SSL Certificates

To use HTTPS or SSL load balancing, you must create an SslCertificate resource that can be used by your target proxy.

Create an SslCertificate resource

Get a private key and signed certificate

To create an SslCertificate resource for use with a load balancing proxy, you need an unencrypted private key and a certificate generated using that key. Because the key file is not protected by a passphrase, restrict access to it. If you already have a private key and a certificate from a certificate authority, you can skip ahead to "Create an SslCertificate resource". If not, you can create a new private key and generate a self-signed certificate that can be used to create an SslCertificate resource.

To create a new private key, first create a new folder to store your key and certificate, then use openssl to generate the key:

$ mkdir ssl_cert
$ cd ssl_cert
$ openssl genrsa -out example.key 2048

To generate a signed certificate, you will need a certificate signing request (CSR). Run the following command to create one:

$ openssl req -new -key example.key -out example.csr

You can use your new CSR to obtain a valid certificate from a certificate authority. Alternatively, you can generate a self-signed certificate by running the following:

$ openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

Create an SslCertificate resource

To create an SslCertificate resource, run the following command. You must already have a certificate and its private key. Replace the placeholders as follows:

  • SSL_CERTIFICATE: the name you want to give the certificate resource.
  • CRT_FILE_PATH: the path and filename of your certificate file (.crt file).
  • KEY_FILE_PATH: the path and filename of your key file (.key file).

    gcloud compute ssl-certificates create SSL_CERTIFICATE --certificate CRT_FILE_PATH \
        --private-key KEY_FILE_PATH

Compute Engine only validates that all certificates in a chain have valid PEM formats. It does not validate whether all certificates are chained in a legitimate way. It is your responsibility to provide valid certificate chains.
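Since chain validation is left to you, the checks can be run locally with openssl before the upload. The script below is an added example, not part of the original documentation; the function names and the ROOT_FILE argument are assumptions of this example. For the self-signed certificate created above, ROOT_FILE is example.crt itself.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate file and its private key.
# Function names and the ROOT_FILE argument are assumptions of this example.

# The key must parse and must not be passphrase-protected.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1" && openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# The public key in the first certificate of CRT_FILE must equal the public
# key derived from KEY_FILE.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The first certificate in CRT_FILE must build a verified chain to ROOT_FILE,
# using any further certificates in CRT_FILE as intermediates.
# Note: OpenSSL may also consult its default CA directory.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# usage: preflight CRT_FILE KEY_FILE ROOT_FILE
preflight() {
    key_is_unencrypted "$2" || { echo "key is encrypted or unreadable: $2" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate: $1" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "chain does not verify against: $3" >&2; return 1; }
    echo "ok: $1 and $2 passed the pre-upload checks"
}

# Run the checks when called as: sh preflight.sh CRT_FILE KEY_FILE ROOT_FILE
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```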

View SslCertificate resource properties

To see information about your SslCertificate resource, run the following command, replacing SSL_CERTIFICATE with the name of the SslCertificate resource that you want to describe:

gcloud compute ssl-certificates describe SSL_CERTIFICATE

List your SslCertificate resources

To view a list of all of your SslCertificate resources, run the following command:

gcloud compute ssl-certificates list

Update a proxy to use a different SSL certificate resource

To update a target HTTPS proxy or target SSL proxy with a new certificate, first create an SSL certificate resource, then update the proxy using the appropriate command. In both commands, [PROXY_NAME] is a placeholder for the name of the proxy to update.

For target HTTPS proxies, use:

gcloud compute target-https-proxies update [PROXY_NAME] --ssl-certificate [SSL_CERTIFICATE]

For target SSL proxies, use:

gcloud compute target-ssl-proxies update [PROXY_NAME] --ssl-certificate [SSL_CERTIFICATE]

Delete an SslCertificate resource

To delete an SslCertificate resource, run the following command, replacing SSL_CERTIFICATE with the name of the SslCertificate resource to delete:

gcloud compute ssl-certificates delete SSL_CERTIFICATE
