This document shows how to view and filter your certificate directory by using the Certificate Manager (2nd gen) page in the Google Cloud console. You can use the directory to monitor the expiration status of your certificate, identify associated resources, and find specific certificates.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the Certificate Authority Service, Certificate Manager APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the Certificate Authority Service, Certificate Manager APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.
Required roles
To get the permissions that you need to view the certificate directory, ask your administrator to grant you the following IAM roles on your project:
- Certificate Manager Viewer (
roles/certificatemanager.viewer) - Certificate Manager Editor (
roles/certificatemanager.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Access the certificate directory
To access the directory and view your certificates, follow these steps:
In the Google Cloud console, go to the Certificate Manager page.
Review the certificate directory table that's displayed.
By default, the table displays only long-duration certificates (lifetime greater than 72 hours). To display short-duration certificates, see Include short-duration certificates.
Filter your certificate directory
Use filters to find specific certificates or narrow down your directory view based on your monitoring needs.
Include short-duration certificates
To view certificates with a lifetime of less than 72 hours, follow these steps:
- Click the Include short-duration certificates toggle. The certificates are displayed in the directory.
Short-duration certificates are typically managed through automated rotation and are excluded by default to reduce noise.
Use the filter panel
To filter the table using predefined values, follow these steps:
- Click Filter panel.
- Select the checkboxes next to the criteria that you want to apply, such as Issuer type or Expiration status.
Use the filter bar
To enter custom filters for specific columns, follow these steps:
- Click the Filter field in the filter bar in the directory table.
- Select a column from the list, such as Identity, Expiration date, or Resources.
- Enter the value that you want to filter for (for example, a domain name or a specific resource name).
Review and manage certificate details
To monitor key parameters and manage individual certificates in the directory table, use the following tasks.
Monitor certificate status and view certificate details
To check the status of a specific certificate, follow these steps:
- Locate the certificate in the directory table.
- Review the Expiration status column to determine whether the certificate is valid or expired.
- Click the identity name (Common Name or SAN) in the Identity column to view its full details.
Audit locations and resources
To verify the source and usage of your certificates, follow these steps:
- Look at the Location and Issuer type columns to verify where your certificates are staged and whether they were issued by a public CA (such as Public Certificate Authority) or a private CA (such as CA Service).
- In the Resources column, find the Google Cloud resource that issued the
certificate, such as a
TargetHttpsProxy. - Click the resource name to view more information about that specific resource.
Track lifecycle dates
To monitor issuance and expiration timelines, follow these steps:
- Locate the certificate in the directory table.
- Review the Issuance date and Expiration date columns to track when your managed certificates were generated and when they are scheduled to expire.