What is GCP Certificate Manager (CM)
GCP CM Key Features
- Certificate Lifecycle Management
  - Automated management of certificates issued from Google CA service only
- Multi-region scalable deployment
- Integration with GCP Load Balancers
- Managed Certificate Authority Integration
  - Google CA service only
- Automatic DNS Validation for certificates
  - Internal certificates only
Types of Certificates Supported
| Type | Description |
| --- | --- |
| Google Managed Certificates | Google provisions and manages the entire lifecycle (ideal for public websites). |
| Private CA Certificates | Integrate with Google CAS to use internal PKI for issuing certificates. |
| Self-Managed Certificates | You upload your own certificates and private keys from self-managed or external PKIs. |
Can I request a certificate from an external CA using GCP Certificate Manager?
Current Options
| Scenario | Supported? | Notes |
| --- | --- | --- |
| Issuing certificates via Google-managed CA | ✅ | Using Google-managed CA or Certificate Authority Service (CAS). |
| Importing externally issued certificates | ✅ | You can manually import certificates issued by an external CA into Certificate Manager to manage and deploy them. |
| Requesting a new certificate directly from external CA | ❌ | GCP does not have a native feature to request a new cert from an external CA through Certificate Manager. |
Requesting and Importing a Certificate from an External CA
Process Overview
Since GCP Certificate Manager cannot request certificates from an external CA directly, the following process is required:
- Generate a CSR locally
- Request a certificate from the external CA
- Receive the certificate from the CA
- Import the certificate and private key to GCP CM
Notes and Gotchas:
| Issue | What to watch for |
| --- | --- |
| Private key must be PEM-encoded | GCP expects PEM format, not DER. |
| Full chain must be included | Always concatenate your server cert + intermediate CA certs. |
| Certificate Manager is regional/global | Certificates are always in a location (usually global). |
| Certificate rotation | If you re-issue, you'll need to update the cert + key. |
Importing the Certificate Using cURL
To import the certificate using cURL, the following steps need to be performed:
- Get an access token (OAuth 2.0 Bearer token) from gcloud
- Ensure the certificate and private key are correctly formatted in PEM, with the newlines escaped, because JSON does not accept literal newlines inside a string
- Upload the certificate and key using curl.
As a bash script, this process could look like the following:
```bash
# Obtain an OAuth 2.0 bearer token for the active gcloud account
ACCESS_TOKEN=$(gcloud auth print-access-token)
PROJECT_ID="your-project-id"
CERT_NAME="your-certificate-name"
LOCATION="global"
# Replace the literal newlines in the PEM files with "\n" so they can sit inside a JSON string
CERTIFICATE_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' cert.pem)
PRIVATE_KEY_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' privkey.pem)
curl -X POST \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-Type: application/json" \
  "https://certificatemanager.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/certificates?certificateId=${CERT_NAME}" \
  -d "{
    \"selfManaged\": {
      \"certificatePem\": \"${CERTIFICATE_CONTENT}\",
      \"privateKeyPem\": \"${PRIVATE_KEY_CONTENT}\"
    }
  }"
```
Important Notes:
- Rate limits apply if you start doing a lot of imports
- Make sure that the account you are using has at least the "roles/certificatemanager.admin" permission
- Be extremely careful when handling private keys in scripts.
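The same import as an added Python example (not code from the original page): it builds the request body with `json.dumps`, which escapes the newlines itself, and checks the gotchas listed above (PEM rather than DER, server cert plus intermediate present, exactly one private key block) before anything would be sent. The `SAMPLE_*` constants are constructed placeholders rather than real PEM data, and the project, location and certificate id are assumed values.

```python
import json
import re
import urllib.request

# One PEM block: header, body, matching footer (re.S lets '.' span the body's lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

# Constructed placeholders standing in for real PEM files; the bodies are not valid DER.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def pem_blocks(data: bytes) -> list:
    """Return (label, block) pairs, rejecting DER or other non-PEM input up front."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        hint = "looks like DER" if data[:1] == b"\x30" else "is not PEM"  # DER SEQUENCE tag is 0x30
        raise ValueError(f"input {hint}; convert with: openssl x509 -inform DER -outform PEM")
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(data.decode("ascii"))]


def build_import_request(project: str, location: str, cert_id: str,
                         chain_pem: bytes, key_pem: bytes) -> tuple:
    """Return (url, json_body) for the create-certificate call made by the curl script above."""
    certs = pem_blocks(chain_pem)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("chain file must contain only CERTIFICATE blocks")
    if len(certs) < 2:
        raise ValueError("chain must be the server cert followed by the intermediate CA cert(s)")
    keys = pem_blocks(key_pem)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("key file must hold exactly one PRIVATE KEY block")
    url = (f"https://certificatemanager.googleapis.com/v1/projects/{project}"
           f"/locations/{location}/certificates?certificateId={cert_id}")
    # json.dumps escapes the newlines itself, so no sed trickery is needed.
    body = json.dumps({"selfManaged": {
        "certificatePem": "\n".join(block for _, block in certs) + "\n",
        "privateKeyPem": keys[0][1] + "\n",
    }})
    return url, body


def send(url: str, body: str, access_token: str) -> dict:
    """POST the request; access_token is the output of `gcloud auth print-access-token`."""
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Read `cert.pem` and `privkey.pem` as bytes, pass them to `build_import_request`, and hand the result to `send` together with the gcloud token; the validation errors are raised before the key ever leaves the machine.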