Deploy a regional Google-managed certificate with Certificate Authority Service


This tutorial shows you how to use Certificate Manager to deploy a regional Google-managed certificate with Certificate Authority Service to a regional external Application Load Balancer or to a regional internal Application Load Balancer.

If you want to deploy to global external load balancers or cross-region load balancers, see the following:

Objectives

This tutorial shows you how to complete the following tasks:

  • Create a Google-managed certificate with CA Service by using Certificate Manager.
  • Deploy the certificate to a supported load balancer by using a target HTTPS proxy.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine, Certificate Manager, Certificate Authority APIs.

    Enable the APIs

  5. Install the Google Cloud CLI.
  6. To initialize the gcloud CLI, run the following command:

    gcloud init
  7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  8. Make sure that billing is enabled for your Google Cloud project.

  9. Enable the Compute Engine, Certificate Manager, Certificate Authority APIs.

    Enable the APIs

  10. Install the Google Cloud CLI.
  11. To initialize the gcloud CLI, run the following command:

    gcloud init
  12. Enable the CA Service API.
  13. Create a CA pool. You must create and enable at least one CA in this CA pool.

You need to make a note of the following before you follow the steps of this tutorial:

  • Certificates you create with Certificate Authority Service aren't publicly trusted. To issue publicly trusted certificates, create certificates with DNS authorization or load balancer authorization.
  • If a certificate issuance policy is in effect on the target CA pool, certificate provisioning might fail for any of the following reasons:

    • The certificate issuance policy has blocked the requested certificate. In this case, you aren't billed because the certificate hasn't been issued.
    • The policy has applied changes to the certificate that aren't supported by Certificate Manager. In this case, you are billed because the certificate has been issued, even though it is not fully compatible with Certificate Manager.
  • Google-managed TLS certificates that are issued from a regional CA pool are global and can be be used in any region.

Required roles

Make sure that you have the following roles to complete the tasks in this tutorial:

  • Certificate Manager Owner (roles/certificatemanager.owner): Required to create and manage Certificate Manager resources.
  • Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) or Compute Network Admin (roles/compute.networkAdmin): Required to create and manage HTTPS target proxy.
  • CA Service Admin (roles/privateca.admin): Required to perform actions within CA Service.

For more information, see the following:

Create the load balancer

This tutorial assumes that you've already created and configured the load balancer's backends, health checks, backend services, and URL maps. Make a note of the URL map's name because you need it later in this tutorial.

Configure CA Service integration with Certificate Manager

To integrate CA Service with Certificate Manager, follow these steps:

  1. In the target Google Cloud project, create a Certificate Manager service account:

    gcloud beta services identity create --service=certificatemanager.googleapis.com \
        --project=PROJECT_ID
    

    Replace PROJECT_ID with the ID of the target Google Cloud project.

    The command returns the name of the created service identity. See the following example:

    service-520498234@gcp-sa-certificatemanager.iam.gserviceaccount.com
    
  2. Grant the Certificate Manager service account the CA Service Certificate Requester role (roles/privateca.certificateRequester) within the target CA pool:

    gcloud privateca pools add-iam-policy-binding CA_POOL \
        --location LOCATION \
        --member "serviceAccount:SERVICE_ACCOUNT" \
        --role roles/privateca.certificateRequester
    

    Replace the following:

    • CA_POOL: the ID of the target CA pool.
    • LOCATION: the target Google Cloud location.
    • SERVICE_ACCOUNT: the full name of the service account you created in step 1.
  3. Create a certificate issuance configuration resource for your CA pool:

    Console

    1. In the Google Cloud console, go to the Certificate Manager page.

      Go to Certificate Manager

    2. On the Issuance Configs tab, click Create.

    3. In the Name field, enter a unique name for the certificate issuance configuration.

    4. Optional: In the Description field, enter a description for the issuance configuration.

    5. For Location, select Regional.

      For Region, select the same region as your certificate and CA pool.

    6. Optional: In the Lifetime field, specify the lifetime of issued certificate in days. The value must be between 21 to 30 days (inclusive).

    7. Optional: In the Rotation window percentage, specify the percentage of the certificate's lifetime when its renewal process begins. To find the range of valid values, see Lifetime and Rotation window percentage.

    8. Optional: From the Key algorithm list, select the key algorithm to use when generating the private key.

    9. From the CA pool list, select the name of the CA pool to assign to this certificate issuance configuration resource.

    10. In the Labels field, specify labels to associate to the certificate. To add a label, click Add label, and specify a key and a value for your label.

    11. Click Create.

    gcloud

    gcloud certificate-manager issuance-configs create ISSUANCE_CONFIG_NAME \
        --ca-pool=CA_POOL \
        --location=LOCATION
    

    Replace the following:

    • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource.
    • CA_POOL: the full resource path and name of the CA pool that you want to assign to this certificate issuance configuration resource.
    • LOCATION: the target Google Cloud location. You must specify the same location as the CA pool and the certificate.

    For more information about certificate issuance configuration resources, see Manage certificate issuance configuration resources.

Create a Google-managed certificate issued by your CA Service instance

To create a Google-managed certificate issued by your CA Service instance, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Regional.

