the following:
-
CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry. -
CERTIFICATE_MAP_NAME: the name of the certificate map.
-
-
Delete the certificate map:
gcloud certificate-manager maps delete CERTIFICATE_MAP_NAMEReplace
CERTIFICATE_MAP_NAMEwith the name of the certificate map. -
Delete the Google-managed certificate:
Console
-
In the Google Cloud console, go to the Certificate Managerpage.
-
On the Certificatestab, select the checkbox of the certificate.
-
Click Delete.
-
In the dialog that appears, click Deleteto confirm.
gcloud
gcloud certificate-manager certificates delete CERTIFICATE_NAMEReplace
CERTIFICATE_NAMEwith the name of the target certificate. -
-
Delete the certificate issuance configuration resource:
Console
-
In the Google Cloud console, go to the Issuance configstab on the Certificate Managerpage.
-
Select the checkbox of the issuance configuration resource that you want to delete.
-
Click Delete.
-
In the dialog that appears, click Deleteto confirm.
gcloud
gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAMEReplace
ISSUANCE_CONFIG_NAMEwith the name of the target certificate issuance configuration resource. -
-
Delete the CA pool.
To delete the CA pool, or to disable the last enabled CA in a CA pool referenced by a certificate issuance configuration resource, delete all certificate issuance configuration resources that reference the CA pool. For more information, see Delete a CA pool .
