This tutorial describes how to use Certificate Manager to deploy a self-managed certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer.
To deploy a certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer, attach the certificate directly to the target proxy. To deploy a certificate to a global external Application Load Balancer, create a certificate map and attach the map to the target proxy. For more information, see Deploy a self-managed certificate.
Objectives
This tutorial shows you how to:
- Upload a self-managed certificate to Certificate Manager.
- Deploy the certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer by using a target HTTPS proxy.
For more information about the certificate deployment process, see Deployment overview.
Before you begin
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Make sure that you have the following roles to complete the tasks in this tutorial:
- Certificate Manager Owner: Required to create and manage Certificate Manager resources.
- Compute Load Balancer Admin or Compute Network Admin: Required to create and manage HTTPS target proxy.
For more information, see the following:
- Roles and permissions for Certificate Manager
- Compute Engine IAM roles and permissions for Compute Engine
Create the load balancer
Create the load balancer where you want to deploy the certificate.
- To create a regional external Application Load Balancer, see Set up a regional external Application Load Balancer with VM instance group backends.
- To create a regional internal Application Load Balancer, see Set up a regional internal Application Load Balancer with VM instance group backends.
The rest of this tutorial assumes that you have already configured the load balancer's backends, health check, backend service, and URL map. Note the name of the URL map because you need it later in this tutorial.
Request and validate a certificate
To request and validate a self-managed certificate, do the following:
Use a trusted third-party certificate authority (CA) to issue the certificate along with its associated key.
Verify that the certificate is properly chained and root-trusted.
Prepare the following PEM-encoded files:
- The certificate file (CRT)
- The corresponding private key file (KEY)
For information about how to request and validate a certificate, see Create a private key and certificate.
Upload a self-managed certificate to Certificate Manager
Console
In the Google Cloud console, go to the Certificate Manager page.
On the page that appears, select the Certificates tab.
Click Add Certificate.
Enter a Name for the certificate.
This name must be unique for the project.
Optional: Enter the Description for the certificate. The description helps you identify a specific certificate later.
For location, choose Regional.
From the Region list, select a region.
For Certificate type, choose Create Self-managed certificate.
For Certificate field, do any of the following:
- Click the Upload button and select your PEM-formatted certificate file.
- Copy and paste the contents of a PEM-formatted certificate. The
contents must start with
-----BEGIN CERTIFICATE-----and end with-----END CERTIFICATE-----.
For the Private key certificate field, do any of the following:
- Click the Upload button and select your private key. Your private key must be PEM-formatted and not protected with a passphrase.
- Copy and paste the contents of a PEM-formatted private key. The
private keys must start with
-----BEGIN PRIVATE KEY-----and end with-----END PRIVATE KEY-----.
Specify a label to associate to the certificate. You can add more than one label, if needed. To add a label, click the add_box Add label button, and specify a
keyand avaluefor your label.Click Create. Verify that the new certificate appears in the list of certificates.
gcloud
To upload the certificate to Certificate Manager, run the following command:
gcloud certificate-manager certificates create CERTIFICATE_NAME
--certificate-file="CERTIFICATE_FILE"
--private-key-file="PRIVATE_KEY_FILE"
--location="REGION"
Replace the following:
CERTIFICATE_NAME: a unique name of the certificateCERTIFICATE_FILE: the path and filename of the CRT certificate filePRIVATE_KEY_FILE: the path and filename of the KEY private key fileREGION: the target Google Cloud region
Deploy the self-managed certificate to a load balancer
To deploy the self-managed certificate, create an HTTPS target proxy and attach the certificate to it.
Create the HTTPS target proxy
To create the HTTPS target proxy and attach the certificate, run the following command:
gcloud compute target-https-proxies create PROXY_NAME \
--url-map=URL_MAP \
--region=REGION \
--certificate-manager-certificates=CERTIFICATE_NAME
Replace the following:
PROXY_NAME: a unique name of the proxy.URL_MAP: the name of the URL map. You created the URL map when you created the load balancer.REGION: the region where you are creating the HTTPS target proxy.CERTIFICATE_NAME: the name of the certificate.
To verify whether the target proxy is created, run the following command:
gcloud compute list target-https-proxies
Create a forwarding rule
Set up a forwarding rule and finish setting up the load balancer.
- If you're using a regional external Application Load Balancer, see Set up a regional external Application Load Balancer with VM instance group backends.
- If you're using a regional internal Application Load Balancer, see Set up an regional internal Application Load Balancer with VM instance group backends.
Clean up
To revert the changes that you have made in this tutorial, delete the uploaded certificate:
gcloud certificate-manager certificates delete CERTIFICATE_NAME
Replace CERTIFICATE_NAME with the name of the target certificate.