Endpoint TLS certificate renewal

Certificate expiry is one of the main sources of service outages in the industry, and even large, established companies have suffered from it in recent years. For example, when certificates on routers expire, users can no longer log in to WiFi networks, and when a website certificate expires, users can no longer connect to that website.

This sample provides a script-based certificate lifecycle management solution that scans cloud resources for certificates and, for those that are close to expiry (the threshold is configurable), automatically issues new certificates from Certificate Authority Service and updates the certificate on the resource. The sample is available on GitHub; the current version covers Google Cloud internal and external load balancers, and an upcoming update will add Istio ingress support.

Overview

The figure below demonstrates the solution architecture:

CA Service cert renewal architecture diagram.

This solution assumes that the reader has created one or more Certificate Authorities (CAs) through Certificate Authority Service. A YAML config file binds each resource shown on the right of the diagram (such as a load balancer) to the CA that issues TLS certificates for that resource's endpoint name. For example, the following snippet binds a global load balancer called demo-lb-target-proxy to a subordinate CA called server-tls-2. The cert_renew_ratio parameter indicates the portion of the certificate's validity period that may elapse before renewal. For example, a value of 70 means that the certificate will be renewed after 70% of its lifespan has passed. That is, if the certificate lifetime is 100 minutes, it will be renewed after 70 minutes.

ssl_resources:
  "load-balancer":
    type: "GLB" #Global Load Balancer
    name: "demo-lb-target-proxy"
    subordinate-ca: "server-tls-2"
    cert_renew_ratio: 70

You should keep this YAML file in a secure location such as Cloud Storage or Secret Manager, protected by an IAM policy. The compute resource that will be running this script (such as Compute Engine or Cloud Functions) should have access to this file through its Service Account.

When the script runs from a VM or Cloud Function, it reads the YAML config file, checks each listed resource's SSL certificate, and evaluates the remaining time before expiration. If renewal is due, the script issues a new certificate from the configured subordinate CA and updates the resource with the newly generated certificate.

Each operation performed on Certificate Authority Service is logged in Cloud Logging, where alerts and notifications can be configured based on metrics. For example, a notification can be delivered to Pub/Sub whenever the issuing CA configuration changes. The script is designed to be extended with certificate automation for additional SSL-based resources, and we welcome pull requests.