Manage certificate map entries

A certificate map entry associates one or more certificates with a target hostname and a target certificate map. This page describes how to create and manage certificate map entries.

For more information, see Certificate map entries.

Note: The Google Cloud CLI instructions on this page assume that you are using Cloud Shell or another environment with bash installed. For more information about the gcloud CLI commands used on this page, see the Certificate Manager CLI reference.

Create a certificate map entry

You can create a certificate map entry and associate a maximum of four certificates with it. When you specify multiple certificates for a hostname, we recommend that you use a different key algorithm for each certificate; for example, an ECDSA certificate and an RSA certificate, so that the load balancer can serve whichever one the client supports. Associating multiple certificates with a single certificate map entry also helps when migrating self-managed certificates to Google-managed certificates, because the old and new certificate can be attached side by side during the cutover.

To associate multiple certificates with a certificate map entry, provide a comma-delimited list of certificate names. A hostname entry matches one hostname, so for each subdomain you must create a separate certificate map entry.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

gcloud

To create a certificate map entry, use the gcloud certificate-manager maps entries create command:

gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME" \
    --certificates="CERTIFICATE_NAMES" \
    --hostname="HOSTNAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_NAMES: a comma-delimited list of the names of the certificates you want to associate with this certificate map entry.
  • HOSTNAME: the hostname that you want to associate with the certificate map entry.

API

Create the certificate map entry by making a POST request to the certificateMaps.certificateMapEntries.create method as follows:

POST /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries?certificate_map_entry_id=CERTIFICATE_MAP_ENTRY_NAME
{
  "hostname": "HOSTNAME",
  "certificates": [
    "projects/PROJECT_ID/locations/global/certificates/CERTIFICATE_NAME1",
    "projects/PROJECT_ID/locations/global/certificates/CERTIFICATE_NAME2"
  ]
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • HOSTNAME: the hostname that you want to associate with the certificate map entry.
  • CERTIFICATE_NAME1: the name of the first certificate you want to associate with this certificate map entry.
  • CERTIFICATE_NAME2: the name of the second certificate you want to associate with this certificate map entry.

Terraform

To create a certificate map entry, you can use a google_certificate_manager_certificate_map_entry resource.

resource "google_certificate_manager_certificate_map_entry" "default" {
  name        = "${local.name}-first-entry-${random_id.tf_prefix.hex}"
  description = "example certificate map entry"
  map         = google_certificate_manager_certificate_map.default.name
  labels = {
    "terraform" : true
  }
  certificates = [google_certificate_manager_certificate.default.id]
  hostname     = local.domain
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

For information about how the load balancer selects certificates during a handshake, see Certificate selection logic.

Create a primary certificate map entry

You can specify a primary certificate map entry whose certificates the load balancer serves if the client doesn't provide a hostname (no SNI), or if the load balancer can't match the hostname to a configured certificate map entry. A primary entry has no hostname; it is identified by the PRIMARY matcher.

Note: When using Certificate Manager with Identity-Aware Proxy (IAP), create a dedicated certificate map entry for each hostname. A primary certificate map entry is incompatible with IAP.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

gcloud

To create a primary certificate map entry, use the gcloud certificate-manager maps entries create command with the --set-primary flag instead of --hostname:

gcloud certificate-manager maps entries create CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME" \
    --certificates="CERTIFICATE_NAMES" \
    --set-primary

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_NAMES: a comma-delimited list of the names of the certificates you want to associate with this certificate map entry.

API

Create the primary certificate map entry by making a POST request to the certificateMaps.certificateMapEntries.create method, setting matcher to PRIMARY and omitting hostname:

POST /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries?certificate_map_entry_id=CERTIFICATE_MAP_ENTRY_NAME
{
  "matcher": "PRIMARY",
  "certificates": [
    "projects/PROJECT_ID/locations/global/certificates/CERTIFICATE_NAME1",
    "projects/PROJECT_ID/locations/global/certificates/CERTIFICATE_NAME2"
  ]
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_NAME1: the name of the first certificate you want to associate with the primary certificate map entry.
  • CERTIFICATE_NAME2: the name of the second certificate you want to associate with the primary certificate map entry.

For information about how the load balancer selects certificates during a handshake, see Certificate selection logic.
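The following is an added example, not code from this page or from Google: it builds the path and JSON body that the two API sections above (hostname entry and primary entry) send to certificateMaps.certificateMapEntries.create, and checks the constraints stated on this page before anything is sent: at most four certificates, exactly one of hostname or PRIMARY matcher, and no primary entry when IAP is in use. The project, map and certificate names are placeholders chosen for the example.

```python
# Added example (not Google's code): request builder for
# certificateMaps.certificateMapEntries.create with the page's constraints
# checked client-side, for both hostname entries and the primary entry.
from typing import Optional

MAX_CERTIFICATES_PER_ENTRY = 4  # limit stated on this page


def certificate_resource(project_id: str, certificate_name: str) -> str:
    """Full resource name the API expects inside the 'certificates' list."""
    return f"projects/{project_id}/locations/global/certificates/{certificate_name}"


def normalize_hostname(hostname: str) -> str:
    """Accept a bare DNS name only: no scheme, port, path or whitespace."""
    host = hostname.strip().lower().rstrip(".")
    if not host or any(ch in host for ch in "/: \t"):
        raise ValueError(f"not a bare hostname: {hostname!r}")
    return host


def build_create_request(project_id: str, map_name: str, entry_name: str,
                         certificate_names, hostname: Optional[str] = None,
                         primary: bool = False, iap_enabled: bool = False):
    """Return (path, body) for a POST to certificateMaps.certificateMapEntries.create.

    Exactly one of hostname / primary must be given: a hostname entry is
    selected when the client's SNI matches, the primary entry (matcher
    PRIMARY) is the fallback when the client sends no hostname or nothing
    matches.
    """
    certs = [c.strip() for c in certificate_names if c and c.strip()]
    if not certs:
        raise ValueError("an entry needs at least one certificate")
    if len(certs) > MAX_CERTIFICATES_PER_ENTRY:
        raise ValueError(
            f"at most {MAX_CERTIFICATES_PER_ENTRY} certificates per entry, got {len(certs)}")
    if len(set(certs)) != len(certs):
        raise ValueError("the same certificate is listed twice")
    if (hostname is None) == (not primary):
        raise ValueError("give either hostname= (hostname entry) or primary=True, "
                         "not both or neither")
    if primary and iap_enabled:
        # The page's IAP note: a primary entry is incompatible with IAP.
        raise ValueError("primary entries are incompatible with IAP; "
                         "create one entry per hostname instead")

    body = {"certificates": [certificate_resource(project_id, c) for c in certs]}
    if primary:
        body["matcher"] = "PRIMARY"
    else:
        body["hostname"] = normalize_hostname(hostname)
    path = (f"/v1/projects/{project_id}/locations/global/certificateMaps/{map_name}"
            f"/certificateMapEntries?certificate_map_entry_id={entry_name}")
    return path, body


if __name__ == "__main__":
    # Placeholder names; the same body is what the gcloud commands above produce.
    print(build_create_request("my-project", "my-map", "www-entry",
                               ["www-rsa", "www-ecdsa"], hostname="www.example.com"))
    print(build_create_request("my-project", "my-map", "fallback",
                               ["www-rsa"], primary=True))
```

The builder returns the request rather than sending it so the same validation can sit in front of whichever client (curl, a CI job, Terraform wrapper) actually calls the API.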

Update a certificate map entry

When you update a certificate map entry, you can do the following:

  • Assign or unassign certificates
  • Modify the description
  • Modify the labels

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

gcloud

To update a certificate map entry, use the gcloud certificate-manager maps entries update command. The --certificates flag replaces the entry's whole certificate list, so pass every certificate that should remain attached:

gcloud certificate-manager maps entries update CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME" \
    --certificates="CERTIFICATE_NAME,CERTIFICATE_NAME" \
    --description="DESCRIPTION" \
    --update-labels="LABELS"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_NAME: the name of a certificate you want to associate with the certificate map entry; list all of them, comma-delimited.
  • DESCRIPTION: a meaningful description for this certificate map entry.
  • LABELS: a list of labels applied to this certificate map entry.

API

Update the certificate map entry by making a PATCH request to the certificateMaps.certificateMapEntries.patch method. Only the fields named in updateMask are changed; the certificates field is replaced as a whole:

PATCH /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries/CERTIFICATE_MAP_ENTRY_NAME?updateMask=labels,description,certificates
{
  "certificates": [
    "projects/PROJECT_ID/locations/global/certificates/CERTIFICATE_NAME"
  ],
  "description": "DESCRIPTION",
  "labels": { "LABEL_KEY": "LABEL_VALUE" }
}

Replace the following:

  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_NAME: the name of the certificate.
  • DESCRIPTION: a meaningful description for this certificate map entry.
  • LABEL_KEY: a label key applied to this certificate map entry.
  • LABEL_VALUE: a label value applied to this certificate map entry.
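The following is an added example, not code from this page or from Google. It builds the PATCH request above with updateMask derived from the fields actually supplied, and uses it for the two-step certificate swap that the create section recommends when migrating a self-managed certificate to a Google-managed one: first attach the new certificate next to the old one, then detach the old one once the new one is serving. Because certificates is replaced wholesale by a PATCH, each step sends the complete list. SAMPLE_ENTRY is constructed to match the shape of a certificateMapEntries.get response; its names are placeholders.

```python
# Added example (not Google's code): PATCH builder for
# certificateMaps.certificateMapEntries.patch plus a two-step certificate swap
# that keeps the entry serving throughout.
from typing import Dict, Iterable, List, Optional, Tuple

MAX_CERTIFICATES_PER_ENTRY = 4  # limit stated on this page

SAMPLE_ENTRY = {  # constructed sample in the shape of a certificateMapEntries.get response
    "name": "projects/my-project/locations/global/certificateMaps/my-map/certificateMapEntries/www-entry",
    "hostname": "www.example.com",
    "certificates": [
        "projects/my-project/locations/global/certificates/self-managed-rsa",
        "projects/my-project/locations/global/certificates/www-ecdsa",
    ],
    "state": "ACTIVE",
}


def parse_entry_name(name: str) -> Tuple[str, str, str]:
    """Split a full entry resource name into (project_id, map_name, entry_name)."""
    p = name.split("/")
    if (len(p) != 8 or p[0] != "projects" or p[2] != "locations"
            or p[4] != "certificateMaps" or p[6] != "certificateMapEntries"):
        raise ValueError(f"not a certificate map entry name: {name}")
    return p[1], p[5], p[7]


def build_patch_request(project_id: str, map_name: str, entry_name: str, *,
                        certificates: Optional[Iterable[str]] = None,
                        description: Optional[str] = None,
                        labels: Optional[Dict[str, str]] = None) -> Tuple[str, dict]:
    """Return (path, body) for a PATCH; updateMask lists only the fields passed.

    Fields left at None are not in updateMask and stay untouched on the
    server. 'certificates' is a repeated field and is replaced as a whole, so
    it must be the complete list of full resource names to keep attached.
    """
    body, mask = {}, []
    if certificates is not None:
        certs = list(dict.fromkeys(certificates))  # drop duplicates, keep order
        if not 1 <= len(certs) <= MAX_CERTIFICATES_PER_ENTRY:
            raise ValueError(f"an entry carries 1..{MAX_CERTIFICATES_PER_ENTRY} "
                             f"certificates, got {len(certs)}")
        body["certificates"] = certs
        mask.append("certificates")
    if description is not None:
        body["description"] = description
        mask.append("description")
    if labels is not None:
        body["labels"] = dict(labels)
        mask.append("labels")
    if not mask:
        raise ValueError("nothing to update")
    path = (f"/v1/projects/{project_id}/locations/global/certificateMaps/{map_name}"
            f"/certificateMapEntries/{entry_name}?updateMask={','.join(mask)}")
    return path, body


def certificate_swap_plan(entry: dict, old_certificate: str,
                          new_certificate: str) -> List[Tuple[str, dict]]:
    """Two PATCH requests replacing old_certificate with new_certificate.

    Step 1 attaches the new certificate alongside the old one (both remain
    candidates during the overlap); step 2, to be sent only after the new
    certificate is serving, detaches the old one. Other attached certificates
    are preserved. Both arguments are full resource names, as in the entry.
    """
    project_id, map_name, entry_name = parse_entry_name(entry["name"])
    current = list(entry.get("certificates", []))
    if old_certificate not in current:
        raise ValueError(f"{old_certificate} is not attached to {entry_name}")
    if new_certificate in current:
        raise ValueError(f"{new_certificate} is already attached to {entry_name}")
    with_both = current + [new_certificate]          # may exceed the limit: builder rejects it
    without_old = [c for c in with_both if c != old_certificate]
    return [
        build_patch_request(project_id, map_name, entry_name, certificates=with_both),
        build_patch_request(project_id, map_name, entry_name, certificates=without_old),
    ]


if __name__ == "__main__":
    prefix = "projects/my-project/locations/global/certificates/"
    for path, body in certificate_swap_plan(
            SAMPLE_ENTRY, prefix + "self-managed-rsa", prefix + "google-managed-rsa"):
        print(path, body)
```

Check the entry's state with the describe command or the get method between the two steps; the page's certificate selection logic decides which of the overlapping certificates a given client receives during step 1.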

List certificate map entries

You can list, filter, and sort all configured certificate map entries of the project.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Viewer role (roles/certificatemanager.viewer)
  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Certificate maps tab on the Certificate Manager page.

  2. Click the name of the certificate map that contains the map entries. The Certificate Map Details page shows detailed information about the selected certificate map and its associated list of map entries.

gcloud

gcloud certificate-manager maps entries list --map="CERTIFICATE_MAP_NAME" \
    --filter="FILTER" \
    --page-size="PAGE_SIZE" \
    --limit="LIMIT" \
    --sort-by="SORT_BY"

Replace the following:

  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • FILTER: an expression that constrains the returned results to specific values.

    For example, you can filter the results by the following criteria:

    • Serving state: --filter='state=ACTIVE'
    • Matcher: --filter='matcher=PRIMARY' returns the primary entry; a leading hyphen negates a term, so --filter='-matcher=PRIMARY' returns only the hostname entries
    • Hostname: --filter='hostname=example.com'
    • Assigned certificates: --filter='certificates:my-cert'
    • Labels and creation time: --filter='labels.key:value AND create_time > "2021-09-01T00:00:00Z"'

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • LIMIT: the maximum number of results to return.

  • SORT_BY: a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).

API

List the certificate map entries configured within a given certificate map by making a GET request to the certificateMaps.certificateMapEntries.list method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries?filter=FILTER&pageSize=PAGE_SIZE&sortBy=SORT_BY

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_MAP_NAME: the name of the target certificate map.
  • FILTER: an expression that constrains the returned results to specific values. The same expressions as for gcloud go in the filter query parameter (URL-encoded).

    For example, you can filter the results by the following criteria:

    • Serving state: state=ACTIVE
    • Matcher: matcher=PRIMARY returns the primary entry; a leading hyphen negates a term, so -matcher=PRIMARY returns only the hostname entries
    • Hostname: hostname=example.com
    • Assigned certificates: certificates:my-cert
    • Labels and creation time: labels.key:value AND create_time > "2021-09-01T00:00:00Z"

    For more filtering examples that you can use with Certificate Manager, see Sorting and filtering list results in the Cloud Key Management Service documentation.

  • PAGE_SIZE: the number of results to return per page.

  • SORT_BY: a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the field with a tilde (~).
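The following is an added example, not code from this page or from Google: an audit run over the entries returned by the list command or method, checking in one pass what the filters above let you query one at a time: which entries are not yet serving (state other than ACTIVE), which expected hostnames have no entry, whether a primary entry exists, and, per the IAP note earlier on this page, whether a primary entry is present while IAP is enabled. SAMPLE_ENTRIES is constructed to match the shape of a list response; its project, map, entry and certificate names are placeholders.

```python
# Added example (not Google's code): audit of certificateMapEntries.list output.
from typing import Dict, Iterable, List

ENTRY_PREFIX = "projects/my-project/locations/global/certificateMaps/my-map/certificateMapEntries/"
CERT_PREFIX = "projects/my-project/locations/global/certificates/"

SAMPLE_ENTRIES = [  # constructed sample in the shape of a list response
    {"name": ENTRY_PREFIX + "www-entry", "hostname": "www.example.com",
     "certificates": [CERT_PREFIX + "www-rsa", CERT_PREFIX + "www-ecdsa"],
     "state": "ACTIVE"},
    {"name": ENTRY_PREFIX + "api-entry", "hostname": "api.example.com",
     "certificates": [CERT_PREFIX + "api-rsa"],
     "state": "PENDING"},
    {"name": ENTRY_PREFIX + "fallback", "matcher": "PRIMARY",
     "certificates": [CERT_PREFIX + "www-rsa"],
     "state": "ACTIVE"},
]


def audit_entries(entries: Iterable[dict], expected_hostnames: Iterable[str],
                  iap_enabled: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    by_hostname: Dict[str, List[dict]] = {}
    primary: List[str] = []

    for entry in entries:
        short = entry["name"].rsplit("/", 1)[-1]
        state = entry.get("state", "UNKNOWN")
        if state != "ACTIVE":
            findings.append(f"{short}: state {state} (not serving yet)")
        if not entry.get("certificates"):
            findings.append(f"{short}: no certificates attached")
        if entry.get("matcher") == "PRIMARY":
            primary.append(short)
        elif "hostname" in entry:
            by_hostname.setdefault(entry["hostname"].lower(), []).append(entry)
        else:
            findings.append(f"{short}: neither hostname nor PRIMARY matcher")

    for host, group in by_hostname.items():
        if len(group) > 1:
            findings.append(f"{host}: {len(group)} entries for one hostname")

    for host in expected_hostnames:
        if host.lower() not in by_hostname:
            findings.append(f"{host}: no certificate map entry; only the primary entry (if any) can serve it")

    if len(primary) > 1:
        findings.append(f"{len(primary)} primary entries: {', '.join(primary)}")
    if primary and iap_enabled:
        findings.append(f"{primary[0]}: primary entry present but IAP is enabled; use per-hostname entries")
    if not primary and not iap_enabled:
        findings.append("no primary entry: clients that send no hostname or an unmatched one get no fallback certificate")
    return findings


if __name__ == "__main__":
    # Expected hostnames would normally come from your inventory; these are placeholders.
    for line in audit_entries(SAMPLE_ENTRIES, ["www.example.com", "api.example.com", "admin.example.com"]):
        print(line)
```

To run it against a real map, feed it the JSON from gcloud certificate-manager maps entries list --map=CERTIFICATE_MAP_NAME --format=json (or the certificateMapEntries array of the list response) and the list of hostnames your load balancer is expected to serve.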

View the state of a certificate map entry

You can view the state of a certificate map entry.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Viewer role (roles/certificatemanager.viewer)
  • Certificate Manager Editor role (roles/certificatemanager.editor)
  • Certificate Manager Owner role (roles/certificatemanager.owner)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

Console

  1. In the Google Cloud console, go to the Certificate maps tab on the Certificate Manager page.

  2. Click the name of the certificate map that contains the map entries. The Certificate Map Details page shows detailed information about the selected certificate map and its associated list of map entries.

  3. In the Map entries section, click the name of the map entry that you want to view. The Map entry details page displays detailed information about the selected map entry.

gcloud

gcloud certificate-manager maps entries describe CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.

API

View the state of the certificate map entry by making a GET request to the certificateMaps.certificateMapEntries.get method as follows:

GET /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries/CERTIFICATE_MAP_ENTRY_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.

Delete a certificate map entry

Deleting a certificate map entry detaches the certificates associated with the certificate map entry from the target proxy. Deleting a certificate map entry doesn't delete the associated certificates from Google Cloud; if you no longer need them, you must delete those certificates separately.

Roles required for this task

To perform this task, you must have one of the following IAM roles on the target Google Cloud project.

  • Certificate Manager Editor role (roles/certificatemanager.editor)

For more information, see Roles and permissions.

Note: If you aren't assigned the required roles, contact the IAM Administrator who has the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) to grant you the missing roles.

gcloud

gcloud certificate-manager maps entries delete CERTIFICATE_MAP_ENTRY_NAME \
    --map="CERTIFICATE_MAP_NAME"

Replace the following:

  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.

API

Delete a certificate map entry by making a DELETE request to the certificateMaps.certificateMapEntries.delete method as follows:

DELETE /v1/projects/PROJECT_ID/locations/global/certificateMaps/CERTIFICATE_MAP_NAME/certificateMapEntries/CERTIFICATE_MAP_ENTRY_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project.
  • CERTIFICATE_MAP_NAME: the name of the certificate map to which the certificate map entry is attached.
  • CERTIFICATE_MAP_ENTRY_NAME: the name of the certificate map entry.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.