Monitor resources using Cloud Monitoring

You can monitor various operations on resources in Certificate Manager (2nd gen) using Cloud Monitoring. This document lists the metrics that you can use to track your certificate inventory and walks you through how to view them and create alerting policies.

Certificate Manager metrics

The metrics for Certificate Manager (2nd gen) are as follows:

The "metric type" strings in this table must be prefixed with certificatemanager.googleapis.com/. That prefix has been omitted from the entries in the table. When querying a label, use the metric.labels. prefix; for example, metric.labels.LABEL="VALUE".

Metric type Launch stage (Resource hierarchy levels) Display name
Kind, Type, Unit Monitored resources	Description Labels
map/entries GA  (project) Certificate map entries
GAUGE, INT64, 1 certificatemanager.googleapis.com/CertificateMap	Current number of map entries inside certificate map. Sampled every 60 seconds. is_primary: Shows whether map entry is configured as primary.
project/certificates GA  (project) Certificates
GAUGE, INT64, 1 certificatemanager.googleapis.com/Project	Current number of certificates. Sampled every 60 seconds. scope: Certificate scope, one of [DEFAULT, EDGE_CACHE]. type: Certificate type, one of [MANAGED, SELF_MANAGED]. is_active: Shows whether certificate is used in serving.
project/v2/active_certificates BETA  (project) Active Certificates
GAUGE, INT64, 1 certificatemanager.googleapis.com/Project	Current number of active certificates. For this metric, the sampling period is a reporting period, not a measurement period. Measurements are initiated every 3600 seconds. Measurements that take longer than 3600 seconds to complete will delay the start of the next measurement attempt. The last measured value is repeated until the next measurement completes. Sampled every 3600 seconds. authority_type: The type of CA that issued the certificate, one of [Private, Public]. key_algorithm: The algorithm of the key used to sign the certificate. key_usage_profile: The use case based on the key usages of the certificate. resource_types: Shows the associated GCP resource types.
project/v2/certificate_expiration BETA  (project) Certificate Expiration
GAUGE, DISTRIBUTION, s certificatemanager.googleapis.com/Project	The distribution of the seconds left until the notAfter time of long-lived certificates with lifetime greater than 72 hours. For this metric, the sampling period is a reporting period, not a measurement period. Measurements are initiated every 3600 seconds. Measurements that take longer than 3600 seconds to complete will delay the start of the next measurement attempt. The last measured value is repeated until the next measurement completes. Sampled every 3600 seconds.
project/v2/certificate_observance_event_count BETA  (project) Certificate Observance Event Count
DELTA, INT64, 1 certificatemanager.googleapis.com/Project	Count of times a new certificate is observed. authority_type: The type of CA that issued the certificate, one of [Private, Public]. key_algorithm: The algorithm of the key used to sign the certificate. key_usage_profile: The use case based on the key usages of the certificate.

Table generated at 2026-05-14 16:07:40 UTC.

For more information about monitored resources, see Monitored resource types.

View metrics in Monitoring

To view the metrics for a monitored resource by using the Metrics Explorer, do the following:

1. In the Google Cloud console, go to the leaderboard Metrics explorer page:

   Go to Metrics explorer

   If you use the search bar to find this page, then select the result whose subheading is Monitoring.

2. In the toolbar of the Google Cloud console, select your Google Cloud project. For App Hub configurations, select the App Hub host project or the app-enabled folder's management project.
3. In the Metric element, expand the Select a metric menu, enter Certificate Manager in the filter bar, and then use the submenus to select a specific resource type and metric:
   1. In the Active resources menu, select <a href="/monitoring/api/resources#tag_certificatemanager.googleapis.com"

      Certificate Manager.

   2. To select a metric, use the Active metric categories and Active metrics menus. For a list of metrics, see certificatemanager metrics.
   3. Click Apply.

4. To add filters, which remove time series from the query results, use the Filter element.

5. To combine time series, use the menus on the Aggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone.

   All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.

6. For quota and other metrics that report one sample per day, do the following:
   1. In the Display pane, set the Widget type to Stacked bar chart.
   2. Set the time period to at least one week.

Create an alerting policy

To monitor your Certificate Manager resources, create alerting policies. Alerting policies notify you by email, SMS, or downstream tools when a particular metric passes a specified threshold.

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

1. In the Google Cloud console, go to the notifications Alerting page:

   Go to Alerting

   If you use the search bar to find this page, then select the result whose subheading is Monitoring.

2. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
3. From the Alerting page, select Create policy.
4. To select the metric, expand the Select a metric menu and then do the following:
   1. To limit the menu to relevant entries, enter Certificate Manager into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
   2. For the Resource type, select <a href="/monitoring/api/resources#tag_certificatemanager.googleapis.com"

      Certificate Manager.

   3. For the Metric category, select Certificate.
   4. For the Metric, select a metric from the list of certificate manager metrics.
   5. Select Apply.
5. Click Next.
6. The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
7. Click Next.
8. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
9. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
10. Optional: Click Documentation, and then add any information that you want included in a notification message.
11. Click Alert name and enter a name for the alerting policy.
12. Click Create Policy.

For more information, see Alerting overview.

What's next

• Audit logging
• Troubleshoot issues
• Quotas and limits