This tutorial describes how to use Certificate Manager to deploy a global self-managed certificate.
The following load balancers support global self-managed certificates:
- Global external Application Load Balancer
- Classic Application Load Balancer
- Global external proxy Network Load Balancer
- Cross-region internal Application Load Balancer
To deploy a self-managed certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer, see Deploy a regional self-managed certificate.
Objectives
This tutorial shows you how to complete the following tasks:
- Upload a self-managed certificate to Certificate Manager.
- Deploy the certificate to a supported load balancer using a target HTTPS proxy.
For more information about the certificate deployment process, see Deployment overview.
Before you begin
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that you have the following roles to complete the tasks in this tutorial:
- Certificate Manager Owner: Required to create and manage Certificate Manager resources.
- Compute Load Balancer Admin or Compute Network Admin: Required to create and manage HTTPS target proxy.
For more information, see the following:
- Roles and permissions for Certificate Manager
- Compute Engine IAM roles and permissions for Compute Engine
Create the load balancer
Create the load balancer where you want to deploy the certificate.
To create a global external Application Load Balancer, see Set up a global external Application Load Balancer with VM instance group backends.
To create a Classic Application Load Balancer, see Set up a Classic Application Load Balancer with a managed instance group backends.
To create a Global external proxy Network Load Balancer (SSL proxy), see Set up a global external proxy Network Load Balancer (SSL proxy) with VM instance group backends.
To create a Global external proxy Network Load Balancer (TCP proxy), see Set up a global external proxy Network Load Balancer (TCP proxy) with VM instance group backends.
To create a Cross-region internal Application Load Balancer, see Set up a Cross-region internal Application Load Balancer with VM instance group backends.
The rest of this tutorial assumes that you have already configured the load balancer's backends, health check, backend service, and URL map. Note the name of the URL map because you need it later in this tutorial.
Create a private key and certificate
To create a private key and a certificate, do the following:
Use a trusted third-party certificate authority (CA) to issue the certificate along with its associated key.
Verify that the certificate is properly chained and root-trusted.
Prepare the following PEM-encoded files:
- The certificate file (CRT)
- The corresponding private key file (KEY)
For information about how to request and validate a certificate, see Create a private key and certificate.
Upload a self-managed certificate to Certificate Manager
To upload the certificate to Certificate Manager, do the following:
For a Global external Application Load Balancer, a Classic Application Load Balancer, or a Global external proxy Network Load Balancer:
Run the following command:
gcloud certificate-manager certificates create CERTIFICATE_NAME \
--certificate-file="CERTIFICATE_FILE" \
--private-key-file="PRIVATE_KEY_FILE"
Replace the following:
CERTIFICATE_NAME: the unique name of the certificateCERTIFICATE_FILE: the path and filename of the CRT certificate filePRIVATE_KEY_FILE: the path and filename of the KEY private key file
For a Cross-region internal Application Load Balancer:
Run the following command:
gcloud certificate-manager certificates create CERTIFICATE_NAME \
--certificate-file="CERTIFICATE_FILE" \
--private-key-file="PRIVATE_KEY_FILE" \
--scope=all-regions
Replace the following:
CERTIFICATE_NAME: the unique name of the certificateCERTIFICATE_FILE: the path and filename of the CRT certificate filePRIVATE_KEY_FILE: the path and filename of the KEY private key file
Deploy the self-managed certificate to a load balancer
The following sections describe how to deploy the self-managed certificate that you uploaded to Certificate Manager to a load balancer.
Depending on the load balancer type, you can deploy certificates as follows:
- For the following load balancers, deploy the certificate using a certificate map:
- Global external Application Load Balancer
- Global external proxy Network Load Balancer
- Classic Application Load Balancer
- For the Cross-region internal Application Load Balancer, deploy the certificate by attaching it directly to the target proxy.
Deploy the certificate using a certificate map
This section describes the steps to deploy a certificate using a certificate map.