  6. From the Region list, select your region.

  7. For Certificate type, select Create Google-managed certificate.

  8. For Certificate Authority type, select Private.

  9. In the Domain Names field, specify a comma-delimited list of domain names of the certificate. Each domain name must be a fully qualified domain name, such as myorg.example.com.

  10. For Select a certificate issuance config, select the name of the certificate issuance configuration resource referencing the target CA pool.

  11. In the Labels field, specify labels to associate to the certificate. To add a label, click Add label, and specify a key and a value for your label.

  12. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a regional Google-managed certificate with Certificate Authority Service, use the certificate-manager certificates create command with the issuance-config flag:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --domains="DOMAIN_NAMES" \
    --issuance-config="ISSUANCE_CONFIG_NAME" \
    --location="LOCATION"

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
  • LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.

API

Create the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/LOCATION/certificates?certificate_id=CERTIFICATE_NAME"
{
 name: "/projects/example-project/locations/LOCATION/certificates/my-cert",
 "managed": {
  "domains": ["DOMAIN_NAME"],
  "issuanceConfig": "ISSUANCE_CONFIG_NAME",
 },
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • LOCATION: the target Google Cloud location. You must specify the same location as the CA pool, certificate issuance configuration resource, and managed certificate.
  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.

Verify the status of the certificate

Before deploying a certificate to a load balancer, verify that it's active. It can take several minutes for the certificate state to change to ACTIVE.

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, check the Status column for the certificate.

gcloud

To verify the status of the certificate, run the following command:

gcloud certificate-manager certificates describe CERTIFICATE_NAME \
    --location=LOCATION

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • LOCATION: the target Google Cloud location where you created the Google-managed certificate.

The output is similar to the following:

createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
  domains:
  - myorg.example.com
  issuanceConfig: projects/myproject/locations/LOCATION/issuanceConfigs/myissuanceConfig
  state: ACTIVE
name: projects/myproject/locations/LOCATION/certificates/mycertificate
pemCertificate: |
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----
sanDnsnames:
  - myorg.example.com
updateTime: '2021-10-20T12:19:55.083385630Z'

For more troubleshooting steps, see Troubleshoot Certificate Manager.

Deploy the regional Google-managed certificate to a load balancer

To deploy the regional Google-managed certificate, attach it directly to the target proxy.

Attach the certificate directly to the target proxy

You can attach the certificate to a new target proxy or an existing target proxy.

To attach the certificate to a new target proxy, use the gcloud compute target-https-proxies create command:

gcloud compute target-https-proxies create PROXY_NAME \
    --certificate-manager-certificates=CERTIFICATE_NAME \
    --url-map=URL_MAP \
    --region=LOCATION

Replace the following:

  • PROXY_NAME: the name of the target proxy.
  • CERTIFICATE_NAME: the name of the certificate.
  • URL_MAP: the name of the URL map. You created the URL map when you created the load balancer.
  • LOCATION: the target Google Cloud location where you want to create the HTTPS target proxy.

To attach certificate to an existing target HTTPS proxy, use the gcloud compute target-https-proxies update command. If you don't know the name of the existing target proxy, go to the Target proxies page and note the name of the target proxy.

gcloud compute target-https-proxies update PROXY_NAME \
    --region=LOCATION \
    --certificate-manager-certificates=CERTIFICATE_NAME

After creating or updating the target proxy, run the following command to verify it:

gcloud compute target-https-proxies list

Troubleshooting certificates issued by CA Service

For troubleshooting steps, see Problems related to certificates issued by a CA Service instance.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, delete them.

  1. Delete the load balancer and its resources.

    See Clean up a load balancing setup.

  2. Delete the Google-managed certificate:

    Console

    1. In the Google Cloud console, go to the Certificate Manager page.

      Go to Certificate Manager

    2. On the Certificates tab, select the checkbox of the certificate.

    3. Click Delete.

    4. In the dialog that appears, click Delete to confirm.

    gcloud

    gcloud certificate-manager certificates delete CERTIFICATE_NAME \
        --location=LOCATION
    

    Replace the following:

    • CERTIFICATE_NAME: the name of the certificate.
    • LOCATION: the target Google Cloud location.
  3. Delete the certificate issuance configuration resource:

    Console

    1. In the Google Cloud console, go to the Certificate Manager page.

      Go to Certificate Manager

    2. On the Issuance Configs tab, select the checkbox of the issuance configuration resource.

    3. Click Delete.

    4. In the dialog that appears, click Delete to confirm.

    gcloud

    gcloud certificate-manager issuance-configs delete ISSUANCE_CONFIG_NAME \
        --location=LOCATION
    

    Replace the following:

    • ISSUANCE_CONFIG_NAME: the name of the certificate issuance configuration resource that references the target CA pool.
    • LOCATION: the target Google Cloud location.
  4. Delete the CA pool.

    To delete the CA pool, or to disable the last enabled CA in a CA pool referenced by a certificate issuance configuration, delete all certificate issuance configurations that reference the CA pool. For more information, see Delete a CA pool.

What's next