Deploy a global Google-managed certificate with DNS authorization

This tutorial shows you how to use Certificate Manager to deploy aglobal Google-managed certificate withDNSauthorization.

The following global load balancers support Google-managed certificates with DNSauthorization:

  • Global external Application Load Balancer
  • Classic Application Load Balancer
  • Global external proxy Network Load Balancer

If you want to deploy to cross-region load balancers or regional load balancers,see the following:

Objectives

This tutorial shows you how to complete the following tasks:

  • Create a Google-managed certificate issued by a publicly trusted certificateauthority with DNS authorization by usingCertificate Manager.
  • Deploy the certificate to a supported load balancer by using a target HTTPSproxy.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine, Certificate Manager APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  5. Install the Google Cloud CLI.

    Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. Toinitialize the gcloud CLI, run the following command:

    gcloudinit

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the Compute Engine, Certificate Manager APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  11. Install the Google Cloud CLI.

    Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  12. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  13. Toinitialize the gcloud CLI, run the following command:

    gcloudinit
  14. Create apublic DNS zone

Required roles

Make sure that you have the following roles to complete the tasks in this tutorial:

  • Certificate Manager Owner (roles/certificatemanager.owner)

    Required to create and manage Certificate Manager resources.

  • Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) or Compute Network Admin (roles/compute.networkAdmin)

    Required to create and manage HTTPS target proxy.

  • DNS Administrator (roles/dns.admin)

    Required if you want to use Cloud DNS as your DNS solution.

For more information, see the following:

Note: If you aren't assigned the permissions or roles, request the missing rolesfrom the Identity and Access Management (IAM) administrator who has the ProjectIAM Admin role (roles/resourcemanager.projectIamAdmin).

Domain names

To create certificates, get the fully qualified domain names (FQDNs) of thedomains you own. If you don't have a domain, you can use Cloud Domainstoregister a domain.

Create the load balancer

This tutorial assumes that you've already created and configured the loadbalancer's backends, health checks, backend services, and URL maps. If you'vecreated an external Application Load Balancer, note the name of the URL map because you need itlater in this tutorial.

If you haven't created the load balancer, see the following pages to create one:

Create a Google-managed certificate with DNS authorization

Before you create the certificate, create a public DNS zone. Then, create a DNSauthorization and add the CNAME record to the target DNS zone.

Create a DNS authorization

A DNS authorization only covers a single domain name. You must create a separateDNS authorization for each domain name that you want to use with the targetcertificate.

If you're creating aDNS authorization for a wildcard certificate, such as*.myorg.example.com,configure the DNS authorization for the parent domain—for example,myorg.example.com.

Console

You can create a DNS authorization or attach an existing DNSauthorization when creating a certificate. For more information, seeCreate a Google-managed certificate referencing the DNS authorization.

gcloud

You can create two types of DNSauthorizations:FIXED_RECORD orPER_PROJECT_RECORD. For moreinformation, seeDNS authorization.

Note: Global Google-managed certificates useFIXED_RECORD as the default DNS authorization type.

FIXED_RECORD DNS authorization

To create aFIXED_RECORD DNS authorization, use the followinggcloud certificate-manager dns-authorizations create command:

gcloud certificate-manager dns-authorizations createAUTHORIZATION_NAME \    --domain="DOMAIN_NAME" \    --type=[FIXED_RECORD]

Replace the following:

  • AUTHORIZATION_NAME: the name of the DNS authorization.
  • DOMAIN_NAME: the name of the target domain for which you are creating this DNS authorization. The domain name must be a fully qualified domain name, such asmyorg.example.com.

