Configure lifecycle management for load balancers

This document shows how to configure certificate lifecycle management for Application Load Balancers using Certificate Manager (2nd gen).

There are different ways to configure a load balancer's certificates depending on the properties of the load balancer and previously configured certificate configuration parameters. The Certificate Manager (2nd gen) interface detects and displays the appropriate configuration method based on what is available for a particular load balancer.

The following options are available:

  1. Configure a global load balancer with an SSL certificate.
  2. Configure a regional load balancer with a networking certificate or Compute SSL certificate.
  3. Configure a regional load balancer with a certificate map.
  4. Configure a global load balancer with a networking certificate.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Compute Engine, Certificate Manager, Certificate Authority Service APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  6. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  7. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  8. Verify that billing is enabled for your Google Cloud project.

  9. Enable the Compute Engine, Certificate Manager, Certificate Authority Service APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

    10.
  10. Make sure that you have an existing Application Load Balancer with at least one target HTTPS proxy. For more information, see Choose a load balancer.

Required roles

To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Configure lifecycle for load balancers

To configure lifecycle management for your load balancer certificate, follow the steps for your specific load balancer configuration:

Global load balancer with Compute SSL certificates

  1. In the Google Cloud console, go to Certificate Manager (2nd gen).

    Go to Certificate Manager (2nd gen)

  2. In the navigation menu, click Manage Lifecycle.

  3. Click the Load balancing tab. A list of your load balancers appears.

  4. Locate the load balancer and click the toggle node to expand the row to see the associated target proxies.

  5. Click the name of the target proxy.

  6. Click Configure lifecycle management. The page displays certificates associated with this target proxy.

  7. Select a certificate from the available list. You can use your own certificate or a Google-managed certificate.

  8. Click Additional certificates and then Add a certificate.

  9. Select a certificate from the available list. Each forwarding rule of the load balancer can have 1-14 additional certificates.

  10. Click Update to apply the changes to the target proxy. This action updates the underlying certificate map entry or creates a new one.

Regional load balancer with networking or SSL certificates

  1. In the Google Cloud console, go to Certificate Manager (2nd gen).

    Go to Certificate Manager (2nd gen)

  2. In the navigation menu, click Manage Lifecycle.

  3. Click the Load balancing tab. A list of your load balancers appears.

  4. Locate the load balancer and click the toggle node to expand the row to see the associated target proxies.

  5. Click the name of the target proxy.

  6. Click Configure lifecycle management. The page displays certificates associated with this target proxy's effective certificate map.

  7. Select a repository type: Certificates or Classic certificates.

  8. Click Add a certificate.

  9. Select an existing certificate or create a new certificate.

  10. Enter the following details for the new certificate:

    • Name: A unique name for this certificate resource (for example, my-lb-cert).
    • Scope: Select the appropriate key distribution scope (for example, Default).
    • Certificate type: Self-managed or Google-managed types of certificates.
    • Domain Name: The domain name this certificate will cover (for example, app.example.com). This domain must be one that you control.
    • Issuance Configuration: Select your existing issuance configuration from the list. This configuration dictates the CA, lifetime, and key type.

  11. Click Create. The console adds the new certificate to the list for the target proxy.

  12. Review the list of certificates, and then click Update to apply the changes to the target proxy. This action updates the underlying certificate map entry or creates a new one.

Regional load balancer with a certificate map

  1. In the Google Cloud console, go to Certificate Manager (2nd gen).

    Go to Certificate Manager (2nd gen)

  2. In the navigation menu, click Manage Lifecycle.

  3. Click the Load balancing tab. A list of your load balancers appears.

  4. Locate the load balancer and click the toggle node to expand the row to see the associated target proxies.

  5. Click the name of the target proxy.

  6. Click Update certificate map. The page displays certificate map details and certificate map entries.

  7. Click Edit and then click Add map entry.

  8. Enter the following details for the new map entry:

    • Name: A unique name for this certificate resource (for example, my-lb-cert).
    • Hostname: Select the appropriate hostname. Certificate searches match the exact hostname provided. For single-level subdomains, the search also includes certificates issued for the parent domain wildcard. For example, entering app.example.com returns certificates for both app.example.com and *.example.com.

  9. Select an existing certificate or create a new certificate.

  10. Click Add. The console adds the new certificate to the list for the target proxy.

  11. Review the list of certificates, and then click Save to apply the changes to the target proxy. This action updates the underlying certificate map entry or creates a new one.

Global load balancer with a networking certificate

  1. In the Google Cloud console, go to Certificate Manager (2nd gen).

    Go to Certificate Manager (2nd gen)

  2. In the navigation menu, click Manage Lifecycle.

  3. Click the Load balancing tab. A list of your load balancers appears.

  4. Locate the load balancer and click the toggle node to expand the row to see the associated target proxies.

  5. Click the name of the target proxy.

  6. Click Configure lifecycle management. The page displays certificates associated with this target proxy's effective certificate map.

  7. Click Add a certificate.

  8. Select an existing certificate or create a new certificate.

  9. Enter the following details for the new certificate:

    • Name: A unique name for this certificate resource (for example, my-lb-cert).
    • Scope: Select the appropriate key distribution scope (for example, Default).
    • Certificate type: Self-managed or Google-managed types of certificates.
    • Domain Name: The domain name this certificate will cover (for example, app.example.com). This domain must be one that you control.
    • Issuance Configuration: Select your existing issuance configuration from the list. This configuration dictates the CA, lifetime, and key type.

  10. Click Create. The console adds the new certificate to the list for the target proxy.

  11. Review the list of certificates, and then click Update to apply the changes to the target proxy. This action updates the underlying certificate map entry or creates a new one.

What's next