This page provides instructions for creating a private certificate
authority (CA) by using the Certificate Authority Service and uploading your
certificates to a Certificate Manager TrustConfig
resource.
You also create the network security resources required for configuring mutual TLS for Application Load Balancers.
Before you begin
- Review the Mutual TLS overview.
Install the Google Cloud CLI. For a complete overview of the tool, see the gcloud CLI overview. You can find commands related to load balancing in the API and gcloud CLI reference.
If you haven't run the gcloud CLI previously, first run
gcloud init
to authenticate.Make sure that you know how to create CA pools.
Permissions
To get the permissions that you need to complete this guide, ask your administrator to grant you the following IAM roles on the project:
-
To create load balancer resources such as
TargetHTTPProxy
: Compute Load Balancer Admin (roles/compute.loadBalancerAdmin
) -
To use Certificate Manager resources:
Certificate Manager Owner (
roles/certificatemanager.owner
) -
To create security and networking components:
Compute Network Admin (
roles/compute.networkAdmin
) and Compute Security Admin (roles/compute.securityAdmin
) -
To create a project (optional):
Project Creator (
roles/resourcemanager.projectCreator
)
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a private CA
Create a private CA by using the CA Service, and then create a root certificate:
To create a CA pool, use the
gcloud privateca pools create
command:gcloud privateca pools create CA_POOL \ --location=us-central1
Replace
CA_POOL
with the ID or name of the parent CA pool.To create a private CA in the CA pool, use the
gcloud privateca roots create
command:gcloud privateca roots create CA_ROOT \ --pool=CA_POOL \ --subject="CN=my-ca, O=Test LLC" \ --location=us-central1
Replace the following:
CA_ROOT
: the ID or name of the private CACA_POOL
: the ID or name of the parent CA pool
To describe the new CA and create the
root.cert
file, use thegcloud privateca roots describe
command:gcloud privateca roots describe CA_ROOT \ --pool=CA_POOL \ --location=us-central1 \ --format='value(pemCaCertificates)' > root.cert
export ROOT=$(cat root.cert | sed 's/^[ ]*//g' | tr '\n' $ | sed 's/\$/\\n/g')
Replace the following:
CA_ROOT
: the ID or name of the private CACA_POOL
: the ID or name of the parent CA pool
For more information, see the following:
Create TrustConfig with private CA
Create a Certificate Manager TrustConfig
resource
that represents your PKI by using the root certificate generated by
using the private CA. We assume that the TrustConfig
resource is a
simple trust store with a single trust anchor that represents a root
certificate.
In the following steps, replace TRUST_CONFIG_NAME
with the name of the TrustConfig
resource.
To create the
trust_config.yaml
file, use the following command:cat << EOF > trust_config.yaml name: TRUST_CONFIG_NAME trustStores: - trustAnchors: - pemCertificate: "${ROOT?}" EOF
To create the Certificate Manager
TrustConfig
resources, use thegcloud certificate-manager trust-configs import
command:gcloud certificate-manager trust-configs import TRUST_CONFIG_NAME \ --source=trust_config.yaml \ --location=REGION
Replace the following:
REGION
: useglobal
for cross-region internal Application Load Balancer, global external Application Load Balancer, or classic Application Load Balancer. For regional external Application Load Balancer or regional internal Application Load Balancer, use the region where you configured the load balancer.
Create the network security resources
A server TLS policy (ServerTLSPolicy
network security resource) lets you
specify the server-side TLS mode and the TrustConfig
resource to use
when validating client certificates. When the client presents an invalid
certificate or no certificate to the load balancer, the
clientValidationMode
specifies how the client connection is handled.
- When the
clientValidationMode
is set toALLOW_INVALID_OR_MISSING_CLIENT_CERT
, all requests are passed to the backend even if the validation fails or the client certificate is missing. - When the
clientValidationMode
is set toREJECT_INVALID
, only requests that supply a client certificate that can be validated against aTrustConfig
resource are passed to the backend.
To create the ServerTLSPolicy
resource, complete the following steps:
Based on how you want to handle the connection, select one of the following options.
In the following steps, replace
SERVER_TLS_POLICY_NAME
with the name of the server TLS policy, and replacePROJECT_ID
with the ID of your Google Cloud project.Option 1:
clientValidationMode
is set toALLOW_INVALID_OR_MISSING_CLIENT_CERT
.To create the
server_tls_policy.yaml
file, use the following command:global
For external Application Load Balancers and cross-region internal Application Load Balancers, use the command:
cat << EOF > server_tls_policy.yaml name: SERVER_TLS_POLICY_NAME mtlsPolicy: clientValidationMode: ALLOW_INVALID_OR_MISSING_CLIENT_CERT clientValidationTrustConfig: projects/PROJECT_ID/locations/global/trustConfigs/TRUST_CONFIG_NAME EOF
regional
For regional external Application Load Balancers and regional internal Application Load Balancers, use the command:
cat << EOF > server_tls_policy.yaml name: SERVER_TLS_POLICY_NAME mtlsPolicy: clientValidationMode: ALLOW_INVALID_OR_MISSING_CLIENT_CERT clientValidationTrustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME EOF
Option 2:
clientValidationMode
is set toREJECT_INVALID
.To create the
server_tls_policy.yaml
file, use the following command:global
For external Application Load Balancers and cross-region internal Application Load Balancers, use the command:
cat << EOF > server_tls_policy.yaml name: SERVER_TLS_POLICY_NAME mtlsPolicy: clientValidationMode: REJECT_INVALID clientValidationTrustConfig: projects/PROJECT_ID/locations/global/trustConfigs/TRUST_CONFIG_NAME EOF
regional
For regional external Application Load Balancers and regional internal Application Load Balancers, use the command:
cat << EOF > server_tls_policy.yaml name: SERVER_TLS_POLICY_NAME mtlsPolicy: clientValidationMode: REJECT_INVALID clientValidationTrustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME EOF
To create the
ServerTlsPolicy
resource, use thegcloud network-security server-tls-policies import
command:global
For external Application Load Balancers and cross-region internal Application Load Balancers, use the command:
gcloud network-security server-tls-policies import SERVER_TLS_POLICY_NAME \ --source=server_tls_policy.yaml \ --location=global
regional
For regional external Application Load Balancers and regional internal Application Load Balancers, use the command:
gcloud network-security server-tls-policies import SERVER_TLS_POLICY_NAME \ --source=server_tls_policy.yaml \ --location=REGION
For more information, see MTLS client validation modes.
What's next
- Set up mutual TLS for a global external Application Load Balancer
- Set up mutual TLS for a classic Application Load Balancer
- Set up mutual TLS for an internal Application Load Balancer
- Set up mutual TLS for a regional external Application Load Balancer
- Set up mutual TLS with signed certificates