What is GCP Certificate Manager (CM)

GCP Certificate Manager is a fully managed service from Google Cloud Platform (GCP) that helps you provision, manage, and deploy TLS/SSL certificates for your applications running on GCP. It was created to simplify and automate how certificates are handled for services like load balancers, Cloud Run services, and Google Kubernetes Engine (GKE) clusters.

GCP CM Key Features

  1. Certificate Lifecycle Management
    • Automated management of certificates issued from Google CA service only
  2. Multi-region scalable deployment
  3. Integration with GCP Load Balancers
  4. Managed Certificate Authority Integration
    • Google CA service only
  5. Automatic DNS Validation for certificates
    • Internal certificates only

Types of Certificates Supported

Type | Description
Google Managed Certificates | Google provisions and manages the entire lifecycle (ideal for public websites).
Private CA Certificates | Integrate with Google CAs to use internal PKI for issuing certificates.
Self-Managed Certificates | You upload your own certificates and private keys from self-managed or external PKIs.

Why use Jellyfish to Manage Certificates within GCP CM?

GCP Certificate Manager does not provide a means to generate and export private keys for use externally. It expects you either to import a certificate and key (self-managed certificates) or to let it manage everything internally (Google-managed certificates, including private key generation inside GCP, where the key is non-exportable).

GCP CM does not generate a private key separately for you or act as a CSR generation service to allow you to request a certificate from an external CA.

Cogito Jellyfish CLM and GCP CM

Cogito Jellyfish allows you to sync your GCP CM certificates to a single CLM service, which can combine this certificate management with that of Azure Key Vault, ACM and an on-premises solution. Jellyfish also allows you to generate your private keys externally, create a CSR and have it signed by a CA that is external to GCP (such as an on-premises CA), and provides the mechanisms to publish that certificate and key pair within GCP CM for use in the GCP ecosystem. This certificate can then be fully managed from Jellyfish, including the generation of alerts at configurable periods prior to the certificate expiring, so that outages caused by an expired externally generated certificate can be avoided.

Summary

Cogito Jellyfish allows you to create, publish, monitor and manage keys and certificates across various ecosystems, allowing customers to utilise their private CAs to provide trust across the cloud provider ecosystems.

GCP CM provides certificate renewal only for Google-managed certificates; it does not provide expiry monitoring, notifications or renewals for certificates issued from external CAs.
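
The self-managed path described above (key and CSR generated outside GCP, certificate and key uploaded to Certificate Manager, expiry tracked by you) can be sketched with openssl and gcloud. This is an added example, not Jellyfish or Google code; the file names, the host name and the self-signing step that stands in for your external CA are assumptions.

```shell
# Added example: file names, host name and thresholds are constructed placeholders.

# Generate the private key and CSR outside GCP, so the key is created and
# held under your own control rather than inside Certificate Manager.
make_key_and_csr() {  # $1=output dir  $2=common name
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/tls.key" -out "$1/tls.csr" -subj "/CN=$2" 2>/dev/null
  chmod 600 "$1/tls.key"
}

# Stand-in for the external CA (assumption): self-sign the CSR for $2 days.
# In practice the CSR is sent to your own CA and tls.crt comes back from it.
sign_csr_for_demo() {  # $1=dir  $2=validity in days
  openssl x509 -req -in "$1/tls.csr" -signkey "$1/tls.key" \
    -days "$2" -out "$1/tls.crt" 2>/dev/null
}

# Pre-upload check: the returned certificate must carry the public key that
# belongs to the private key we generated.
key_matches_cert() {  # $1=dir
  [ "$(openssl x509 -in "$1/tls.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$1/tls.key" -pubout | openssl sha256)" ]
}

# Expiry check that Certificate Manager does not perform for uploaded
# certificates: succeeds when the certificate expires within $2 days.
expires_within() {  # $1=certificate file  $2=days
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Upload as a self-managed certificate (defined here, not run by the demo).
publish_to_cm() {  # $1=certificate resource name  $2=dir
  gcloud certificate-manager certificates create "$1" \
    --certificate-file="$2/tls.crt" --private-key-file="$2/tls.key"
}

# Demo on constructed data: a 10-day certificate trips a 30-day alert window.
work=$(mktemp -d)
make_key_and_csr "$work" "app.example.internal"
sign_csr_for_demo "$work" 10
key_matches_cert "$work" && expires_within "$work/tls.crt" 30 &&
  echo "key matches certificate; expires within 30 days, renew now"
rm -rf "$work"
```

Running `expires_within` from a scheduled job against every uploaded certificate gives a basic version of the expiry alerting that self-managed certificates otherwise lack.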