Deploy a regional Google-managed certificate with Certificate Authority Service

This tutorial describes how to use Certificate Manager to deploy a regional Google-managed certificate with CA Service to a regional external Application Load Balancer or to a regional internal Application Load Balancer.

Objectives

This tutorial shows you how to complete the following tasks:

Create a Google-managed certificate with CA Service by using Certificate Manager.
Deploy the certificate to a supported load balancer by using a target HTTPS proxy.

For more information about the certificate deployment process, see Deployment overview.

Before you begin

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector
Make sure that you have the following roles to complete the tasks in this tutorial:
- Certificate Manager Owner: Required to create and manage Certificate Manager resources.
- Compute Load Balancer Admin: Required to create and manage HTTPS target proxy.
- CA Service Admin: Required to perform actions within CA Service.
For more information, see the following:
- Roles and permissions for Certificate Manager
- Compute Engine IAM roles and permissions for Compute Engine
- Permissions and roles for CA Service
Note: If you aren't assigned the permissions or roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to request the missing roles.
Enable the Certificate Manager API
Enable the CA Service API.
Create a CA pool. You must create and enable at least one CA in this CA pool.

Configure CA Service integration with Certificate Manager

Configure Certificate Manager to integrate with CA Service as follows:

Create a Certificate Manager service account in the target Google Cloud project:
```
gcloud beta services identity create \
    --service=certificatemanager.googleapis.com \
    --project=PROJECT_ID
```
Replace PROJECT_ID with the ID of the target Google Cloud project.

The command returns the name of the created service identity, as shown in the following example:

service-520498234@gcp-sa-certificatemanager.iam.gserviceaccount.com

Grant the Certificate Manager service account the CA Service Certificate Requester role within the target CA pool as follows:
```
gcloud privateca pools add-iam-policy-binding CA_POOL \
    --location LOCATION \
    --member "serviceAccount:SERVICE_ACCOUNT" \
    --role roles/privateca.certificateRequester
```
Replace the following:
- CA_POOL: the ID of the target CA pool.
- LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.
- SERVICE_ACCOUNT: the full name of the service account you created in step 1.
Create a certificate issuance configuration resource for your CA pool:
```
gcloud beta certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \
    --ca-pool=CA_POOL \
    --location=LOCATION> \
    [--lifetime=CERTIFICATE_LIFETIME] \
    [--rotation-window-percentage=ROTATION_WINDOW_PERCENTAGE] \
    [--key-algorithm=KEY_ALGORITHM]
```
Replace the following:
- ISSUANCE_CONFIG_NAME: the unique name of the certificate issuance configuration resource.
- CA_POOL: the full resource path and name of the CA pool you want to assign to this certificate issuance configuration resource.
- LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.
- CERTIFICATE_LIFETIME: the certificate lifetime in days. Valid values are from 21 to 30 days in standard duration format. The default is 30 days (30D). This setting is optional.
- ROTATION_WINDOW_PERCENTAGE: the percentage of the certificate's lifetime at which a renewal triggers. The default is 66 percent. You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after the certificate has been issued and at least 7 days before it expires. This setting is optional.
- KEY_ALGORITHM: the encryption algorithm used to generate the private key. Valid values are ecdsa-p256 or rsa-2048. The default is rsa-2048. This setting is optional.

For more information about certificate issuance configuration resources, see Manage certificate issuance configs.

Create a regional Google-managed certificate

Create a regional Google-managed certificate issued by your CA Service using the certificate issuance configuration resource created in the preceding step:

Console

In the Google Cloud console, go to the Certificate Manager page.

Go to Certificate Manager
On the page that appears, select the Certificates tab.
Click Add Certificate.
Enter a Name for the certificate.

This name must be unique for the project.
Optional: Enter the Description for the certificate. The description helps you identify a specific certificate later.
For Location, choose Regional.
From the Region list, select a region.
For Certificate type, choose Create Google-managed certificate.
For Certificate Authority type, choose Private.
Specify the Domain Names of the certificate. Enter a comma-delimited list of the target domains. Also, each domain name must be a fully qualified domain name, such as myorg.example.com.
For Certificate Issuance Config, select the name of the certificate issuance configuration resource referencing the target CA pool.
Specify a label to associate to the certificate. You can add more than one label, if needed. To add a label, click the Add label button, and specify a key and a value for your label.
Click Create. Verify that the new certificate appears in the list of certificates.

gcloud

Run the following command:

gcloud beta certificate-manager certificates create CERTIFICATE_NAME \
    --domains="DOMAIN_NAMES" \
    --issuance-config="ISSUANCE_CONFIG_NAME" \
    --location="LOCATION"

Replace the following:

CERTIFICATE_NAME: a unique name of the certificate.
DOMAIN_NAMES: a comma-delimited list of the target domains for this certificate. Each domain name must be a fully qualified domain name, such as myorg.example.com.
ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource referencing the target CA pool.
LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.

