Provision certificates to Google Cloud Classic Load Balancers¶
After you create a Google Cloud Classic Load Balancer machine in Certificate Manager - SaaS, you can provision certificates to it. Provisioning allows Certificate Manager - SaaS to deploy certificates directly to your Google Cloud load balancers, automating certificate deployment and renewal.
Before you begin¶
- Your Google Cloud Classic Load Balancer machine must be created and verified in Certificate Manager - SaaS. See Create a Google Cloud Classic Load Balancer machine.
- The machine must have "VERIFIED" status under the Access tab.
- You must have a certificate with a private key available in Certificate Manager - SaaS:
- Certificate Manager - SaaS-generated certificates
- User-imported certificates with private keys
- You must have appropriate permissions to provision certificates (System Administrator, PKI Administrator, or Resource Owner for certificates you own).
- Your target load balancer resources must already exist in GCP:
- Global Target HTTPS Proxy
- Global Target SSL Proxy, or
- Regional Target HTTPS Proxy
Note
- Provisioning creates a new classic SSL certificate resource in GCP with a timestamp suffix appended to the certificate name.
- During renewal, Certificate Manager - SaaS creates a new timestamped certificate, updates the proxy reference, and removes the previous certificate version.
- Only classic SSL certificates are supported. Certificate Manager certificates and Certificate Map attachment methods are not available.
Provision a certificate¶
To provision a certificate to your Google Cloud Classic Load Balancer, follow these steps:
- Sign in to Certificate Manager - SaaS.
- Click Installations > Machines.
- Select the Google Cloud Classic Load Balancer machine where you want to provision the certificate.
- Select the Installations tab.
- Click Provision.
- Search for and select the certificate you want to provision.
-
Configure the GCP Certificate Location:
-
From the Certificate Type drop-down, select one of the following:
- Compute Engine SSL Certificate (Global) – For global load balancers
- Compute Engine SSL Certificate (Regional) – For regional load balancers
-
In the Certificate Name field, enter a name for the SSL certificate resource in GCP.
Note
Certificate Manager - SaaS automatically appends a timestamp suffix (YYYYMMDD-HHMMSS) to the certificate name to support versioning during renewals.
-
(Conditional) If you selected Compute Engine SSL Certificate (Regional), select the Location (region) where the certificate should be created from the drop-down. This must match the region of your Regional Target HTTPS Proxy.
-
-
Configure the Load Balancer Binding:
-
From the Proxy Type drop-down, select one of the following:
- Global Target HTTPS Proxy – For global HTTPS load balancers
- Global Target SSL Proxy – For global TCP SSL load balancers
- Regional Target HTTPS Proxy – For regional HTTPS load balancers
-
From the Proxy Name drop-down, select the target proxy where the certificate should be attached.
Note
The proxy list is dynamically populated based on your selected proxy type and region.
-
(Conditional) If you selected Regional Target HTTPS Proxy, select the Proxy Region from the drop-down. This must match the location you selected for the certificate.
Note
The Certificate Attachment Method is automatically set to Classic SSL Certificates. This is the only supported method for Google Cloud Classic Load Balancers.
-
-
(Optional) Enable Push certificate on save to provision the certificate immediately after clicking Save.
-
Click Save.
-
If you enabled Push certificate on save, the provisioning begins immediately. Otherwise, click Push from the Installations tab to provision the certificate.
-
Monitor the installation status:
- Pending – The provisioning request is queued
- Installing – The certificate is being deployed to GCP
- Installed – The certificate was successfully provisioned
- Error – Provisioning failed (review the Event Log for details)
Verify the certificate in GCP¶
To verify that the certificate was successfully provisioned:
-
For global certificates, run:
gcloud compute ssl-certificates list --global --project=YOUR_PROJECT_ID -
For regional certificates, run:
gcloud compute ssl-certificates list --regions=REGION_NAME --project=YOUR_PROJECT_ID -
Verify the proxy reference:
-
For Global Target HTTPS Proxy:
gcloud compute target-https-proxies list --project=YOUR_PROJECT_ID -
For Global Target SSL Proxy:
gcloud compute target-ssl-proxies list --project=YOUR_PROJECT_ID -
For Regional Target HTTPS Proxy:
gcloud compute target-https-proxies list --filter='region:REGION_NAME' --project=YOUR_PROJECT_ID
-
Schedule certificate provisioning¶
You can configure Certificate Manager - SaaS to automatically provision certificates on a recurring schedule:
- From your machine's Provisioning tab, enable the Schedule toggle.
- Configure the schedule:
- Repeat every: Select Day, Week, or Month
- At time: Specify the time in UTC
- (Conditional) For weekly schedules, select the day of the week
- (Conditional) For monthly schedules, select the day of the month
- Click Save.
The scheduled provisioning job runs at the specified time and provisions any certificates that have been configured but not yet deployed.
Tip
Combine scheduled provisioning with auto-renewal to fully automate certificate lifecycle management for your Google Cloud load balancers.
What's next?¶
- Set up scheduled provisioning to automate certificate deployment
- Enable auto-renewal to automatically renew and reprovision certificates before they expire
- Discover certificates on machines to track certificates already deployed to your load balancers