Migrate certificates to Certificate Manager

This page describes the steps for migrating one or more certificates to Certificate Manager. It covers the following scenarios:

  • Migrate third-party certificates to Certificate Manager.
  • Migrate Cloud Load Balancing certificates to Certificate Manager. For more information on Cloud Load Balancing certificates, see SSL certificates overview in the Cloud Load Balancing documentation.

Both scenarios incur no downtime as long as no errors occur during configuration.

For more information on the Certificate Manager entities mentioned on this page, see How Certificate Manager works.

Migrate third-party certificates to Certificate Manager

This section describes how to migrate one or more certificates served by a third-party service to Certificate Manager.

Before you begin, you must select and set up a supported load balancer. Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following load balancer resources:

  • Target HTTPS proxies used by Application Load Balancers:

    • Global external Application Load Balancer
    • Classic Application Load Balancer
    • Regional external Application Load Balancer (Preview)
    • Regional internal Application Load Balancer (Preview)
    • Cross-region internal Application Load Balancer (Preview)
  • Target SSL proxies used by proxy Network Load Balancers:

    • Global external proxy Network Load Balancer
    • Classic proxy Network Load Balancer

Complete the following steps for each certificate that you want to migrate:

  1. Deploy the target certificate with DNS authorization as described in Deploy a Google-managed certificate with DNS authorization (tutorial) up to but not including the clean-up steps. Use a single certificate map for all certificates you are migrating to your load balancer.

  2. For each certificate you have deployed in the previous step, test the connectivity to each domain covered by the certificate on your load balancer's IP address using the following command:

    openssl s_client -showcerts -servername DOMAIN_NAME -connect IP_ADDRESS:443
    

    Replace the following:

    • DOMAIN_NAME: the name of the target domain
    • IP_ADDRESS: the IP address of your load balancer

    For more information about testing connectivity, see Test with OpenSSL.

  3. Switch over the traffic from your third-party service to Cloud Load Balancing by completing the steps in Update the DNS A and AAAA records to point to the load balancer's IP address.

Migrate Cloud Load Balancing certificates to Certificate Manager

This section describes how to migrate one or more Cloud Load Balancing certificates to Certificate Manager.

Identify the certificates to migrate

Complete the following steps to identify the certificates you want to migrate:

  1. On the target load balancer, identify the name of the target proxy.

  2. Identify the certificates you want to migrate by using the following command to get information about the target proxy, including the attached certificates:

    gcloud compute target-https-proxies describe TARGET_PROXY_NAME
    

    Replace TARGET_PROXY_NAME with the name of the target proxy.

    The output is similar to the following:

    creationTimestamp: '2021-10-06T04:05:07.520-07:00'
    fingerprint: c9Txdx6AfcM=
    id: '365692570234384780'
    kind: compute#targetHttpsProxy
    name: my-proxy
    selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/targetHttpsProxies/my-proxy
    sslCertificates:
    - https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/my-first-certificate
    - https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/my-second-certificate
    urlMap: https://www.googleapis.com/compute/v1/projects/my-project/global/urlMaps/my-map
    

    For more information, see Getting information about a target proxy.

Create the certificates in Certificate Manager

Create the selected certificates in Certificate Manager as follows:

Before moving on to the next step, wait until each certificate's state has changed to ACTIVE as described in Verify that the certificate is active. It can take several hours for each certificate to be issued and for its state to change to ACTIVE.

Create the certificate map

To deploy the certificate to a global external Application Load Balancer or a classic Application Load Balancer, create a certificate map by completing the steps in Create a certificate map.

You don't need a certificate map to deploy the certificate to a regional external Application Load Balancer or a regional internal Application Load Balancer.

Create the certificate map entries

To deploy the certificate to a global external Application Load Balancer or a classic Application Load Balancer, create a certificate map entry. You don't need a certificate map entry to deploy a certificate to a regional external Application Load Balancer or a regional internal Application Load Balancer.

For each certificate you want to migrate, create certificate map entries referencing those certificates as follows:

  1. Obtain the details of the certificate using the following command:

    gcloud compute ssl-certificates describe CERTIFICATE_NAME --project=PROJECT_ID
    

    Replace the following:

    • CERTIFICATE_NAME: the name of the target certificate
    • PROJECT_ID: the ID of the project that contains the certificate

    The output is similar to the following:

     certificate: |-
       -----BEGIN CERTIFICATE-----
       MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
       MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
       CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
       OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
       GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
       MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
       ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
       iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
       KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
       DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
       j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
       cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
       CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
       iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
       Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
       sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
       9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
       BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
       BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
       JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
       MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
       oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
       MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
       AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
       NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
       WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
       9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
       +qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
       d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
       -----END CERTIFICATE-----
     creationTimestamp: '2021-05-06T04:39:21.736-07:00'
     expireTime: '2022-06-07T01:10:34.000-07:00'
     id: '6422259403966690822'
     kind: compute#sslCertificate
     managed:
       domainStatus:
         a.my-domain1.example.com: ACTIVE
         b.my-domain2.example.com: ACTIVE
       domains:
       - a.my-domain1.example.com
       - b.my-domain2.example.com
       status: ACTIVE
     name: my-certificate
     selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/my-certificate
     subjectAlternativeNames:
     - a.my-domain1.example.com
     - b.my-domain2.example.com
     type: MANAGED
    
  2. For each domain listed in the subjectAlternativeNames field, create a certificate map entry covering that domain by completing the steps in Create a certificate map entry. If more than one certificate covers a single domain, you only need to create one certificate map entry and use any valid certificate covering that domain.

  3. Optional: Create a primary certificate map entry referencing the certificate that corresponds to the first certificate from the list of certificates originally attached to the proxy as described in Create a primary certificate map entry.

  4. Use the following command to verify that each certificate map entry you have created is active:

    gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
       --map="CERTIFICATE_MAP_NAME"
    

    Replace the following:

    • CERTIFICATE_MAP_ENTRY_NAME: the name of the target certificate map entry
    • CERTIFICATE_MAP_NAME: the name of the certificate map to which this certificate map entry attaches

    The output is similar to the following:

       createTime: '2021-09-06T10:01:56.229472109Z'
       name: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/my-map-entry
       state: ACTIVE
       updateTime: '2021-09-06T10:01:58.277031787Z'
    

Optional: Test your configuration on a new load balancer

To minimize downtime, we recommend that you test your newly configured certificate maps on a new load balancer that is not serving production traffic. This allows you to detect and resolve any errors before proceeding with the migration in your production environment.

Test your configuration as follows:

  1. Create a new load balancer with a new target proxy as described in Setting up an external Application Load Balancer.

  2. If you're using a global external Application Load Balancer or a classic Application Load Balancer, attach the certificate map you want to test to the new load balancer's target proxy as described in Attach the certificate map to the target proxy.

    If you're using a regional external Application Load Balancer or a regional internal Application Load Balancer, attach the certificate to the target proxy as described in Deploy a regional self-managed certificate.

  3. For each target domain included in your migration, test the connectivity to the domain on the new load balancer's IP address using the following command:

    openssl s_client -showcerts -servername DOMAIN_NAME -connect IP_ADDRESS:443
    

    Replace the following:

    • DOMAIN_NAME: the name of the target domain
    • IP_ADDRESS: the IP address of your new load balancer

    For more information about testing connectivity, see Test with OpenSSL.
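The openssl s_client check above (and the identical check in step 2 of Migrate third-party certificates to Certificate Manager) is a manual test: you read the served certificate, its SANs and its validity period from the output. The following added example, which is not code from the original page, does the same checks in Python so they can be repeated for every migrated domain and fail visibly. probe connects to the load balancer IP with SNI set to the domain, exactly as the -servername and -connect options do, and verifies the chain against the system trust store; check_cert then confirms SAN coverage (including one-label wildcards) and flags expired or soon-expiring certificates. Function names are assumptions, and SAMPLE_CERT is constructed from the domains and expiry shown in the describe output on this page.

```python
"""TLS connectivity check for a migrated domain.

Added example; not part of the original page. Connects to the load
balancer IP with SNI set to the domain (what the page's openssl s_client
command does), verifies the chain, then checks SAN coverage and validity.
"""
import socket
import ssl
import sys
import time

# Constructed sample in the shape SSLSocket.getpeercert() returns, using the
# domains and expiry (2022-06-07T01:10:34-07:00 = 08:10:34 UTC) from the page.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "a.my-domain1.example.com"),
                       ("DNS", "b.my-domain2.example.com")),
    "notBefore": "May 06 11:39:21 2021 GMT",
    "notAfter": "Jun 07 08:10:34 2022 GMT",
}


def hostname_matches(hostname, san_names):
    """Match a hostname against DNS SANs; a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif san == host:
            return True
    return False


def check_cert(cert, domain, now_ts=None, warn_days=30):
    """Return a list of problems with the served certificate (empty means OK)."""
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not hostname_matches(domain, sans):
        problems.append(f"{domain} is not covered by SANs {sans}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts < not_before:
        problems.append("certificate is not yet valid")
    if now_ts > not_after:
        problems.append("certificate has expired")
    elif not_after - now_ts < warn_days * 86400:
        problems.append(f"certificate expires within {warn_days} days")
    return problems


def probe(ip, domain, port=443, timeout=10):
    """Connect to ip:port with SNI=domain and return the served leaf certificate.

    create_default_context() verifies the chain and the hostname, so an
    untrusted chain or a name mismatch raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # usage: python check_tls.py IP_ADDRESS DOMAIN_NAME [DOMAIN_NAME ...]
    ip, domains = sys.argv[1], sys.argv[2:]
    failed = False
    for d in domains:
        try:
            issues = check_cert(probe(ip, d), d)
        except (ssl.SSLError, OSError) as exc:
            issues = [str(exc)]
        failed |= bool(issues)
        print(f"{d}: {'OK' if not issues else '; '.join(issues)}")
    sys.exit(1 if failed else 0)
```

A non-zero exit status means at least one domain would fail once the DNS records are switched, which is the point of running this before the cut-over rather than after.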

Clean up the test environment

Clean up the test environment you created in the previous steps as follows:

  1. Detach the certificate map from the proxy:

    gcloud compute target-https-proxies update PROXY_NAME \
       --clear-certificate-map
    

    Replace PROXY_NAME with the name of the target proxy.

  2. Delete the test load balancer as described in Deleting the load balancer.

Do not delete the certificates, certificate map, or certificate map entries you created in the previous steps.

Apply the new certificate map to the target load balancer

After you have tested your new certificate configuration and confirmed that it's valid, apply the new certificate map to the target load balancer as follows.

  1. If you're using a global external Application Load Balancer or a classic Application Load Balancer, attach the new certificate map to the appropriate target proxy as described in Attach the certificate map to the target proxy.

    If you're using a regional external Application Load Balancer or a regional internal Application Load Balancer, attach the certificate to the target proxy as described in Deploy a regional self-managed certificate.

  2. Wait until the configuration change has been applied and the load balancer has started serving the new certificate. This typically takes a few minutes, but can take up to 30 minutes.

  3. If you notice any problems with your traffic, detach the new certificate map from the target proxy by completing the steps in Detach a certificate map from a proxy. This reverts your load balancer to its original configuration. Otherwise, your new configuration is now complete.

    If you're using a regional external Application Load Balancer or a regional internal Application Load Balancer, revert the change by attaching the previously attached classic certificates.

What's next