Deploy a regional Google-managed certificate


This tutorial describes how to use Certificate Manager to deploy a regional Google-managed certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer.

To deploy a certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer, attach the certificate directly to the target proxy.

Objectives

This tutorial shows you how to complete the following tasks:

  • Create a Google-managed certificate issued by a publicly trusted CA with DNS authorization by using Certificate Manager. To create a regional Google-managed certificate, you must use per-project DNS authorization.

  • Deploy the certificate to a supported load balancer by using a target HTTPS proxy.

For more information about the certificate deployment process, see Deployment overview.

Before you begin

  1. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  2. The Google Cloud CLI version 465.0.0 or later is required to deploy the certificate. To check your gcloud CLI version, run the following command:

    gcloud --version
    
  3. To update the gcloud CLI, run the following command:

    gcloud components update
    
  4. Make sure that you have the following roles to complete the tasks in this tutorial:

    • Certificate Manager Owner: Required to create and manage Certificate Manager resources.
    • Compute Load Balancer Admin or Compute Network Admin: Required to create and manage the HTTPS target proxy.
    • DNS Administrator: Required if you want to use Cloud DNS as your DNS solution.

    For more information, see the following:

Create a regional Google-managed certificate

Complete the steps in this section to create a DNS authorization and a Google-managed certificate that references that DNS authorization.

Create a DNS authorization

Create the DNS authorization as described in this section. If you're creating a DNS authorization for a wildcard certificate, such as *.myorg.example.com, configure the DNS authorization for the parent domain—for example, myorg.example.com.

gcloud

gcloud certificate-manager dns-authorizations create AUTHORIZATION_NAME \
    --domain="DOMAIN_NAME" \
    --type=PER_PROJECT_RECORD \
    --location="LOCATION"

gcloud certificate-manager dns-authorizations describe AUTHORIZATION_NAME \
    --location="LOCATION"

Replace the following:

  • AUTHORIZATION_NAME: the name of the DNS authorization.
  • DOMAIN_NAME: the name of the domain for which you are creating this DNS authorization. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • LOCATION: the location where you create the DNS authorization.

The describe command returns output like the following example. Add the CNAME record from this output (its name and data values) to your DNS configuration.

createTime: '2022-01-14T13:35:00.258409106Z'
dnsResourceRecord:
  data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.us-central1.authorize.certificatemanager.goog.
  name: _acme-challenge_ujmmovf2vn55tgye.myorg.example.com.
  type: CNAME
domain: myorg.example.com
name: projects/myProject/locations/us-central1/dnsAuthorizations/myAuthorization
updateTime: '2022-01-14T13:35:01.571086137Z'

Add the CNAME record to your DNS configuration

If you're using Google Cloud to manage your DNS, complete the steps in this section. Otherwise, consult the documentation for your third-party DNS solution.

Before completing the steps in this section, make sure you have created a public DNS zone.

When you create a DNS authorization, the gcloud CLI command returns the corresponding CNAME record. You must add this CNAME record to your DNS configuration in the DNS zone of the target domain as follows:

gcloud

  1. Initiate the DNS record transaction:

    gcloud dns record-sets transaction start --zone="DNS_ZONE_NAME"
    

    Replace DNS_ZONE_NAME with the name of the target DNS zone.

  2. Add the CNAME record to the target DNS zone:

    gcloud dns record-sets transaction add CNAME_RECORD_DATA \
      --name="CNAME_RECORD_NAME" \
      --ttl="30" \
      --type="CNAME" \
      --zone="DNS_ZONE_NAME"
    

    Replace the following:

    • CNAME_RECORD_DATA: the full data value of the CNAME record returned by the gcloud CLI command that created the corresponding DNS authorization.
    • CNAME_RECORD_NAME: the full name value of the CNAME record returned by the gcloud CLI command that created the corresponding DNS authorization.
    • DNS_ZONE_NAME: the name of the target DNS zone.

    See the following example:

    gcloud dns record-sets transaction add 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.us-central1.authorize.certificatemanager.goog. \
      --name="_acme-challenge_ujmmovf2vn55tgye.myorg.example.com" \
      --ttl="30" \
      --type="CNAME" \
      --zone="example-com"
    
  3. Run the DNS record transaction to save your changes:

    gcloud dns record-sets transaction execute --zone="DNS_ZONE_NAME"
    

    Replace DNS_ZONE_NAME with the name of the target DNS zone.
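The values in the transaction above are easy to get wrong by hand: a record added to the wrong zone, a pasted value that lost its trailing dot, or a CNAME target that is not the Certificate Manager authorization endpoint, any of which leaves the certificate stuck waiting for authorization. The following shell script is an added example, not part of this tutorial or of the gcloud CLI. It parses the `dns-authorizations describe` output shown earlier, derives the authorization domain for a wildcard request, validates the record, and prints the matching `gcloud dns record-sets transaction add` command. The embedded describe output is constructed to match the tutorial's example; `authorization_domain_for`, `record_field`, `validate_cname`, `cname_add_command` and `verify_live_cname` are this example's own function names, and the last one needs network access and `dig`, so it is not exercised offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of the gcloud CLI: parse the
# output of `gcloud certificate-manager dns-authorizations describe`, check the
# CNAME record it reports, and emit the matching transaction-add command.

# Constructed sample of the describe output (same shape as the tutorial's example).
SAMPLE_DESCRIBE_OUTPUT=$(cat <<'EOF'
createTime: '2022-01-14T13:35:00.258409106Z'
dnsResourceRecord:
  data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.us-central1.authorize.certificatemanager.goog.
  name: _acme-challenge_ujmmovf2vn55tgye.myorg.example.com.
  type: CNAME
domain: myorg.example.com
name: projects/myProject/locations/us-central1/dnsAuthorizations/myAuthorization
updateTime: '2022-01-14T13:35:01.571086137Z'
EOF
)

# authorization_domain_for DOMAIN: the domain the DNS authorization is created
# for. A wildcard request (*.myorg.example.com) is authorized through its parent
# domain (myorg.example.com); any other name is used unchanged.
authorization_domain_for() {
  printf '%s\n' "${1#\*.}"
}

# record_field FIELD < describe-output: value of dnsResourceRecord.FIELD. Only
# the indented lines directly under dnsResourceRecord are considered, so the
# top-level "name:" (the authorization resource) is never picked up by mistake.
record_field() {
  awk -v key="$1" '
    /^dnsResourceRecord:/     { in_rec = 1; next }
    in_rec && /^[^ ]/         { in_rec = 0 }
    in_rec && $1 == (key ":") { print $2; exit }
  '
}

# validate_cname NAME DATA DOMAIN: succeed only when NAME is an _acme-challenge
# record under DOMAIN and DATA points at the Certificate Manager authorization
# endpoint. Catches a record pasted into the wrong zone, a lost trailing dot,
# or a target that is not Certificate Manager's.
validate_cname() {
  name=$1; data=$2; domain=$3
  case "$name" in
    _acme-challenge*."$domain".) ;;
    *) echo "record name '$name' is not an _acme-challenge name under ${domain}." >&2; return 1 ;;
  esac
  case "$data" in
    *.authorize.certificatemanager.goog.) ;;
    *) echo "record data '$data' does not end in .authorize.certificatemanager.goog." >&2; return 1 ;;
  esac
  return 0
}

# cname_add_command ZONE < describe-output: validate the parsed record, then
# print the exact `gcloud dns record-sets transaction add` invocation for it,
# so the values are never retyped by hand.
cname_add_command() {
  zone=$1
  out=$(cat)
  rec_name=$(printf '%s\n' "$out" | record_field name)
  rec_data=$(printf '%s\n' "$out" | record_field data)
  auth_domain=$(printf '%s\n' "$out" | awk '$1 == "domain:" { print $2; exit }')
  validate_cname "$rec_name" "$rec_data" "$auth_domain" || return 1
  printf 'gcloud dns record-sets transaction add %s --name="%s" --ttl="30" --type="CNAME" --zone="%s"\n' \
    "$rec_data" "$rec_name" "$zone"
}

# verify_live_cname NAME DATA: compare what public DNS currently returns with
# the expected target. Needs network access and dig, so it is not run offline.
verify_live_cname() {
  observed=$(dig +short CNAME "$1" 2>/dev/null | head -n 1)
  [ "$observed" = "$2" ]
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_DESCRIBE_OUTPUT" | cname_add_command example-com
authorization_domain_for '*.myorg.example.com'
```

To use it for real, pipe the output of `gcloud certificate-manager dns-authorizations describe` into `cname_add_command` instead of the embedded sample, and call `verify_live_cname` with the record's name and data after `transaction execute` to confirm that public resolvers see the record before the certificate tries to validate.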

Create a regional Google-managed certificate referencing the DNS authorization

To create a Google-managed certificate that references the DNS authorization you created in the preceding steps, do the following:

gcloud

Run the following command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
   --domains=DOMAIN_NAME \
   --dns-authorizations=AUTHORIZATION_NAME \
   --location=LOCATION

Replace the following:

  • CERTIFICATE_NAME: a unique name of the certificate.
  • DOMAIN_NAME: the target domain of the certificate. The asterisk dot prefix (*.) signifies a wildcard certificate. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • AUTHORIZATION_NAME: the name of the DNS authorization you created for this certificate.
  • LOCATION: the location where you create the Google-managed certificate.

To create a Google-managed certificate with a wildcard domain name, use the following command. A wildcard domain name certificate covers all first-level subdomains of a given domain.

gcloud certificate-manager certificates create CERTIFICATE_NAME \
   --domains="*.DOMAIN_NAME,DOMAIN_NAME" \
   --dns-authorizations=AUTHORIZATION_NAME \
   --location=LOCATION

Replace the following:

  • CERTIFICATE_NAME: a unique name of the certificate.
  • DOMAIN_NAME: the target domain of the certificate. The *. prefix signifies a wildcard certificate. The domain name must be a fully qualified domain name, such as myorg.example.com.
  • AUTHORIZATION_NAME: the name of the DNS authorization that you created for this certificate.
  • LOCATION: the location where you create the Google-managed certificate.

Verify that the certificate is active

Use the following command to verify that the certificate itself is active before deploying it to your load balancer. It can take up to several hours for the certificate state to change to ACTIVE.

gcloud certificate-manager certificates describe CERTIFICATE_NAME \
    --location=LOCATION

Replace the following:

  • CERTIFICATE_NAME: a unique name of the certificate.
  • LOCATION: the location where you created the Google-managed certificate.

The output is similar to the following:

certificatePem: myPEM
createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
  authorizationAttemptInfo:
  - domain: myorg.example.com
    state: AUTHORIZED
  dnsAuthorizations:
  - projects/my-project/locations/us-central1/dnsAuthorizations/myAuth
  domains:
  - myorg.example.com
  state: ACTIVE
name: projects/myProject/locations/us-central1/certificates/myCert
scope: myScope
sanDnsnames:
- myorg.example.com
updateTime: '2021-10-20T12:19:55.083385630Z'
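Because the certificate can stay non-ACTIVE for hours after `create` returns, an automated deployment should gate the target proxy update on `managed.state` in this output rather than on the create command succeeding. The script below is an added example, not part of this tutorial or of the gcloud CLI: it reads the `describe` output shown above, reports the state and any domain whose authorization attempt is not AUTHORIZED, and wraps that check in a polling loop. Both embedded samples are constructed; the PROVISIONING and AUTHORIZING values in the pending sample are assumed state names for this illustration (the tutorial only shows ACTIVE and AUTHORIZED), and `managed_state`, `unauthorized_domains`, `certificate_ready` and `wait_for_certificate` are this example's own function names. The last one calls gcloud and is not exercised offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of the gcloud CLI: decide from the
# `certificates describe` output whether the certificate may be attached to the
# load balancer yet, and poll until it may.

# Constructed sample: an active certificate, in the shape shown in the tutorial.
SAMPLE_ACTIVE=$(cat <<'EOF'
certificatePem: myPEM
createTime: '2021-10-20T12:19:53.370778666Z'
expireTime: '2022-05-07T05:03:49Z'
managed:
  authorizationAttemptInfo:
  - domain: myorg.example.com
    state: AUTHORIZED
  dnsAuthorizations:
  - projects/my-project/locations/us-central1/dnsAuthorizations/myAuth
  domains:
  - myorg.example.com
  state: ACTIVE
name: projects/myProject/locations/us-central1/certificates/myCert
EOF
)

# Constructed sample: the same certificate while the CNAME record is still not
# visible to the CA. PROVISIONING and AUTHORIZING are assumed state names for
# this illustration; the tutorial only shows ACTIVE and AUTHORIZED.
SAMPLE_PENDING=$(cat <<'EOF'
managed:
  authorizationAttemptInfo:
  - domain: myorg.example.com
    state: AUTHORIZING
  domains:
  - myorg.example.com
  state: PROVISIONING
name: projects/myProject/locations/us-central1/certificates/myCert
EOF
)

# managed_state < describe-output: value of managed.state. Only a "state:" line
# indented by exactly two spaces matches, so the per-domain "state:" lines
# nested deeper under authorizationAttemptInfo are not mistaken for it.
managed_state() {
  awk '/^managed:/          { in_m = 1; next }
       in_m && /^[^ ]/      { in_m = 0 }
       in_m && /^  state: / { print $2; exit }'
}

# unauthorized_domains < describe-output: domains whose authorization attempt
# is in any state other than AUTHORIZED, one per line (empty when all are).
unauthorized_domains() {
  awk '/^  - domain: / { d = $3 }
       /^    state: /  { if ($2 != "AUTHORIZED") print d }'
}

# certificate_ready < describe-output: succeed only when managed.state is
# ACTIVE; otherwise report the state and the domains still blocking it.
certificate_ready() {
  out=$(cat)
  state=$(printf '%s\n' "$out" | managed_state)
  [ "$state" = "ACTIVE" ] && return 0
  echo "certificate state is '${state:-unknown}', not ACTIVE" >&2
  printf '%s\n' "$out" | unauthorized_domains |
    sed 's/^/  authorization not complete for: /' >&2
  return 1
}

# wait_for_certificate NAME LOCATION [TIMEOUT_SECONDS]: poll gcloud once a
# minute until certificate_ready succeeds or the timeout (default 1 hour)
# expires. Calls gcloud, so it is not exercised offline.
wait_for_certificate() {
  deadline=$(( $(date +%s) + ${3:-3600} ))
  while :; do
    if gcloud certificate-manager certificates describe "$1" --location="$2" 2>/dev/null |
         certificate_ready 2>/dev/null; then
      return 0
    fi
    [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out waiting for $1 to become ACTIVE" >&2; return 1; }
    sleep 60
  done
}

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_ACTIVE" | certificate_ready && echo "active: safe to attach to the target proxy"
printf '%s\n' "$SAMPLE_PENDING" | certificate_ready || echo "not active yet: keep waiting"
```

In a pipeline, run `wait_for_certificate CERTIFICATE_NAME LOCATION` between the certificate creation and the `target-https-proxies update` step; a non-zero exit stops the deployment and the stderr lines name the domain whose CNAME record still needs attention.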

Deploy the certificate to a load balancer

To deploy the Google-managed certificate to a load balancer, complete the following steps.

Before you proceed with the tasks in this section, make sure you have completed the tasks listed in the Create a regional Google-managed certificate section.

To deploy a regional Google-managed certificate to a regional external Application Load Balancer or regional internal Application Load Balancer, deploy the certificate by attaching it directly to the target proxy.

Attach the certificate directly to the target proxy

To attach the certificate directly to the proxy, run the following command:

gcloud compute target-https-proxies update PROXY_NAME \
    --url-map=URL_MAP \
    --region=REGION \
    --certificate-manager-certificates=CERTIFICATE_NAME

Replace the following:

  • PROXY_NAME: a unique name of the proxy.
  • URL_MAP: the name of the URL map you created when you created the load balancer.
  • REGION: the region in which the HTTPS target proxy was created.
  • CERTIFICATE_NAME: the name of the certificate.

Clean up

To revert the changes you have made in this tutorial, complete the following steps:

  1. Delete the Google-managed certificate:

    gcloud certificate-manager certificates delete CERTIFICATE_NAME \
        --location=LOCATION

    Replace the following:

    • CERTIFICATE_NAME: the name of the certificate.
    • LOCATION: the location where you created the Google-managed certificate.

  2. Delete the DNS authorization:

    gcloud certificate-manager dns-authorizations delete AUTHORIZATION_NAME \
        --location=LOCATION

    Replace the following:

    • AUTHORIZATION_NAME: the name of the DNS authorization.
    • LOCATION: the location where you created the DNS authorization.

What's next