MMS • Renato Losio
Article originally posted on InfoQ.
Google Cloud recently announced the general availability of Certificate Manager, a service to acquire, manage, and deploy TLS certificates for use with Google Cloud workloads.
Announced in preview earlier this year, the new service supports both self-managed and Google-managed certificates, and has monitoring capabilities to alert for expiring certificates. Ryan Hurst and Babi Seal, product managers at Google Cloud, explain:
You can now deploy a new certificate globally in minutes and greatly simplify and accelerate the deployment of TLS for SaaS offerings. Coupled with support for DNS Authorizations, you can now streamline your workload migrations without major disruptions.
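The expiring-certificate alerts mentioned above are, at heart, a comparison between each certificate's notAfter date and a warning threshold. The following Python snippet is an added illustration of that check, not code from Google Cloud or from the article: it works on a constructed inventory whose entries mimic the notAfter field that ssl.SSLSocket.getpeercert() returns, and the names, dates and 30-day threshold are all assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample inventory (not real hosts): each entry carries a display name and
# the certificate's notAfter timestamp in the OpenSSL/GMT format used by getpeercert().
SAMPLE_CERTS = [
    {"name": "api.example.test",  "notAfter": "Jan 10 12:00:00 2024 GMT"},
    {"name": "shop.example.test", "notAfter": "Feb 15 00:00:00 2024 GMT"},
    {"name": "old.example.test",  "notAfter": "Dec 20 00:00:00 2023 GMT"},
]


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Parse an OpenSSL-style notAfter string; negative means the certificate already expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify(certs, now: datetime, warn_days: int = 30) -> dict:
    """Map each certificate name to 'expired', 'expiring' (within warn_days) or 'ok'."""
    report = {}
    for cert in certs:
        remaining = days_until_expiry(cert["notAfter"], now)
        if remaining < 0:
            status = "expired"
        elif remaining <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report[cert["name"]] = status
    return report


def needs_action(certs, now: datetime, warn_days: int = 30) -> list:
    """Names that should raise an alert, most urgent first (expired before expiring)."""
    scored = [(days_until_expiry(c["notAfter"], now), c["name"]) for c in certs]
    return [name for days, name in sorted(scored) if days <= warn_days]


if __name__ == "__main__":
    # Fixed reference time (an assumption) so the output is reproducible offline.
    reference = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for name, status in classify(SAMPLE_CERTS, reference).items():
        print(f"{name}: {status}")
    print("alerts:", needs_action(SAMPLE_CERTS, reference))
```

The check uses a fixed reference time rather than datetime.now() so the result is deterministic; a real monitor would substitute the current time and feed the inventory from the load balancer or certificate store.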
Google-managed certificates are certificates, validated through either load balancer or DNS authorization, that Google Cloud obtains, manages and renews automatically. Certificate Manager also supports self-managed certificates: X.509 TLS certificates that the customer obtains and uploads manually to the service.
Certificate Manager integrates with External HTTP(S) load balancers and Global external HTTP(S) load balancers, but they must be on the Premium Network Service Tier. After validating that the requester controls the domain, the new service can also act as a public Certificate Authority to provide and deploy widely trusted X.509 certificates. Hurst and Seal add:
During the certificate manager private preview of the ACME certificate enrollment capability, our users have acquired millions of certificates for their self-managed TLS deployments. Each of these certificates comes from Google Trust Services, which means our users get the same TLS device compatibility and scalability we demand for our own services. Our Cloud users get this benefit even when they manage the certificate and private key themselves, all for free.
Alongside the general availability, the cloud provider added a number of automation and observability features, including previews of Kubernetes integration and self-service ACME certificate enrollment. Plans for Terraform automation were announced as well.
Per Thorsheim, founder of PasswordsCon, comments:
Very happy to see Google Trust Services being DNSSEC signed & having a proper CAA record (obviously!). Still want to nudge towards signing google.com though (…) Similarly, seeing the lack of MTA-STS & TLS-RPT records makes for sad clown GIFs, when Google themselves is (was?) promoting their use.
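Thorsheim's points are about DNS hygiene around a CA and its domains: a CAA record that restricts which CAs may issue, an MTA-STS policy record, and a TLS-RPT reporting record. The snippet below is an added example, not code from the article, Google or Thorsheim, that audits those three records for a domain. It runs over a constructed, embedded set of DNS answers instead of querying a resolver; the zone name, the record values and the choice of pki.goog as the expected CAA issuer are assumptions (check the CA's current CPS for the identifier it actually publishes). DNSSEC signing is not checked here, since that needs a validating resolver rather than record text.

```python
# Constructed DNS answers for an example zone, keyed by (owner name, record type).
# The TLS-RPT record at _smtp._tls.<domain> is deliberately absent to show a finding.
SAMPLE_ZONE = {
    ("example.test", "CAA"): ['0 issue "pki.goog"', '0 iodef "mailto:security@example.test"'],
    ("_mta-sts.example.test", "TXT"): ["v=STSv1; id=20230901T000000"],
}


def check_caa(zone: dict, domain: str, allowed_issuers) -> str:
    """CAA must exist, and every issue/issuewild value must name an expected CA."""
    records = zone.get((domain, "CAA"), [])
    if not records:
        return "missing"
    issuers = set()
    for rr in records:
        _flags, tag, value = rr.split(None, 2)
        if tag in ("issue", "issuewild"):
            # Value is quoted and may carry ';'-separated parameters; keep only the CA domain.
            issuers.add(value.strip('"').split(";")[0].strip())
    unexpected = issuers - set(allowed_issuers)
    if unexpected:
        return "unexpected issuer: " + ", ".join(sorted(unexpected))
    return "ok"


def check_txt_policy(zone: dict, owner: str, version_tag: str) -> str:
    """Exactly one TXT record starting with the policy's version tag must exist."""
    records = zone.get((owner, "TXT"), [])
    matching = [r for r in records if r.startswith(version_tag)]
    if not matching:
        return "missing"
    if len(matching) > 1:
        return "multiple records"
    return "ok"


def audit(zone: dict, domain: str, allowed_issuers=("pki.goog",)) -> dict:
    """Summarise CAA, MTA-STS and TLS-RPT posture for one domain."""
    return {
        "caa": check_caa(zone, domain, allowed_issuers),
        "mta-sts": check_txt_policy(zone, f"_mta-sts.{domain}", "v=STSv1"),
        "tls-rpt": check_txt_policy(zone, f"_smtp._tls.{domain}", "v=TLSRPTv1"),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_ZONE, "example.test").items():
        print(f"{check}: {result}")
```

To run it against live DNS, replace SAMPLE_ZONE with answers from a resolver library; the checks themselves stay the same.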
With Amazon offering AWS Certificate Manager (ACM) since 2016, Google is not the only cloud provider with a managed certificate service. Nor is Certificate Manager the only way to manage a certificate on Google Cloud: if the deployment does not require wildcard domains and has fewer than 10 certificates per load balancer, Google suggests uploading the certificates directly to Cloud Load Balancing.
There are no additional charges to use Certificate Manager for the first 100 certificates; further certificates are billed per certificate, per month.