Manage certificates

This page describes how to use Certificate Manager to create and manage Transport Layer Security (TLS) (SSL) certificates.

For more information, see Supported certificates.

Create a Google-managed certificate

Certificate Manager lets you create Google-managed certificates in the following ways:

  • Google-managed certificates with load balancer authorization (global)
  • Google-managed certificates with DNS authorization (global, regional, and cross-region)
  • Google-managed certificates with Certificate Authority Service (CA Service) (global, regional, and cross-region)

Load balancer authorization

Load balancer authorization lets you obtain a Google-managed certificate for your domain when traffic is served by the load balancer. This method doesn't require any additional DNS records for certificate provisioning. You can use load balancer authorizations for new environments with no existing traffic. For information about when to use load balancer authorization with a Google-managed certificate, see Domain authorization types for Google-managed certificates.

You can create Google-managed certificates with load balancer authorization only in the global location. Certificates with load balancer authorization don't support wildcard domains.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Global.

  6. For Scope, select one of the following options:

    • Default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • Edge cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

    You can't use load balancer authorization with a Regional location or the All regions scope.

  7. For Certificate type, select Create Google-managed certificate.

  8. For Certificate Authority type, select Public.

  9. In the Domain Names field, specify a comma-delimited list of domain names of the certificate. Each domain name must be a fully qualified domain name, such as myorg.example.com.

  10. For Authorization type, select Load balancer authorization.

  11. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.

  12. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a global Google-managed certificate with load balancer authorization, use the certificate-manager certificates create command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --domains="DOMAIN_NAMES" \
    [--scope=SCOPE]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAMES: a comma-delimited list of the target domains. Each domain name must be a fully qualified domain name, such as myorg.example.com.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

Terraform

Use a google_certificate_manager_certificate resource.

resource "google_certificate_manager_certificate" "default" {
  name        = "${local.name}-rootcert-${random_id.tf_prefix.hex}"
  description = "Cert with LB authorization"
  managed {
    domains = [local.domain]
  }
  labels = {
    "terraform" : true
  }
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

Create the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/global/certificates?certificate_id=CERTIFICATE_NAME
{
 "managed": {
  "domains": ["DOMAIN_NAME"],
  "scope": "SCOPE" //optional
 }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAMES: a comma-delimited list of the target domains. Each domain name must be a fully qualified domain name, such as myorg.example.com.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

DNS authorization

To use Google-managed certificates before your production environment is ready, you can provision them with DNS authorizations. For information about when to use DNS authorization with a Google-managed certificate, see Domain authorization types for Google-managed certificates.

To independently manage certificates across multiple projects, you can use per-project DNS authorization. For information about creating certificates with per-project DNS authorization, see Create a DNS authorization.

Before you create the certificate, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Global or Regional.

    If you've selected Regional, from the Region list, select your region.

  6. For Scope, select one of the following options:

    • Default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • All regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • Edge cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

    The Scope field is not available if you've selected a Regional location.

  7. For Certificate type, select Create Google-managed certificate.

  8. For Certificate Authority type, select Public.

  9. In the Domain Names field, specify a comma-delimited list of domain names of the certificate. Each domain name must be a fully qualified domain name, such as myorg.example.com. The domain name can also be a wildcard domain name, such as *.example.com.

  10. For Authorization type, select DNS authorization.

    The page lists DNS authorizations of the domain names. If a domain name doesn't have an associated DNS authorization, follow these steps to create one:

    1. Click Create missing DNS authorization.
    2. In the DNS authorization name field, specify the name of the DNS authorization. The default DNS authorization type is FIXED_RECORD. To independently manage certificates across multiple projects, select the Per project authorization checkbox.
    3. Click Create DNS authorization.
  11. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.

  12. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a Google-managed certificate with DNS authorization, run the certificate-manager certificates create command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --domains="DOMAIN_NAME, *.DOMAIN_NAME" \
    --dns-authorizations="AUTHORIZATION_NAMES" \
    [--location=LOCATION] \
    [--scope=SCOPE]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com, or a wildcard domain, such as *.myorg.example.com. The asterisk dot prefix (*.) signifies a wildcard certificate.
  • AUTHORIZATION_NAMES: a comma-delimited list of names of the DNS authorizations.
  • LOCATION: the target Google Cloud location. The default is global.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

Terraform

Use a google_certificate_manager_certificate resource.

resource "google_certificate_manager_certificate" "root_cert" {
  name        = "${local.name}-rootcert-${random_id.tf_prefix.hex}"
  description = "The wildcard cert"
  managed {
    domains = [local.domain, "*.${local.domain}"]
    dns_authorizations = [
      google_certificate_manager_dns_authorization.default.id
    ]
  }
  labels = {
    "terraform" : true
  }
}

API

Create the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificates?certificate_id=CERTIFICATE_NAME
{
 "managed": {
  "domains": ["DOMAIN_NAME"],
  "dnsAuthorizations": ["projects/PROJECT_ID/locations/LOCATION/dnsAuthorizations/AUTHORIZATION_NAME"],
  "scope": "SCOPE" //optional
 }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • AUTHORIZATION_NAME: the name of the DNS authorization.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

Issued by CA Service

You can integrate Certificate Manager with CA Service to issue Google-managed certificates. To issue global Google-managed certificates, you use a regional CA pool in any region. To issue regional Google-managed certificates, you use a CA pool in the same region as your certificate.

Before you create the certificate, configure CA Service integration with Certificate Manager.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Global or Regional.

    If you've selected Regional, from the Region list, select your region.

  6. For Scope, select one of the following options:

    • Default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • All regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • Edge cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

    The Scope field is not available if you've selected a Regional location.

  7. For Certificate type, select Create Google-managed certificate.

  8. For Certificate Authority type, select Private.

  9. In the Domain Names field, specify a comma-delimited list of domain names of the certificate. Each domain name must be a fully qualified domain name, such as myorg.example.com.

  10. For Select a certificate issuance config, select the name of the certificate issuance configuration resource referencing the target CA pool.

  11. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.

  12. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a Google-managed certificate with Certificate Authority Service, use the certificate-manager certificates create command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --domains="DOMAIN_NAMES" \
    --issuance-config=ISSUANCE_CONFIG_NAME \
    [--location="LOCATION"] \
    [--scope=SCOPE]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com, or a wildcard domain, such as *.myorg.example.com. The asterisk dot prefix (*.) signifies a wildcard certificate.
  • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
  • LOCATION: the target Google Cloud location. The default is global.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

API

Create the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificates?certificate_id=CERTIFICATE_NAME
{
 "managed": {
  "domains": ["DOMAIN_NAME"],
  "issuanceConfig": "ISSUANCE_CONFIG_NAME",
  "scope": "SCOPE" //optional
 }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

Upload a self-managed certificate

To upload a self-managed certificate, upload the certificate (CRT) file and the corresponding private key (KEY) file. You can upload global and regional X.509 TLS (SSL) certificates of the following types:

  • Certificates generated by third-party certificate authorities (CAs) of your choice.
  • Certificates generated by certificate authorities that you control.
  • Self-signed certificates, as described in Create a private key and certificate.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Global or Regional.

    If you've selected Regional, from the Region list, select your region.

  6. For Scope, select one of the following options:

    • Default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • All regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • Edge cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

    The Scope field is not available if you've selected a Regional location.

  7. For Certificate type, select Create self-managed certificate.

  8. For the Certificate field, do either of the following:

    • Click the Upload button and select your PEM-formatted certificate file.
    • Copy and paste the contents of a PEM-formatted certificate. The contents must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  9. For the Private key certificate field, do either of the following:

    • Click the Upload button and select your private key. Your private key must be PEM-formatted and not protected with a passphrase.
    • Copy and paste the contents of a PEM-formatted private key. The private key must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
  10. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.

  11. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a self-managed certificate, use the certificate-manager certificates create command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --certificate-file="CERTIFICATE_FILE" \
    --private-key-file="PRIVATE_KEY_FILE" \
    [--location="LOCATION"] \
    [--scope=SCOPE]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • CERTIFICATE_FILE: the path and filename of the CRT certificate file.
  • PRIVATE_KEY_FILE: the path and filename of the KEY private key file.
  • LOCATION: the target Google Cloud location. The default is global.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.

Terraform

To upload a self-managed certificate, you can use a google_certificate_manager_certificate resource with the self_managed block.

API

Upload the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificates?certificate_id=CERTIFICATE_NAME
{
  "self_managed": {
    "pem_certificate": "PEM_CERTIFICATE",
    "pem_private_key": "PEM_KEY",
    "scope": "SCOPE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.
  • PEM_CERTIFICATE: the certificate PEM.
  • PEM_KEY: the key PEM.
  • SCOPE: enter one of the following options:
    • default: if you plan to use the certificate with global external Application Load Balancer or global external proxy Network Load Balancer.
    • all-regions: if you plan to use the certificate with cross-region internal Application Load Balancer.
    • edge-cache: if you plan to use the certificate with Media CDN and specify multiple domains in the certificate.
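The upload steps above require a PEM certificate that starts with -----BEGIN CERTIFICATE----- and an unencrypted PEM key that starts with -----BEGIN PRIVATE KEY-----. The following pre-upload check is an added example, not part of Certificate Manager or the original page; the function names and the sample inputs are constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, headers, der) per PEM block; der is None if base64 is invalid."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # RFC 1421-style headers (Proc-Type, DEK-Info) contain ':'; base64 never does.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            der = None
        blocks.append((label, headers, der))
    return blocks


def _der_problem(der):
    """Cheap sanity check: X.509 and PKCS#8 structures are DER SEQUENCEs (tag 0x30)."""
    if der is None:
        return "payload is not valid base64"
    if not der.startswith(b"\x30"):
        return "payload is not a DER SEQUENCE"
    return None


def lint_certificate(text):
    """Problems that make the certificate file unsuitable for upload; [] means OK."""
    problems = []
    stripped = text.strip()
    if not (stripped.startswith("-----BEGIN CERTIFICATE-----")
            and stripped.endswith("-----END CERTIFICATE-----")):
        problems.append("must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
    for label, _headers, der in pem_blocks(text):
        if "PRIVATE KEY" in label:
            problems.append("private key material found in the certificate file")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block: {label}")
        elif _der_problem(der):
            problems.append(f"certificate block: {_der_problem(der)}")
    return problems


def lint_private_key(text):
    """Problems that make the key file unsuitable for upload; [] means OK."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return [f"expected exactly one PEM block, found {len(blocks)}"]
    label, headers, der = blocks[0]
    legacy_encrypted = any(
        h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
    if label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
        return ["key is passphrase-protected"]
    if label != "PRIVATE KEY":
        return [f"key uses BEGIN {label}; expected BEGIN PRIVATE KEY"]
    problem = _der_problem(der)
    return [f"key block: {problem}"] if problem else []


# Constructed samples: the payload is a 5-byte dummy DER SEQUENCE, not real key material.
_DUMMY = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_DUMMY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_DUMMY}\n-----END PRIVATE KEY-----\n"
SAMPLE_LEGACY_KEY = SAMPLE_KEY.replace("PRIVATE KEY", "RSA PRIVATE KEY")
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    f"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n{_DUMMY}\n"
    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("certificate:", lint_certificate(SAMPLE_CERT))
    for name in ("SAMPLE_KEY", "SAMPLE_LEGACY_KEY", "SAMPLE_ENCRYPTED_KEY"):
        print(name, lint_private_key(globals()[name]))
```

The check looks only at PEM framing and the outer DER tag; it does not verify that the key matches the certificate.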

Update a certificate

You can update an existing certificate without modifying its assignments to domain names within the corresponding certificate map. When you update a certificate, make sure that the SANs in the new certificate exactly match the SANs in the existing certificate.

Google-managed certificates

For Google-managed certificates, you can only update the certificate's description and labels.

Console

You can't update a certificate from the Google Cloud console. Use the Google Cloud CLI instead.

gcloud

To update a Google-managed certificate, use the certificate-manager certificates update command:

gcloud certificate-manager certificates update CERTIFICATE_NAME \
    [--description="DESCRIPTION"] \
    [--update-labels="LABELS"]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DESCRIPTION: a unique description of the certificate.
  • LABELS: a comma-separated list of labels applied to this certificate.

API

Update the certificate by making a PATCH request to the certificates.patch method as follows:

PATCH /v1/projects/PROJECT_ID/locations/LOCATION/certificates/CERTIFICATE_NAME?updateMask=labels,description
{
  "description": "DESCRIPTION",
  "labels": {
    "LABEL_KEY": "LABEL_VALUE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.
  • DESCRIPTION: a description of the certificate.
  • LABEL_KEY: a label key applied to the certificate.
  • LABEL_VALUE: a label value applied to the certificate.

Self-managed certificates

To update a self-managed certificate, you must upload the following PEM-encoded files:

  • The certificate CRT file
  • The corresponding private key KEY file

Console

You can't update a certificate from the Google Cloud console. Use the Google Cloud CLI instead.

gcloud

To update a self-managed certificate, use the certificate-manager certificates update command:

gcloud certificate-manager certificates update CERTIFICATE_NAME \
    --certificate-file="CERTIFICATE_FILE" \
    --private-key-file="PRIVATE_KEY_FILE" \
    --description="DESCRIPTION" \
    --update-labels="LABELS" \
    [--location="LOCATION"]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • CERTIFICATE_FILE: the path and filename of the CRT certificate file.
  • PRIVATE_KEY_FILE: the path and filename of the KEY private key file.
  • DESCRIPTION: a unique description value for this certificate.
  • LABELS: a comma-separated list of labels applied to this certificate.
  • LOCATION: the target Google Cloud location. This flag is optional. Specify this flag for regional certificates only.

API

Update the certificate by making a PATCH request to the certificates.patch method as follows:

PATCH /v1/projects/PROJECT_ID/locations/[LOCATION]/certificates/CERTIFICATE_NAME?updateMask=self_managed,labels,description
{
  "self_managed": { // Self-managed certificates only
    "pem_certificate": "PEM_CERTIFICATE",
    "pem_private_key": "PEM_KEY"
  },
  "description": "DESCRIPTION",
  "labels": {
    "LABEL_KEY": "LABEL_VALUE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location. This flag is optional. Specify this flag for regional certificates only.
  • CERTIFICATE_NAME: the name of the certificate.
  • PEM_CERTIFICATE: the certificate PEM.
  • PEM_KEY: the key PEM.
  • DESCRIPTION: a meaningful description of the certificate.
  • LABEL_KEY: a label key applied to the certificate.
  • LABEL_VALUE: a label value applied to the certificate.

List certificates

You can see all certificates of your project and their details, such as region, hostnames, expiration date, and type.

Console

The Certificate Manager page in the Google Cloud console can display a maximum of 10,000 certificates. If your project contains more than 10,000 certificates that are managed by Certificate Manager, use the gcloud CLI command.

To see certificates provisioned by Certificate Manager:

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. Click the Certificates tab.

    This tab lists all of the certificates managed by Certificate Manager in the selected project.

To see certificates provisioned through Cloud Load Balancing:

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. Click the Classic Certificates tab.

    Classic certificates are not managed by Certificate Manager. For more information about how to manage them, see the following:

gcloud

To list certificates, use the certificate-manager certificates list command:

gcloud certificate-manager certificates list \
    [--location="LOCATION"] \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY"

Replace the following:

  • LOCATION: the target Google Cloud location. To list certificates from all regions, use - as the value. The default is global. This flag is optional.
  • FILTER: an expression that constrains the returned results to specific values.

    For example, you can filter the results by the following criteria:

    • Expiration time: --filter='expire_time >= "2021-09-01T00:00:00Z"'
    • SAN DNS names: --filter='san_dnsnames:"example.com"'
    • Certificate state: --filter='managed.state=FAILED'
    • Certificate type: --filter='managed:*'
    • Labels and creation time: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • LIMIT: the maximum number of results to return.

  • SORT_BY: a comma-delimited list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

API

List the certificates by making a GET request to the certificates.list method as follows:

GET /v1/projects/PROJECT_ID/locations/LOCATION/certificates?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location. To list certificates from all regions, use - as the value.
  • FILTER: an expression that constrains the returned results to specific values.

    For example, you can filter the results by the following criteria:

    • Expiration time: --filter='expire_time >= "2021-09-01T00:00:00Z"'
    • SAN DNS names: --filter='san_dnsnames:"example.com"'
    • Certificate state: --filter='managed.state=FAILED'
    • Certificate type: --filter='managed:*'
    • Labels and creation time: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

      For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • SORT_BY: a comma-delimited list of name fields by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).
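The expiration-time and managed.state filters above can be combined into one inventory check. The following added example (not from the original page) audits the JSON produced by `gcloud certificate-manager certificates list --location=- --format=json`; it assumes the JSON uses the camelCase field names `expireTime`, `managed.state` and `selfManaged`, and the sample records and the reference date are constructed.

```python
import json
from datetime import datetime, timedelta, timezone


def parse_time(value):
    """Parse an RFC 3339 UTC timestamp such as 2021-09-01T00:00:00Z (fraction optional)."""
    head, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return parsed + timedelta(seconds=float("0." + frac)) if frac else parsed


def audit(certs, now, warn_days=30):
    """Return (certificate, type, issue) tuples for certificates that need attention."""
    findings = []
    for cert in certs:
        name = cert.get("name", "").rsplit("/", 1)[-1]
        kind = "managed" if "managed" in cert else "self-managed"
        # Same condition as --filter='managed.state=FAILED'.
        if cert.get("managed", {}).get("state") == "FAILED":
            findings.append((name, kind, "provisioning FAILED"))
        expire = cert.get("expireTime")
        if expire is None:
            continue  # assumed: no certificate has been issued for this resource yet
        remaining = parse_time(expire) - now
        if remaining <= timedelta(0):
            findings.append((name, kind, "expired"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((name, kind, f"expires in {remaining.days} days"))
    return findings


def audit_json(text, now, warn_days=30):
    """Audit the raw JSON text of a certificates list call."""
    return audit(json.loads(text), now, warn_days)


# Constructed sample output; project, certificate names and dates are placeholders.
SAMPLE_NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)
SAMPLE_LIST_JSON = """
[
  {"name": "projects/example-project/locations/global/certificates/web-lb",
   "sanDnsnames": ["myorg.example.com"],
   "expireTime": "2021-09-10T00:00:00Z",
   "managed": {"domains": ["myorg.example.com"], "state": "ACTIVE"}},
  {"name": "projects/example-project/locations/global/certificates/api-dns",
   "managed": {"domains": ["api.example.com"], "state": "FAILED"}},
  {"name": "projects/example-project/locations/us-east1/certificates/legacy-upload",
   "sanDnsnames": ["legacy.example.com"],
   "expireTime": "2021-08-20T00:00:00Z",
   "selfManaged": {}},
  {"name": "projects/example-project/locations/global/certificates/docs",
   "sanDnsnames": ["docs.example.com"],
   "expireTime": "2022-06-01T00:00:00.500Z",
   "managed": {"domains": ["docs.example.com"], "state": "ACTIVE"}}
]
"""

if __name__ == "__main__":
    for name, kind, issue in audit_json(SAMPLE_LIST_JSON, SAMPLE_NOW):
        print(f"{name:15} {kind:13} {issue}")
```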

View the state of a certificate

You can view the state of an existing certificate, including its provisioning state and other detailed information.

Console

If your project contains more than 10,000 certificates that are managed by Certificate Manager, the Certificate Manager page in the Google Cloud console won't list them. Instead, use the gcloud CLI command. However, if you have a direct link to the certificate's Details page, you can view its details in the Google Cloud console.

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the page that appears, select the Certificates tab.

  3. On the Certificates tab, go to the target certificate, and then click the certificate's name.

    The Certificate details page displays detailed information about the selected certificate.

  4. Optional: To view the REST response from the Certificate Manager API for this certificate, click Equivalent REST.

  5. Optional: If the certificate has an associated certificate issuance configuration that you want to view, then in the Issuance config field, click the name of the associated certificate issuance configuration resource.

    The Google Cloud console displays the full configuration of the certificate issuance configuration.

gcloud

To view the status of a certificate, use the certificate-manager certificates describe command:

gcloud certificate-manager certificates describe CERTIFICATE_NAME \
    [--location="LOCATION"]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • LOCATION: the target Google Cloud location. The default location is global. This flag is optional.

API

View the certificate state by making a GET request to the certificates.get method as follows:

GET /v1/projects/PROJECT_ID/locations/LOCATION/certificates/CERTIFICATE_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.

Delete a certificate

Before you delete a certificate, remove it from all certificate map entries that reference it; otherwise, the deletion fails. For more information, see Delete a certificate map entry.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, select the checkbox of the certificate that you want to delete.

  3. Click Delete.

  4. In the dialog that appears, click Delete to confirm.

gcloud

To delete a certificate, use the certificate-manager certificates delete command:

gcloud certificate-manager certificates delete CERTIFICATE_NAME \
    [--location="LOCATION"]

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • LOCATION: the target Google Cloud location. The default location is global. This flag is optional.

API

Delete the certificate by making a DELETE request to the certificates.delete method as follows:

DELETE /v1/projects/PROJECT_ID/locations/LOCATION/certificates/CERTIFICATE_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location.
  • CERTIFICATE_NAME: the name of the certificate.
