This tutorial walks you through the certificate deployment process using a Google-managed certificate with DNS authorization as an example.
For a comparison of the supported types of domain authorization, see Domain authorization.
If you want to migrate an existing certificate to Certificate Manager, follow the steps in Migrate certificates to Certificate Manager instead.
Objectives
- Create a Google-managed certificate issued by a publicly trusted CA with DNS authorization using Certificate Manager.
- Deploy the certificate to a classic external HTTP(S) load balancer using a target HTTPS proxy.
For more information about the certificate deployment process, see Deployment overview.
Before you begin
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that you have the following roles to complete the tasks in this tutorial:
- Certificate Manager Owner
- Cloud DNS Administrator (if using Cloud DNS as your DNS solution)
- Compute Load Balancer Admin
For more information, see the following:
- Roles and permissions for Certificate Manager
- Access control with IAM for Cloud DNS
- Compute Engine IAM roles and permissions for Compute Engine
Create a Google-managed certificate with DNS authorization
Complete the steps in this section to create a DNS authorization and a Google-managed certificate that references that DNS authorization.
Create a DNS authorization
Before completing the steps in this section, make sure you have created a public DNS zone.
Create the DNS authorization as follows:
gcloud
gcloud certificate-manager dns-authorizations create AUTHORIZATION_NAME \ --domain="DOMAIN_NAME" gcloud certificate-manager dns-authorizations describe AUTHORIZATION_NAME
Replace the following:
AUTHORIZATION_NAME
is a unique name that describes this DNS authorization.DOMAIN_NAME
is the name of the domain for which you are creating this DNS authorization.
This command returns the CNAME record that you must add to your DNS configuration. For example:
createTime: '2022-01-14T13:35:00.258409106Z'
dnsResourceRecord:
data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog.
name: _acme-challenge.example.com.
type: CNAME
domain: example.com
name: projects/myProject/locations/global/dnsAuthorizations/myAuthorization
updateTime: '2022-01-14T13:35:01.571086137Z'
Terraform
To create a DNS authorization, you can use a google_certificate_manager_dns_authorization
resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the CNAME record to your DNS configuration
When you create a DNS authorization, the gloud
command returns the
corresponding CNAME record. You must add this CNAME record to your DNS
configuration in the DNS zone of the target domain as follows:
gcloud
Initiate the DNS record transaction:
gcloud dns record-sets transaction start --zone="DNS_ZONE_NAME"
Replace the following:
DNS_ZONE_NAME
is the name of the target DNS zone.
Add the CNAME record to the target DNS zone:
gcloud dns record-sets transaction add CNAME_RECORD \ --name="_acme-challenge.DOMAIN_NAME." \ --ttl="30" \ --type="CNAME" \ --zone="DNS_ZONE_NAME"
Replace the following:
CNAME_RECORD
is the full value of the CNAME record returned by thegcloud
command that created the corresponding DNS authorization.DOMAIN_NAME
is the name of the target domain. You must include the trailing period after the target domain name.DNS_ZONE_NAME
is the name of the target DNS zone.
Execute the DNS record transaction to save your changes:
gcloud dns record-sets transaction execute --zone="DNS_ZONE_NAME"
Replace
DNS_ZONE_NAME
with the name of the target DNS zone.
Terraform
To add the CNAME record to your DNS configuration, you can use a google_dns_record_set
resource.
Create a Google-managed certificate referencing the DNS authorization
To create a Google-managed certificate that references the DNS authorization you created in the previous steps, do the following:
gcloud
gcloud certificate-manager certificates create CERTIFICATE_NAME \ --domains=DOMAIN_NAME --dns-authorizations=AUTHORIZATION_NAME
Replace the following:
CERTIFICATE_NAME
is a unique name that describes this certificate.DOMAIN_NAME
is the target domain for this certificate.AUTHORIZATION_NAME
is the name of the DNS authorization you created for this certificate.
Terraform
Verify that the certificate is active
Use the following command to verify that the certificate itself is active before
deploying it to your load balancer. It can take up to several hours for the
certificate state to change to ACTIVE
.
gcloud certificate-manager certificates describe CERTIFICATE_NAME
Replace CERTIFICATE_NAME
with the name of the target
Google-managed certificate.
