Deploy a Google-managed certificate with DNS authorization

Create a Google-managed certificate with DNS authorization

Complete the steps in this section to create a DNS authorization and a Google-managed certificate that references that DNS authorization.

Create a DNS authorization

Before completing the steps in this section, make sure you have created a public DNS zone.

Create the DNS authorization as follows:

gcloud certificate-manager dns-authorizations create AUTHORIZATION_NAME \
  --domain="DOMAIN_NAME"
gcloud certificate-manager dns-authorizations describe AUTHORIZATION_NAME

createTime: '2022-01-14T13:35:00.258409106Z'
dnsResourceRecord:
data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog.
name: _acme-challenge.example.com.
type: CNAME
domain: example.com
name: projects/myProject/locations/global/dnsAuthorizations/myAuthorization
updateTime: '2022-01-14T13:35:01.571086137Z'

resource "google_certificate_manager_dns_authorization" "default" {
  name        = "${local.name}-dnsauth-${random_id.tf_prefix.hex}"
  description = "The default dns auth"
  domain      = local.domain
  labels = {
    "terraform" : true
  }
}

Add the CNAME record to your DNS configuration

When you create a DNS authorization, the gloud command returns the corresponding CNAME record. You must add this CNAME record to your DNS configuration in the DNS zone of the target domain as follows:

resource "google_dns_record_set" "cname" {
  name         = google_certificate_manager_dns_authorization.default.dns_resource_record[0].name
  managed_zone = google_dns_managed_zone.default.name
  type         = google_certificate_manager_dns_authorization.default.dns_resource_record[0].type
  ttl          = 300
  rrdatas      = [google_certificate_manager_dns_authorization.default.dns_resource_record[0].data]
}

Create a Google-managed certificate referencing the DNS authorization

To create a Google-managed certificate that references the DNS authorization you created in the previous steps, do the following:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
  --domains=DOMAIN_NAME --dns-authorizations=AUTHORIZATION_NAME

resource "google_certificate_manager_certificate" "root_cert" {
  name        = "${local.name}-rootcert-${random_id.tf_prefix.hex}"
  description = "The wildcard cert"
  managed {
    domains = [local.domain, "*.${local.domain}"]
    dns_authorizations = [
      google_certificate_manager_dns_authorization.default.id
    ]
  }
  labels = {
    "terraform" : true
  }
}

Verify that the certificate is active

Use the following command to verify that the certificate itself is active before deploying it to your load balancer. It can take up to several hours for the certificate state to change to ACTIVE.

gcloud certificate-manager certificates describe CERTIFICATE_NAME

Replace CERTIFICATE_NAME with the name of the target Google-managed certificate.

The gcloud tool returns output similar to the following:

certificatePem: myPEM
createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
  authorizationAttemptInfo:
  - domain: example.com
    state: AUTHORIZED
  dnsAuthorizations:
  - projects/my-project/locations/global/dnsAuthorizations/myAuth
  domains:
  - example.com
  state: ACTIVE
name: projects/myProject/locations/global/certificates/myCert
scope: myScope
sanDnsnames:
- example.com
updateTime: '2021-10-20T12:19:55.083385630Z'

Deploy the certificate to a load balancer

Complete the steps in this section to deploy the Google-managed certificate you created in the previous steps to a load balancer.

Create a certificate map

Create a certificate map that references the certificate map entry associated with your certificate:

gcloud certificate-manager maps create CERTIFICATE_MAP_NAME

resource "google_certificate_manager_certificate_map" "certificate_map" {
  name        = "${local.name}-certmap-${random_id.tf_prefix.hex}"
  description = "${local.domain} certificate map"
  labels = {
    "terraform" : true
  }
}

Create a certificate map entry

Create a certificate map entry and associate it with your certificate as well as your certificate map:

gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
  --map="CERTIFICATE_MAP_NAME" \
  --certificates="CERTIFICATE_NAME" \
  --hostname="HOSTNAME"

resource "google_certificate_manager_certificate_map_entry" "first_entry" {
  name        = "${local.name}-first-entry-${random_id.tf_prefix.hex}"
  description = "example certificate map entry"
  map         = google_certificate_manager_certificate_map.certificate_map.name
  labels = {
    "terraform" : true
  }
  certificates = [google_certificate_manager_certificate.root_cert.id]
  hostname     = local.domain
}

Verify that the certificate map entry is active

Use the following command to verify that the certificate map entry is active before attaching its corresponding certificate map to the target proxy:

gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

Replace the following:

• CERTIFICATE_MAP_ENTRY_NAME is the name of the target certificate map entry.
• CERTIFICATE_MAP_NAME is the name of the certificate map to which this certificate map entry attaches.

The gcloud tool returns output similar to the following:

 createTime: '2021-09-06T10:01:56.229472109Z'
 name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry
 state: ACTIVE
 updateTime: '2021-09-06T10:01:58.277031787Z'

Attach the certificate map to the target proxy

Attach the configured certificate map to the desired target proxy:

If there are any existing TLS (SSL) certificates attached directly to the proxy, the proxy gives preference to the certificates referenced by the certificate map over the directly attached TLS (SSL) certificates.

Clean up

To revert the changes you have made in this tutorial, complete the following steps:

1. Detach the certificate map from the proxy:

   gcloud compute target-https-proxies update PROXY_NAME \
      --clear-certificate-map
   

   Replace PROXY_NAME with the name of the target proxy.

   Keep the following in mind:

   • If there were any TLS (SSL) certificates attached directly to the proxy, detaching the certificate map causes the proxy to resume using those directly attached TLS (SSL) certificates.
   • If there were no TLS (SSL) certificates attached directly to the proxy, the certificate map cannot be detached from the proxy. You must first attach at least one TLS (SSL) certificate directly to the proxy before you can detach the certificate map.

2. Delete the certificate map entry from the certificate map:

   gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \
     --map="CERTIFICATE_MAP_NAME"
   

   Replace the following:

   • CERTIFICATE_MAP_ENTRY_NAME with the name of the target certificate map entry.
   • CERTIFICATE_MAP_NAME with the name of the target certificate map.

3. Delete the certificate map:

   gcloud certificate-manager maps delete CERTIFICATE_MAP_NAME
   

   Replace CERTIFICATE_MAP_NAME with the name of the target certificate map.

4. Delete the Google-managed certificate:

   gcloud certificate-manager certificates delete CERTIFICATE_NAME
   

   Replace CERTIFICATE_NAME with the name of the target certificate.

5. Delete the DNS authorization:

   gcloud certificate-manager dns-authorizations delete AUTHORIZATION_NAME
   

   Replace AUTHORIZATION_NAME with the name of the target DNS authorization.