Google Cloud Certificate Manager generally available

Google Cloud recently announced the Certificate Manager general availabilitya service to acquire, manage, and deploy TLS certificates for use with Google Cloud workloads.

First announced earlier this year, the new service supports self-managed and Google-managed certificates, and has monitoring capabilities to alert when certificates expire. Ryan Hurst and Babi Sealproduct managers at Google Cloud, explain:

Now you can deploy a new certificate globally in minutes and dramatically simplify and accelerate deployment of TLS for SaaS offerings. Coupled with support for DNS permissions, you can now streamline your workload migrations without major downtime.

Google-managed certificates are certificates validated with a load balancer or DNS authorization that Google Cloud automatically obtains, manages, and renews. Certificate Manager also supports self-management certificatesTLS X.509 certificates that the client manually obtains and uploads to the service.

Certificate Manager integrates with External HTTP(S) Load Balancers and Global External HTTP(S) Load Balancers but they must be lit Premium network service level. After validating that the supplicant controls the domain, the new service can also act as public certificate authority to provide and deploy widely trusted X.509 certificates. Hurst and Seal add:

During the Certificate Manager Private Preview of the ACME Certificate Enrollment Capability, our users have acquired millions of certificates for their self-managed TLS deployments. Each of these certificates comes from Google Trust Services, which means our users get the same TLS device compatibility and scalability that we require for our own services. Our Cloud users get this benefit even when they manage the certificate and private key themselves, all for free.

Announcing general availability, the cloud provider added a number of automation and observability features, including Kubernetes integration previews and self-service ACME certificate enrollment. The plan to take advantage of Terraform’s automation was also announced.

Per Thorsheim, founder of PasswordsCon, comments:

Very happy to see Google Trust Services being DNSSEC signed and having a proper CAA record (obviously!). I still want to push towards google.com signing (…) Likewise, seeing the lack of MTA-STS and TLS-RPT records makes clown GIFs sad, while Google itself does (did?) Promoting their use.

With the Amazon offer AWS Certificate Manager (ACM) since 2016, Google is not the only cloud provider to offer a managed certificate service. The certificate manager is not the only option for managing a certificate on Google Cloud: if the deployment does not require wildcard domains and has less than 10 certificates per load balancer, Google suggests uploading the certificates directly to Cloud Load Balancing.

There is no additional charge to use Certificate Manager for the first 100 certificates, with a per-certificate-per-month pricing structure for subsequent certificates.