The gcloud
tool returns output similar to the following:
certificatePem: myPEM
createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
authorizationAttemptInfo:
- domain: example.com
state: AUTHORIZED
dnsAuthorizations:
- projects/my-project/locations/global/dnsAuthorizations/myAuth
domains:
- example.com
state: ACTIVE
name: projects/myProject/locations/global/certificates/myCert
scope: myScope
sanDnsnames:
- example.com
updateTime: '2021-10-20T12:19:55.083385630Z'
Deploy the certificate to a load balancer
Complete the steps in this section to deploy the Google-managed certificate you created in the previous steps to a load balancer.
Create a certificate map
Create a certificate map that references the certificate map entry associated with your certificate:
gcloud
gcloud certificate-manager maps create CERTIFICATE_MAP_NAME
Replace CERTIFICATE_MAP_NAME
with the name of the target certificate map.
Terraform
To create a certificate map, you can use a google_certificate_manager_certificate_map
resource.
Create a certificate map entry
Create a certificate map entry and associate it with your certificate as well as your certificate map:
gcloud
gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \ --map="CERTIFICATE_MAP_NAME" \ --certificates="CERTIFICATE_NAME" \ --hostname="HOSTNAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME
is a unique name that describes this certificate map entry.CERTIFICATE_MAP_NAME
is the name of the certificate map to which this certificate map entry attaches.CERTIFICATE_NAME
is the name of the certificate you want to associate with this certificate map entry.HOSTNAME
is the hostname that you want to associate with this certificate map entry.
Terraform
To create a certificate map entry, you can use a google_certificate_manager_certificate_map_entry
resource.
Verify that the certificate map entry is active
Use the following command to verify that the certificate map entry is active before attaching its corresponding certificate map to the target proxy:
gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \ --map="CERTIFICATE_MAP_NAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME
is the name of the target certificate map entry.CERTIFICATE_MAP_NAME
is the name of the certificate map to which this certificate map entry attaches.
The gcloud
tool returns output similar to the following:
createTime: '2021-09-06T10:01:56.229472109Z'
name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry
state: ACTIVE
updateTime: '2021-09-06T10:01:58.277031787Z'
Attach the certificate map to the target proxy
Attach the configured certificate map to the desired target proxy:
gcloud
In the Google Cloud console, go to the Target proxies page.
Note the name of the target proxy.
Attach the certificate map to the target proxy:
gcloud compute target-https-proxies update PROXY_NAME \ --certificate-map="CERTIFICATE_MAP_NAME"
Replace the following:
PROXY_NAME
is the name of the target proxy.CERTIFICATE_MAP_NAME
is the name of the certificate map referencing your certificate map entry and its associated certificate.
Terraform
To attach the certificate map to the target proxy, you can use a google_compute_target_https_proxy
resource.
If there are any existing TLS (SSL) certificates attached directly to the proxy, the proxy gives preference to the certificates referenced by the certificate map over the directly attached TLS (SSL) certificates.
Clean up
To revert the changes you have made in this tutorial, complete the following steps:
Detach the certificate map from the proxy:
gcloud compute target-https-proxies update PROXY_NAME \ --clear-certificate-map
Replace
PROXY_NAME
with the name of the target proxy.Keep the following in mind:
- If there were any TLS (SSL) certificates attached directly to the proxy, detaching the certificate map causes the proxy to resume using those directly attached TLS (SSL) certificates.
- If there were no TLS (SSL) certificates attached directly to the proxy, the certificate map cannot be detached from the proxy. You must first attach at least one TLS (SSL) certificate directly to the proxy before you can detach the certificate map.
Delete the certificate map entry from the certificate map:
gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \ --map="CERTIFICATE_MAP_NAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME
with the name of the target certificate map entry.CERTIFICATE_MAP_NAME
with the name of the target certificate map.
Delete the certificate map:
gcloud certificate-manager maps delete CERTIFICATE_MAP_NAME
Replace
CERTIFICATE_MAP_NAME
with the name of the target certificate map.Delete the Google-managed certificate:
gcloud certificate-manager certificates delete CERTIFICATE_NAME
Replace
CERTIFICATE_NAME
with the name of the target certificate.Delete the DNS authorization:
gcloud certificate-manager dns-authorizations delete AUTHORIZATION_NAME
Replace
AUTHORIZATION_NAME
with the name of the target DNS authorization.
What's next
- Deploy a Google-managed certificate with load balancer authorization (tutorial)
- Deploy a Google-managed certificate with CA Service (tutorial)
- Deploy a Google-managed certificate with CA Service (tutorial)
- Deploy a self-managed certificate (tutorial)
- Migrate a certificate to Certificate Manager
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations
- Manage certificate issuance configs