Automate certificate lifecycle for load balancers
Learn how to use Certificate Manager (2nd gen) to automate the lifecycle of a Google-managed certificate for a global Application Load Balancer.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine, Certificate Manager, and Certificate Authority Service APIs.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- You need an existing Application Load Balancer with at least one target HTTPS proxy. For more information, see Choose a load balancer.
Required roles
To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:
- Certificate Manager Editor (roles/certificatemanager.editor)
- Load Balancer Admin (roles/compute.loadBalancerAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to configure lifecycle management. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to configure lifecycle management:
- compute.targetHttpsProxies.update
- compute.targetSslProxies.update
- compute.targetHttpsProxies.setCertificateMap
- compute.targetSslProxies.setCertificateMap
- compute.sslCertificates.*
You might also be able to get these permissions with custom roles or other predefined roles.
Configure certificate lifecycle management
To configure lifecycle management for your load balancer certificate:
1. In the Google Cloud console, go to Certificate Manager (2nd gen).
2. In the navigation menu, click Manage Lifecycle.
3. Click the Load balancing tab. A list of your load balancers appears.
4. Expand the load balancer row to see the attached certificates.
5. Click the name of the target proxy.
6. Click Configure lifecycle management. The page displays a list of associated certificates that you can add to and remove from.
7. Click Certificate and then click Add certificate.
8. Select an existing certificate or create a new certificate.
9. Enter the following details for the new certificate:
   - Name: Enter a unique name (for example, my-lb-cert).
   - Scope: Select the appropriate key distribution scope (for example, Default).
   - Certificate type: Select Self-managed or Google-managed certificates. For more information, see certificate types.
   - Domain Name: Enter the domain name that this certificate covers (for example, app.example.com). This domain must be one that you control.
   - Issuance Configuration: Select your existing issuance configuration from the list. This configuration dictates the certificate authority, lifetime, and key type.
10. Click Create. The console adds the new certificate to the list for the target proxy.
11. Review the list of certificates, and then click Update to apply the changes to the target proxy.
Verify the configuration
To verify the certificate configuration:
1. Check the certificate status. Issuance and provisioning can take from several minutes to a few hours. The certificate starts with a Pending status.
2. Monitor the certificate status on the Certificates tab within Certificate Manager (2nd gen). When the status is Active, the certificate is ready.
3. Ensure your domain's DNS records point to the load balancer IP address.
4. Test the setup by accessing your service using HTTPS (for example, https://app.example.com).
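The following script is an added example, not part of the Google Cloud documentation, for the last two verification steps: it opens a TLS connection to the domain with SNI, verifies the served chain against the system trust store, and then checks that the certificate's subject alternative names cover the hostname and that enough validity remains. The hostname app.example.com, the 21-day warning threshold, and the separation into a fetch function and an evaluation function are assumptions of this example; the evaluation function takes the dictionary shape that Python's SSLSocket.getpeercert() returns, so it can also be run on a constructed certificate without network access.

```python
"""Post-deployment check for the certificate a load balancer serves.

Added example, not part of the Google Cloud documentation. Assumes the
domain resolves to the load balancer and that the check runs from a host
with outbound HTTPS access.
"""
import socket
import ssl
import time
from typing import Optional

# Google-managed certificates are renewed automatically, so a short remaining
# lifetime on a certificate that has been Active for a while is a sign that
# renewal is not happening. The threshold is an assumption for this example.
RENEWAL_WARNING_DAYS = 21


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against a hostname.

    Supports only a single left-most wildcard label, as browsers do:
    '*.example.com' covers 'app.example.com' but neither 'example.com'
    nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return False


def evaluate_cert(cert: dict, hostname: str, now: Optional[float] = None) -> dict:
    """Evaluate a certificate in the dict shape returned by SSLSocket.getpeercert().

    Returns whether the SANs cover the hostname, the days of validity left,
    and a single needs_attention flag an operator can alert on.
    """
    now = time.time() if now is None else now
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    covers = any(san_matches(name, hostname) for name in dns_names)
    # notAfter is in the form 'Jun 15 12:00:00 2030 GMT'; ssl parses it for us.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    return {
        "dns_names": dns_names,
        "covers_hostname": covers,
        "days_left": days_left,
        "needs_attention": (not covers) or days_left < RENEWAL_WARNING_DAYS,
    }


def fetch_served_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with SNI and return the peer certificate dictionary.

    The default context verifies the chain and hostname against the system
    trust store, so a certificate that is still Pending on the proxy, or a
    certificate for the wrong domain, raises ssl.SSLError here instead of
    silently passing.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "app.example.com"  # assumed domain
    report = evaluate_cert(fetch_served_cert(host), host)
    print(report)
    sys.exit(1 if report["needs_attention"] else 0)
```

Run it as `python check_lb_cert.py app.example.com` after the status shows Active and DNS has propagated; a non-zero exit means either the served certificate does not cover the domain or its remaining lifetime is below the warning threshold, which is the condition worth wiring into a scheduled check once the load balancer is in production.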
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Remove the certificate from the target proxy:
- Go to the Manage Lifecycle > Load balancing tab for your target proxy.
- Find the certificate that you created (my-lb-cert).
- Remove the certificate from the list.
- Click Update.
Delete the certificate resource:
- Go to the Certificates tab in Certificate Manager (2nd gen).
- Select the certificate (my-lb-cert).
- Click Delete.
You don't need to delete the load balancer, target proxy, or certificate issuance configuration that you created or used in this quickstart.