Certificate Manager (2nd gen) overview

Certificate Manager (2nd gen) is a Google Cloud service that lets you centralize the management, deployment, and automation of SSL/TLS certificates across your organization. With Certificate Manager (2nd gen), you can manage certificates for various Google Cloud services, custom workloads, and on-premises environments through a single, centralized interface.

Certificate Manager mainly supports Google Cloud load balancers, whereas Certificate Manager (2nd gen) has expanded support for Google Kubernetes Engine (GKE) workloads, Compute Engine instances, and hybrid environments.

To understand the differences between the first and second generation of Certificate Manager, see Compare Certificate Manager versions.

Certificate Manager (2nd gen) features

Certificate Manager (2nd gen) lets you do the following:

  • Monitor certificates: Use the Overview page in the Google Cloud console to monitor certificate health, including active certificates for each of your services, those nearing expiration, and the distribution of cryptographic algorithms. For more information, see Monitor certificates.

  • Search and discover certificates: Use the Certificates page in the Google Cloud console to view all your certificates, including those not directly issued by Certificate Manager. You can filter by resource type, expiration status, and management status. For more information, see View certificate directory.

  • Automate certificate lifecycles: Control certificate generation and rotation for Google Cloud resources, such as load balancers, and for Google Cloud workloads by defining policies in issuance configurations. You can specify the following settings for auto-managed rotation:

    • Certificate lifetime
    • Key algorithm
    • Rotation window

    For more information, see Create issuance configurations, Configure lifecycle management for load balancers, and Configure lifecycle management for managed workloads.

  • Secure workload communication: Define and distribute trust anchors, such as the root and intermediate CA certificates, to ensure workloads only trust authorized certificates. For more information, see Create trust configurations.
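The monitoring and lifecycle items above describe checks a practitioner can reproduce over their own certificate inventory: which certificates are active, expiring or expired, how key algorithms are distributed, and when an issuance configuration's lifetime and rotation window imply that a managed certificate is due for rotation. The following Python is an added example, not code from the Certificate Manager documentation or the service's API. The `CertRecord` inventory entries are constructed sample data, the `ecdsa-p256`/`rsa-2048` labels are assumed algorithm names, and the interpretation of the rotation window as "renew once this percentage of the lifetime has elapsed" is an assumption made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IssuanceConfig:
    """The three auto-managed rotation settings the overview lists."""
    lifetime: timedelta
    key_algorithm: str             # assumed label, e.g. "ecdsa-p256" or "rsa-2048"
    rotation_window_percentage: int  # assumption: renew once this share of the lifetime has elapsed


@dataclass(frozen=True)
class CertRecord:
    """One constructed inventory entry; not the service's data model."""
    name: str
    not_before: datetime
    not_after: datetime
    key_algorithm: str
    managed: bool  # True if issued through an issuance config, False if merely observed


def rotation_due_at(cert: CertRecord, config: IssuanceConfig) -> datetime:
    """Point in the certificate's life at which auto-rotation should have started."""
    return cert.not_before + config.lifetime * (config.rotation_window_percentage / 100)


def classify(cert: CertRecord, now: datetime, warn_within: timedelta = timedelta(days=30)) -> str:
    """Expiration state used by the monitoring view: expired, expiring or active."""
    if now >= cert.not_after:
        return "expired"
    if cert.not_after - now <= warn_within:
        return "expiring"
    return "active"


def health_report(certs, config: IssuanceConfig, now: datetime,
                  warn_within: timedelta = timedelta(days=30)) -> dict:
    """Summarise an inventory the way an overview dashboard would."""
    report = {"active": [], "expiring": [], "expired": [],
              "rotation_due": [], "algorithm_mismatch": []}
    for cert in certs:
        report[classify(cert, now, warn_within)].append(cert.name)
        # Rotation and algorithm policy only apply to certificates the config manages.
        if cert.managed and now >= rotation_due_at(cert, config):
            report["rotation_due"].append(cert.name)
        if cert.managed and cert.key_algorithm != config.key_algorithm:
            report["algorithm_mismatch"].append(cert.name)
    # Algorithm distribution covers every certificate, observed ones included.
    report["algorithms"] = dict(Counter(c.key_algorithm for c in certs))
    return report


# Constructed sample data: a fixed "now" keeps the results reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CONFIG = IssuanceConfig(lifetime=timedelta(days=90), key_algorithm="ecdsa-p256",
                        rotation_window_percentage=66)
INVENTORY = [
    # Managed, 70 of 90 days elapsed: expiring soon and past the 66% rotation point.
    CertRecord("lb-frontend", NOW - timedelta(days=70), NOW + timedelta(days=20), "ecdsa-p256", True),
    # Managed, freshly issued: healthy.
    CertRecord("gke-payments", NOW - timedelta(days=10), NOW + timedelta(days=80), "ecdsa-p256", True),
    # Observed only (not issued by an issuance config) and already expired.
    CertRecord("legacy-onprem", NOW - timedelta(days=400), NOW - timedelta(days=35), "rsa-2048", False),
    # Managed but issued with an algorithm the config does not specify.
    CertRecord("vm-batch", NOW - timedelta(days=30), NOW + timedelta(days=60), "rsa-2048", True),
]


def demo() -> dict:
    return health_report(INVENTORY, CONFIG, NOW)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The report separates observed certificates from managed ones deliberately: an expired certificate that only appears through observation is a finding to act on, while rotation and algorithm policy checks are meaningful only for certificates the issuance configuration actually controls.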

Supported Google Cloud services

Certificate Manager (2nd gen) integrates directly with Certificate Authority Service and Public CA to simplify management of both private and public certificates. It supports the following two integration models:

  1. Certificate Manager (2nd gen) auto-manages certificates for the following services:

    • Managed workload identity-enabled environments:
      • GKE: Automates certificate issuance and rotation for your GKE workloads.
      • Compute Engine: Automates certificate management for your Compute Engine instances.
    • Cloud Load Balancing: Certificate Manager (2nd gen) automates TLS certificate provisioning and renewal for Cloud Load Balancing by using issuance configurations. This automation includes securing mutual TLS (mTLS) communication between Application Load Balancers and their backends.
  2. CA Service auto-manages certificates for the following services, and Certificate Manager (2nd gen) observes them:

    • Agent Identity-enabled environments:
      • Vertex AI Agent Engine: Automated certificate management to enable secure authentication to Google Cloud and third-party APIs.
      • Gemini Enterprise: Automated certificate management for root agents, no-code agents, and Google-managed agents inside the Gemini Enterprise platform.
    • Cloud SQL: Cloud SQL instances with certificates issued by your CA Service appear in Certificate Manager (2nd gen) for observability and management.
    • Secure Web Proxy: Proxies with certificates issued by your CA Service appear in Certificate Manager (2nd gen) for observability and management.
    • Cloud Service Mesh: GKE workloads that use Cloud Service Mesh have certificates that Certificate Manager (2nd gen) observes and manages.
    • GKE control plane authority: GKE clusters that use custom CA and certificates (from CA Service) to sign and verify credentials within the GKE control plane have certificates that Certificate Manager (2nd gen) observes and manages.

How Certificate Manager (2nd gen) impacts APIs, the gcloud CLI, and Terraform

Certificate Manager (2nd gen) introduces features that build upon both existing APIs and the new API.

  • Certificate Manager (2nd gen): Second-generation features are fully supported and manageable in the Google Cloud console.
  • Certificate Manager: Existing APIs aren't deprecated. You can continue to use the gcloud CLI, Terraform, and direct HTTP API calls to interact with first-generation features.

Certificate Manager (2nd gen) uses both the v1 and v2 API namespaces.

The following list details the API namespace breakdown for each resource:

  • v2 namespace: Contains the Observed Certificates API (v2/projects.locations.observedCertificates)
  • v1 namespace: Contains the core management APIs used across both generations:
    • Certificate API (v1/projects.locations.certificates)
    • Certificate Map API (v1/projects.locations.certificateMaps)
    • Certificate Issuance Config API (v1/projects.locations.certificateIssuanceConfigs)
    • Trust Config API (v1/projects.locations.trustConfigs)

What's next