Google Cloud recently announced the general availability of Certificate Manager, a service for acquiring, managing, and deploying TLS certificates for use with Google Cloud workloads.
Announced in preview earlier this year, the new service supports self-managed and Google-managed certificates, and has monitoring features to alert when certificates expire. Ryan Hurst and Babi Seal, Product Managers at Google Cloud, explain:
Now you can deploy a new certificate globally in minutes and dramatically simplify and accelerate the deployment of TLS offerings for SaaS. Coupled with DNS authorization support, you can now streamline your workload migrations without major disruptions.
Google-managed certificates are certificates that Google Cloud automatically obtains, manages, and renews, validated through a load balancer or DNS authorization. Certificate Manager also supports self-managed certificates: X.509 TLS certificates that the client manually obtains and uploads to the service.
Certificate Manager integrates with External HTTP(S) Load Balancers and Global External HTTP(S) Load Balancers, but they must be on the Premium Network Service Tier. After validating that the requester controls the domain, the new service can also act as a public certificate authority to provision and deploy widely trusted X.509 certificates. Hurst and Seal add:
During the Certificate Manager private preview of the ACME Certificate Enrollment feature, our users have acquired millions of certificates for their self-managed TLS deployments. Each of these certificates is from Google Trust Services, which means our users get the same TLS device compatibility and scalability that we require for our own services. Our Cloud users get this benefit even when they manage the certificate and private key themselves, all for free.
In announcing general availability, the cloud provider added a number of automation and observability features, including Kubernetes integration previews and self-service ACME certificate enrollment. Plans to support Terraform automation were also announced.
Per Thorsheim, founder of PasswordsCon, comments:
Very happy to see Google Trust Services being DNSSEC signed and having a proper CAA record (obviously!). I still want to push towards the google.com signature (…) Likewise, seeing the absence of MTA-STS & TLS-RPT records makes clown GIFs sad, while Google itself is (was?) promoting their usage.
Google is not the only cloud provider with a managed certificate service: Amazon has offered AWS Certificate Manager (ACM) since 2016. Certificate Manager is also not the only option for managing certificates on Google Cloud: if the deployment does not require wildcard domains and has fewer than 10 certificates per load balancer, Google suggests uploading the certificates directly to Cloud Load Balancer.
There is no additional charge to use Certificate Manager for the first 100 certificates, with a per-certificate, per-month pricing structure for other certificates.