With a GCP unified connector, you can use DigiCert® Trust Lifecycle Manager to manage certificate deployments on Google Cloud Platform (GCP) Application Layer and Network Layer (Proxy) load balancers.
When you add a GCP unified connector in Trust Lifecycle Manager, it discovers the supported load balancer types in the linked Google Cloud projects and adds the load balancer assets to your centralized Inventory so you can monitor and manage them.
The Trust Lifecycle Manager inventory data includes certificates and unsecured endpoints and identifies the Google Cloud project, region, load balancer name, and forwarding rule name where they were discovered.
Once the connection is established, you can use Trust Lifecycle Manager to automate lifecycle management and deploy new certificates to your GCP load balancers, issuing the certificates from any of the CAs available in your Trust Lifecycle Manager account.
GCP load balancer types

| Load balancing layer | Protocols |
|---|---|
| Application (Layer 7) | HTTPS |
| Network (Layer 4) [1] | TCP/SSL/Other |

[1] For Network-layer load balancing, Trust Lifecycle Manager manages certificates for SSL offload (termination) on proxy load balancers.
For GCP unified connectors with Organization scope, Trust Lifecycle Manager traverses the parent organization or folder to find all the child projects. To view the discovered organization hierarchy in Trust Lifecycle Manager:
From the Integrations > Connectors page, select the GCP unified connector by name to view the details for it.
The Linked account section of the connector details page contains the current connector settings. The GCP scope field should show Organization. Select the View details link next to this.
The discovered GCP organization hierarchy opens in a siderail to the right. Select the folders to see the associated project names.
Note
For GCP projects with active load balancers, the project names here match the associated certificate records in the Trust Lifecycle Manager Inventory view.
Assets discovered through a GCP unified connector may include certificates found both on GCP load balancers and in Google Certificate Manager. Use the functions below to load GCP assets into Inventory and identify the load balancer assets.
The connector details page includes shortcut links to load pre-filtered inventory views of assets associated with that connector. Find these shortcut links in the Assets found section of the connector details page:
| Asset type | Description |
|---|---|
| Managed certificates | Use this shortcut link to load certificates Trust Lifecycle Manager found on GCP load balancers. These certificates are considered "managed" because they're associated with specific endpoints and eligible for managed lifecycle automation in Trust Lifecycle Manager. This category also includes certificates that Trust Lifecycle Manager enrolled and delivered to Google Certificate Manager using the Admin web request function. |
| Discovered certificates | Use this shortcut link to load existing certificates Trust Lifecycle Manager found in Google Certificate Manager that were not enrolled/delivered from Trust Lifecycle Manager. |
| Unsecured IP/ports | Use this shortcut link to load endpoints Trust Lifecycle Manager found on GCP load balancers that do not currently have certificates installed. |
Use the standard view inventory functions in Trust Lifecycle Manager to build and save custom views of your Google Cloud assets. The following inventory filters help identify certificates on GCP load balancers. If a column is not present, use the inventory table settings function to add it.
| Column header | Filter value(s) |
|---|---|
| Application | Select the value for Google Certificate Manager or for the GCP load balancer type whose assets you want to view. |
| Connector | Enter the full or partial name of the GCP unified connector as shown on the Integrations > Connectors page. |
| IP/FQDN | Enter the name of the GCP load balancer, in one of the formats described below. |
| Port | Enter the incoming port number for the load balancer forwarding rule. |
| System name | Enter |
The IP/FQDN column of the inventory table shows the GCP load balancer and forwarding rule name for each certificate or unsecured endpoint, in one of the following formats:
Global load balancers:
{project name}/Global/{load balancer name}/{forwarding rule name}
Regional load balancers:
{project name}/{region}/{load balancer name}/{forwarding rule name}
For example:
Global load balancer:
my-gcp-project-1/Global/global-external-application-loadbalancer1/externallb-frontend-iport3
Regional load balancer:
my-gcp-project-2/us-east1/internal-regional-lb/external-regional-lb-forwarding-rule
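The two IP/FQDN formats above are easy to script against once you export an inventory view, for example to see which projects and regions a connector actually reached, or to list the unsecured endpoints that qualify for automation. The following is an added example, not DigiCert's code: a parser for both formats plus two helpers run over a constructed export of the Unsecured view. The region pattern, the CSV column set and the status strings are assumptions made for the example.

```python
"""Parse and filter the IP/FQDN values Trust Lifecycle Manager assigns to GCP
load balancer assets.

Added example (not DigiCert code). It handles the two formats documented above:
    {project name}/Global/{load balancer name}/{forwarding rule name}
    {project name}/{region}/{load balancer name}/{forwarding rule name}
The region pattern and the sample export below are assumptions for the example.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a Google Cloud region identifier looks like "us-east1" or
# "europe-west4"; the literal "Global" (any case) marks a global load balancer.
_REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")


@dataclass(frozen=True)
class GcpLbEndpoint:
    project: str
    region: Optional[str]  # None for global load balancers
    load_balancer: str
    forwarding_rule: str

    @property
    def is_global(self) -> bool:
        return self.region is None


def parse_ip_fqdn(value: str) -> GcpLbEndpoint:
    """Split one inventory IP/FQDN value into project, scope, load balancer and rule."""
    parts = value.strip().split("/")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected project/scope/load-balancer/rule, got {value!r}")
    project, scope, lb, rule = parts
    if scope.lower() == "global":
        return GcpLbEndpoint(project, None, lb, rule)
    if _REGION_RE.match(scope):
        return GcpLbEndpoint(project, scope, lb, rule)
    raise ValueError(f"scope {scope!r} is neither 'Global' nor a region: {value!r}")


# Constructed export of the Unsecured inventory view (invented rows, not real data).
# Column names follow the filter table above; the status strings are assumed.
SAMPLE_UNSECURED_EXPORT = """\
IP/FQDN,Port,Automation status
my-gcp-project-1/Global/global-external-application-loadbalancer1/externallb-frontend-http,80,Configured
my-gcp-project-2/us-east1/internal-regional-lb/regional-lb-http,80,Not configured
my-gcp-project-2/us-east1/internal-regional-lb/regional-lb-alt-http,8080,Configured
my-gcp-project-3/europe-west4/regional-external-alb/alb-http-frontend,80,Configured
"""


def load_rows(export_csv: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(export_csv)))


def group_by_scope(rows: List[dict]) -> Dict[str, List[str]]:
    """Map "project/Global" or "project/region" to the load balancer names found there."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for row in rows:
        ep = parse_ip_fqdn(row["IP/FQDN"])
        groups[f"{ep.project}/{ep.region or 'Global'}"].add(ep.load_balancer)
    return {key: sorted(names) for key, names in sorted(groups.items())}


def redirect_candidates(rows: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Unsecured endpoints that can be given an HTTP-to-HTTPS redirect.

    This page says only HTTP endpoints whose Automation status is Configured
    (those with a static IP on the load balancer) can be managed, and that they
    are not always on port 80, so the port is reported rather than assumed.
    """
    out = []
    for row in rows:
        if row["Automation status"] != "Configured":
            continue
        ep = parse_ip_fqdn(row["IP/FQDN"])
        out.append((ep.project, ep.load_balancer, ep.forwarding_rule, row["Port"]))
    return out


if __name__ == "__main__":
    rows = load_rows(SAMPLE_UNSECURED_EXPORT)
    for scope, names in group_by_scope(rows).items():
        print(scope, names)
    for project, lb, rule, port in redirect_candidates(rows):
        print(f"redirect candidate: {project} {lb}/{rule} port {port}")
```

The parser rejects values with the wrong number of fields or an unrecognised scope rather than guessing, so a changed export format shows up as an error instead of as silently mis-grouped assets.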
You can manage certificate deployments on GCP load balancers directly from the Trust Lifecycle Manager web console, using the automation functions to enroll and deploy certificates from any of your connected CAs.
To get started, create certificate automation profiles for the issuing CAs and types of certificates to deploy on your GCP load balancers.
Important
Select the DigiCert sensor enrollment method in any certificate profiles you create for managing certificates on GCP load balancers.
To instead deliver certificates to Google Certificate Manager, select the Admin web request enrollment method in your certificate profiles and submit the requests using the Admin web request function.
You can use Trust Lifecycle Manager to add HTTP-to-HTTPS redirects for the following GCP load balancer types:
Regional external Application Load Balancer
Global external Application Load Balancer
Global external Classic Application Load Balancer
To enable encryption for an HTTP endpoint, use the Inventory functions to request a certificate and redirect traffic to HTTPS for it. Trust Lifecycle Manager installs the certificate and configures the required forwarding rules for you.
Note
To learn more about how HTTP-to-HTTPS redirects work on GCP load balancers, refer to the official Google Cloud documentation.
When you connect one of the supported GCP load balancer types listed above, Trust Lifecycle Manager looks for unsecured HTTP endpoints on it.
To see the HTTP endpoints, load the Unsecured inventory view. Filter them using the same fields described in the View inventory on GCP load balancers section above.
The IP/FQDN column identifies the load balancer name and port number for the endpoint. HTTP endpoints typically use port number 80, but may be configured for other port numbers.
Important
To manage an HTTP endpoint from Trust Lifecycle Manager, it must have a static IP address on the GCP load balancer. Applicable HTTP endpoints have an Automation status of Configured in Trust Lifecycle Manager inventory.
When you request a certificate for an HTTP endpoint on a GCP load balancer, Trust Lifecycle Manager prompts you to configure the HTTPS redirect options for it.
First, view the HTTP endpoint in your inventory and make sure it shows Configured in the Automation status column. Add the HTTP-to-HTTPS redirect for it as follows:
From the actions menu (three dots) menu for the HTTP endpoint, select Request certificate.
Fill out the Automation request form as usual, selecting the automation profile and options for issuing the new certificate. To configure the HTTP-to-HTTPS redirect, provide values for the additional fields described below.
For all GCP load balancer types:
HTTPS redirect port: Enter the port number for the target HTTPS proxy used to terminate the encrypted connection.
For Global GCP load balancers:
Attach certificate: Select one of the options for whether to add the certificate to a new or existing certificate map entry.
Existing certificate map and certificate map entry: Add the certificate to an existing entry in an existing certificate map.
Existing certificate map with new certificate map entry: Create a new certificate map entry for the certificate in an existing certificate map.
New certificate map with new certificate map entry: Create both a new certificate map and a new certificate map entry for the certificate.
Certificate map name: Enter the name of the certificate map to add the certificate to.
For delivery to an existing certificate map, the name you enter must exactly match the existing map.
For delivery to a new certificate map, the name you enter is used to create the new map.
Certificate map entry name: Enter the name of the specific certificate map entry to add the certificate to.
For delivery to an existing certificate map entry, the name you enter must exactly match the existing entry.
For delivery to a new certificate map entry, the name you enter is used to create the new entry.
Select Submit to issue and deploy the certificate and set up the HTTP-to-HTTPS redirect for it on the GCP load balancer.
After you submit the request, Trust Lifecycle Manager takes the following actions:
Creates a new partial GCP load balancer for the URL map that redirects HTTP traffic to HTTPS, as Google Cloud requires. The partial load balancer has the same name as the original load balancer with -partial appended.
Configures a forwarding rule and target HTTPS proxy on the original load balancer to terminate the encrypted traffic.
Issues the certificate and installs it on the target HTTPS proxy of the original GCP load balancer, creating a certificate map entry if needed (Global load balancers only).
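Once those actions complete, the thing worth verifying from outside is the behaviour the redirect is supposed to produce: a plain HTTP request to the endpoint should answer with a redirect to https:// on the same host, keeping the path, and the HTTPS side should present the new certificate. The following is an added example, not DigiCert's or Google's code: a small checker that separates the decision logic (which can be tested offline) from the one live HTTP request and TLS handshake. The host name is an assumption; the HTTPS port defaults to 443 but is a parameter, because the HTTPS redirect port chosen in the request form above need not be 443.

```python
"""Check that an HTTP endpoint on a GCP load balancer now redirects to HTTPS.

Added example (not DigiCert or Google code). After Trust Lifecycle Manager has
installed the certificate and configured the redirect, this sends one plain
HTTP request to the load balancer and checks that the answer is a redirect to
https:// on the same host that keeps the request path. Host names and ports
used in the usage section are assumptions.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}


@dataclass(frozen=True)
class RedirectCheck:
    ok: bool
    reason: str


def evaluate_redirect(status: int, location: Optional[str], host: str,
                      path: str = "/", https_port: int = 443) -> RedirectCheck:
    """Decide whether (status, Location) is an acceptable HTTP-to-HTTPS redirect.

    Accepts a redirect status with an absolute https:// Location that points at
    the same host and the expected HTTPS port and preserves the original path.
    A redirect to another host is rejected: traffic would be leaving the load
    balancer instead of reaching the target HTTPS proxy that was just set up.
    """
    if status not in REDIRECT_STATUSES:
        return RedirectCheck(False, f"status {status} is not a redirect")
    if not location:
        return RedirectCheck(False, "redirect without a Location header")
    target = urlsplit(location)
    if target.scheme != "https":
        return RedirectCheck(False, f"Location scheme is {target.scheme!r}, not https")
    if (target.hostname or "").lower() != host.lower():
        return RedirectCheck(False, f"Location host {target.hostname!r} is not {host!r}")
    if (target.port or 443) != https_port:
        return RedirectCheck(False, f"Location port {target.port or 443} is not {https_port}")
    if (target.path or "/") != path:
        return RedirectCheck(False, f"path changed from {path!r} to {target.path!r}")
    return RedirectCheck(True, f"{status} -> {location}")


def check_live_redirect(host: str, http_port: int = 80, path: str = "/",
                        timeout: float = 5.0) -> RedirectCheck:
    """Send one GET over plain HTTP to the load balancer and evaluate the reply."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return evaluate_redirect(resp.status, resp.getheader("Location"), host, path)
    finally:
        conn.close()


def presented_cert_expiry(host: str, https_port: int = 443, timeout: float = 5.0) -> str:
    """Return the notAfter date of the certificate the HTTPS proxy presents for host.

    Uses the default trust store, so an untrusted or mismatched certificate
    raises ssl.SSLCertVerificationError instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, https_port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Assumed host name; needs network access to the load balancer's HTTP rule.
    HOST = "www.example.com"
    print("redirect:", check_live_redirect(HOST))
    print("certificate expires:", presented_cert_expiry(HOST))
```

The checker deliberately does not follow the redirect with a library that auto-follows: a redirect chain that ends on HTTPS after passing through another host, or that drops the path, would pass such a check while still being the wrong configuration.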