Extending GCP Certificate manager with Self-Managed certificate

Ishaq Shaikh
Google Cloud - Community
5 min read · Sep 1, 2023

Recently, I encountered a scenario where we had a GCP certificate map linked to our HTTP(S) global load balancer, but we also wanted to attach our own self-managed certificate, for a custom domain, to the same load balancer.
This blog post describes how to generate a wildcard Google-managed certificate and then extend the certificate map by adding a self-managed certificate to it.
Before diving deeper, here is a brief overview of GCP Certificate Manager: it uses a flexible mapping mechanism (certificate maps and their entries) that gives us granular control over which certificate is assigned and served for each individual domain name in the environment.

Certificate Manager entities

Before starting, make sure you have the required certificates from a trusted Certificate Authority, along with an Application Load Balancer that has a GCP certificate map attached.
For demonstration, I’ll use Let’s Encrypt certificates, but the approach applies to other trusted certificate authorities too.

At present, my GCP project configuration includes the following:

GCP ALB
# List HTTPS Target Proxy for GCP ALB
gcloud compute target-https-proxies list --project=rich-principle-394408

# List Map entries for cert-manager certificate-map
gcloud certificate-manager maps entries list \
--map='devx0-alb-star-map' --project rich-principle-394408
GCP Cert manager Certificate map & Certificate map entries

The certificate map (devx0-alb-star-map) notably includes an entry for the “*.thekubebuddy.tech” domain.

I performed the following steps to generate a wildcard Google-managed certificate for the apex domain mentioned above:

1. Creating Domain Authorization for Certificate Manager

Certificate Manager’s domain authorization allows us to verify ownership of domains to acquire Google-managed certificates.

gcloud config set project rich-principle-394408

gcloud certificate-manager dns-authorizations create \
devx0-apex-thekubebuddy-tech --domain='thekubebuddy.tech'

gcloud certificate-manager dns-authorizations list
Certificate DNS-authorization

Make sure the ACME challenge CNAME record shown above is added to the domain’s DNS hosted zone; otherwise, the certificate won’t be validated.

2. Generating a GCP managed wildcard certificate for domains with the previously established DNS authorization

gcloud certificate-manager certificates --project rich-principle-394408 create \
devx0-apex-thekubebuddy-tech --domains='thekubebuddy.tech,*.thekubebuddy.tech' \
--dns-authorizations='devx0-apex-thekubebuddy-tech'

gcloud certificate-manager certificates list
GCP managed Certificate

3. Creating certificate map & certificate map entries

A certificate map is a collection of one or more entries, each linking particular certificates to a distinct hostname.
Each certificate map entry holds the set of certificates served for one hostname.
A single certificate map can be shared across several load balancers by attaching it to multiple target proxies, which makes reuse easy.
By adding separate map entries you can also serve different certificate sets for different domain names, including apex domains and subdomains.

gcloud certificate-manager maps list

gcloud certificate-manager maps create devx0-alb-star-map --quiet

gcloud certificate-manager maps entries create \
devx0-apex-thekubebuddy-tech-0 --map='devx0-alb-star-map' \
--certificates='devx0-apex-thekubebuddy-tech' \
--hostname='thekubebuddy.tech'

gcloud beta certificate-manager maps entries create \
devx0-apex-thekubebuddy-tech-1 --map='devx0-alb-star-map' \
--certificates='devx0-apex-thekubebuddy-tech' \
--hostname='*.thekubebuddy.tech'

gcloud certificate-manager maps entries list --map='devx0-alb-star-map'
Certificate map & Certificate map entries

Troubleshooting Tip: If certificate validation is taking longer than expected, check the certificate’s state and failure reason on the Certificate Manager page. The Python client documentation also lists the possible failure reasons, which helps explain why validation failed.

4. Associating certificate map with HTTPS target Proxy

# Listing HTTPS proxy
gcloud compute target-https-proxies list --project rich-principle-394408

# Associating the above certificate-map to 'devx0-alb-target-proxy' target proxy
gcloud beta compute target-https-proxies --project rich-principle-394408 \
update --certificate-map='devx0-alb-star-map' devx0-alb-target-proxy

# Reference command to detach the certificate map from the target proxy; run this before deleting the map.
# gcloud beta compute target-https-proxies update --clear-certificate-map [HTTPS_TARGET_PROXY_OF_THE_LB]

Coool.…. 😮‍💨
The following steps associate a self-managed certificate, obtained from the Let’s Encrypt CA for the domain cdn.dev.thekubebuddy.tech, with the certificate map created above.

openssl x509 -text -noout -in fullchain.pem
Let’s Encrypt Certificate

1. Use the following gcloud certificate-manager command to create the certificate (substitute your own values accordingly):

gcloud certificate-manager certificates create devx0-cdn-thekubebuddy-tech \
--certificate-file="/home/thekubebuddy/cdn-cert/fullchain.pem" \
--private-key-file="/home/thekubebuddy/cdn-cert/privkey.pem" \
--location="global" --project=rich-principle-394408

# To view the list of certificates, use the command:
gcloud certificate-manager certificates list --project=rich-principle-394408
Certificate Created

If you run into the error shown below, make sure your fullchain.pem (certificate file) does not contain any stray newline characters between the PEM blocks.

Common Issue
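Before uploading, it is worth checking the chain file for exactly this kind of defect. The following Python checker is an added example, not code from the article or from Google, and uses only the standard library; the sample chains at the bottom are constructed placeholders, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_chain(text: str) -> list:
    """Return a list of problems in a PEM chain file; an empty list means it looks clean."""
    problems = []
    if "\r" in text:
        problems.append("file uses CRLF line endings; convert to LF")
    lines = text.replace("\r", "").split("\n")
    in_block, blocks, body, pending_blank = False, 0, [], 0
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if s == BEGIN:
            if pending_blank:  # a blank line separated the previous block from this one
                problems.append(f"line {pending_blank}: blank line between certificates")
            in_block, body, pending_blank = True, [], 0
        elif s == END:
            if not in_block:
                problems.append(f"line {n}: END without a matching BEGIN")
                continue
            try:  # the body must be contiguous, valid base64 (DER payload)
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"certificate #{blocks + 1}: body does not base64-decode")
            in_block, blocks = False, blocks + 1
        elif s == "":
            if in_block:
                problems.append(f"line {n}: blank line inside a certificate block")
            elif blocks:
                pending_blank = n  # only a problem if another block follows
        elif in_block:
            body.append(s)
        else:
            problems.append(f"line {n}: text outside any certificate block")
    if in_block:
        problems.append("last certificate block is not terminated")
    if not blocks:
        problems.append("no certificate blocks found")
    return problems


# Constructed sample chains (placeholder bodies, not real certificates).
FAKE_BODY = base64.encodebytes(b"constructed placeholder, not a real certificate " * 3).decode()
GOOD_CHAIN = f"{BEGIN}\n{FAKE_BODY}{END}\n{BEGIN}\n{FAKE_BODY}{END}\n"
BAD_CHAIN = GOOD_CHAIN.replace(f"{END}\n{BEGIN}", f"{END}\n\n{BEGIN}", 1)  # blank line between certs
CORRUPT_CHAIN = GOOD_CHAIN.replace("Y29u", "Y2!u", 1)  # invalid base64 character in the first body
```

Run `check_pem_chain(open("fullchain.pem").read())` on your own file; an empty result means the chain is structurally clean.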

2. Create a certificate map entry for the certificate above, along with its corresponding hostname:

gcloud certificate-manager maps entries list --map='devx0-alb-star-map' \
--project=rich-principle-394408

gcloud certificate-manager maps entries create devx0-cdn-thekubebuddy-tech-0 \
--map="devx0-alb-star-map" \
--certificates="devx0-cdn-thekubebuddy-tech" \
--hostname="cdn.dev.thekubebuddy.tech" \
--project=rich-principle-394408
Certificate map entry within certificate map
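To see why cdn.dev.thekubebuddy.tech needs its own map entry instead of being covered by the *.thekubebuddy.tech entry, here is a Python model of how the map is resolved against the SNI hostname. It is an added example, not the article’s or Google’s code, and it assumes the documented matching order: exact hostname first, then a wildcard that covers exactly one label, then the map’s primary entry if one was set.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MapEntry:
    name: str
    hostname: Optional[str]  # None marks the primary (default) entry
    certificate: str


# Constructed from the entries created in this article (entry and certificate names are the article's).
DEVX0_ALB_STAR_MAP = [
    MapEntry("devx0-apex-thekubebuddy-tech-0", "thekubebuddy.tech", "devx0-apex-thekubebuddy-tech"),
    MapEntry("devx0-apex-thekubebuddy-tech-1", "*.thekubebuddy.tech", "devx0-apex-thekubebuddy-tech"),
    MapEntry("devx0-cdn-thekubebuddy-tech-0", "cdn.dev.thekubebuddy.tech", "devx0-cdn-thekubebuddy-tech"),
]


def wildcard_matches(pattern: str, host: str) -> bool:
    """'*.example.com' covers 'a.example.com' but not 'example.com' or 'a.b.example.com'."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label  # exactly one label may replace the '*'


def resolve(entries: List[MapEntry], sni_host: str) -> Optional[MapEntry]:
    """Pick the map entry whose certificate would be served for the given SNI hostname."""
    host = sni_host.lower().rstrip(".")
    for e in entries:  # 1. exact hostname match wins
        if e.hostname and e.hostname.lower() == host:
            return e
    for e in entries:  # 2. single-label wildcard match
        if e.hostname and wildcard_matches(e.hostname.lower(), host):
            return e
    for e in entries:  # 3. primary entry, if the map has one
        if e.hostname is None:
            return e
    return None  # nothing matches: no certificate for this hostname
```

With only the first two entries, `resolve(DEVX0_ALB_STAR_MAP[:2], "cdn.dev.thekubebuddy.tech")` returns None, because the wildcard covers one label and "cdn.dev" is two; that is why the dedicated entry is required.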

We can also view our certificates from the GCP certificate manager page, as shown below.

3. After the certificate map entry transitions to the ACTIVE state, validate SSL termination for that hostname

State before linking self-managed certificate to certificate map.
Self-managed certificate’s SSL termination validated successfully.

In conclusion, this article has described the steps involved in attaching a GCP certificate map to our HTTP(S) global load balancer and extending it with our own self-managed certificate.
This process not only shows how certificates can be adapted to our needs but also highlights the flexibility of GCP Certificate Manager.
As we continue to navigate more intricate scenarios, this experience contributes to a deeper understanding of managing certificates in a dynamic environment.
Thank you!
