To use HTTPS or SSL load balancing, you must create an SslCertificate resource that can be used by your target proxy.
Create an SslCertificate resource
Get a private key and signed certificate
To create an SslCertificate resource for use with a load balancing proxy, you need an unencrypted private key and a certificate generated using that key. If you already have a private key and a certificate from a certificate authority, you can skip ahead to Creating an SslCertificate resource. If not, you can create a new private key and generate a self-signed certificate that can be used to create an SslCertificate resource.
To create a new private key, first create a new folder to store your key and
certificate, then use openssl to generate the key:
$ mkdir ssl_cert
$ cd ssl_cert
$ openssl genrsa -out example.key 2048
To generate a signed certificate, you will need a certificate signing request (CSR). Run the following command to create one:
$ openssl req -new -key example.key -out example.csr
You can use your new CSR to obtain a valid certificate from a certificate authority. Alternatively, you can generate a self-signed certificate by running the following:
$ openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
Create an SslCertificate resource
You can create an SslCertificate resource by running the following command. You must already have a certificate to run this command.
gcloud compute ssl-certificates create [SSL_CERTIFICATE] \
--certificate [CRT_FILE_PATH] \
--private-key [KEY_FILE_PATH]
[SSL_CERTIFICATE]: the name you want to give the certificate resource.[CRT_FILE_PATH]: the path and filename of your certificate file (.crtfile).[KEY_FILE_PATH]: the path and filename of your key file (.keyfile).
GCP only validates that all certificates in a chain have valid PEM formats. It does not validate whether all certificates are chained in a legitimate way. It is your responsibility to provide valid certificate chains.
View SslCertificate resource properties
To see information about your SslCertificate resource, run the following command:
gcloud compute ssl-certificates describe [SSL_CERTIFICATE]
[SSL_CERTIFICATE]: the name of the SslCertificate resource.
List your SslCertificate resources
To view a list of all of your SslCertificate resources, run the following command:
gcloud compute ssl-certificates list
Update a proxy to use a different SSL certificate resource
To update a target HTTPS proxy or target SSL proxy with a new certificate, first create an SSL certificate resource, then update the proxy using the appropriate command.
For target HTTPS proxies, use:
gcloud compute target-https-proxies update [PROXY_NAME] \
--ssl-certificate [SSL_CERTIFICATE]
[PROXY_NAME]: the name of the target-https-proxies resource you are updating.[SSL_CERTIFICATE]: the name of the new SslCertificate resource.
For target SSL proxies, use:
gcloud compute target-ssl-proxies update [PROXY_NAME] \
--ssl-certificate [SSL_CERTIFICATE]
[PROXY_NAME]: the name of the target-ssl-proxies resource you are updating.[SSL_CERTIFICATE]: the name of the new SslCertificate resource.
Delete an SslCertificate resource
To delete an SslCertificate resource, run the following command:
gcloud compute ssl-certificates delete [SSL_CERTIFICATE]
[SSL_CERTIFICATE]: the name of the SslCertificate resource.
