Google Cloud Certificate Commands

Comprehensive guide to managing SSL/TLS certificates using Google Cloud Certificate Manager, Compute Engine SSL certificates, and Certificate Authority Service.

🔧 Setup and Prerequisites

Install and configure gcloud CLI

# Install gcloud (macOS)
brew install google-cloud-sdk

# Install gcloud (Linux)
curl https://sdk.cloud.google.com | bash
exec -l $SHELL

# Initialize gcloud
gcloud init

# Set default project
gcloud config set project PROJECT_ID

# Enable required APIs
gcloud services enable certificatemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable privateca.googleapis.com

Enable Certificate Manager, Compute Engine, and Certificate Authority Service APIs as needed for your use case.

🖥️ Compute Engine SSL Certificates (Classic)

Create Google-managed SSL certificate

# Create managed SSL certificate for use with load balancers
gcloud compute ssl-certificates create example-cert \
  --domains=example.com,www.example.com \
  --global

Google-managed certificates are automatically provisioned and renewed. Domain ownership is validated during load balancer setup.

Upload self-managed SSL certificate

# Upload certificate and private key for use with load balancers
gcloud compute ssl-certificates create my-cert \
  --certificate=server.crt \
  --private-key=server.key \
  --global

# Upload regional self-managed certificate
gcloud compute ssl-certificates create my-regional-cert \
  --certificate=server.crt \
  --private-key=server.key \
  --region=us-central1

Self-managed certificates require you to provide the certificate and key files. You are responsible for renewal.

List and describe SSL certificates

# List all SSL certificates (global and regional; narrow with --global or --regions=REGION)
gcloud compute ssl-certificates list

# Describe a specific certificate
gcloud compute ssl-certificates describe example-cert --global

# List with filter for managed certificates
gcloud compute ssl-certificates list \
  --filter="type=MANAGED"

# Check provisioning status of managed certificate
gcloud compute ssl-certificates describe example-cert --global \
  --format="get(managed.status, managed.domainStatus)"

Managed certificate status shows PROVISIONING, ACTIVE, or PROVISIONING_FAILED. Domain status shows per-domain validation state.

Delete SSL certificate

# Delete a global SSL certificate (must not be in use by a target proxy)
gcloud compute ssl-certificates delete example-cert --global

Remove the certificate from any target HTTPS proxy before deleting.

Attach certificate to HTTPS load balancer

# Set SSL certificate on an existing target HTTPS proxy
gcloud compute target-https-proxies update my-https-proxy \
  --ssl-certificates=example-cert \
  --global

# Attach multiple certificates (SNI)
gcloud compute target-https-proxies update my-https-proxy \
  --ssl-certificates=cert-one,cert-two \
  --global

Multiple certificates enable SNI-based serving. The first certificate in the list is the default.

📜 Certificate Manager (Modern API)

Create Google-managed certificate with DNS authorization

# Step 1: Create DNS authorization
gcloud certificate-manager dns-authorizations create example-auth \
  --domain=example.com

# Step 2: Get the CNAME record to add to your DNS
gcloud certificate-manager dns-authorizations describe example-auth \
  --format="get(dnsResourceRecord.name, dnsResourceRecord.type, dnsResourceRecord.data)"

# Step 3: Create the managed certificate (after adding DNS record)
gcloud certificate-manager certificates create example-cert \
  --domains=example.com,www.example.com \
  --dns-authorizations=example-auth

DNS authorization allows provisioning certificates before the load balancer is set up. Add the CNAME record to your DNS provider and wait for propagation before creating the certificate.

Create Google-managed wildcard certificate

# DNS authorization is required for wildcard certificates
gcloud certificate-manager dns-authorizations create wildcard-auth \
  --domain=example.com

# Create wildcard certificate
gcloud certificate-manager certificates create wildcard-cert \
  --domains="*.example.com,example.com" \
  --dns-authorizations=wildcard-auth

Wildcard certificates require DNS authorization. Include the root domain as a SAN if you want it covered.

Upload self-managed certificate to Certificate Manager

# Upload certificate and private key
gcloud certificate-manager certificates create my-uploaded-cert \
  --certificate-file=server.crt \
  --private-key-file=server.key

# Upload with description and labels
gcloud certificate-manager certificates create my-uploaded-cert \
  --certificate-file=server.crt \
  --private-key-file=server.key \
  --description="Production certificate for example.com" \
  --labels=env=production,team=platform

Self-managed certificates in Certificate Manager are not automatically renewed. Monitor expiration and re-upload as needed.
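Because nothing on the Google side renews a self-managed certificate, the useful habit is to check the files locally before every upload (with either the Compute Engine or the Certificate Manager create command): does the key match the certificate, are the hostnames you will serve present as SANs, and how long is left before expiry. The script below is an added example and not part of this guide; it assumes the openssl CLI is installed, and it builds a throwaway self-signed certificate as constructed test data so it runs without any cloud access.

```shell
#!/bin/sh
# Added example (not part of the original guide): local checks to run on a
# self-managed certificate before uploading it. Assumes the openssl CLI is
# installed; file names such as server.crt/server.key are illustrative.
set -eu

# Print "ok" when the certificate and private key share one public key,
# "mismatch" otherwise (an upload with the wrong key is rejected or useless).
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# Print "ok" when the certificate stays valid for at least $2 more days,
# "expiring" otherwise. This is the renewal check Google does not do for you.
cert_valid_for_days() {
  if openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; then
    echo ok
  else
    echo expiring
  fi
}

# Print "ok" when hostname $2 appears as a DNS SAN, "missing" otherwise.
cert_has_san() {
  if openssl x509 -in "$1" -noout -text \
       | grep -A1 'Subject Alternative Name' | tail -n 1 \
       | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"; then
    echo ok
  else
    echo missing
  fi
}

# Constructed test data: a throwaway self-signed EC certificate valid for $2 days.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1/server.key" -out "$1/server.crt" -days "$2" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" >/dev/null 2>&1
}

# Demo: ./precheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_test_cert "$tmp" 400
  echo "key matches cert:       $(cert_key_match "$tmp/server.crt" "$tmp/server.key")"
  echo "valid for 30 more days: $(cert_valid_for_days "$tmp/server.crt" 30)"
  echo "SAN www.example.com:    $(cert_has_san "$tmp/server.crt" www.example.com)"
  echo "SAN api.example.com:    $(cert_has_san "$tmp/server.crt" api.example.com)"
  rm -rf "$tmp"
fi
```

Run the three checks against your real server.crt and server.key right before the gcloud create command, and schedule cert_valid_for_days on the uploaded file (30 days is a sensible threshold) so an expiring self-managed certificate is caught before clients see it.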

List and describe certificates

# List all certificates in Certificate Manager
gcloud certificate-manager certificates list

# Describe a certificate
gcloud certificate-manager certificates describe example-cert

# List with format for expiration details
gcloud certificate-manager certificates list \
  --format="table(name, managed.state, expireTime, sanDnsnames.join(','))"

# Delete a certificate
gcloud certificate-manager certificates delete example-cert

The managed.state field indicates ACTIVE, PROVISIONING, FAILED, or RENEWAL_FAILED for managed certificates.

πŸ—ΊοΈ Certificate Maps

Create a certificate map and map entries

# Create a certificate map
gcloud certificate-manager maps create my-cert-map

# Create a map entry matching a specific hostname
gcloud certificate-manager maps entries create example-entry \
  --map=my-cert-map \
  --hostname=example.com \
  --certificates=example-cert

# Create a map entry for wildcard matching
gcloud certificate-manager maps entries create wildcard-entry \
  --map=my-cert-map \
  --hostname="*.example.com" \
  --certificates=wildcard-cert

# Create a primary (default) map entry
gcloud certificate-manager maps entries create default-entry \
  --map=my-cert-map \
  --certificates=default-cert

Certificate maps route SNI hostnames to specific certificates. A primary entry (without --hostname) serves as the default. Attach the map to a target HTTPS proxy.
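To make the routing concrete, the script below resolves an SNI hostname against a small map built from the three entry types created above (exact hostname, wildcard, primary). It is an added example, not code from this guide or from Google: the entries are a constructed tab-separated table, and the precedence it implements (exact match first, then a wildcard that covers exactly one label, then the primary entry) is this example's reading of the documented behaviour.

```shell
#!/bin/sh
# Added example (not part of the original guide): how a certificate map picks a
# certificate for an SNI hostname. Entries are "hostname<TAB>certificate" lines and the
# primary entry has an empty hostname, mirroring the three "maps entries create" commands
# above. Precedence implemented: exact hostname, then a wildcard covering exactly one
# label, then the primary entry (this example's reading of the documented behaviour).

# Certificate for the entry whose hostname equals $1, or nothing.
lookup_entry() {
  printf '%s\n' "$2" | awk -F'\t' -v key="$1" '$1 == key && $2 != "" { print $2; exit }'
}

resolve_map_entry() {
  host=$1; entries=$2
  cert=$(lookup_entry "$host" "$entries")
  if [ -z "$cert" ] && [ "${host#*.}" != "$host" ]; then
    # *.example.com covers api.example.com but not deep.api.example.com
    cert=$(lookup_entry "*.${host#*.}" "$entries")
  fi
  if [ -z "$cert" ]; then
    cert=$(lookup_entry "" "$entries")
  fi
  echo "${cert:-no-match}"
}

# Constructed map matching the entries created above.
MAP_ENTRIES=$(printf 'example.com\texample-cert\n*.example.com\twildcard-cert\n\tdefault-cert\n')

# Demo: ./certmap.sh --demo
if [ "${1:-}" = "--demo" ]; then
  for h in example.com api.example.com deep.api.example.com other.org; do
    printf '%-24s -> %s\n' "$h" "$(resolve_map_entry "$h" "$MAP_ENTRIES")"
  done
fi
```

The no-match case is the one to design for: a map without a primary entry leaves hostnames that match nothing with no certificate at all, so keep a default-entry in every map attached to a public proxy.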

Attach certificate map to load balancer

# Attach certificate map to target HTTPS proxy
gcloud compute target-https-proxies update my-https-proxy \
  --certificate-map=my-cert-map \
  --global

When a certificate map is attached, it takes precedence over any ssl-certificates directly assigned to the proxy.

Manage certificate map entries

# List map entries
gcloud certificate-manager maps entries list --map=my-cert-map

# Describe a map entry
gcloud certificate-manager maps entries describe example-entry \
  --map=my-cert-map

# Update a map entry to use a different certificate
gcloud certificate-manager maps entries update example-entry \
  --map=my-cert-map \
  --certificates=new-cert

# Delete a map entry
gcloud certificate-manager maps entries delete example-entry \
  --map=my-cert-map

# Delete the certificate map (must have no entries)
gcloud certificate-manager maps delete my-cert-map

πŸ›οΈ Certificate Authority Service (CAS)

Create a CA pool and root CA

# Create a CA pool
gcloud privateca pools create my-pool \
  --location=us-central1 \
  --tier=devops

# Create a root CA in the pool
gcloud privateca roots create my-root-ca \
  --pool=my-pool \
  --location=us-central1 \
  --subject="CN=My Root CA, O=My Organization" \
  --key-algorithm=ec-p256-sha256 \
  --max-chain-length=1

CAS tiers: "devops" for high-volume automated issuance, "enterprise" for compliance and audit features. Key algorithms include rsa-pkcs1-2048-sha256, rsa-pkcs1-4096-sha256, ec-p256-sha256, and ec-p384-sha384.

Create a subordinate CA

gcloud privateca subordinates create my-sub-ca \
  --pool=my-pool \
  --location=us-central1 \
  --issuer-pool=my-pool \
  --issuer-location=us-central1 \
  --subject="CN=My Subordinate CA, O=My Organization" \
  --key-algorithm=ec-p256-sha256

Subordinate CAs issue end-entity certificates and are signed by the root CA.

Issue a certificate from CAS

# Issue certificate using a CSR file
gcloud privateca certificates create my-server-cert \
  --issuer-pool=my-pool \
  --issuer-location=us-central1 \
  --csr=server.csr \
  --validity=P365D \
  --cert-output-file=server.crt

# Issue certificate without a CSR (gcloud generates the private key locally;
# --generate-key is required when requesting --key-output-file)
gcloud privateca certificates create my-server-cert \
  --issuer-pool=my-pool \
  --issuer-location=us-central1 \
  --generate-key \
  --subject="CN=server.example.com" \
  --dns-san=server.example.com,www.example.com \
  --key-output-file=server.key \
  --cert-output-file=server.crt \
  --validity=P365D

Validity uses ISO 8601 duration format: P365D = 365 days, P1Y = 1 year. When using --dns-san, provide comma-separated hostnames.

List and revoke certificates

# List certificates issued by a CA pool
gcloud privateca certificates list \
  --issuer-pool=my-pool \
  --location=us-central1

# Describe a certificate
gcloud privateca certificates describe my-server-cert \
  --issuer-pool=my-pool \
  --location=us-central1

# Revoke a certificate (identified with --certificate; --serial-number is the alternative)
gcloud privateca certificates revoke \
  --certificate=my-server-cert \
  --issuer-pool=my-pool \
  --issuer-location=us-central1 \
  --reason=cessation-of-operation

Revocation reasons: unspecified, key-compromise, certificate-authority-compromise, affiliation-changed, superseded, cessation-of-operation, privilege-withdrawn.

Manage CA pools and CAs

# List CA pools
gcloud privateca pools list --location=us-central1

# List CAs in a pool
gcloud privateca roots list --pool=my-pool --location=us-central1

# Disable a CA
gcloud privateca roots disable my-root-ca \
  --pool=my-pool \
  --location=us-central1

# Enable a CA
gcloud privateca roots enable my-root-ca \
  --pool=my-pool \
  --location=us-central1

# Get the CA certificate (PEM)
gcloud privateca roots describe my-root-ca \
  --pool=my-pool \
  --location=us-central1 \
  --format="value(pemCaCertificates[0])" > ca-cert.pem

πŸ›‘οΈ SSL Policies

Create and manage SSL policies

# Create SSL policy with minimum TLS 1.2
gcloud compute ssl-policies create my-ssl-policy \
  --profile=MODERN \
  --min-tls-version=1.2

# Create restrictive SSL policy
gcloud compute ssl-policies create strict-policy \
  --profile=RESTRICTED \
  --min-tls-version=1.2

# Create custom SSL policy with specific ciphers
gcloud compute ssl-policies create custom-policy \
  --profile=CUSTOM \
  --min-tls-version=1.2 \
  --custom-features=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

# Attach SSL policy to target HTTPS proxy
gcloud compute target-https-proxies update my-https-proxy \
  --ssl-policy=my-ssl-policy \
  --global

# List SSL policies
gcloud compute ssl-policies list

# List available cipher features for CUSTOM profile
gcloud compute ssl-policies list-available-features

Profiles: COMPATIBLE (widest client support), MODERN (recommended), RESTRICTED (strictest), CUSTOM (pick specific ciphers). Use MODERN or RESTRICTED for production workloads.
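The guidance above is easy to audit across a project because both list commands can print tab-separated fields. The script below is an added example, not part of this guide: it scores each policy against "MODERN or RESTRICTED, minimum TLS 1.2" and lists HTTPS proxies that have no policy attached at all, which is the more common gap, since such proxies get Google's default policy (COMPATIBLE profile, TLS 1.0 minimum). The sample lines at the bottom are constructed; pipe in the real output of the two gcloud commands named in the comments.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit SSL policies and HTTPS proxies
# against the guidance above (MODERN or RESTRICTED profile, minimum TLS 1.2). Works on
# the tab-separated output of the two gcloud list commands named below, so it can also
# be run on saved output; the sample lines at the bottom are constructed.

# Verdict for one policy: "pass" or "fail: <reason>".
policy_verdict() {
  profile=$1; min_tls=$2
  case "$profile" in
    MODERN|RESTRICTED) ;;
    *) echo "fail: profile $profile"; return 0 ;;
  esac
  case "$min_tls" in
    TLS_1_2) echo pass ;;
    *) echo "fail: min TLS $min_tls" ;;
  esac
}

# Read "name<TAB>profile<TAB>minTlsVersion" lines, as printed by
#   gcloud compute ssl-policies list --format="value(name,profile,minTlsVersion)"
# and print a verdict per policy plus a final count of failures.
audit_policies() {
  failures=0
  while IFS="$(printf '\t')" read -r name profile min_tls; do
    if [ -z "$name" ]; then continue; fi
    verdict=$(policy_verdict "$profile" "$min_tls")
    printf '%s\t%s\n' "$name" "$verdict"
    case "$verdict" in fail*) failures=$((failures + 1)) ;; esac
  done
  echo "$failures failing policies"
}

# Read "name<TAB>sslPolicy" lines, as printed by
#   gcloud compute target-https-proxies list --format="value(name,sslPolicy)"
# and print the proxies with no policy attached. Those get Google's default policy
# (COMPATIBLE profile, TLS 1.0 minimum), which is the case this audit is for.
proxies_without_policy() {
  while IFS="$(printf '\t')" read -r name policy; do
    if [ -n "$name" ] && [ -z "$policy" ]; then echo "$name"; fi
  done
}

# Constructed sample output; replace with real gcloud output piped in.
SAMPLE_POLICIES=$(printf 'my-ssl-policy\tMODERN\tTLS_1_2\nlegacy-policy\tCOMPATIBLE\tTLS_1_0\ncustom-policy\tCUSTOM\tTLS_1_2\n')
SAMPLE_PROXIES=$(printf 'api-proxy\thttps://www.googleapis.com/compute/v1/projects/p/global/sslPolicies/my-ssl-policy\nlegacy-proxy\t\n')

# Demo: ./tls-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_POLICIES" | audit_policies
  echo "proxies using the default policy:"
  printf '%s\n' "$SAMPLE_PROXIES" | proxies_without_policy
fi
```

A CUSTOM policy is reported as failing only because the verdict cannot judge an arbitrary cipher list; if you run CUSTOM profiles in production, review the --custom-features list by hand rather than relaxing the check.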

🌐 DNS Authorization Management

Manage DNS authorizations

# List all DNS authorizations
gcloud certificate-manager dns-authorizations list

# Describe a DNS authorization (shows required DNS record)
gcloud certificate-manager dns-authorizations describe example-auth

# Get the CNAME record details for your DNS provider
gcloud certificate-manager dns-authorizations describe example-auth \
  --format="table(dnsResourceRecord.name, dnsResourceRecord.type, dnsResourceRecord.data)"

# Delete a DNS authorization (not in use by any certificate)
gcloud certificate-manager dns-authorizations delete example-auth

DNS authorizations produce a CNAME record you must add to your DNS zone. The authorization stays valid as long as the CNAME record exists, allowing certificate renewals without re-validation.
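The three-step flow from the Certificate Manager section above (create the authorization, add the CNAME, create the certificate) fails quietly when step 3 runs before the record is visible from the outside: the certificate simply sits in PROVISIONING. The script below is an added example, not part of this guide, that joins the steps and polls a public resolver in between. It assumes gcloud and dig are installed and the active project is set; the resource names, the www SAN and the 8.8.8.8 resolver are illustrative choices, and the record in the test is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the original guide): the three-step DNS authorization
# flow as one script, with a propagation check between steps 2 and 3. Assumes gcloud
# and dig are installed and the active project is set; the resource names and the
# 8.8.8.8 resolver are illustrative choices.
set -eu

# Convert the tab-separated line printed by
#   gcloud certificate-manager dns-authorizations describe AUTH \
#     --format="value(dnsResourceRecord.name,dnsResourceRecord.type,dnsResourceRecord.data)"
# into a zone-file record for your DNS provider. Prints nothing for a malformed line.
zone_record_line() {
  printf '%s\n' "$1" | awk -F'\t' 'NF == 3 { printf "%s 300 IN %s %s\n", $1, $2, $3 }'
}

# Print "ok" once a public resolver returns the expected CNAME target, "pending"
# otherwise. Certificate Manager validates from the outside, so asking a public
# resolver rather than your own authoritative server is the meaningful check.
cname_propagated() {
  got=$(dig +short CNAME "$1" "@${3:-8.8.8.8}" | head -n 1)
  if [ -n "$got" ] && [ "${got%.}" = "${2%.}" ]; then echo ok; else echo pending; fi
}

# Steps 1-3 from the guide: create the authorization, print the record, poll until
# it is visible, then create the certificate. Gives up after 30 minutes instead of
# creating a certificate that would sit in PROVISIONING.
provision_managed_cert() {
  auth=$1; cert=$2; domain=$3
  gcloud certificate-manager dns-authorizations create "$auth" --domain="$domain"
  record=$(gcloud certificate-manager dns-authorizations describe "$auth" \
    --format="value(dnsResourceRecord.name,dnsResourceRecord.type,dnsResourceRecord.data)")
  echo "Add this record at your DNS provider:"
  zone_record_line "$record"
  name=$(printf '%s\n' "$record" | cut -f1)
  target=$(printf '%s\n' "$record" | cut -f3)
  attempt=0
  while [ "$(cname_propagated "$name" "$target")" != ok ]; do
    attempt=$((attempt + 1))
    if [ "$attempt" -ge 30 ]; then
      echo "CNAME for $name not visible after 30 minutes; aborting" >&2
      return 1
    fi
    sleep 60
  done
  gcloud certificate-manager certificates create "$cert" \
    --domains="$domain,www.$domain" --dns-authorizations="$auth"
}

# Usage: ./dns-auth.sh provision example-auth example-cert example.com
if [ "${1:-}" = "provision" ]; then
  provision_managed_cert "$2" "$3" "$4"
fi
```

Keep the CNAME in place after the certificate is ACTIVE: as noted above, renewals reuse the same authorization, so removing the record later turns a silent renewal into a RENEWAL_FAILED state.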

Important Notes

Free Managed Certificates:

Google-managed SSL certificates are free and automatically renewed. They require an active load balancer or DNS authorization for provisioning.

Certificate Manager vs Compute SSL:

Certificate Manager is the newer API that supports certificate maps, DNS authorization, and issuance configs. Compute Engine SSL certificates are the classic approach. Use Certificate Manager for new projects.

Provisioning Time:

Google-managed certificates can take 15-60 minutes to provision after DNS records are in place. In some cases it may take longer.

Certificate Limits:

Google-managed certificates support up to 100 SANs per certificate. A project can have up to 100 SSL certificates by default (quotas may be increased).

Certificate Authority Service Pricing:

CAS charges per CA and per certificate issued. DevOps tier is lower cost for automated issuance; Enterprise tier adds HSM-backed keys and audit logging.

Regional vs Global:

Global certificates are used with global HTTPS load balancers. Regional certificates are used with regional HTTPS load balancers. Certificate Manager certificates are global.

Documentation:

Certificate Manager: cloud.google.com/certificate-manager/docs

Certificate Authority Service: cloud.google.com/certificate-authority-service/docs