Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine, Certificate Manager, and Certificate Authority Service APIs.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:
- Certificate Manager Editor (roles/certificatemanager.editor)
- CA Service Certificate Manager (roles/privateca.certificateManager)
- Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Configure lifecycle for managed workloads
Configure a managed workload identity pool to specify how associated workloads receive and renew certificates from your existing CA Service pool.
- In the Google Cloud console, go to the Certificate Manager (2nd gen) page.
- In the navigation pane, click Manage Lifecycle.
- Select the Managed Workload Identity tab.
- Locate the workload identity pool that you want to configure, and then click Configure lifecycle management.
- Select the Region and the CA pool for the region.
- In the Certificate lifetime field, specify the validity of the issued certificate. The value must be between 21 and 30 days.
- Set the Rotation window to a value between 50 and 80. This is the percentage of the certificate's lifetime after which a renewal is triggered.
- In the Key algorithm field, select the algorithm used to generate the certificate's private key.
- Click Update.
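The two values set in this procedure, certificate lifetime and rotation window, together decide how much time a workload has to recover if a renewal fails before its current certificate expires. The following Python script is an added example, not code from this page or from Google Cloud's own tooling: it validates a proposed lifetime and rotation window against the bounds the console accepts, computes the point in a certificate's validity at which renewal is triggered, and audits a constructed inventory of certificate validity periods to flag certificates that are past their renewal point but still in use (a sign that renewed certificates are not reaching the workload). The certificate names, dates and the audit timestamp are constructed for the example; nothing here calls a Google Cloud API.

```python
from datetime import datetime, timedelta, timezone

# Bounds the console form accepts, as stated in the procedure above.
MIN_LIFETIME_DAYS, MAX_LIFETIME_DAYS = 21, 30
MIN_ROTATION_PCT, MAX_ROTATION_PCT = 50, 80


def validate_lifecycle(lifetime_days: int, rotation_pct: int) -> timedelta:
    """Check a proposed configuration and return the renewal margin: the time
    between the renewal trigger and expiry, i.e. how long a renewal may keep
    failing before the workload is left with an expired certificate."""
    if not MIN_LIFETIME_DAYS <= lifetime_days <= MAX_LIFETIME_DAYS:
        raise ValueError(
            f"certificate lifetime must be {MIN_LIFETIME_DAYS}-{MAX_LIFETIME_DAYS} "
            f"days, got {lifetime_days}")
    if not MIN_ROTATION_PCT <= rotation_pct <= MAX_ROTATION_PCT:
        raise ValueError(
            f"rotation window must be {MIN_ROTATION_PCT}-{MAX_ROTATION_PCT} "
            f"percent, got {rotation_pct}")
    lifetime = timedelta(days=lifetime_days)
    return lifetime - lifetime * rotation_pct / 100


def renewal_time(not_before: datetime, not_after: datetime, rotation_pct: int) -> datetime:
    """Renewal is triggered once rotation_pct percent of the lifetime has elapsed."""
    return not_before + (not_after - not_before) * rotation_pct / 100


def audit_inventory(certs, rotation_pct: int, now: datetime) -> dict:
    """Classify each certificate relative to its renewal trigger at time `now`.

    'ok'          - renewal point not yet reached
    'renewal_due' - past the renewal point but still valid; if the workload is
                    still presenting this certificate, renewal has not taken
                    effect and should be investigated before expiry
    'expired'     - past not_after
    """
    report = {}
    for cert in certs:
        if now >= cert["not_after"]:
            status = "expired"
        elif now >= renewal_time(cert["not_before"], cert["not_after"], rotation_pct):
            status = "renewal_due"
        else:
            status = "ok"
        report[cert["name"]] = status
    return report


# Constructed sample inventory: names and validity periods are made up for this example.
SAMPLE_CERTS = [
    {"name": "wl-frontend",                                      # 30-day lifetime
     "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
     "not_after": datetime(2024, 1, 31, tzinfo=timezone.utc)},
    {"name": "wl-batch",                                         # 21-day lifetime
     "not_before": datetime(2024, 1, 15, tzinfo=timezone.utc),
     "not_after": datetime(2024, 2, 5, tzinfo=timezone.utc)},
    {"name": "wl-legacy",                                        # already expired
     "not_before": datetime(2023, 11, 1, tzinfo=timezone.utc),
     "not_after": datetime(2023, 12, 1, tzinfo=timezone.utc)},
]

# Constructed audit timestamp for the sample run.
AUDIT_AS_OF = datetime(2024, 1, 26, tzinfo=timezone.utc)


def run_sample_audit(rotation_pct: int = 80) -> dict:
    """Audit the constructed inventory with the sample rotation window."""
    return audit_inventory(SAMPLE_CERTS, rotation_pct, AUDIT_AS_OF)


if __name__ == "__main__":
    margin = validate_lifecycle(30, 80)
    print(f"30-day lifetime, 80% rotation window: {margin.days} days to recover from a failed renewal")
    for name, status in run_sample_audit().items():
        print(f"{name}: {status}")
```

With a 30-day lifetime and an 80% rotation window, renewal triggers on day 24 and leaves 6 days of margin; lowering the window to 50% on the same lifetime widens that margin to 15 days at the cost of more frequent issuance, which is the trade-off these two fields expose.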
What's next
- View certificate inventory
- Create issuance configuration
- Monitor your certificates
- Configure lifecycle management for load balancers
- Create trust configuration