Introducing Certificate Manager to simplify SaaS scale TLS and certificate management
Product Manager, Core Security
Product Manager, Google Cloud
We’re excited to announce the public preview of Certificate Manager and its integration with External HTTPS Load Balancing. Certificate Manager enables you to use External HTTPS Load Balancing with as many certificates or domains as you need. You can bring your own TLS certificates and keys if you have an existing certificate lifecycle management solution you'd like to use with Google Cloud, or enjoy the convenience of our fully Managed TLS offerings.
Extend the security and performance of the Google network to your customers
Certificate Manager brings support for multiple certificates per customer. When coupled with our global anycast load balancing solution with automated autoscaling and failover, you now have a powerful platform for building robust SaaS and PaaS offerings. This enables custom domain support for your customers with the lowest latency and the highest level of availability.
Alon Kochba, the head of web performance at website-building service Wix, explained how the new features lighten their workload.
“As a SaaS product, we need to terminate SSL for millions of custom domains and certificates. GCP's Certificate Manager and External HTTPS Load Balancing lets us do this at the edge, close to the clients, without having to rely on our own custom solution for terminating SSL,” Kochba said.
This release also enables you to provision your Google-managed certificates with DNS-based authorizations and have them ready to use before your load-balancing production environment is fully set up. This will help streamline the migration process to Google Cloud, for example. To create a DNS authorization, use the following command:
This command returns the CNAME record for example.com that you must add to your DNS configuration in the DNS zone of the target domain. This CNAME record points to a special Google Cloud domain, e.g. "534959-1a8a-40cf-90b6-b1f5f8d22517.2.authorize.certificatemanager.goog", that is used to verify domain ownership.
When you request a certificate based on the above authorization, Cloud Certificate Manager will work with the Certificate Authority automatically to get and later renew your certificate for that domain.
This DNS-based domain control authorization also allows us to bring you support for wildcard certificates. To configure the use of wildcard certificates you first must configure the DNS authorization as we’ve indicated above. Once that has been completed, you can configure the use of a wildcard certificate using the following command. Our example below is for a top-level registered domain and its wildcard subdomains.
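A pre-publication check for the DNS authorization records described above, as an added example that is not part of the original post or of Google's tooling. It assumes the CNAME record name has the form `_acme-challenge.<domain>` and runs on constructed zone data; all function names are hypothetical.

```python
# Added example: validate DNS-authorization CNAMEs before they are published.
# Assumption: the record name is "_acme-challenge.<domain>"; the zone data
# below is constructed sample input, not output from a real project.
GOOGLE_AUTH_SUFFIX = "authorize.certificatemanager.goog"

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def authorization_name(cert_domain):
    """example.com and *.example.com share one authorization record."""
    d = norm(cert_domain)
    d = d[2:] if d.startswith("*.") else d
    return "_acme-challenge." + d

def target_is_google(target):
    """Compare whole labels so look-alike suffixes are rejected."""
    labels = norm(target).split(".")
    suffix = GOOGLE_AUTH_SUFFIX.split(".")
    return len(labels) > len(suffix) and labels[-len(suffix):] == suffix

def check_authorizations(cert_domains, cname_records):
    """Map each certificate name to "ok", "missing" or "foreign-target".

    cname_records maps record name -> CNAME target (e.g. from a zone export).
    """
    zone = {norm(k): v for k, v in cname_records.items()}
    result = {}
    for domain in cert_domains:
        target = zone.get(authorization_name(domain))
        if target is None:
            result[domain] = "missing"
        elif target_is_google(target):
            result[domain] = "ok"
        else:
            result[domain] = "foreign-target"  # validation is delegated elsewhere
    return result

# Constructed zone data; the first target is the sample value quoted in the post.
SAMPLE_ZONE = {
    "_acme-challenge.example.com.":
        "534959-1a8a-40cf-90b6-b1f5f8d22517.2.authorize.certificatemanager.goog.",
    "_acme-challenge.shop.example.net.":
        "abc.authorize.certificatemanager.goog.other-party.example.",
}

if __name__ == "__main__":
    names = ["example.com", "*.example.com", "shop.example.net", "example.org"]
    for name, status in check_authorizations(names, SAMPLE_ZONE).items():
        print(f"{name:20} {status}")
```

Whoever controls the CNAME target can complete domain validation for that name, so a `foreign-target` result is worth reviewing before a certificate is requested.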
Monitoring for Certificate Expiration
Another new feature that will be enabled with this product is the ability to monitor certificate expiration with Google Cloud Logging. Cloud Logging creates a record of certificate expiration; the record uses the `certificatemanager.googleapis.com/Project` monitored resource and is represented by the following message:
The log message is delivered every hour and contains a sample of the certificates that are close to expiry or already expired.
The best part is that there’s no additional charge to use the Certificate Manager for the first 100 certificates. To use more than 100 certificates with the management tools, we will charge on a per-certificate, per-month pricing structure. This empowers you to scale up to as many certificates as you need, and as cost-effectively as possible. The pricing will be enabled when the solution goes to General Availability.
It is our hope that these new features, combined with the programmability offered by Certificate Manager, will enable you to simplify the way you deploy HTTPS and offer a more scalable and secure service to your customers.