Deploy a global self-managed certificate

This tutorial shows you how to use Certificate Manager to deploy a global self-managed certificate.

The following load balancers support global self-managed certificates:

  • Global external Application Load Balancer
  • Classic Application Load Balancer
  • Global external proxy Network Load Balancer
  • Classic proxy Network Load Balancer

If you want to deploy to regional or cross-region load balancers, see the following:

Objectives

This tutorial shows you how to complete the following tasks:

  • Upload a self-managed certificate to Certificate Manager.
  • Deploy the certificate to a supported load balancer by using a target HTTPS proxy.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine, Certificate Manager APIs.

    Enable the APIs

  5. Install the Google Cloud CLI.

  6. To initialize the gcloud CLI, run the following command: 

    gcloud init

  7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  8. Make sure that billing is enabled for your Google Cloud project.

  9. Enable the Compute Engine, Certificate Manager APIs.

    Enable the APIs

  10. Install the Google Cloud CLI.

  11. To initialize the gcloud CLI, run the following command: 

    gcloud init

Required roles

Make sure that you have the following roles to complete the tasks in this tutorial:

  • Certificate Manager Owner (roles/certificatemanager.owner): Required to create and manage Certificate Manager resources.
  • Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) or Compute Network Admin (roles/compute.networkAdmin): Required to create and manage HTTPS target proxy.

For more information, see the following:

Create the load balancer

This tutorial assumes that you've already created and configured the load balancer's backends, health checks, backend services, and URL maps. If you've created an external Application Load Balancer, note the name of the URL map because you need it later in this tutorial.

If you haven't created the load balancer, see the following pages to create one:

Create a private key and certificate

To create a private key and a certificate, do the following:

  1. Use a trusted third-party certificate authority (CA) to issue the certificate along with its associated key.

  2. Verify that the certificate is properly chained and root-trusted.

  3. Prepare the following PEM-encoded files:

    • The certificate file (CRT)
    • The corresponding private key file (KEY)

For information about how to request and validate a certificate, see Create a private key and certificate.

Upload a self-managed certificate to Certificate Manager

To upload the certificate to Certificate Manager, do the following:

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the Certificates tab, click Add Certificate.

  3. In the Certificate name field, enter a unique name for the certificate.

  4. Optional: In the Description field, enter a description for the certificate. The description lets you identify the certificate.

  5. For Location, select Global.

  6. For Scope, select Default.

  7. For Certificate type, select Create self-managed certificate.

  8. For the Certificate field, do either of the following:

    • Click the Upload button and select your PEM-formatted certificate file.
    • Copy and paste the contents of a PEM-formatted certificate. The contents must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  9. For the Private key certificate field, do either of the following:

    • Click the Upload button and select your private key. Your private key must be PEM-formatted and not protected with a passphrase.
    • Copy and paste the contents of a PEM-formatted private key. The private keys must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.

  10. In the Labels field, specify labels to associate with the certificate. To add a label, click Add label, and specify a key and a value for your label.

  11. Click Create.

    The new certificate appears in the list of certificates.

gcloud

To create a global self-managed certificate, use the certificate-manager certificates create command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --certificate-file="CERTIFICATE_FILE" \
    --private-key-file="PRIVATE_KEY_FILE"

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • CERTIFICATE_FILE: the path and filename of the CRT certificate file.
  • PRIVATE_KEY_FILE: the path and filename of the KEY private key file.

Terraform

To upload a self-managed certificate, you can use a google_certificate_manager_certificate resource with the self_managed block.

API

Upload the certificate by making a POST request to the certificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/global/certificates?certificate_id=CERTIFICATE_NAME
{
  self_managed: {
    pem_certificate: "PEM_CERTIFICATE",
    pem_private_key: "PEM_KEY",
  }
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_NAME: the name of the certificate.
  • PEM_CERTIFICATE: the certificate PEM.
  • PEM_KEY: the key PEM.

Deploy the self-managed certificate to a load balancer

To deploy the global self-managed certificate, use a certificate map.

Create a certificate map

Create a certificate map that references the certificate map entry associated with your certificate:

gcloud

To create a certificate map, use the gcloud certificate-manager maps create command:

gcloud certificate-manager maps create CERTIFICATE_MAP_NAME

Replace CERTIFICATE_MAP_NAME with the name of the target certificate map.

