Automate certificate lifecycle for load balancers
Learn how to use Certificate Manager (2nd gen) to automate the lifecycle of a Google-managed certificate for a global Application Load Balancer.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine, Certificate Manager, and Certificate Authority Service APIs.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- You need an existing Application Load Balancer with at least one target HTTPS proxy. For more information, see Choose a load balancer.
Required roles
To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:
- Certificate Manager Editor (roles/certificatemanager.editor)
- Load Balancer Admin (roles/compute.loadBalancerAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to configure lifecycle management. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure lifecycle management:
- compute.targetHttpsProxies.update
- compute.targetSslProxies.update
- compute.targetHttpsProxies.setCertificateMap
- compute.targetSslProxies.setCertificateMap
- compute.sslCertificates.*
You might also be able to get these permissions with custom roles or other predefined roles .
Configure certificate lifecycle management
To configure lifecycle management for your load balancer certificate:
- In the Google Cloud console, go to Certificate Manager (2nd gen).
- In the navigation menu, click Manage Lifecycle.
- Click the Load balancing tab. A list of your load balancers appears.
- Expand the load balancer row to see the attached certificates.
- Click the name of the target proxy.
- Click Configure lifecycle management. The page displays the list of associated certificates; you can add certificates to this list and remove certificates from it.
- Click Certificate, and then click Add certificate.
- Select an existing certificate or create a new certificate.
- Enter the following details for the new certificate:
  - Name: Enter a unique name (for example, my-lb-cert).
  - Scope: Select the appropriate key distribution scope (for example, Default).
  - Certificate type: Select Self-managed or Google-managed certificates. For more information, see certificate types.
  - Domain Name: Enter the domain name that this certificate covers (for example, app.example.com). This domain must be one that you control.
  - Issuance Configuration: Select your existing issuance configuration from the list. This configuration dictates the certificate authority, lifetime, and key type.
- Click Create. The console adds the new certificate to the list for the target proxy.
- Review the list of certificates, and then click Update to apply the changes to the target proxy.
Verify the configuration
To verify the certificate configuration:
- Check the certificate status. Issuance and provisioning can take from several minutes to a few hours. The certificate starts with a Pending status.
- Monitor the certificate status on the Certificates tab within Certificate Manager (2nd gen). When the status is Active, the certificate is ready.
- Ensure your domain's DNS records point to the load balancer IP address.
- Test the setup by accessing your service using HTTPS (for example, https://app.example.com).
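Once the certificate shows Active, it is worth confirming what the load balancer actually serves for the domain rather than only loading the page in a browser. The following Python script is an added example and is not part of this documentation: HOST reuses the page's app.example.com placeholder, SAMPLE_CERT is a constructed certificate dict for offline checks, and the script reports whether the served certificate covers the host, whether it is within its validity window, how many days remain, and which organization issued it.

```python
# Added example (not from the Certificate Manager docs): report what the load
# balancer serves for HOST. HOST and SAMPLE_CERT are constructed values.
import socket, ssl
from datetime import datetime, timezone

HOST = "app.example.com"  # domain from the page; replace with your own
WARN_DAYS = 14            # flag certificates with fewer days than this left
SAMPLE_CERT = {  # constructed, same shape as ssl.getpeercert() returns
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jun  1 00:00:00 2025 GMT",
    "notAfter": "Aug 30 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.svc.example.com")),
}

def parse_cert_time(value: str) -> datetime:
    """ssl reports times like 'Jun  1 00:00:00 2025 GMT'; return an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def covers_host(san, host: str) -> bool:
    """Match host against DNS SANs; a leading wildcard matches exactly one label."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for kind, n in san if kind == "DNS"):
        if name == host or (name.startswith("*.") and "." in host
                            and name[2:] == host.split(".", 1)[1]):
            return True
    return False

def evaluate(cert: dict, host: str, now: datetime) -> dict:
    """The checks worth running once Certificate Manager shows the certificate Active."""
    not_before, not_after = parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])
    days_left = (not_after - now).days
    return {
        "covers_host": covers_host(cert.get("subjectAltName", ()), host),
        "valid_now": not_before <= now <= not_after,
        "days_left": days_left,
        "expiring_soon": days_left < WARN_DAYS,
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName"),
    }

def fetch_cert(host: str, port: int = 443) -> dict:
    """TLS handshake with SNI; chain validation stays on, hostname matching is left to evaluate()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; an old cert is reported, not hidden
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(evaluate(fetch_cert(HOST), HOST, datetime.now(timezone.utc)))
```

A covers_host of False while Certificate Manager still shows Pending usually means the proxy is serving its previous certificate, so re-run the script after the status changes to Active.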
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
- Remove the certificate from the target proxy:
  - Go to the Manage Lifecycle > Load balancing tab for your target proxy.
  - Find the certificate that you created (my-lb-cert).
  - Remove the certificate from the list.
  - Click Update.
- Delete the certificate resource:
  - Go to the Certificates tab in Certificate Manager (2nd gen).
  - Select the certificate (my-lb-cert).
  - Click Delete.
You don't need to delete the load balancer, target proxy, or certificate issuance configuration that you created or used in this quickstart.