Create a certificate map
Create a certificate map that references the certificate map entry associated with your certificate:
gcloud certificate-manager maps create CERTIFICATE_MAP_NAME
Replace CERTIFICATE_MAP_NAME with the name of the target certificate map.
Create a certificate map entry
Create a certificate map entry, and associate it with your self-managed certificate and certificate map:
gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
--map="CERTIFICATE_MAP_NAME" \
--certificates="CERTIFICATE_NAME" \
--hostname="HOSTNAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME: a unique name of the certificate map entryCERTIFICATE_MAP_NAME: the certificate map name that the certificate map entry is attached toCERTIFICATE_NAME: the certificate name that you want to associate with the certificate map entryHOSTNAME: the hostname that you want to associate with the certificate map entry
Verify that the certificate map entry is active
Before you attach the certificate map to the target proxy, run the following command to verify whether the certificate map entry is active:
gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
--map="CERTIFICATE_MAP_NAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME: a unique name of the certificate map entryCERTIFICATE_MAP_NAME: the certificate map name that the certificate map entry is attached to
If the certificate map entry is active, the Google Cloud CLI returns output similar to the following:
createTime: '2021-09-06T10:01:56.229472109Z' name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry state: ACTIVE updateTime: '2021-09-06T10:01:58.277031787Z'
Create the HTTPS target proxy
To create an HTTPS target proxy, see Create a target proxy.
Attach the certificate map to the target proxy
To attach the configured certificate map to the target proxy, follow these steps:
In the Google Cloud console, go to the Target proxies page.
Note the name of the target proxy.
To attach the certificate map to the target proxy, run the following command:
gcloud compute target-https-proxies update PROXY_NAME \ --certificate-map="CERTIFICATE_MAP_NAME"
Replace the following:
PROXY_NAME: the name of the target proxyCERTIFICATE_MAP_NAME: the name of the certificate map that references your certificate map entry and its associated certificate
If any TLS (SSL) certificates are attached directly to the proxy, the proxy gives preference to the certificates referenced by the certificate map over directly attached certificates.
Create a forwarding rule
Set up a forwarding rule and finish setting up the load balancer. For more information, see Use forwarding rules.
Attach the certificate directly to the target proxy
To attach the certificate directly to the proxy, run the following command:
gcloud compute target-https-proxies update PROXY_NAME \
--url-map=URL_MAP \
--global \
--certificate-manager-certificates=CERTIFICATE_NAME
Replace the following:
PROXY_NAME: a unique name of the proxy.URL_MAP: the name of the URL map. You created the URL map when you created the load balancer.CERTIFICATE_NAME: the name of the certificate.
Clean up
To revert the changes that you have made in this tutorial, complete the following steps:
Detach the certificate map from the proxy:
gcloud compute target-https-proxies update PROXY_NAME \ --clear-certificate-map
Replace
PROXY_NAMEwith the name of the target proxy.Before you detach the certificate map from the proxy, note the following:
- Make sure that at least one TLS (SSL) certificate is directly attached to the proxy. If no certificates are attached to the proxy, you can't detach the certificate map.
- Detaching the certificate map from a proxy enables the proxy to resume using TLS (SSL) certificates that were directly attached to the proxy.
Delete the certificate map entry from the certificate map:
gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \ --map="CERTIFICATE_MAP_NAME"
Replace the following:
CERTIFICATE_MAP_ENTRY_NAME: the name of the target certificate map entryCERTIFICATE_MAP_NAME: the name of the target certificate map
Delete the certificate map:
gcloud certificate-manager maps delete CERTIFICATE_MAP_NAME
Replace
CERTIFICATE_MAP_NAMEwith the name of the target certificate map.Delete the uploaded certificate:
gcloud certificate-manager certificates delete CERTIFICATE_NAME
Replace
CERTIFICATE_NAMEwith the name of the target certificate.