Terraform

To create a certificate map, you can use a google_certificate_manager_certificate_map resource.

resource "google_certificate_manager_certificate_map" "certificate_map" {
  name        = "${local.name}-certmap-${random_id.tf_prefix.hex}"
  description = "${local.domain} certificate map"
  labels = {
    "terraform" : true
  }
}

Create a certificate map entry

Create a certificate map entry and associate it with your certificate and certificate map:

gcloud

To create a certificate map entry, use the gcloud certificate-manager maps entries create command:

gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME" \
    --certificates="CERTIFICATE_NAME" \
    --hostname="HOSTNAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry.

  • HOSTNAME: the hostname that you want to associate with the certificate map entry.

    If you are creating certificates with a wildcard domain, specify the hostname with a wildcard too, such as *.example.com.

Terraform

To create a certificate map entry, you can use a google_certificate_manager_certificate_map_entry resource.

resource "google_certificate_manager_certificate_map_entry" "first_entry" {
  name        = "${local.name}-first-entry-${random_id.tf_prefix.hex}"
  description = "example certificate map entry"
  map         = google_certificate_manager_certificate_map.certificate_map.name
  labels = {
    "terraform" : true
  }
  certificates = [google_certificate_manager_certificate.root_cert.id]
  hostname     = local.domain
}

Verify that the certificate map entry is active

Verify that the certificate map entry is active before attaching its corresponding certificate map to the target proxy.

To verify the certificate map entry, use the gcloud certificate-manager maps entries describe command:

gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry.

The output is similar to the following:

certificates:
createTime: '2021-09-06T10:01:56.229472109Z'
hostname: example.com
name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry
state: ACTIVE
updateTime: '2021-09-06T10:01:58.277031787Z'

Attach the certificate map to the target proxy

You can attach the certificate map to a new target proxy or an existing target proxy.

gcloud

To attach the certificate map to a new target proxy, use the gcloud compute target-https-proxies create command:

gcloud compute target-https-proxies create PROXY_NAME \
    --certificate-map="CERTIFICATE_MAP_NAME" \
    --url-map="URL_MAP" \
    --global

Replace the following:

  • PROXY_NAME: the name of the target proxy.
  • CERTIFICATE_MAP_NAME: the name of the certificate map referencing the certificate map entry and the associated certificate.
  • URL_MAP: the name of the URL map

To attach the certificate map to an existing target HTTPS proxy, use the gcloud compute target-https-proxies update command. If you don't know the name of the existing target proxy, go to the Target proxies page and note the name of the target proxy.

gcloud compute target-https-proxies update PROXY_NAME \
    --certificate-map="CERTIFICATE_MAP_NAME" \
    --global

After creating or updating the target proxy, run the following command to verify it:

gcloud compute target-https-proxies list

Terraform

To attach the certificate map to the target proxy, you can use a google_compute_target_https_proxy resource.

When configuring a target proxy, if you attach TLS (SSL) certificates directly and also through a certificate map, the proxy uses the certificates referenced by the certificate map and ignores the directly attached TLS (SSL) certificates.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, delete them.

  1. Delete the load balancer and its resources.

    See Clean up a load balancing setup.

  2. Delete or detach the certificate map from the proxy.

    To delete the certificate map, run the following command:

    gcloud compute target-https-proxies delete PROXY_NAME

    If you want to keep the target HTTPS proxy, then detach the certificate map from the proxy. Before you detach the certificate map, note the following:

    • If there are any TLS (SSL) certificates attached directly to the proxy, detaching the certificate map causes the proxy to resume using those directly attached TLS (SSL) certificates.
    • If there are no TLS (SSL) certificates attached directly to the proxy, the certificate map can't be detached from the proxy. You must first attach at least one TLS (SSL) certificate directly to the proxy before you can detach the certificate map.

    To detach the certificate map, run the following command:

    gcloud compute target-https-proxies update PROXY_NAME \
    --clear-certificate-map

    Replace PROXY_NAME with the name of the target proxy.

  3. Delete the certificate map entry from the certificate map:

    gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

    Replace the following:

    • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
    • CERTIFICATE_MAP_NAME: the name of the certificate map.

  4. Delete the certificate map:

    gcloud certificate-manager maps delete CERTIFICATE_MAP_NAME

    Replace CERTIFICATE_MAP_NAME with the name of the certificate map.

  5. Delete the uploaded certificate:

    gcloud certificate-manager certificates delete CERTIFICATE_NAME

    Replace CERTIFICATE_NAME with the name of the certificate.

What's next