Deploy a global self-managed certificate  |  Certificate Manager  |  Google Cloud (2024)

Create the load balancer

Create the load balancer where you want to deploy the certificate.

  • To create a global external Application Load Balancer, see Set up a global external Application Load Balancer with VM instance group backends.

  • To create a Classic Application Load Balancer, see Set up a Classic Application Load Balancer with a managed instance group backend.

  • To create a Global external proxy Network Load Balancer (SSL proxy), see Set up a global external proxy Network Load Balancer (SSL proxy) with VM instance group backends.

  • To create a Global external proxy Network Load Balancer (TCP proxy), see Set up a global external proxy Network Load Balancer (TCP proxy) with VM instance group backends.

  • To create a Cross-region internal Application Load Balancer, see Set up a Cross-region internal Application Load Balancer with VM instance group backends.

The rest of this tutorial assumes that you have already configured the load balancer's backends, health check, backend service, and URL map. Note the name of the URL map because you need it later in this tutorial.

Create a private key and certificate

To create a private key and a certificate, do the following:

  1. Use a trusted third-party certificate authority (CA) to issue the certificate along with its associated key.

  2. Verify that the certificate is properly chained and root-trusted.

  3. Prepare the following PEM-encoded files:

    • The certificate file (CRT)
    • The corresponding private key file (KEY)

For information about how to request and validate a certificate, see Create a private key and certificate.

Upload a self-managed certificate to Certificate Manager

Console

  1. In the Google Cloud console, go to the Certificate Manager page.

    Go to Certificate Manager

  2. On the page that appears, select the Certificates tab.

  3. Click Add Certificate.

  4. Enter a Name for the certificate.

    This name must be unique for the project.

  5. Optional: Enter the Description for the certificate. The description helps you identify a specific certificate later.

  6. For Location, choose Global.

  7. For Scope, choose any of the following options:

    1. Default: Choose default for a Global external Application Load Balancer, a Classic Application Load Balancer, or a Global external proxy Network Load Balancer.
    2. All-regions: Choose all-regions for a Cross-region internal Application Load Balancer.

  8. For Certificate type, choose Create Self-managed certificate.

  9. For the Certificate field, do any of the following:

    • Click the Upload button and select your PEM-formatted certificate file.
    • Copy and paste the contents of a PEM-formatted certificate. The contents must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  10. For the Private key certificate field, do any of the following:

    • Click the Upload button and select your private key. Your private key must be PEM-formatted and not protected with a passphrase.
    • Copy and paste the contents of a PEM-formatted private key. The private keys must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.

  11. Specify a label to associate with the certificate. You can add more than one label, if needed. To add a label, click the Add label button, and specify a key and a value for your label.

  12. Click Create.

    Verify that the new certificate appears in the list of certificates.

gcloud

To upload the certificate to Certificate Manager, do the following:

For a Global external Application Load Balancer, a Classic Application Load Balancer, or a Global external proxy Network Load Balancer:

Run the following command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --certificate-file="CERTIFICATE_FILE" \
    --private-key-file="PRIVATE_KEY_FILE"

Replace the following:

  • CERTIFICATE_NAME: the unique name of the certificate
  • CERTIFICATE_FILE: the path and filename of the CRT certificate file
  • PRIVATE_KEY_FILE: the path and filename of the KEY private key file

For a Cross-region internal Application Load Balancer:

Run the following command:

gcloud certificate-manager certificates create CERTIFICATE_NAME \
    --certificate-file="CERTIFICATE_FILE" \
    --private-key-file="PRIVATE_KEY_FILE" \
    --scope=all-regions

Replace the following:

  • CERTIFICATE_NAME: the unique name of the certificate
  • CERTIFICATE_FILE: the path and filename of the CRT certificate file
  • PRIVATE_KEY_FILE: the path and filename of the KEY private key file
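The file requirements stated above (PEM framing, a private key that starts with -----BEGIN PRIVATE KEY----- and has no passphrase) can be checked locally before running the upload command, together with a check that the key actually belongs to the certificate. The following shell preflight is an added example, not part of Google's documentation; the function names and the 7-day expiry threshold are assumptions, and the key-match and expiry checks rely on the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example: preflight checks on the PEM files before upload.
# Function names and the 7-day expiry threshold are assumptions.

# First / last non-blank line of a file, with CRs stripped.
pem_first() { tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | head -n 1; }
pem_last()  { tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | tail -n 1; }

# 0 if the file is framed by BEGIN/END CERTIFICATE lines.
check_cert_pem() {
  [ "$(pem_first "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(pem_last "$1")" = "-----END CERTIFICATE-----" ]
}

# 0 = unencrypted "BEGIN PRIVATE KEY" file, 2 = passphrase-protected,
# 1 = any other framing (for example "BEGIN RSA PRIVATE KEY").
check_key_pem() {
  if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
    return 2
  fi
  [ "$(pem_first "$1")" = "-----BEGIN PRIVATE KEY-----" ] &&
    [ "$(pem_last "$1")" = "-----END PRIVATE KEY-----" ]
}

# 0 if the private key belongs to the first (leaf) certificate in the file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# preflight CERTIFICATE_FILE PRIVATE_KEY_FILE
preflight() {
  check_cert_pem "$1" || { echo "certificate: bad PEM framing" >&2; return 1; }
  check_key_pem "$2" || { echo "key: encrypted or not BEGIN PRIVATE KEY" >&2; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null ||
    { echo "certificate expires within 7 days" >&2; return 1; }
}

# Run the checks when called as: script CERTIFICATE_FILE PRIVATE_KEY_FILE
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

This does not replace the chain and root-trust verification in step 2 of the previous section; it only catches file-format and key-mismatch problems.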

Deploy the self-managed certificate to a load balancer

The following sections describe how to deploy the self-managed certificate that you uploaded to Certificate Manager to a load balancer.

Depending on the load balancer type, you can deploy certificates as follows:

  • For the following load balancers, deploy the certificate using a certificate map:
    • Global external Application Load Balancer
    • Global external proxy Network Load Balancer
    • Classic Application Load Balancer
  • For the Cross-region internal Application Load Balancer, deploy the certificate by attaching it directly to the target proxy.

Deploy the certificate using a certificate map

This section describes the steps to deploy a certificate using a certificate map.

Create a certificate map

Create a certificate map that references the certificate map entry associated with your certificate:

gcloud certificate-manager maps create CERTIFICATE_MAP_NAME

Replace CERTIFICATE_MAP_NAME with the name of the target certificate map.

Create a certificate map entry

Create a certificate map entry, and associate it with your self-managed certificate and certificate map:

gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME" \
    --certificates="CERTIFICATE_NAME" \
    --hostname="HOSTNAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: a unique name of the certificate map entry
  • CERTIFICATE_MAP_NAME: the certificate map name that the certificate map entry is attached to
  • CERTIFICATE_NAME: the certificate name that you want to associate with the certificate map entry
  • HOSTNAME: the hostname that you want to associate with the certificate map entry

Verify that the certificate map entry is active

Before you attach the certificate map to the target proxy, run the following command to verify whether the certificate map entry is active:

gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: a unique name of the certificate map entry
  • CERTIFICATE_MAP_NAME: the certificate map name that the certificate map entry is attached to

If the certificate map entry is active, the Google Cloud CLI returns output similar to the following:

certificates:
createTime: '2021-09-06T10:01:56.229472109Z'
hostname: example.com
name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntry
state: ACTIVE
updateTime: '2021-09-06T10:01:58.277031787Z'

Create the HTTPS target proxy

To create an HTTPS target proxy, see Create a target proxy.

Attach the certificate map to the target proxy

To attach the configured certificate map to the target proxy, follow these steps:

  1. In the Google Cloud console, go to the Target proxies page.

    Go to Target proxies

  2. Note the name of the target proxy.

  3. To attach the certificate map to the target proxy, run the following command:

    gcloud compute target-https-proxies update PROXY_NAME \
        --certificate-map="CERTIFICATE_MAP_NAME"

    Replace the following:

    • PROXY_NAME: the name of the target proxy
    • CERTIFICATE_MAP_NAME: the name of the certificate map that references your certificate map entry and its associated certificate

If any TLS (SSL) certificates are attached directly to the proxy, the proxy gives preference to the certificates referenced by the certificate map over directly attached certificates.
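The map-based steps above (create the map, create the entry, verify that the entry is active, attach the map) can be run as one script that leaves the proxy untouched unless the entry reports ACTIVE. This is an added example, not part of Google's documentation; the function names and the WAIT_TRIES and WAIT_DELAY variables are assumptions, and it assumes the certificate is already uploaded and the HTTPS target proxy already exists.

```shell
#!/usr/bin/env bash
# Added example: map-based deployment that attaches the map only after the
# entry is ACTIVE. Function names and WAIT_TRIES/WAIT_DELAY are assumptions.

# entry_state ENTRY MAP: print the entry's state field, for example ACTIVE.
entry_state() {
  gcloud certificate-manager maps entries describe "$1" \
    --map="$2" --format='value(state)'
}

# wait_for_active ENTRY MAP: 0 once ACTIVE, 1 on timeout, 2 if describe fails.
wait_for_active() {
  wfa_left=${WAIT_TRIES:-30}
  while [ "$wfa_left" -gt 0 ]; do
    wfa_state=$(entry_state "$1" "$2") || return 2
    [ "$wfa_state" = "ACTIVE" ] && return 0
    wfa_left=$((wfa_left - 1))
    sleep "${WAIT_DELAY:-10}"
  done
  return 1
}

# deploy_with_map takes five arguments, in this order:
#   CERTIFICATE_NAME CERTIFICATE_MAP_NAME CERTIFICATE_MAP_ENTRY_NAME
#   HOSTNAME PROXY_NAME
deploy_with_map() {
  gcloud certificate-manager maps create "$2" || return 1
  gcloud certificate-manager maps entries create "$3" \
    --map="$2" --certificates="$1" --hostname="$4" || return 1
  if ! wait_for_active "$3" "$2"; then
    echo "entry $3 is not ACTIVE; leaving proxy $5 unchanged" >&2
    return 1
  fi
  gcloud compute target-https-proxies update "$5" --certificate-map="$2"
}

# Run the deployment when called with the five arguments listed above.
if [ "$#" -eq 5 ]; then deploy_with_map "$@"; fi
```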

Create a forwarding rule

Set up a forwarding rule and finish setting up the load balancer. For more information, see Use forwarding rules.

Attach the certificate directly to the target proxy

To attach the certificate directly to the proxy, run the following command:

gcloud compute target-https-proxies update PROXY_NAME \
    --url-map=URL_MAP \
    --global \
    --certificate-manager-certificates=CERTIFICATE_NAME

Replace the following:

  • PROXY_NAME: a unique name of the proxy.
  • URL_MAP: the name of the URL map. You created the URL map when you created the load balancer.
  • CERTIFICATE_NAME: the name of the certificate.

Clean up

To revert the changes that you have made in this tutorial, complete the following steps:

  1. Detach the certificate map from the proxy:

    gcloud compute target-https-proxies update PROXY_NAME \
        --clear-certificate-map

    Replace PROXY_NAME with the name of the target proxy.

    Before you detach the certificate map from the proxy, note the following:

    • Make sure that at least one TLS (SSL) certificate is directly attached to the proxy. If no certificates are attached to the proxy, you can't detach the certificate map.
    • Detaching the certificate map from a proxy enables the proxy to resume using TLS (SSL) certificates that were directly attached to the proxy.
  2. Delete the certificate map entry from the certificate map:

    gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \
        --map="CERTIFICATE_MAP_NAME"

    Replace the following:

    • CERTIFICATE_MAP_ENTRY_NAME: the name of the target certificate map entry
    • CERTIFICATE_MAP_NAME: the name of the target certificate map
  3. Delete the certificate map:

    gcloud certificate-manager maps delete CERTIFICATE_MAP_NAME

    Replace CERTIFICATE_MAP_NAME with the name of the target certificate map.

  4. Delete the uploaded certificate:

    gcloud certificate-manager certificates delete CERTIFICATE_NAME

    Replace CERTIFICATE_NAME with the name of the target certificate.