After creating theFIXED_RECORD DNS authorization, verify it with thegcloud certificate-manager dns-authorizations describe command:

gcloud certificate-manager dns-authorizations describeAUTHORIZATION_NAME

The output is similar to the following. In the output, find thednsResourceRecord section. Locate theCNAME record and add the record'sdetails (data,name, andtype) to yourDNS configuration.

createTime: '2022-01-14T13:35:00.258409106Z'dnsResourceRecord:  data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog.  name: _acme-challenge.myorg.example.com.  type: CNAMEdomain: myorg.example.comname: projects/myProject/locations/global/dnsAuthorizations/myAuthorizationupdateTime: '2022-01-14T13:35:01.571086137Z'

PER_PROJECT_RECORD DNS authorization

To create aPER_PROJECT_RECORD DNS authorization, use the followinggcloud certificate-manager dns-authorizations create command:

gcloud certificate-manager dns-authorizations createAUTHORIZATION_NAME \    --domain="DOMAIN_NAME" \    --type=PER_PROJECT_RECORD

Replace the following:

  • AUTHORIZATION_NAME: the name of the DNS authorization.
  • DOMAIN_NAME: the name of the target domain for which you are creating this DNS authorization. The domain name must be a fully qualified domain name, such asmyorg.example.com.

After creating thePER_PROJECT_RECORD DNS authorization, verify it withthegcloud certificate-manager dns-authorizations describe command:

gcloud certificate-manager dns-authorizations describeAUTHORIZATION_NAME

The output is similar to the following. In the output, find thednsResourceRecord section. Locate theCNAME record and add the record'sdetails (data,name, andtype) to yourDNS configuration.

createTime: '2022-01-14T13:35:00.258409106Z'dnsResourceRecord:  data: 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog.  name: _acme-challenge_ujmmovf2vn55tgye.myorg.example.com  type: CNAMEdomain: myorg.example.comname: projects/myProject/locations/global/dnsAuthorizations/myAuthorizationupdateTime: '2022-01-14T13:35:01.571086137Z'
Note: ForPER_PROJECT_RECORD DNS authorization,Certificate Manager supports only the certificates issued byGoogle Trust Services. Certificates issued by otherauthorities, such as Let's Encrypt CA, aren't supported.

Terraform

To create a DNS authorization, you can use agoogle_certificate_manager_dns_authorization resource.

resource "google_certificate_manager_dns_authorization" "default" {  name        = "${local.name}-dnsauth-${random_id.tf_prefix.hex}"  description = "The default dns auth"  domain      = local.domain  labels = {    "terraform" : true  }}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

To create a DNS authorization, make aPOST request to thednsAuthorizations.create method:

POST /v1/projects/PROJECT_ID/locations/global/dnsAuthorizations?dns_authorization_id=AUTHORIZATION_NAME"{  "domain": "DOMAIN_NAME",  "type": "PER_PROJECT_RECORD" //optional}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • AUTHORIZATION_NAME: the name of the DNS authorization.
  • DOMAIN_NAME: the name of the target domain for which you are creating this DNS authorization.The domain name must be a fully qualified domain name, such asmyorg.example.com.

Create a Google-managed certificate referencing the DNS authorization

To create a Google-managed certificate that references the DNS authorization youcreated in the previous steps, do the following:

Console

  1. In the Google Cloud console, go to theCertificate Manager page.

    Go to Certificate Manager

  2. On theCertificates tab, clickAdd Certificate.

  3. In theCertificate name field, enter a unique name for the certificate.

  4. Optional: In theDescription field, enter a description for the certificate. The description lets you identify the certificate.

  5. ForLocation, selectGlobal.

  6. ForScope, selectDefault.

  7. ForCertificate type, selectCreate Google-managed certificate.

  8. ForCertificate Authority type, selectPublic.

  9. In theDomain Names field, specify a comma-delimited list of domainnames of the certificate. Each domain name must be a fully qualifieddomain name, such asmyorg.example.com. The domain name can also be awildcard domain name, such as*.example.com.

  10. ForAuthorization type, selectDNS authorization.

    The page lists DNS authorizations of the domain names. If a domain namedoesn't have an associated DNS authorization, follow these steps tocreate one:

    1. ClickCreate missing DNS authorization.
    2. In theDNS authorization name field, specify the name of the DNS authorization.The default DNS authorization type isFIXED_RECORD. To independently manage certificates across multiple projects, select thePer projectauthorization checkbox.
    3. ClickCreate DNS authorization.

