{"id":797,"date":"2026-04-16T04:47:25","date_gmt":"2026-04-16T04:47:25","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-certificate-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T04:47:25","modified_gmt":"2026-04-16T04:47:25","slug":"google-cloud-certificate-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-certificate-manager-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud Certificate Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Google Cloud <strong>Certificate Manager<\/strong> is a managed service for provisioning, storing, and deploying SSL\/TLS certificates used to encrypt traffic to internet-facing and internal endpoints\u2014most commonly through <strong>Cloud Load Balancing<\/strong>.<\/p>\n\n\n\n<p>In simple terms: <strong>Certificate Manager helps you get HTTPS working correctly and keep it working<\/strong> by centralizing certificates and automating issuance\/renewal for supported certificate types.<\/p>\n\n\n\n<p>Technically, Certificate Manager provides APIs and resources (such as <strong>certificates<\/strong>, <strong>certificate maps<\/strong>, and <strong>DNS authorizations<\/strong>) that let you attach the right certificate to the right hostname using <strong>SNI (Server Name Indication)<\/strong>. 
It integrates tightly with Google Cloud networking entry points (such as target proxies behind Cloud Load Balancing), so certificates can be rolled out and rotated without manually touching individual backends.<\/p>\n\n\n\n<p>The problem it solves is operational and security-oriented: managing certificates at scale is error-prone (expired certs, wrong hostnames, missed renewals, inconsistent deployment). Certificate Manager reduces these risks with a managed, policy-driven workflow and consistent integrations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Certificate Manager?<\/h2>\n\n\n\n<p><strong>Official purpose (scope and intent)<\/strong><br\/>\nCertificate Manager is a Google Cloud service for <strong>managing SSL\/TLS certificates<\/strong> and <strong>deploying them to supported Google Cloud endpoints<\/strong> (primarily load balancers\/proxies) using a centralized, API-driven model.<\/p>\n\n\n\n<p><strong>Core capabilities<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provision <strong>Google-managed<\/strong> SSL\/TLS certificates (domain-validated) where supported.<\/li>\n<li>Store and deploy <strong>self-managed<\/strong> certificates (you provide the cert chain and private key).<\/li>\n<li>Map certificates to hostnames using <strong>certificate maps<\/strong> and <strong>map entries<\/strong> (SNI routing).<\/li>\n<li>Perform domain control validation using <strong>DNS authorizations<\/strong> (for managed cert issuance workflows that require it).<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components (mental model)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Certificate<\/strong>: Represents a TLS certificate. Can be Google-managed (issued\/renewed by Google) or self-managed (uploaded by you).<\/li>\n<li><strong>DNS Authorization<\/strong>: A resource used to prove you control a domain via a DNS record (record details are provided by the service).<\/li>\n<li><strong>Certificate Map<\/strong>: A routing object that selects which certificate to present based on the requested hostname (SNI).<\/li>\n<li><strong>Certificate Map Entry<\/strong>: A hostname (or hostname pattern, depending on product support) mapped to one or more certificates.<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed <strong>control plane<\/strong> service (API-first), integrated with Google Cloud networking datapaths (for example, load balancer target proxies).<\/li>\n<li>Not a general-purpose PKI\/CA by itself. For private CA capabilities, Google Cloud provides <strong>Certificate Authority Service<\/strong> (a different product).<\/li>\n<\/ul>\n\n\n\n<p><strong>Resource scope (global\/regional\/project)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager resources are <strong>project-scoped<\/strong> and created in a <strong>location<\/strong> (commonly <code>global<\/code>, and in some cases regional\u2014depending on the target integration). Because location and supported integrations can evolve, <strong>verify the correct location (<code>global<\/code> vs regional) for your specific load balancer\/proxy type in the official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Google Cloud ecosystem<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pairs naturally with:<ul>\n<li><strong>Cloud Load Balancing<\/strong> (HTTPS and SSL\/TLS termination)<\/li>\n<li><strong>Cloud DNS<\/strong> (to publish the required validation records and A\/AAAA records)<\/li>\n<li><strong>Cloud Logging \/ Cloud Audit Logs<\/strong> (for operations and change tracking)<\/li>\n<li><strong>IAM<\/strong> (fine-grained access to create\/update certificates and maps)<\/li>\n<\/ul>\n<\/li>\n<li>Complements (but does not replace) other security services:<ul>\n<li><strong>Secret Manager<\/strong> (general secret storage; not a certificate deployment system)<\/li>\n<li><strong>Certificate Authority Service<\/strong> (issuing private certs; separate lifecycle and pricing)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Certificate Manager?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduces outage risk from expired\/incorrect TLS certificates (a common production incident).<\/li>\n<li>Centralizes certificate operations for many applications\/domains across teams.<\/li>\n<li>Supports standardization: consistent naming, ownership, and automation patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SNI-based routing via <strong>certificate maps<\/strong> makes multi-domain TLS on shared IPs straightforward.<\/li>\n<li>Managed certificate lifecycle (where supported) minimizes manual issuance and renewal work.<\/li>\n<li>A single certificate management workflow integrates with Google Cloud\u2019s edge\/load balancer architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API-driven management integrates cleanly into CI\/CD and Infrastructure as Code (Terraform is commonly used; verify the latest provider resources).<\/li>\n<li>Enables safer rotation practices: update map entries and roll forward\/back quickly.<\/li>\n<li>Separation of duties: security team controls certs, platform team controls load balancers, app team controls backends.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security \/ compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps enforce HTTPS everywhere with consistent certificate handling.<\/li>\n<li>Makes it easier to implement least privilege for certificate operations using IAM roles.<\/li>\n<li>Improves auditability: changes to certificates and maps can be captured in 
audit logs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability \/ performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designed for scale: many hostnames and applications can share load balancing infrastructure with correct certificate selection.<\/li>\n<li>Works with Google Cloud\u2019s global networking where supported, reducing operational burden.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Certificate Manager when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You terminate TLS on <strong>Cloud Load Balancing<\/strong> and want centralized certificate management.<\/li>\n<li>You need to host <strong>many domains<\/strong> on one or more load balancers and want clean SNI mapping.<\/li>\n<li>You want to reduce manual certificate renewal\/rotation risk.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Consider alternatives when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a full private PKI\/CA (use <strong>Certificate Authority Service<\/strong>).<\/li>\n<li>Your endpoint is not supported for attachment via Certificate Manager (some Google Cloud products manage certificates in their own way).<\/li>\n<li>You need advanced certificate lifecycle logic tightly coupled to Kubernetes ingress controllers (in GKE, you may prefer <strong>cert-manager<\/strong> depending on architecture\u2014though you can still integrate with Google Cloud load balancing in some models).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Certificate Manager used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and web platforms (multi-tenant domains)<\/li>\n<li>Financial services and insurance (strict change control and audit needs)<\/li>\n<li>Healthcare (compliance-driven transport security)<\/li>\n<li>Media\/e-commerce (global HTTPS delivery, CDN fronting)<\/li>\n<li>Education and public sector (standardized security posture)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams operating shared load balancers<\/li>\n<li>Security engineering teams enforcing encryption standards<\/li>\n<li>SRE\/operations teams responsible for uptime and incident response<\/li>\n<li>DevOps teams implementing IaC and CI\/CD pipelines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public web apps behind external HTTPS load balancers<\/li>\n<li>APIs behind HTTPS load balancers (REST\/gRPC over TLS termination)<\/li>\n<li>Multi-domain frontends (many hostnames on a shared global IP)<\/li>\n<li>Shared \u201cedge\u201d projects where central networking teams manage ingress<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central certificate inventory per environment (dev\/stage\/prod)<\/li>\n<li>Multi-project organizations using shared VPC and centralized ingress projects (attachment patterns vary; verify supported cross-project patterns and IAM requirements in docs)<\/li>\n<li>Gradual migration from legacy\/\u201cclassic\u201d load balancer certificate objects to Certificate Manager certificate maps<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> primary value is reliability (avoid expiry), change 
control, and auditability.<\/li>\n<li><strong>Dev\/test:<\/strong> useful for rehearsing certificate rotations and validating DNS authorization workflows; cost is typically dominated by load balancer runtime rather than certificate objects.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Google Cloud Certificate Manager is commonly used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Centralized HTTPS for many microservices (shared load balancer)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Each service team manages its own certificates and renewal schedule; outages occur due to expiration.<\/li>\n<li><strong>Why Certificate Manager fits:<\/strong> Central certificate provisioning and mapping per hostname.<\/li>\n<li><strong>Example:<\/strong> <code>api.example.com<\/code>, <code>billing.example.com<\/code>, <code>auth.example.com<\/code> all terminate TLS on one external HTTPS load balancer using a certificate map.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Multi-tenant SaaS with customer custom domains<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Customers bring custom domains; onboarding requires adding\/rotating certificates at scale.<\/li>\n<li><strong>Why it fits:<\/strong> Certificate maps support clean hostname-to-certificate selection.<\/li>\n<li><strong>Example:<\/strong> <code>customer-a.app.com<\/code> and <code>shop.customer-b.com<\/code> each map to the right cert without separate load balancers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Standardized certificate rotation playbooks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Rotations are risky, manual, and inconsistent.<\/li>\n<li><strong>Why it fits:<\/strong> Rotate by updating certificate resources and map entries, then validate.<\/li>\n<li><strong>Example:<\/strong> Replace expiring cert with a new 
one, update map entry, roll back if needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Strict change control and separation of duties<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> App teams shouldn\u2019t handle private keys; security team needs control.<\/li>\n<li><strong>Why it fits:<\/strong> IAM can restrict who can upload self-managed certs and who can attach maps.<\/li>\n<li><strong>Example:<\/strong> Security team manages Certificate Manager; platform team manages load balancers; app team only deploys backend services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Migration from legacy load balancer SSL certificate objects<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Existing load balancers use legacy certificate attachments; managing multiple certs becomes messy.<\/li>\n<li><strong>Why it fits:<\/strong> Certificate maps provide a cleaner, scalable model for SNI-based host routing.<\/li>\n<li><strong>Example:<\/strong> Migrate from \u201cclassic\u201d <code>compute ssl-certificates<\/code> attachments to Certificate Manager map-based attachments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Blue\/green certificate rollouts (risk reduction)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A new cert chain causes client compatibility issues; need safe rollback.<\/li>\n<li><strong>Why it fits:<\/strong> You can maintain multiple certs and switch mapping.<\/li>\n<li><strong>Example:<\/strong> Test new intermediate chain on a subset of hostnames, then expand.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Central inventory and audit of certificates<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Certificates are scattered across teams and tooling; no clear owner.<\/li>\n<li><strong>Why it fits:<\/strong> Certificates and maps are first-class resources; changes are auditable.<\/li>\n<li><strong>Example:<\/strong> 
Compliance team reviews certificate list, domains, and rotation schedules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Rapid incident response (revoke\/replace compromised cert)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Private key compromise requires immediate replacement and re-deployment.<\/li>\n<li><strong>Why it fits:<\/strong> Upload replacement cert\/key and re-map quickly.<\/li>\n<li><strong>Example:<\/strong> Emergency rotate the cert used by <code>login.example.com<\/code> with minimal service disruption.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Consistent TLS termination for static sites and APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Different platforms have different certificate mechanisms; inconsistent.<\/li>\n<li><strong>Why it fits:<\/strong> Unify TLS at the load balancer edge.<\/li>\n<li><strong>Example:<\/strong> Static assets in Cloud Storage and APIs in Cloud Run both served under <code>www.example.com<\/code> via one LB with Certificate Manager.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Sandbox environments that mimic production TLS topology<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Dev\/test environments don\u2019t match production TLS setup, so issues appear late.<\/li>\n<li><strong>Why it fits:<\/strong> Same certificate map model and attachment workflow can be used in non-prod.<\/li>\n<li><strong>Example:<\/strong> Stage environment uses its own domain and Certificate Manager resources to test rotations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Google Cloud evolves quickly. 
For any feature\u2019s exact availability by load balancer type\/region, <strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Google-managed certificates (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Google provisions and renews domain-validated certificates for your domains.<\/li>\n<li><strong>Why it matters:<\/strong> Eliminates renewal outages and most manual CA work.<\/li>\n<li><strong>Practical benefit:<\/strong> Fewer pager incidents and less operational toil.<\/li>\n<li><strong>Caveats:<\/strong> Requires domain control validation and correct DNS\/routing. Provisioning time can be non-instant.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Self-managed certificates (upload your own)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> You upload a certificate chain and private key (PEM) to be deployed via supported integrations.<\/li>\n<li><strong>Why it matters:<\/strong> Supports enterprise PKI, custom chains, and migration scenarios.<\/li>\n<li><strong>Practical benefit:<\/strong> Keep using your preferred CA while still centralizing deployment.<\/li>\n<li><strong>Caveats:<\/strong> You are responsible for renewal and key management practices.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Certificate maps (SNI-driven certificate selection)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> A certificate map selects the right certificate based on the hostname requested by the client (SNI).<\/li>\n<li><strong>Why it matters:<\/strong> You can host multiple domains on the same IP\/load balancer cleanly.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduce infrastructure sprawl and simplify operations.<\/li>\n<li><strong>Caveats:<\/strong> You must design hostname coverage carefully (overlaps, default behavior). 
Verify wildcard\/priority behavior in docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Certificate map entries (hostname routing rules)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Each entry maps a hostname (or supported hostname pattern) to one or more certificates.<\/li>\n<li><strong>Why it matters:<\/strong> Fine-grained control over which cert is presented for each hostname.<\/li>\n<li><strong>Practical benefit:<\/strong> Per-domain rotations and migrations without changing the load balancer topology.<\/li>\n<li><strong>Caveats:<\/strong> Limits\/quotas apply (number of entries, hostnames, etc.); verify current quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 DNS authorizations (domain control validation)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides a DNS record you publish to prove you control a domain for managed certificate issuance.<\/li>\n<li><strong>Why it matters:<\/strong> Domain validation is required for public-trust managed certs.<\/li>\n<li><strong>Practical benefit:<\/strong> Repeatable, auditable validation workflow.<\/li>\n<li><strong>Caveats:<\/strong> DNS delegation and propagation issues are the most common cause of provisioning delays.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 API-driven lifecycle + IAM integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Manage resources through Google Cloud Console, <code>gcloud<\/code>, REST APIs, and IaC tools.<\/li>\n<li><strong>Why it matters:<\/strong> Automation and guardrails reduce manual mistakes.<\/li>\n<li><strong>Practical benefit:<\/strong> CI\/CD pipelines can update certificates\/maps safely with approvals.<\/li>\n<li><strong>Caveats:<\/strong> Use least-privilege roles; avoid granting broad <code>Owner<\/code> access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Integration with Cloud Load Balancing (primary 
integration)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Attach certificate maps to supported load balancer target proxies so traffic gets the correct certificate.<\/li>\n<li><strong>Why it matters:<\/strong> Load balancers are the common TLS termination point.<\/li>\n<li><strong>Practical benefit:<\/strong> Central TLS at the edge with consistent behavior.<\/li>\n<li><strong>Caveats:<\/strong> Not every Google Cloud product endpoint uses Certificate Manager; verify supported targets.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Certificate Manager sits in the control plane:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You create certificate-related resources (certificates, DNS authorizations, maps).<\/li>\n<li>You attach a <strong>certificate map<\/strong> to a supported ingress datapath (typically a load balancer target proxy).<\/li>\n<li>Google\u2019s edge\/load balancing infrastructure presents the correct certificate during the TLS handshake based on SNI.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request \/ data \/ control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane flow<\/strong><ul>\n<li>Admin\/operator uses Console\/CLI\/API to create:<ul>\n<li>DNS authorization \u2192 publish DNS record<\/li>\n<li>Certificate \u2192 becomes ACTIVE after validation\/issuance (managed) or immediately stored (self-managed)<\/li>\n<li>Certificate map + entry \u2192 connect hostname \u2192 certificate<\/li>\n<\/ul>\n<\/li>\n<li>Attach certificate map to target proxy<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data plane flow<\/strong><ul>\n<li>Client connects to load balancer IP\/hostname.<\/li>\n<li>TLS handshake includes SNI hostname.<\/li>\n<li>Load balancer selects the certificate from the certificate map entry and presents it.<\/li>\n<li>After TLS termination, HTTP(S) request routes to backends (VMs, NEGs, backend bucket, etc.).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Load Balancing<\/strong>: TLS termination and SNI selection via certificate maps.<\/li>\n<li><strong>Cloud DNS<\/strong>: Publish A\/AAAA records and validation records for domain authorization.<\/li>\n<li><strong>Cloud Logging \/ Monitoring<\/strong>: Observe LB traffic, error rates, and operational events.<\/li>\n<li><strong>Cloud Audit Logs<\/strong>: Track who changed certificates\/maps and when.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS provider (Cloud DNS or external) for validation records.<\/li>\n<li>Load balancer\/proxy resources for actual TLS serving.<\/li>\n<li>Optionally your CA and secure key generation processes (for self-managed).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM governs management actions:<\/li>\n<li>Creating\/updating certificates and maps.<\/li>\n<li>Viewing certificate metadata.<\/li>\n<li>Private keys for self-managed certs are sensitive; treat upload permissions as highly privileged.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager resources themselves are not \u201cin your VPC.\u201d<\/li>\n<li>The certificates are used by Google-managed frontends (load balancing\/edge) when attached.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring \/ logging \/ governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Cloud Audit Logs to monitor:<\/li>\n<li>Certificate creation\/updates<\/li>\n<li>Map and map entry changes<\/li>\n<li>Permission denials (potential misconfigurations)<\/li>\n<li>Use LB logs\/metrics to detect:<\/li>\n<li>TLS handshake failures<\/li>\n<li>Sudden traffic drops after a certificate change<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[Client Browser \/ API Client] --&gt;|TLS + SNI hostname| B[Cloud Load Balancing&lt;br\/&gt;Target HTTPS Proxy]\n  B --&gt;|Select cert via map| C[Certificate Manager&lt;br\/&gt;Certificate Map]\n  C --&gt; D[Certificate&lt;br\/&gt;(Google-managed or Self-managed)]\n  B --&gt;|HTTP to backend| E[Backend Service&lt;br\/&gt;(VMs\/NEGs\/Cloud Run\/etc.)]\n  F[DNS Provider \/ Cloud DNS] --&gt;|A\/AAAA + validation records| A\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet\n    U[Users \/ Clients]\n  end\n\n  subgraph DNS\n    DNSP[Cloud DNS \/ External DNS]\n  end\n\n  subgraph GoogleCloud[Google Cloud Project: edge-ingress-prod]\n    IP[Global Static IP]\n    FR[Forwarding Rule :443]\n    THP[Target HTTPS Proxy&lt;br\/&gt;--certificate-map]\n    UM[URL Map]\n    BKS[Backend Services \/ Backends]\n    LOG[Cloud Logging \/ Monitoring]\n    AUD[Cloud Audit Logs]\n  end\n\n  subgraph Certs[Certificate Manager]\n    DMA[DNS Authorization]\n    CERT[Certificate(s)]\n    CM[Certificate Map]\n    CME[Certificate Map Entries&lt;br\/&gt;(hostnames)]\n  end\n\n  U --&gt; DNSP\n  DNSP --&gt;|A\/AAAA record| IP\n  U --&gt;|TLS + SNI| IP --&gt; FR --&gt; THP --&gt; UM --&gt; BKS\n\n  THP --&gt;|SNI lookup| CM --&gt; CME --&gt; CERT\n  CERT --&gt;|Managed cert validation| DMA\n  DNSP --&gt;|Publish validation record| DMA\n\n  THP --&gt; LOG\n  Certs --&gt; AUD\n  GoogleCloud --&gt; AUD\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account \/ project requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Google Cloud project with <strong>billing enabled<\/strong>.<\/li>\n<li>A domain name you control (recommended for managed certificate labs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You can complete this tutorial with project-level permissions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager:<ul>\n<li><code>roles\/certificatemanager.admin<\/code> (or least-privileged equivalent)<\/li>\n<\/ul>\n<\/li>\n<li>Load Balancing \/ Compute:<ul>\n<li><code>roles\/compute.loadBalancerAdmin<\/code> (or <code>roles\/compute.admin<\/code> for broad labs)<\/li>\n<\/ul>\n<\/li>\n<li>Cloud DNS (if using Cloud DNS):<ul>\n<li><code>roles\/dns.admin<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Storage (if using a backend bucket lab):<ul>\n<li><code>roles\/storage.admin<\/code> (or narrower permissions for bucket creation and object upload)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>In production, prefer least privilege and separation of duties.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud CLI: <code>gcloud<\/code><br\/>\n  Install: https:\/\/cloud.google.com\/sdk\/docs\/install<\/li>\n<li>Optional but useful:<ul>\n<li><code>openssl<\/code> for certificate and TLS verification<\/li>\n<li><code>dig<\/code> or <code>nslookup<\/code> for DNS verification<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager and Cloud Load Balancing are broadly available, but specific combinations (global vs regional resources) can differ.<br\/>\n<strong>Verify supported locations and target proxy types in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas \/ limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quotas exist for certificates, maps, and entries, and for load balancer resources.<\/li>\n<li>If you hit quota errors, 
request increases in the Google Cloud Console \u2192 Quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services\/APIs<\/h3>\n\n\n\n<p>Enable these APIs (minimum for this lab):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager API<\/li>\n<li>Compute Engine API (for load balancer resources)<\/li>\n<li>Cloud DNS API (optional, if you use Cloud DNS)<\/li>\n<li>Cloud Storage API (optional, if you use a backend bucket)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Certificate Manager cost is usually not the largest part of an HTTPS setup; <strong>Cloud Load Balancing runtime<\/strong> is commonly the main cost driver.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing sources (verify current SKUs)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager pricing: https:\/\/cloud.google.com\/certificate-manager\/pricing<\/li>\n<li>Google Cloud Pricing Calculator: https:\/\/cloud.google.com\/products\/calculator<\/li>\n<\/ul>\n\n\n\n<p>Because pricing and SKUs can change by date, feature, and location, <strong>do not rely on third-party blog numbers<\/strong>. 
Always confirm on the official pricing page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to understand<\/h3>\n\n\n\n<p>Verify on the official pricing page, but expect costs to fall into categories such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager resource charges (if any) for:<ul>\n<li>Managed certificate lifecycle<\/li>\n<li>Stored certificates and\/or map entries<\/li>\n<\/ul>\n<\/li>\n<li>Dependent service charges (often larger):<ul>\n<li>Cloud Load Balancing (forwarding rules, data processing, rule evaluations, etc.)<\/li>\n<li>Cloud DNS (zone and query charges)<\/li>\n<li>Cloud Storage (object storage and egress, if you use backend buckets)<\/li>\n<li>Data egress to the internet (varies by region and path)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud has various free tiers across products, but free tier eligibility is product-specific.<br\/>\n<strong>Verify whether Certificate Manager has a free tier and what it covers on the official pricing page.<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Main cost drivers (typical)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Load Balancer hours and traffic volume<\/strong> (often dominant)<\/li>\n<li><strong>Internet egress<\/strong> (serving content to users)<\/li>\n<li><strong>Cloud DNS queries<\/strong> (especially at scale)<\/li>\n<li><strong>Certificate inventory scale<\/strong> (number of certificates\/domains, depending on pricing model)<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden \/ indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keeping a load balancer running 24\/7 for a small test can cost more than expected.<\/li>\n<li>Enabling Cloud CDN or advanced LB features increases cost.<\/li>\n<li>Operational overhead: time spent debugging DNS validation, managing domain delegation, and incident response.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost optimization tips<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Use one shared load balancer where appropriate rather than many small ones.<\/li>\n<li>Keep test environments short-lived; automate teardown.<\/li>\n<li>Avoid enabling Cloud CDN for labs unless you need it.<\/li>\n<li>Use a minimal backend (small static site) to validate TLS quickly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (how to think about it)<\/h3>\n\n\n\n<p>For a small lab:\n&#8211; <strong>1 external HTTPS load balancer<\/strong> (running briefly)\n&#8211; <strong>1 static backend bucket<\/strong> with a tiny page\n&#8211; <strong>Low traffic<\/strong> (a few test requests)\n&#8211; <strong>1\u20132 domains<\/strong> for certificate testing<\/p>\n\n\n\n<p>Your cost will largely be:\n&#8211; Load balancer runtime + any minimum resource charges\n&#8211; Small Cloud Storage + egress for test downloads\n&#8211; DNS zone\/query charges if using Cloud DNS<\/p>\n\n\n\n<p>Use the pricing calculator to model a one-day lab vs a full month.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production:\n&#8211; Many hostnames (multi-tenant), potentially many certificates\n&#8211; High throughput traffic (LB processing + egress)\n&#8211; DNS query volume (including health checking and client lookups)\n&#8211; Multi-region architecture (more LBs, more IPs, more rules)\n&#8211; Operational cost of managing keys\/certs if self-managed<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Provision and deploy an HTTPS certificate using <strong>Google Cloud Certificate Manager<\/strong>, attach it to a <strong>global external HTTPS load balancer<\/strong> via a <strong>certificate map<\/strong>, and validate TLS from a client.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. 
Create a minimal backend (static page in Cloud Storage) and an external HTTPS load balancer.\n2. Reserve a global IP for the load balancer.\n3. Create Certificate Manager resources:\n   &#8211; DNS authorization (for managed certificate)\n   &#8211; Managed certificate\n   &#8211; Certificate map and map entry\n4. Attach the certificate map to the target HTTPS proxy.\n5. Update DNS to point your domain to the load balancer IP and publish the DNS authorization record.\n6. Validate the certificate becomes ACTIVE and confirm HTTPS works.\n7. Clean up resources.<\/p>\n\n\n\n<blockquote>\n<p>Important: A Google-managed certificate requires you to control DNS for the domain. If you don\u2019t have a domain you can modify, skip to the <strong>Self-managed (demo) alternative<\/strong> inside Step 4.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Set up your environment and enable APIs<\/h3>\n\n\n\n<p><strong>1.1 Set environment variables<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\nexport DOMAIN=\"example.yourdomain.com\"   # a hostname you control (recommended)\nexport LOCATION=\"global\"\n\n# Load balancer resource names\nexport BUCKET_NAME=\"${PROJECT_ID}-cm-lab-bucket\"\nexport BACKEND_BUCKET_NAME=\"cm-lab-backend-bucket\"\nexport URL_MAP_NAME=\"cm-lab-url-map\"\nexport HTTPS_PROXY_NAME=\"cm-lab-https-proxy\"\nexport FORWARDING_RULE_NAME=\"cm-lab-fr-https\"\nexport ADDRESS_NAME=\"cm-lab-ip\"\n\n# Certificate Manager resource names\nexport DNS_AUTH_NAME=\"cm-lab-dns-auth\"\nexport CERT_NAME=\"cm-lab-cert\"\nexport CERT_MAP_NAME=\"cm-lab-cert-map\"\nexport CERT_MAP_ENTRY_NAME=\"cm-lab-cert-map-entry\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have consistent names to copy\/paste.<\/p>\n\n\n\n<p><strong>1.2 Set your project<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud config set project 
\"${PROJECT_ID}\"\n<\/code><\/pre>\n\n\n\n<p><strong>1.3 Enable required APIs<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable \\\n  certificatemanager.googleapis.com \\\n  compute.googleapis.com \\\n  storage.googleapis.com\n<\/code><\/pre>\n\n\n\n<p>If you will use Cloud DNS in this lab, also enable:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable dns.googleapis.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> APIs enabled successfully (may take a minute).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a minimal backend (Cloud Storage static content)<\/h3>\n\n\n\n<p>This creates a tiny backend to serve behind the load balancer.<\/p>\n\n\n\n<p><strong>2.1 Create a bucket<\/strong><\/p>\n\n\n\n<p>Using <code>gcloud storage<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage buckets create \"gs:\/\/${BUCKET_NAME}\" --location=US\n<\/code><\/pre>\n\n\n\n<p><strong>2.2 Upload a simple page<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt; index.html &lt;&lt;'EOF'\n&lt;!doctype html&gt;\n&lt;html&gt;\n  &lt;head&gt;&lt;meta charset=\"utf-8\"&gt;&lt;title&gt;Certificate Manager Lab&lt;\/title&gt;&lt;\/head&gt;\n  &lt;body&gt;\n    &lt;h1&gt;HTTPS is working via Google Cloud Certificate Manager&lt;\/h1&gt;\n  &lt;\/body&gt;\n&lt;\/html&gt;\nEOF\n\ngcloud storage cp index.html \"gs:\/\/${BUCKET_NAME}\/index.html\"\n<\/code><\/pre>\n\n\n\n<p><strong>2.3 Make the object publicly readable (lab only)<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage objects update \"gs:\/\/${BUCKET_NAME}\/index.html\" --add-acl-grant=entity=AllUsers,role=READER\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>index.html<\/code> is accessible publicly (only for lab simplicity).<br\/>\nIn production, use private buckets and appropriate access patterns.<\/p>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create an external HTTPS load balancer (without certificate attached yet)<\/h3>\n\n\n\n<p>You\u2019ll create the load balancer resources and reserve a global IP.<\/p>\n\n\n\n<p><strong>3.1 Reserve a global static IP<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute addresses create \"${ADDRESS_NAME}\" --global\n<\/code><\/pre>\n\n\n\n<p>Get the reserved IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export LB_IP=\"$(gcloud compute addresses describe \"${ADDRESS_NAME}\" --global --format='value(address)')\"\necho \"Load balancer IP: ${LB_IP}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have a stable IPv4 address for DNS.<\/p>\n\n\n\n<p><strong>3.2 Create a backend bucket<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute backend-buckets create \"${BACKEND_BUCKET_NAME}\" \\\n  --gcs-bucket-name=\"${BUCKET_NAME}\"\n<\/code><\/pre>\n\n\n\n<p><strong>3.3 Create a URL map<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute url-maps create \"${URL_MAP_NAME}\" \\\n  --default-backend-bucket=\"${BACKEND_BUCKET_NAME}\"\n<\/code><\/pre>\n\n\n\n<p>At this point you have an HTTPS LB \u201cskeleton\u201d but no target HTTPS proxy yet (we\u2019ll create it after the certificate map exists).<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Backend bucket + URL map exist.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create Certificate Manager resources (managed certificate path)<\/h3>\n\n\n\n<p>This is the core of the lab.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 4A (Recommended): Google-managed certificate with DNS authorization<\/h4>\n\n\n\n<p><strong>4A.1 Create DNS authorization<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager dns-authorizations create \"${DNS_AUTH_NAME}\" \\\n  --domain=\"${DOMAIN}\" \\\n  
--location=\"${LOCATION}\"\n<\/code><\/pre>\n\n\n\n<p>Now retrieve the required DNS record details that prove domain control:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager dns-authorizations describe \"${DNS_AUTH_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --format=\"value(dnsResourceRecord.name,dnsResourceRecord.type,dnsResourceRecord.data)\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The command prints a DNS record (name\/type\/data) you must publish exactly.<\/p>\n\n\n\n<p><strong>4A.2 Publish DNS records<\/strong>\nYou must publish <strong>two<\/strong> DNS things:<\/p>\n\n\n\n<p>1) The <strong>DNS authorization<\/strong> record (printed above).<br\/>\n2) An <strong>A record<\/strong> pointing your hostname to the load balancer IP:\n&#8211; <code>DOMAIN<\/code> \u2192 <code>LB_IP<\/code><\/p>\n\n\n\n<p>How you do this depends on your DNS provider:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your DNS is in <strong>Cloud DNS<\/strong>, add records using <code>gcloud dns record-sets ...<\/code> (requires an existing public zone and domain delegation).<\/li>\n<li>If your DNS is elsewhere (Route 53, Cloudflare, etc.), add records there.<\/li>\n<\/ul>\n\n\n\n<p>Because zones and delegation vary, the safest instruction is:\n&#8211; Add the record exactly as shown by <code>dns-authorizations describe<\/code>\n&#8211; Add the A record: hostname <code>${DOMAIN}<\/code> \u2192 <code>${LB_IP}<\/code><\/p>\n\n\n\n<p><strong>Verification tip (from your workstation):<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\"># verify A record\ndig +short \"${DOMAIN}\"\n\n# verify the authorization record: use the exact name printed by the describe command\n# Example:\n# dig +short CNAME _acme-challenge.example.yourdomain.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> DNS resolves correctly (may take time due to TTL\/propagation).<\/p>\n\n\n\n<p><strong>4A.3 Create a Google-managed 
certificate<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager certificates create \"${CERT_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --domains=\"${DOMAIN}\" \\\n  --dns-authorizations=\"${DNS_AUTH_NAME}\"\n<\/code><\/pre>\n\n\n\n<p>Check status:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager certificates describe \"${CERT_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --format=\"value(managed.state)\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Initially the state is typically <code>PROVISIONING<\/code>. It should later become <code>ACTIVE<\/code>.<\/p>\n\n\n\n<p>Provisioning can take time depending on DNS propagation and validation.<\/p>\n\n\n\n<p><strong>4A.4 Create a certificate map and entry<\/strong><\/p>\n\n\n\n<p>Create the map:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager maps create \"${CERT_MAP_NAME}\" \\\n  --location=\"${LOCATION}\"\n<\/code><\/pre>\n\n\n\n<p>Create the map entry for your hostname:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager maps entries create \"${CERT_MAP_ENTRY_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --map=\"${CERT_MAP_NAME}\" \\\n  --hostname=\"${DOMAIN}\" \\\n  --certificates=\"${CERT_NAME}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The certificate map has an entry mapping <code>${DOMAIN}<\/code> to <code>${CERT_NAME}<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h4 class=\"wp-block-heading\">Step 4B (Alternative): Self-managed certificate (demo path)<\/h4>\n\n\n\n<p>Use this if you cannot complete DNS authorization. 
This path demonstrates attachment and SNI mapping, but browsers will not trust a self-signed cert.<\/p>\n\n\n\n<p><strong>4B.1 Generate a self-signed certificate locally<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\"># Short-lived lab certificate. The SAN is required: modern clients (and curl without -k)\n# match the hostname against subjectAltName, not the CN.\nopenssl req -x509 -newkey rsa:2048 -nodes \\\n  -keyout key.pem -out cert.pem -days 7 \\\n  -subj \"\/CN=${DOMAIN}\" \\\n  -addext \"subjectAltName=DNS:${DOMAIN}\"\n<\/code><\/pre>\n\n\n\n<p><strong>4B.2 Create a self-managed certificate resource<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager certificates create \"${CERT_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --certificate-file=\"cert.pem\" \\\n  --private-key-file=\"key.pem\"\n<\/code><\/pre>\n\n\n\n<p><strong>4B.3 Create certificate map and entry (same as Step 4A.4)<\/strong><br\/>\nRun the same <code>maps create<\/code> and <code>maps entries create<\/code> commands as above.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can proceed with the load balancer attachment and test TLS with <code>curl -k<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create the target HTTPS proxy and forwarding rule (attach the certificate map)<\/h3>\n\n\n\n<p><strong>5.1 Create the target HTTPS proxy with the certificate map attached<\/strong><\/p>\n\n\n\n<p>Certificate map full resource name:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export CERT_MAP_RESOURCE=\"projects\/${PROJECT_ID}\/locations\/${LOCATION}\/certificateMaps\/${CERT_MAP_NAME}\"\necho \"${CERT_MAP_RESOURCE}\"\n<\/code><\/pre>\n\n\n\n<p>Create the proxy:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute target-https-proxies create \"${HTTPS_PROXY_NAME}\" \\\n  --url-map=\"${URL_MAP_NAME}\" \\\n  --certificate-map=\"${CERT_MAP_RESOURCE}\" \\\n  --global\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Target HTTPS proxy exists and references the certificate map.<\/p>\n\n\n\n<p><strong>5.2 Create a global forwarding rule for port 
443<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute forwarding-rules create \"${FORWARDING_RULE_NAME}\" \\\n  --global \\\n  --address=\"${ADDRESS_NAME}\" \\\n  --target-https-proxy=\"${HTTPS_PROXY_NAME}\" \\\n  --ports=443\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The load balancer is reachable on <code>${LB_IP}:443<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Wait for certificate activation (managed cert path) and verify HTTPS<\/h3>\n\n\n\n<p>If you used a Google-managed certificate, wait until it becomes ACTIVE:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager certificates describe \"${CERT_NAME}\" \\\n  --location=\"${LOCATION}\" \\\n  --format=\"yaml(managed.state,managed.authorizationAttemptInfo)\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>managed.state: ACTIVE<\/code><\/p>\n\n\n\n<p>Now validate from a client.<\/p>\n\n\n\n<p><strong>6.1 Validate TLS and HTTP response<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -v \"https:\/\/${DOMAIN}\/index.html\"\n<\/code><\/pre>\n\n\n\n<p>If using the self-managed demo certificate, use:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -vk \"https:\/\/${DOMAIN}\/index.html\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You should receive the HTML page and see a successful TLS handshake.<\/p>\n\n\n\n<p><strong>6.2 Verify certificate details (optional, recommended)<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">openssl s_client -connect \"${DOMAIN}:443\" -servername \"${DOMAIN}\" &lt; \/dev\/null 2&gt;\/dev\/null \\\n  | openssl x509 -noout -subject -issuer -dates\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Subject\/issuer\/dates are printed. 
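<\/p>\n\n\n\n<p>Added example (not part of the original tutorial or of Google Cloud tooling): a small Python monitor that does what the <code>openssl s_client<\/code> check above does programmatically, so it can be scheduled against every hostname in a certificate map. It fetches the certificate served for a hostname via SNI (optionally dialing the load balancer IP directly), checks the hostname against the SAN list and reports days to expiry; <code>WARN_DAYS<\/code>, <code>SAMPLE_CERT<\/code> and the demo hostnames are assumptions constructed for this example.<\/p>\n\n\n\n
```python
"""Edge certificate check for a hostname served through a certificate map.

Programmatic version of the openssl s_client check: connect with SNI, read the
leaf certificate, confirm the hostname is covered by the SAN list and report
days to expiry, so it can run as a scheduled monitor across many hostnames.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 21  # assumption: alert when fewer days than this remain

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns; used by
# the offline demo below, a real run replaces it with fetch_cert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.yourdomain.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "example.yourdomain.com"), ("DNS", "*.apps.yourdomain.com")),
    "notBefore": "Apr  1 00:00:00 2026 GMT",
    "notAfter": "Jun 30 00:00:00 2026 GMT",
}


def san_dns_names(cert):
    """DNS names in subjectAltName; the CN is ignored, as modern clients do."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """RFC 6125 style match: exact SAN entry or a single leftmost wildcard label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names(cert):
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        # "*.apps.example" covers "x.apps.example" but not "a.b.apps.example"
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days left on notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def evaluate(cert, hostname, now=None, warn_days=WARN_DAYS):
    """Return (ok, findings) for the certificate actually served for hostname."""
    findings = []
    if not hostname_matches(cert, hostname):
        # In this lab the usual cause is connecting by IP or by a hostname with no map entry.
        findings.append(f"{hostname} not covered by SAN {san_dns_names(cert)} (SNI / map entry mismatch?)")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} day(s) ago")
    elif days < warn_days:
        findings.append(f"certificate expires in {days} day(s)")
    return not findings, findings


def fetch_cert(hostname, port=443, connect_to=None, timeout=10.0):
    """Leaf certificate the edge presents for hostname (sent as SNI).

    connect_to dials the load balancer IP directly while still sending the right
    SNI (useful before DNS has propagated). The chain is verified against the
    system trust store; only the hostname check is left to evaluate() so that a
    mismatch becomes a finding instead of a failed handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((connect_to or hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(hostname, cert, now=None):
    ok, findings = evaluate(cert, hostname, now)
    print(f"{'OK  ' if ok else 'FAIL'} {hostname}: {days_until_expiry(cert, now)} day(s) left")
    for finding in findings:
        print(f"      - {finding}")
    return ok


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # usage: check_edge_cert.py HOSTNAME [LB_IP]
        host, target = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
        try:
            cert = fetch_cert(host, connect_to=target)
        except ssl.SSLCertVerificationError as exc:
            sys.exit(f"FAIL {host}: chain not trusted ({exc.verify_message})")
        sys.exit(0 if report(host, cert) else 1)
    # Offline demo on the constructed certificate with the clock pinned to 2026-06-15
    demo_now = datetime(2026, 6, 15, tzinfo=timezone.utc)
    for name in ("example.yourdomain.com", "tenant1.apps.yourdomain.com", "203.0.113.10"):
        report(name, SAMPLE_CERT, demo_now)
```
\n\n\n\n<p>With no arguments it runs the offline demo; against the lab, pass <code>${DOMAIN}<\/code> and, before DNS has propagated, <code>${LB_IP}<\/code> as the second argument.<\/p>\n\n\n\n<p>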
For Google-managed certs, the issuer will be a public CA chain used by Google at issuance time.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<p>1) Certificate Manager resources exist:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager certificates list --location=\"${LOCATION}\"\ngcloud certificate-manager maps list --location=\"${LOCATION}\"\ngcloud certificate-manager maps entries list --location=\"${LOCATION}\" --map=\"${CERT_MAP_NAME}\"\n<\/code><\/pre>\n\n\n\n<p>2) Target HTTPS proxy uses the certificate map:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute target-https-proxies describe \"${HTTPS_PROXY_NAME}\" --global \\\n  --format=\"value(certificateMap)\"\n<\/code><\/pre>\n\n\n\n<p>3) DNS points to the load balancer IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig +short \"${DOMAIN}\"\n<\/code><\/pre>\n\n\n\n<p>4) HTTPS works:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -I \"https:\/\/${DOMAIN}\/index.html\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<p><strong>1) Managed certificate stuck in PROVISIONING<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> DNS authorization record is missing\/incorrect or not propagated.<\/li>\n<li><strong>Fix:<\/strong> Re-run the describe command, make sure the published DNS record matches it exactly (name\/type\/data), and verify with <code>dig<\/code>.<\/li>\n<\/ul>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager dns-authorizations describe \"${DNS_AUTH_NAME}\" --location=\"${LOCATION}\"\n<\/code><\/pre>\n\n\n\n<p><strong>2) DNS resolves to the wrong IP<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> A record not updated, or multiple records exist.<\/li>\n<li><strong>Fix:<\/strong> Ensure <code>${DOMAIN}<\/code> points to <code>${LB_IP}<\/code> and wait for the TTL to expire.<\/li>\n<\/ul>\n\n\n\n<p><strong>3) TLS handshake fails \/ connection refused<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> Forwarding rule or proxy not created properly.<\/li>\n<li><strong>Fix:<\/strong> Check the forwarding rule and proxy:<\/li>\n<\/ul>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute forwarding-rules describe \"${FORWARDING_RULE_NAME}\" --global\ngcloud compute target-https-proxies describe \"${HTTPS_PROXY_NAME}\" --global\n<\/code><\/pre>\n\n\n\n<p><strong>4) Certificate name mismatch<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> You connected by IP or by the wrong hostname, so the SNI value did not match any map entry.<\/li>\n<li><strong>Fix:<\/strong> Always connect using the hostname in the map entry:<\/li>\n<\/ul>\n\n\n\n<pre><code class=\"language-bash\">curl -v \"https:\/\/${DOMAIN}\/\"\n<\/code><\/pre>\n\n\n\n<p><strong>5) Public DNS managed zone issues (Cloud DNS)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> Domain not delegated to Cloud DNS name servers.<\/li>\n<li><strong>Fix:<\/strong> Update NS records at your domain registrar to delegate to the Cloud DNS zone (or use your existing DNS provider instead).<\/li>\n<\/ul>\n\n\n\n<p><strong>6) CAA record blocks issuance<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> Your domain has CAA records allowing only certain CAs.<\/li>\n<li><strong>Fix:<\/strong> Update CAA records to allow the CA used for Google-managed certificates (details vary). <strong>Verify the correct CAA settings in official docs.<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs (especially load balancer costs), delete resources when done.<\/p>\n\n\n\n<p><strong>Delete load balancer resources<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud compute forwarding-rules delete \"${FORWARDING_RULE_NAME}\" --global --quiet\ngcloud compute target-https-proxies delete \"${HTTPS_PROXY_NAME}\" --global --quiet\ngcloud compute url-maps delete \"${URL_MAP_NAME}\" --quiet\ngcloud compute backend-buckets delete \"${BACKEND_BUCKET_NAME}\" --quiet\ngcloud compute addresses delete \"${ADDRESS_NAME}\" --global --quiet\n<\/code><\/pre>\n\n\n\n<p><strong>Delete Certificate Manager resources<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud certificate-manager maps entries delete \"${CERT_MAP_ENTRY_NAME}\" \\\n  --location=\"${LOCATION}\" --map=\"${CERT_MAP_NAME}\" --quiet\n\ngcloud certificate-manager maps delete \"${CERT_MAP_NAME}\" \\\n  --location=\"${LOCATION}\" --quiet\n\ngcloud certificate-manager certificates delete \"${CERT_NAME}\" \\\n  --location=\"${LOCATION}\" --quiet\n\ngcloud certificate-manager dns-authorizations delete \"${DNS_AUTH_NAME}\" \\\n  --location=\"${LOCATION}\" --quiet\n<\/code><\/pre>\n\n\n\n<p><strong>Delete storage resources<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud storage rm -r \"gs:\/\/${BUCKET_NAME}\"\nrm -f index.html cert.pem key.pem\n<\/code><\/pre>\n\n\n\n<p>If you created DNS records for the lab, remove them from your DNS provider.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Terminate TLS at a small number of well-managed ingress points (load balancers) rather than distributing certs across many backends.<\/li>\n<li>Use certificate maps to support multi-domain hosting cleanly with SNI.<\/li>\n<li>Separate environments (dev\/stage\/prod) by project and\/or domain hierarchy:\n<ul class=\"wp-block-list\">\n<li><code>dev.example.com<\/code>, <code>staging.example.com<\/code>, <code>example.com<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM \/ security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege:\n<ul class=\"wp-block-list\">\n<li>Allow only a small group to upload <strong>self-managed<\/strong> private keys.<\/li>\n<li>Separate roles for managing certs vs attaching to load balancers.<\/li>\n<\/ul>\n<\/li>\n<li>Prefer short-lived, approved change windows for certificate rotations.<\/li>\n<li>Use IAM Conditions where appropriate (for example, restrict access by resource name prefix). 
Verify best practices and feasibility in your org.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid leaving lab load balancers running.<\/li>\n<li>Consolidate hostnames behind fewer load balancers where it makes sense.<\/li>\n<li>Consider whether you need premium edge features (CDN, WAF, etc.)\u2014those drive cost more than certificates.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep TLS at the edge; avoid re-terminating TLS multiple times unless required.<\/li>\n<li>Use modern TLS policies\/ciphers supported by your load balancer configuration (policy controls may live in load balancer configuration rather than Certificate Manager\u2014verify current controls).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor certificate expiration even for managed certs (managed renewals are robust but operational visibility is still important).<\/li>\n<li>Run regular DNS validation checks for critical domains.<\/li>\n<li>Maintain runbooks:\n<ul class=\"wp-block-list\">\n<li>\u201cCertificate stuck provisioning\u201d<\/li>\n<li>\u201cUnexpected certificate served\u201d<\/li>\n<li>\u201cEmergency rotation\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize resource naming, for example:\n<ul class=\"wp-block-list\">\n<li><code>cm-${env}-${app}-cert<\/code><\/li>\n<li><code>cm-${env}-map<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Use labels\/tags where supported for cost allocation and ownership.<\/li>\n<li>Record domain ownership and DNS provider ownership in your CMDB or internal docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define domain onboarding requirements:\n<ul class=\"wp-block-list\">\n<li>Approved DNS zones<\/li>\n<li>Required CAA record policy<\/li>\n<li>Required contact and escalation path<\/li>\n<\/ul>\n<\/li>\n<li>Use change management: PR-based IaC with approvals for certificate map changes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate Manager uses <strong>IAM<\/strong>. Control access to:\n<ul class=\"wp-block-list\">\n<li>Create\/update\/delete certificates<\/li>\n<li>Create\/update\/delete certificate maps and map entries<\/li>\n<li>View certificate metadata<\/li>\n<\/ul>\n<\/li>\n<li>Treat self-managed certificate upload permissions as highly sensitive because private keys are involved.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TLS provides encryption in transit for client-to-edge connections.<\/li>\n<li>For self-managed certs, protect private keys at rest and in CI\/CD systems:\n<ul class=\"wp-block-list\">\n<li>Generate keys in controlled environments<\/li>\n<li>Limit who can access and upload them<\/li>\n<li>Avoid storing private keys in source code repositories<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificates are presented by the load balancer; exposure depends on:\n<ul class=\"wp-block-list\">\n<li>Whether the load balancer is external vs internal<\/li>\n<li>Firewall and backend access controls<\/li>\n<\/ul>\n<\/li>\n<li>Ensure you do not accidentally expose internal services via an external LB.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not pass private keys around in chat tools or tickets.<\/li>\n<li>Avoid long-lived copies of private keys on developer laptops.<\/li>\n<li>Consider using dedicated secure pipelines for key handling and enforce approvals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit \/ logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and review <strong>Cloud Audit Logs<\/strong> 
for:\n<ul class=\"wp-block-list\">\n<li>Certificate Manager admin actions<\/li>\n<li>Compute\/load balancer configuration changes<\/li>\n<\/ul>\n<\/li>\n<li>Keep logs for an appropriate retention period for compliance needs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use managed certificates for standardized public trust and renewal automation where policy allows.<\/li>\n<li>For regulated environments requiring private PKI, evaluate <strong>Certificate Authority Service<\/strong> plus controlled issuance workflows (and then deploy resulting certs as self-managed, if appropriate).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granting broad project <code>Owner<\/code> to many users \u201cjust to get TLS working.\u201d<\/li>\n<li>Uploading self-managed private keys without clear ownership and rotation policies.<\/li>\n<li>DNS misconfigurations leading to domain takeover risks (e.g., dangling records that still point at an IP or resource you no longer control). Maintain DNS hygiene.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer managed certificates where possible and allowed.<\/li>\n<li>Enforce least privilege and separation of duties.<\/li>\n<li>Keep DNS zones secured (registrar lock, MFA, restricted admin access).<\/li>\n<li>Monitor for unexpected certificate map changes (alert on audit logs).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Treat this section as a practical checklist; <strong>verify current limits and supported integrations in official docs<\/strong> because they can change.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ constraints (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Not every Google Cloud endpoint<\/strong> can directly use Certificate Manager. 
Many products manage certificates independently.<\/li>\n<li><strong>DNS propagation<\/strong> can delay managed certificate issuance.<\/li>\n<li><strong>SNI requires correct hostname<\/strong>: testing by IP can result in mismatched certificates.<\/li>\n<li><strong>Quotas<\/strong> apply to certificates, maps, and entries.<\/li>\n<li><strong>Location scope matters<\/strong>: Some target proxies are global; some are regional. Resource location must be compatible (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deleting a certificate that is still referenced by a map entry can fail or cause outages\u2014plan dependency order.<\/li>\n<li>Overlapping hostname entries can cause confusion about which certificate is served\u2014use clear naming and avoid ambiguous patterns.<\/li>\n<li>CAA records can unexpectedly block issuance.<\/li>\n<li>If you use external DNS providers with proxy\/CDN features (e.g., \u201corange cloud\u201d proxying), ensure the validation and routing requirements are met.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The load balancer cost can dwarf certificate-related costs.<\/li>\n<li>DNS query charges can be significant at scale.<\/li>\n<li>Internet egress is often the largest cost for public apps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Migrating from legacy load balancer certificate attachments to certificate maps may require careful planning:\n<ul class=\"wp-block-list\">\n<li>Avoid downtime by attaching maps and verifying SNI behavior before removing legacy attachments.<\/li>\n<li>Use staged cutovers by hostname.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Options to consider<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Google Cloud legacy SSL certificate attachments (Compute Engine SSL certificates)<\/strong><br\/>\n  Historically used directly on load balancers; in many architectures, certificate maps are now preferred for scale and manageability. Treat older patterns as legacy if docs recommend migrating.<\/li>\n<li><strong>Google Cloud Certificate Authority Service (CAS)<\/strong><br\/>\n  A private CA \/ PKI service\u2014different scope than Certificate Manager.<\/li>\n<li><strong>AWS Certificate Manager (ACM)<\/strong><br\/>\n  Similar managed cert service for AWS-integrated endpoints.<\/li>\n<li><strong>Azure Key Vault Certificates<\/strong><br\/>\n  Certificate lifecycle integrated with Key Vault and Azure services.<\/li>\n<li><strong>Kubernetes cert-manager (open source)<\/strong><br\/>\n  Good for Kubernetes-native issuance\/renewal, especially inside clusters or with Ingress controllers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Google Cloud Certificate Manager<\/td>\n<td>Centralized TLS cert management for Google Cloud ingress (esp. 
Cloud Load Balancing)<\/td>\n<td>SNI mapping via certificate maps; managed cert lifecycle; IAM + audit integration<\/td>\n<td>Limited to supported integrations; DNS validation complexity<\/td>\n<td>You terminate TLS on Cloud Load Balancing and want scalable, auditable cert operations<\/td>\n<\/tr>\n<tr>\n<td>Compute Engine SSL certificates (legacy pattern)<\/td>\n<td>Older load balancer setups<\/td>\n<td>Simple for single-cert cases<\/td>\n<td>Less scalable for many hostnames; may be legacy vs certificate maps (verify current guidance)<\/td>\n<td>Existing deployments that haven\u2019t migrated yet; short-term compatibility<\/td>\n<\/tr>\n<tr>\n<td>Google Cloud Certificate Authority Service<\/td>\n<td>Private PKI and internal certificates<\/td>\n<td>Managed CA hierarchy, policy, issuance, revocation<\/td>\n<td>Different product and cost; still need deployment mechanism<\/td>\n<td>You need enterprise\/private PKI for internal mTLS or regulated issuance<\/td>\n<\/tr>\n<tr>\n<td>AWS Certificate Manager (ACM)<\/td>\n<td>AWS-native certificate management<\/td>\n<td>Tight AWS integration; managed renewals<\/td>\n<td>Not usable on Google Cloud endpoints<\/td>\n<td>You host workloads primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td>Azure Key Vault Certificates<\/td>\n<td>Azure-native certificate lifecycle<\/td>\n<td>Central secrets + certificate lifecycle<\/td>\n<td>Not a Google Cloud ingress deployment tool<\/td>\n<td>You host workloads primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td>cert-manager (Kubernetes)<\/td>\n<td>Kubernetes-native certificate automation<\/td>\n<td>ACME support; integrates with Ingress; GitOps-friendly<\/td>\n<td>Operational overhead; cluster-centric; still need edge integration<\/td>\n<td>You want cert lifecycle managed in-cluster and accept operating it<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Multi-business-unit shared ingress platform<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA large enterprise runs dozens of business-unit applications behind shared global load balancers. Certificates are managed inconsistently, and several teams have experienced outages due to expiration and last-minute renewals.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Central \u201cedge ingress\u201d project with:\n  &#8211; External HTTPS load balancers\n  &#8211; Certificate Manager certificate maps per environment (prod\/stage)\n&#8211; Domain ownership and DNS managed by a central DNS team (Cloud DNS or approved provider)\n&#8211; Security team controls managed certificate issuance workflow and certificate maps\n&#8211; Application teams own backends (NEGs, services) and URL map routing (via controlled change process)<\/p>\n\n\n\n<p><strong>Why Certificate Manager was chosen<\/strong>\n&#8211; Centralized certificate lifecycle and SNI mapping across many hostnames.\n&#8211; IAM-based separation of duties.\n&#8211; Easier auditing of changes for compliance.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced certificate-related incidents.\n&#8211; Faster onboarding of new domains.\n&#8211; Standardized rotation procedures with clear ownership and audit trails.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Startup \/ small-team example: SaaS with customer subdomains<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA startup runs a SaaS platform where each customer has a subdomain. 
They need HTTPS across many hostnames without manually issuing\/renewing certificates.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Single external HTTPS load balancer\n&#8211; Certificate Manager managed certificates (where supported) for customer-facing domains\n&#8211; Certificate map entries created via automation when new customers are provisioned\n&#8211; Observability via LB logs and basic alerting<\/p>\n\n\n\n<p><strong>Why Certificate Manager was chosen<\/strong>\n&#8211; Minimal ops burden: managed renewals and central mapping.\n&#8211; Clean integration with load balancer used as the ingress for multiple backends.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Rapid customer onboarding with HTTPS by default.\n&#8211; Lower operational risk of certificate expiry.\n&#8211; Simple scaling model without adding a load balancer per customer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is \u201cCertificate Manager\u201d the official Google Cloud product name?<\/strong><br\/>\nYes. Google Cloud\u2019s service is called <strong>Certificate Manager<\/strong>. Always confirm capabilities and supported integrations in the official docs because related certificate features also exist in other products.<\/p>\n\n\n\n<p>2) <strong>What\u2019s the difference between Certificate Manager and Certificate Authority Service?<\/strong><br\/>\nCertificate Manager focuses on <strong>managing and deploying TLS certificates<\/strong> (and mapping them to hostnames) for supported endpoints. <strong>Certificate Authority Service<\/strong> is for <strong>issuing and operating private CAs<\/strong> (PKI).<\/p>\n\n\n\n<p>3) <strong>Do I need to use Cloud DNS with Certificate Manager?<\/strong><br\/>\nNo, but you must be able to publish DNS records for domain authorization and point your domain to the load balancer IP. 
Cloud DNS is convenient but not required.<\/p>\n\n\n\n<p>4) <strong>How does Certificate Manager choose which certificate to present?<\/strong><br\/>\nTypically via <strong>SNI<\/strong> and <strong>certificate map entries<\/strong> that match the requested hostname.<\/p>\n\n\n\n<p>5) <strong>Can I upload my own certificate?<\/strong><br\/>\nYes, using a <strong>self-managed certificate<\/strong> workflow where you provide the certificate chain and private key.<\/p>\n\n\n\n<p>6) <strong>Who should be allowed to upload self-managed private keys?<\/strong><br\/>\nA small, trusted group (security\/platform). Treat it as a privileged action and enforce least privilege.<\/p>\n\n\n\n<p>7) <strong>How long does a Google-managed certificate take to become ACTIVE?<\/strong><br\/>\nIt varies\u2014often minutes to hours\u2014depending on DNS propagation and validation. If it takes too long, check DNS authorization records and A\/AAAA records.<\/p>\n\n\n\n<p>8) <strong>Why is my certificate stuck in PROVISIONING?<\/strong><br\/>\nMost commonly: DNS authorization record not published correctly, not propagated, or domain not properly pointed to the load balancer (depending on validation requirements).<\/p>\n\n\n\n<p>9) <strong>Can I use Certificate Manager for internal-only services?<\/strong><br\/>\nIt depends on the supported integrations (for example, internal load balancer types). <strong>Verify in official docs<\/strong> for your specific internal LB and location constraints.<\/p>\n\n\n\n<p>10) <strong>Do certificate maps work with multiple domains on a single IP?<\/strong><br\/>\nYes\u2014this is a primary use case. SNI allows the load balancer to present the correct certificate.<\/p>\n\n\n\n<p>11) <strong>Can I use wildcard certificates?<\/strong><br\/>\nSupport depends on certificate type and validation method. 
<strong>Verify wildcard support for managed certificates and map entries in the official docs.<\/strong><\/p>\n\n\n\n<p>12) <strong>What happens if I delete a certificate that is referenced by a map entry?<\/strong><br\/>\nIt can fail or lead to service disruption. Always remove references (update map entries) before deletion.<\/p>\n\n\n\n<p>13) <strong>Is Certificate Manager a replacement for storing certificates in Secret Manager?<\/strong><br\/>\nNot exactly. Secret Manager is general secret storage. Certificate Manager is for certificate lifecycle + deployment to supported ingress points.<\/p>\n\n\n\n<p>14) <strong>Can I manage Certificate Manager with Terraform?<\/strong><br\/>\nOften yes, via Google Cloud provider resources, but exact resource coverage can change. <strong>Verify current Terraform support and versions<\/strong>.<\/p>\n\n\n\n<p>15) <strong>What\u2019s the safest way to rotate a certificate?<\/strong><br\/>\nCreate the new certificate, update the certificate map entry to point to it, validate, then remove the old certificate after a safe window.<\/p>\n\n\n\n<p>16) <strong>How do I know which certificate is being served in production?<\/strong><br\/>\nUse <code>openssl s_client<\/code> with <code>-servername<\/code>, browser inspection tools, and monitor logs\/metrics for TLS handshake errors.<\/p>\n\n\n\n<p>17) <strong>Do I pay for Certificate Manager itself?<\/strong><br\/>\nPricing can change; consult the official pricing page: https:\/\/cloud.google.com\/certificate-manager\/pricing. In many setups, load balancer runtime and egress dominate cost.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Certificate Manager<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Certificate Manager docs \u2014 https:\/\/cloud.google.com\/certificate-manager\/docs<\/td>\n<td>Primary source for current features, supported integrations, and workflows<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Certificate Manager pricing \u2014 https:\/\/cloud.google.com\/certificate-manager\/pricing<\/td>\n<td>Authoritative pricing model and SKU details<\/td>\n<\/tr>\n<tr>\n<td>Pricing tool<\/td>\n<td>Google Cloud Pricing Calculator \u2014 https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Helps estimate load balancer + DNS + egress + certificate-related costs<\/td>\n<\/tr>\n<tr>\n<td>CLI reference<\/td>\n<td>gcloud CLI \u2014 https:\/\/cloud.google.com\/sdk\/gcloud<\/td>\n<td>Practical commands for creating certificates, maps, and DNS authorizations<\/td>\n<\/tr>\n<tr>\n<td>Load balancing docs<\/td>\n<td>Cloud Load Balancing docs \u2014 https:\/\/cloud.google.com\/load-balancing\/docs<\/td>\n<td>Required to understand target proxies, forwarding rules, and HTTPS LB architecture<\/td>\n<\/tr>\n<tr>\n<td>DNS docs<\/td>\n<td>Cloud DNS docs \u2014 https:\/\/cloud.google.com\/dns\/docs<\/td>\n<td>How to publish A\/AAAA and validation records correctly<\/td>\n<\/tr>\n<tr>\n<td>Audit logging<\/td>\n<td>Cloud Audit Logs \u2014 https:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\n<td>Track configuration changes for security and compliance<\/td>\n<\/tr>\n<tr>\n<td>Hands-on labs<\/td>\n<td>Cloud Skills Boost catalog search \u2014 https:\/\/www.cloudskillsboost.google\/catalog?keywords=certificate%20manager<\/td>\n<td>Find up-to-date labs related to certificates and load balancing (availability varies)<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Google Cloud Architecture Center 
\u2014 https:\/\/cloud.google.com\/architecture<\/td>\n<td>Patterns for edge design, multi-domain routing, and security controls<\/td>\n<\/tr>\n<tr>\n<td>Community learning (verify)<\/td>\n<td>Google Cloud community\/tutorials \u2014 https:\/\/cloud.google.com\/community<\/td>\n<td>Practical posts; validate against official docs before production use<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>DevOps + cloud operations; may include Google Cloud security and networking basics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps tooling; may include cloud fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations practitioners<\/td>\n<td>CloudOps practices, monitoring, reliability, deployments<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations, platform engineers<\/td>\n<td>Reliability engineering, incident response, production readiness<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>Automation, monitoring analytics, operational tooling<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Engineers seeking practical guidance<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training (verify course catalog)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps help\/training (treat as a platform; verify)<\/td>\n<td>Teams needing hands-on assistance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support\/training (verify scope)<\/td>\n<td>Ops teams needing implementation support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify exact offerings)<\/td>\n<td>Cloud architecture, DevOps pipelines, operational readiness<\/td>\n<td>TLS termination design, LB standardization, certificate rotation runbooks<\/td>\n<td>https:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps\/cloud consulting and training (verify consulting scope)<\/td>\n<td>Platform engineering, CI\/CD, cloud adoption<\/td>\n<td>Implement IaC for Certificate Manager + load balancers, IAM hardening, migration from legacy cert attachments<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify service catalog)<\/td>\n<td>DevOps process, automation, operations<\/td>\n<td>Production readiness reviews, logging\/auditing setup for certificate changes, cost optimization<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Certificate Manager<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TLS basics: certificates, chains, private keys, SNI, SANs<\/li>\n<li>DNS basics: A\/AAAA, CNAME\/TXT, delegation, TTL<\/li>\n<li>Google Cloud fundamentals:\n<ul class=\"wp-block-list\">\n<li>Projects, IAM, APIs<\/li>\n<li>VPC basics (helpful even though Certificate Manager is control plane)<\/li>\n<\/ul>\n<\/li>\n<li>Cloud Load Balancing fundamentals:\n<ul class=\"wp-block-list\">\n<li>Forwarding rules, target proxies, URL maps, backends<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Certificate Manager<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Advanced Cloud Load Balancing:\n<ul class=\"wp-block-list\">\n<li>Multi-region designs<\/li>\n<li>CDN and caching strategies<\/li>\n<\/ul>\n<\/li>\n<li>Security controls around edge routing (WAF\/Cloud Armor, where applicable)<\/li>\n<li>Incident response for edge systems:\n<ul class=\"wp-block-list\">\n<li>Monitoring, alerting, rollback strategies<\/li>\n<\/ul>\n<\/li>\n<li>Private PKI:\n<ul class=\"wp-block-list\">\n<li>Certificate Authority Service<\/li>\n<li>mTLS patterns (service-to-service), where applicable<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer<\/li>\n<li>Platform Engineer<\/li>\n<li>SRE<\/li>\n<li>DevOps Engineer<\/li>\n<li>Cloud Network Engineer \/ Load Balancing Specialist<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Google Cloud)<\/h3>\n\n\n\n<p>Certificate Manager appears as a supporting skill in broader certifications. 
Consider:\n&#8211; Associate Cloud Engineer\n&#8211; Professional Cloud Architect\n&#8211; Professional Cloud Security Engineer\n&#8211; Professional Cloud Network Engineer<\/p>\n\n\n\n<p>(Always verify the latest exam guides and skill domains on the official certification pages.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a multi-domain HTTPS ingress:\n<ul class=\"wp-block-list\">\n<li>5 hostnames \u2192 1 LB \u2192 different backends<\/li>\n<\/ul>\n<\/li>\n<li>Automate certificate map entry creation for a \u201ctenant onboarding\u201d workflow<\/li>\n<li>Implement a certificate rotation pipeline with pre- and post-validation checks<\/li>\n<li>Create an audit report:\n<ul class=\"wp-block-list\">\n<li>List all certificates, their domains, and map usage<\/li>\n<li>Alert on unexpected changes (audit logs)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TLS (Transport Layer Security):<\/strong> Protocol that encrypts client-server traffic (HTTPS is HTTP over TLS).<\/li>\n<li><strong>SSL:<\/strong> Legacy term often used interchangeably with TLS; modern deployments use TLS.<\/li>\n<li><strong>Certificate (X.509):<\/strong> Data structure binding a public key to identity (domain name), signed by a CA.<\/li>\n<li><strong>Private key:<\/strong> Secret key corresponding to the certificate\u2019s public key; must be protected.<\/li>\n<li><strong>Public CA:<\/strong> Certificate authority trusted by browsers\/OSes.<\/li>\n<li><strong>Domain validation (DV):<\/strong> CA verifies you control the domain (commonly via DNS or HTTP challenge).<\/li>\n<li><strong>SNI (Server Name Indication):<\/strong> TLS extension where the client indicates the hostname it wants, enabling multiple certs on one IP.<\/li>\n<li><strong>SAN (Subject Alternative Name):<\/strong> List of hostnames a certificate covers.<\/li>\n<li><strong>Certificate chain:<\/strong> Leaf certificate + intermediate certificates up 
to a trusted root.<\/li>\n<li><strong>PEM:<\/strong> Common text encoding for certificates and keys (<code>-----BEGIN CERTIFICATE-----<\/code>).<\/li>\n<li><strong>Certificate map:<\/strong> Certificate Manager resource used to select a certificate based on hostname\/SNI.<\/li>\n<li><strong>Certificate map entry:<\/strong> Rule mapping a hostname to one or more certificates.<\/li>\n<li><strong>DNS authorization:<\/strong> Resource representing proof of domain control via a required DNS record.<\/li>\n<li><strong>Forwarding rule:<\/strong> Load balancer resource that binds IP:port to a target proxy.<\/li>\n<li><strong>Target HTTPS proxy:<\/strong> Load balancer resource that terminates HTTPS and routes requests using a URL map.<\/li>\n<li><strong>URL map:<\/strong> Load balancer routing rules (host\/path \u2192 backend).<\/li>\n<li><strong>Backend bucket:<\/strong> Cloud Load Balancing backend that serves content from Cloud Storage.<\/li>\n<li><strong>Cloud Audit Logs:<\/strong> Logs of administrative actions affecting Google Cloud resources.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Google Cloud <strong>Certificate Manager<\/strong> is a Security service for <strong>centralized TLS certificate management and deployment<\/strong>, most commonly used with <strong>Cloud Load Balancing<\/strong>. It helps teams deliver HTTPS reliably by supporting <strong>Google-managed<\/strong> certificates (automated issuance\/renewal where supported) and <strong>self-managed<\/strong> certificates, and by routing certificates to hostnames with <strong>certificate maps<\/strong> and <strong>map entries<\/strong>.<\/p>\n\n\n\n<p>Where it fits best is at the edge of your architecture: a standardized ingress layer that terminates TLS and serves multiple domains safely at scale. 
Cost-wise, the certificate objects are often not the main expense\u2014<strong>load balancer runtime, DNS, and egress<\/strong> typically dominate\u2014so you should optimize around those. From a security perspective, focus on <strong>least privilege<\/strong>, careful <strong>DNS control<\/strong>, strong <strong>private key handling<\/strong> (for self-managed), and <strong>auditability<\/strong>.<\/p>\n\n\n\n<p>Use Certificate Manager when you need scalable, auditable HTTPS certificate operations in Google Cloud. Next step: deepen your Cloud Load Balancing knowledge and practice a certificate rotation workflow end-to-end, including validation and rollback.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-797","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=797"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/797\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=797"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}