API

Create the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificates?certificate_id=CERTIFICATE_NAME"
{
 name: "/projects/example-project/locations/LOCATION/certificates/my-cert",
 "managed": {
  "domains": ["DOMAIN_NAME"],
  "issuanceConfig": "ISSUANCE_CONFIG_NAME",
 },
}

Replace the following:

PROJECT_ID: the ID of the target Google Cloud project.
LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.
CERTIFICATE_NAME: a unique name of the certificate.
DOMAIN_NAME: the target domain for this certificate. The domain name must be a fully qualified domain name, such as example.com, www.example.com.
ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource referencing the target CA pool.

For an overview of the certificate deployment process, see Deployment overview.

Verify that the certificate is active

Use the following command to verify that the certificate itself is active before deploying it to your load balancer. It can take several minutes for the certificate state to change to ACTIVE.

gcloud beta certificate-manager certificates describe CERTIFICATE_NAME \
    --location=LOCATION

Replace the following:

CERTIFICATE_NAME: a unique name of the certificate.
LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.

The command returns output that is similar to the following:

createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
domains:
-   myorg.example.com
issuanceConfig: projects/myproject/locations/mylocation/issuanceConfigs/myissuanceConfig
state: ACTIVE
name: projects/myproject/locations/mylocation/certificates/mycertificate
pemCertificate: |
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----
sanDnsnames:
  -   myorg.example.com
updateTime: '2021-10-20T12:19:55.083385630Z'

Deploy the regional Google-managed certificate to a load balancer

To deploy the regional Google-managed certificate, create an HTTPS target proxy and attach the certificate to it.

Create the HTTPS target proxy

To create the HTTPS target proxy and attach the certificate, run the following command:

gcloud compute target-https-proxies create PROXY_NAME \
    --url-map=URL_MAP \
    --region=REGION \
    --certificate-manager-certificates=CERTIFICATE_NAME

Replace the following:

PROXY_NAME: a unique name of the proxy.
URL_MAP: the name of the URL map. You created the URL map when you created the load balancer.
REGION: the region where you are creating the HTTPS target proxy.
CERTIFICATE_NAME: the name of the certificate.

To verify whether the target proxy is created, run the following command:

gcloud compute target-https-proxies list

Create a forwarding rule

Set up a forwarding rule and finish setting up the load balancer.

If you're using a regional external Application Load Balancer, see Set up a regional external Application Load Balancer with VM instance group backends.
If you're using a regional internal Application Load Balancer, see Set up an regional internal Application Load Balancer with VM instance group backends.

Clean up

To revert the changes you have made in this tutorial, complete the following steps:

Delete the Google-managed certificate:
Console
1. In the Google Cloud console, go to the Certificate Manager page.
  
  Go to Certificate Manager
2. On the Certificates tab, select the checkbox of the certificate.
3. Click Delete.
4. In the dialog that appears, click Delete to confirm.
gcloud
```
gcloud certificate-manager certificates delete CERTIFICATE_NAME \
    --location=LOCATION
```
Replace the following:
- CERTIFICATE_NAME: the name of the certificate
- LOCATION: the target Google Cloud location
Delete the certificate issuance configuration resource:
Console
1. In the Google Cloud console, go to the Certificate Manager page.
  
  Go to Certificate Manager
2. On the Issuance Configs tab, select the checkbox of the issuance config.
3. Click Delete.
4. In the dialog that appears, click Delete to confirm.
gcloud
```
gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME \
    --location=LOCATION
```
Replace the following:
- ISSUANCE_CONFIG_NAME: the name of the issuance config
- LOCATION: the target Google Cloud location
Delete the CA pool as described in Delete a CA pool.

Keep in mind that to disable the last CA you enabled in the CA pool referenced in the certificate issuance configuration resource, or to delete the referenced CA pool altogether, you must first delete every certificate issuance configuration resource that references that CA pool.

Troubleshooting

For troubleshooting steps, see Problems related to certificates issued by a CA Service instance.

Deploy a regional Google-managed certificate with Certificate Authority Service

Objectives

Before you begin

Configure CA Service integration with Certificate Manager

Create a regional Google-managed certificate

Console

gcloud

API

Verify that the certificate is active

Deploy the regional Google-managed certificate to a load balancer

Create the HTTPS target proxy

Create a forwarding rule

Clean up

Console

gcloud

Console

gcloud

Troubleshooting

What's next