  11. In theLabels field, specify labels to associate to thecertificate. To add a label, clickAdd label, and specifya key and a value for your label.

  12. ClickCreate.

    The new certificate appears in the list of certificates.

gcloud

To create a global Google-managed certificate with DNS authorization, runthecertificate-manager certificates create command with thedns-authorizations flag:

gcloud certificate-manager certificates createCERTIFICATE_NAME \    --domains="DOMAIN_NAME,*.DOMAIN_NAME" \    --dns-authorizations="AUTHORIZATION_NAMES"

Replace the following:

  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such asmyorg.example.com, or a wildcard domain, such as*.myorg.example.com. The asterisk dot prefix(*.) signifies a wildcard certificate.
  • AUTHORIZATION_NAMES: a comma-delimited list of names of the DNS authorizations you created for the certificate.

Terraform

Use agoogle_certificate_manager_certificate resource.

resource "google_certificate_manager_certificate" "root_cert" {  name        = "${local.name}-rootcert-${random_id.tf_prefix.hex}"  description = "The wildcard cert"  managed {    domains = [local.domain, "*.${local.domain}"]    dns_authorizations = [      google_certificate_manager_dns_authorization.default.id    ]  }  labels = {    "terraform" : true  }}

API

Create the certificate by making aPOST request to thecertificates.create method as follows:

POST /v1/projects/PROJECT_ID/locations/global/certificates?certificate_id=CERTIFICATE_NAME{ "managed": {  "domains": ["DOMAIN_NAME"],  "dnsAuthorizations": [   "projects/PROJECT_ID/locations/global/dnsAuthorizations/AUTHORIZATION_NAME",  ], }}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_NAME: the name of the certificate.
  • DOMAIN_NAME: the name of the target domain. The domain name must be a fully qualified domain name, such asmyorg.example.com, or a wildcard domain, such as*.myorg.example.com. The asterisk dot prefix(*.) signifies a wildcard certificate.
  • AUTHORIZATION_NAMES: a comma-delimited list of names of the DNS authorizations.
Note: To specify multiple domains or DNS authorizations, provide acomma-delimited list of values in their respective fields.

Add the CNAME record to your DNS configuration

If you're using a third-party DNS solution to manage your DNS, refer to itsdocumentation to add the CNAME record to the DNS configuration. If you're usingGoogle Cloud to manage your DNS, complete the steps in this section.

Important: You must ensure that yourCNAME is theonly resourcerecord for a specific DNS name. Although some DNS providers allow you toconfigure bothCNAME andTXT resource records for thesame DNS name, this type of configuration is incorrect and can lead toconflicts, preventing reliable certificate issuance or renewal. If such aconflict occurs, then you can either delete yourTXT records or usetheper-project DNS authorization method.

Console

To create a record set, follow these steps:

  1. In the Google Cloud console, go to theDNS zones page.

    Go to Cloud DNS zones

  2. Click the name of the DNS zone where you want to add the record.

  3. On theZone details page, clickAdd standard.

  4. On theCreate record set page, in theDNS name field, enterthe subdomain of the DNS zone.

    When entering the subdomain name, make sure that the subdomain name,including the greyed-out textdisplayed in theDNS name field, matches the full value of thednsResourceRecord.name field as displayed in theoutput of thegcloud certificate-manager dns-authorizations describe command.

    See the following examples:

    • If thednsResourceRecord.name field value is_acme-challenge.myorg.example.com., and the greyed-out text in theDNS name field is.example.com., then enter_acme-challenge.myorg.

    • If thednsResourceRecord.name field value is_acme-challenge.myorg.example.com. , and the greyed-out text in theDNS name field is.myorg.example.com., then enter_acme-challenge.

