DigiCert® Trust Lifecycle Manager enables you to manage certificate deployments on Google Cloud Platform (GCP) Application Layer and Network Layer (Proxy) load balancers.
When you add a GCP unified connector in Trust Lifecycle Manager, it discovers supported load balancers in the linked Google Cloud projects and adds the assets it finds to your Inventory for monitoring and management.
The Trust Lifecycle Manager inventory data includes certificates and unsecured endpoints and identifies the Google Cloud project, region, load balancer name, and forwarding rule name where they were discovered.
Once the connection is established, you can use Trust Lifecycle Manager to automate ongoing lifecycle management tasks and deploy new certificates to your GCP load balancers, issuing the certificates from any of the CAs available in your Trust Lifecycle Manager account.
GCP load balancer types

Load balancing layer | Protocols
---|---
Application (Layer 7) | HTTPS
Network (Layer 4) (1) | TCP/SSL/Other

(1) For Network-layer load balancing, Trust Lifecycle Manager enables management of certificates for SSL offload (termination) on proxy load balancers.
For GCP unified connectors with Organization scope, Trust Lifecycle Manager traverses the parent organization or folder to find all the child projects. To view the discovered organization hierarchy in Trust Lifecycle Manager:
From the Integrations > Connectors page, select the GCP unified connector by name to view the details for it.
The Linked account section of the connector details page contains the current connector settings. The GCP scope field should show Organization. Select the View details link next to this.
The discovered GCP organization hierarchy opens in a siderail to the right. Select the folders to see the associated project names.
Notice
For GCP projects with active load balancers, the project names here match the associated certificate records in the Trust Lifecycle Manager Inventory view.
Assets discovered through a GCP unified connector may include certificates found on both GCP load balancers and Google Certificate Manager. Use the functions below to load GCP assets into Inventory and identify the load balancer assets.
The connector details page includes shortcut links to load pre-filtered inventory views of assets associated with that connector. Find these shortcut links in the Assets found section of the connector details page:
Asset type | Description |
---|---|
Managed certificates | Use this shortcut link to load certificates Trust Lifecycle Manager found on GCP load balancers. These certificates are considered "managed" because they're associated with specific endpoints and eligible for managed lifecycle automation in Trust Lifecycle Manager. This category also includes certificates that Trust Lifecycle Manager enrolled and delivered to Google Certificate Manager using the Admin web request function. |
Discovered certificates | Use this shortcut link to load existing certificates Trust Lifecycle Manager found in Google Certificate Manager that were not enrolled/delivered from Trust Lifecycle Manager. |
Unsecured IP/ports | Use this shortcut link to load endpoints Trust Lifecycle Manager found on GCP load balancers that do not currently have certificates installed. |
Use the standard view inventory functions in Trust Lifecycle Manager to build and save custom views of your Google Cloud assets. The following inventory filters help identify certificates on GCP load balancers. If a column is not present, use the inventory table settings function to add it.
Column header | Filter value(s)
---|---
Application | Select one of the following values to view assets associated with Google Certificate Manager or a particular GCP load balancer type:
Connector | Enter the full or partial Name of the GCP unified connector as shown on the Integrations > Connectors page.
IP/FQDN | Enter the name of the GCP load balancer in one of the following formats:
Port | Enter the incoming port number for the load balancer forwarding rule.
System name | Enter
The IP/FQDN column of the inventory table shows the applicable GCP load balancer and forwarding rule name for each certificate or unsecured endpoint, in one of the following formats:
Global load balancers:
{project name}/Global/{load balancer name}/{forwarding rule name}
Regional load balancers:
{project name}/{region}/{load balancer name}/{forwarding rule name}
For example:
Global load balancer:
my-gcp-project-1/Global/global-external-application-loadbalancer1/externallb-frontend-iport3
Regional load balancer:
my-gcp-project-2/us-east1/internal-regional-lb/external-regional-lb-forwarding-rule
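The IP/FQDN value format above is what you get back when you export or query the Inventory, so a small parser is handy for scripting over it, for example to group load balancer certificates by project or to pick out the regional ones. The following is an added example, not code from the Trust Lifecycle Manager product or its documentation. It assumes (as GCP naming rules suggest) that project IDs, load balancer names and forwarding rule names contain only lowercase letters, digits and hyphens, that regions look like `us-east1`, and that the global marker is spelled `Global` exactly as shown above; the sample inventory values are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trust Lifecycle Manager IP/FQDN value formats for GCP load balancer assets:
#   {project name}/Global/{load balancer name}/{forwarding rule name}
#   {project name}/{region}/{load balancer name}/{forwarding rule name}
# Assumption for this example: each component is a GCP-style name
# (lowercase letters, digits, hyphens) and regions look like "us-east1".
_ENDPOINT_RE = re.compile(
    r"^(?P<project>[a-z][a-z0-9-]*)/"
    r"(?P<scope>Global|[a-z]+-[a-z]+\d+)/"
    r"(?P<lb>[a-z][a-z0-9-]*)/"
    r"(?P<rule>[a-z][a-z0-9-]*)$"
)


@dataclass(frozen=True)
class GcpEndpoint:
    project: str
    region: Optional[str]  # None for global load balancers
    load_balancer: str
    forwarding_rule: str

    @property
    def is_global(self) -> bool:
        return self.region is None


def parse_endpoint(value: str) -> GcpEndpoint:
    """Split one inventory IP/FQDN value into its four components."""
    m = _ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GCP load balancer IP/FQDN value: {value!r}")
    scope = m.group("scope")
    return GcpEndpoint(
        project=m.group("project"),
        region=None if scope == "Global" else scope,
        load_balancer=m.group("lb"),
        forwarding_rule=m.group("rule"),
    )


def group_by_project(values: List[str]) -> Tuple[Dict[str, List[GcpEndpoint]], List[str]]:
    """Bucket inventory values by GCP project; values that do not match the
    load balancer format (e.g. plain hostnames from other connectors) are
    returned separately instead of raising."""
    by_project: Dict[str, List[GcpEndpoint]] = {}
    skipped: List[str] = []
    for v in values:
        try:
            ep = parse_endpoint(v)
        except ValueError:
            skipped.append(v)
            continue
        by_project.setdefault(ep.project, []).append(ep)
    return by_project, skipped


# Constructed sample of IP/FQDN column values (not real inventory data).
SAMPLE_INVENTORY = [
    "my-gcp-project-1/Global/global-external-application-loadbalancer1/externallb-frontend-iport3",
    "my-gcp-project-2/us-east1/internal-regional-lb/external-regional-lb-forwarding-rule",
    "my-gcp-project-1/europe-west4/regional-lb/regional-lb-rule",
    "www.example.com",  # a non-GCP asset that should be skipped
]


if __name__ == "__main__":
    grouped, skipped = group_by_project(SAMPLE_INVENTORY)
    for project, endpoints in sorted(grouped.items()):
        for ep in endpoints:
            scope = "global" if ep.is_global else ep.region
            print(f"{project}: {ep.load_balancer} ({scope}) rule={ep.forwarding_rule}")
    print("skipped:", skipped)
```

Because the regular expression is anchored at both ends and rejects anything with extra or missing path segments, a value that is not in the documented format surfaces as a `ValueError` (or in the `skipped` list) rather than being silently mis-split into the wrong project.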
You can manage certificate deployments on GCP load balancers directly from the Trust Lifecycle Manager web console, using the managed automation functions to request, issue, and deploy certificates from any of your connected CAs.
To get started, you need certificate automation profiles for the issuing CAs and types of certificates to deploy on your GCP load balancers.
Important
Select the DigiCert sensor enrollment method in your certificate profiles for enrolling and managing certificates on GCP load balancers.
To enroll certificates with automated delivery to Google Certificate Manager, select the Admin web request enrollment method instead.