    • If the value of thednsResourceRecord.name field is_acme-challenge_ujmmovf2vn55tgye.myorg.example.com., and thegreyed-out text in theDNS name field is.myorg.example.com.,then enter_acme-challenge_ujmmovf2vn55tgye.

      Note: Adding the @ symbol in this field causes the record to fail.

  5. In theResource record type field, selectCNAME.

  6. In theTTL field, enter a positive numeric value for the resource record'stime to live, which is the amount of time that it can be cached.

  7. From theTTL unit list, select the unit of time—for example,30 minutes.

  8. In theCanonical name field, enter the full value of thednsResourceRecord.data field as displayed in theoutput of thegcloudcertificate-manager dns-authorizations describe command.

  9. To enter additional information, clickAdd item.

  10. ClickCreate.

gcloud

When you create a DNS authorization, the gcloud CLI commandreturns the corresponding CNAME record. To add the CNAME record to your DNSconfiguration in the DNS zone of the target domain, follow these steps:

  1. Initiate the DNS record transaction:

    gcloud dns record-sets transaction start --zone="DNS_ZONE_NAME"

    ReplaceDNS_ZONE_NAME with the name of the target DNSzone.

  2. Add the CNAME record to the target DNS zone:

    gcloud dns record-sets transaction addCNAME_RECORD \    --name="VALIDATION_SUBDOMAIN_NAME.DOMAIN_NAME." \    --ttl="30" \    --type="CNAME" \    --zone="DNS_ZONE_NAME"

    Replace the following:

    • CNAME_RECORD: the full data value of the CNAMErecord returned by the Google Cloud CLI command that created thecorresponding DNS authorization.
    • VALIDATION_SUBDOMAIN_NAME: the prefix subdomainof the DNS zone, such as_acme-challenge. You can copy the namefrom thegcloud certificate-manager dns-authorizations describecommand log, as described inCreate a DNS authorization.
    • DOMAIN_NAME: the name of the target domain.The domain name must be a fully qualified domain name, such asmyorg.example.com. You must also include the trailing periodafter the target domain name.
    • DNS_ZONE_NAME: the name of the target DNS zone.

    For more information about the difference betweenFIXED_RECORD andPER_PROJECT_RECORD DNSauthorizations, see the followingexamples. The only difference between the two examples is the valueof the--name flag.

    FIXED_RECORD DNS authorization

    gcloud dns record-sets transaction add 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog. \    --name="_acme-challenge.myorg.example.com." \    --ttl="30" \    --type="CNAME" \    --zone="myorg-example-com"

    PER_PROJECT_RECORD DNS authorization

    gcloud dns record-sets transaction add 0e40fc77-a37d-4eb8-8fe1-eea2e18d12d9.4.authorize.certificatemanager.goog. \    --name="_acme-challenge_ujmmovf2vn55tgye.myorg.example.com." \    --ttl="30" \    --type="CNAME" \    --zone="myorg-example-com"

  3. Run the DNS record transaction to save your changes:

    gcloud dns record-sets transaction execute --zone="DNS_ZONE_NAME"

    ReplaceDNS_ZONE_NAME with the name of the target DNSzone.

Terraform

To add the CNAME record to your DNS configuration, you can use agoogle_dns_record_set resource.

resource "google_dns_record_set" "cname" {  name         = google_certificate_manager_dns_authorization.default.dns_resource_record[0].name  managed_zone = google_dns_managed_zone.default.name  type         = google_certificate_manager_dns_authorization.default.dns_resource_record[0].type  ttl          = 300  rrdatas      = [google_certificate_manager_dns_authorization.default.dns_resource_record[0].data]}

Verify the status of the certificate

Before deploying a certificate to a load balancer, verify that it's active. Itcan take several minutes for the certificate state to change toACTIVE.

Console

  1. In the Google Cloud console, go to theCertificate Manager page.

    Go to Certificate Manager

  2. On theCertificates tab, check theStatus column for thecertificate.

gcloud

To verify the status of the certificate, run the following command:

gcloud certificate-manager certificates describeCERTIFICATE_NAME

ReplaceCERTIFICATE_NAME with the name of the targetGoogle-managed certificate.

The output is similar to the following:

createTime: '2021-10-20T12:19:53.370778666Z'expireTime: '2022-05-07T05:03:49Z'managed:  authorizationAttemptInfo:  - domain: myorg.example.com    state: AUTHORIZED  dnsAuthorizations:    - projects/myProject/locations/global/dnsAuthorizations/myCert  domains:  - myorg.example.com  state: ACTIVEname: projects/myProject/locations/global/certificates/myCertpemCertificate: |  -----BEGIN CERTIFICATE-----  [...]  -----END CERTIFICATE-----sanDnsnames:  -   myorg.example.comupdateTime: '2021-10-20T12:19:55.083385630Z'

If the certificate state is notACTIVE after several hours, check that you correctly added theCNAME record to your DNS configuration.

For more troubleshooting steps, seeTroubleshoot Certificate Manager.

Deploy the certificate to a load balancer

To deploy a global Google-managed certificate, deploy the certificate by using acertificate map.

Create a certificate map

Create a certificate map that references the certificate map entry associatedwith your certificate:

gcloud

To create a certificate map, use thegcloud certificate-manager maps create command:

gcloud certificate-manager maps createCERTIFICATE_MAP_NAME

ReplaceCERTIFICATE_MAP_NAME with the name of the targetcertificate map.

Terraform

To create a certificate map, you can use agoogle_certificate_manager_certificate_map resource.

resource "google_certificate_manager_certificate_map" "certificate_map" {  name        = "${local.name}-certmap-${random_id.tf_prefix.hex}"  description = "${local.domain} certificate map"  labels = {    "terraform" : true  }}

Create a certificate map entry

Create a certificate map entry and associate it with your certificate andcertificate map:

gcloud

To create a certificate map entry, use thegcloud certificate-manager maps entries create command:

gcloud certificate-manager maps entries createCERTIFICATE_MAP_ENTRY_NAME \    --map="CERTIFICATE_MAP_NAME" \    --certificates="CERTIFICATE_NAME" \    --hostname="HOSTNAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry.

  • HOSTNAME: the hostname that you want to associate with the certificate map entry.

    If you want to create a certificate that covers both a wildcard domainand a root domain, then specify the hostname with a root and a wildcard,such asexample.com and*.example.com. In addition, you must specifytwo certificate map entries - one forexample.com and the other for*.example.com.

Terraform

To create a certificate map entry with a root domain, use agoogle_certificate_manager_certificate_map_entry resource.

resource "google_certificate_manager_certificate_map_entry" "first_entry" {  name        = "${local.name}-first-entry-${random_id.tf_prefix.hex}"  description = "example certificate map entry"  map         = google_certificate_manager_certificate_map.certificate_map.name  labels = {    "terraform" : true  }  certificates = [google_certificate_manager_certificate.root_cert.id]  hostname     = local.domain}

To create a certificate map entry with a wildcard domain, use agoogle_certificate_manager_certificate_map_entry resource.

resource "google_certificate_manager_certificate_map_entry" "second_entry" {  name        = "${local.name}-second-entity-${random_id.tf_prefix.hex}"  description = "example certificate map entry"  map         = google_certificate_manager_certificate_map.certificate_map.name  labels = {    "terraform" : true  }  certificates = [google_certificate_manager_certificate.root_cert.id]  hostname     = "*.${local.domain}"}

Verify that the certificate map entry is active

Verify that the certificate map entry is active before attaching itscorresponding certificate map to the target proxy.

To verify the certificate map entry, use thegcloud certificate-manager maps entries describe command:

gcloud certificate-manager maps entries describeCERTIFICATE_MAP_ENTRY_NAME \    --map="CERTIFICATE_MAP_NAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_NAME: the name of the certificate you want to associate with the certificate map entry.

The output is similar to the following:

certificates:createTime: '2021-09-06T10:01:56.229472109Z'hostname: example.comname: projects/my-project/locations/global/certificateMaps/myCertMap/certificateMapEntries/myCertMapEntrystate: ACTIVEupdateTime: '2021-09-06T10:01:58.277031787Z'

Attach the certificate map to the target proxy

You can attach the certificate map to a new target proxy or an existing targetproxy.

gcloud

To attach the certificate map to a new target proxy, use thegcloud compute target-https-proxies create command:

gcloud compute target-https-proxies createPROXY_NAME \    --certificate-map="CERTIFICATE_MAP_NAME" \    --url-map="URL_MAP" \    --global

Replace the following:

  • PROXY_NAME: the name of the target proxy.
  • CERTIFICATE_MAP_NAME: the name of the certificate map referencing the certificate map entry and theassociated certificate.
  • URL_MAP: the name of the URL map

To attach the certificate map to an existing target HTTPS proxy, use thegcloud compute target-https-proxies update command. If you don't know the name of the existingtarget proxy, go to theTarget proxies page and note the name of thetarget proxy.

gcloud compute target-https-proxies updatePROXY_NAME \    --certificate-map="CERTIFICATE_MAP_NAME" \    --global

After creating or updating the target proxy, run the following command toverify it:

gcloud compute target-https-proxies list

Terraform

To attach the certificate map to the target proxy, you can use agoogle_compute_target_https_proxy resource.

When configuring a target proxy, if you attach TLS (SSL) certificates directlyand also through a certificate map, the proxy uses the certificates referencedby the certificate map and ignores the directly attached TLS (SSL) certificates.

Clean up

To avoid incurring charges to your Google Cloud account for the resourcesused in this tutorial, delete them.

  1. Delete the load balancer and its resources.

    SeeClean up a load balancing setup.

  2. Delete or detach the certificate map from the proxy.

    To delete the certificate map, run the following command:

    gcloud compute target-https-proxies deletePROXY_NAME

    If you want to keep the target HTTPS proxy, then detach thecertificate map from the proxy.

    Caution: Before you detach the certificate map, notethe following considerations.
    • If there are any TLS (SSL) certificates attached directly to the proxy,then detaching the certificate map causes the proxy to resume using thosedirectly attached TLS (SSL) certificates.
    • If there are no TLS (SSL) certificates attached directly to the proxy,then the certificate map can't be detached from the proxy. You must firstattach at least one TLS (SSL) certificate directly to the proxy beforeyou can detach the certificate map.

    To detach the certificate map, run the following command:

    gcloud compute target-https-proxies updatePROXY_NAME \    --clear-certificate-map

    ReplacePROXY_NAME with the name of the target proxy.

  3. Delete the certificate map entry from the certificate map:

    gcloud certificate-manager maps entries deleteCERTIFICATE_MAP_ENTRY_NAME \    --map="CERTIFICATE_MAP_NAME"

    Replace the following:

    • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
    • CERTIFICATE_MAP_NAME: the name of the certificate map.

  4. Delete the certificate map:

    gcloud certificate-manager maps deleteCERTIFICATE_MAP_NAME

    ReplaceCERTIFICATE_MAP_NAME with the name of thecertificate map.

  5. Delete the Google-managed certificate:

    Console

    1. In the Google Cloud console, go to theCertificate Manager page.

      Go to Certificate Manager

    2. On theCertificates tab, select the checkbox of thecertificate.

    3. ClickDelete.

    4. In the dialog that appears, clickDelete to confirm.

    gcloud

    gcloud certificate-manager certificates deleteCERTIFICATE_NAME

    ReplaceCERTIFICATE_NAME with the name of the targetcertificate.

  6. Delete the DNS authorization:

    gcloud certificate-manager dns-authorizations deleteAUTHORIZATION_NAME

    ReplaceAUTHORIZATION_NAME with the name of the DNS authorization.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.