9

I would like to use Google-managed certificates for wildcard hostnames—for example, *.example.com.

I know I could use Certificate Manager from the doc to do that in GCP, but I cannot find a concrete example.

Could you please show me some examples?

ikhvjs
  • [Request a certificate using Certificate Manager Public CA](https://cloud.google.com/certificate-manager/docs/public-ca-tutorial) – John Hanley Sep 15 '22 at 18:34
  • Example terraform configs: https://github.com/hashicorp/terraform-provider-google/issues/11037#issuecomment-1362628852 – Neara Apr 09 '23 at 12:42

3 Answers

14

Thanks for @James's answer. I also referenced this doc.

I would like to post a concrete example for this question in case anyone has the same doubts as me.

Most of the steps can be taken from the doc; I would like to point out two steps you need to take care of.

In the "Create a Google-managed certificate referencing the DNS authorization" step, provide your single domain and your wildcard hostname in the --domains option.

gcloud certificate-manager certificates create "my-cert" \
    --domains="example.com,*.example.com" \
    --dns-authorizations=my-dns-auth

In the "Create a certificate map entry" step, create two entries, one for the single hostname and one for the wildcard hostname.

gcloud certificate-manager maps entries create "my-entry1" \
    --map=my-map \
    --certificates=my-cert \
    --hostname="example.com"
gcloud certificate-manager maps entries create "my-entry2" \
    --map=my-map \
    --certificates=my-cert \
    --hostname="*.example.com"
ikhvjs
  • THANK YOU SO MUCH. This is life-saving information!!! – Clifford Cheefoon Jan 08 '23 at 09:36
  • Some other notes would be that adding a certificate to a load balancer will remove any legacy SSL certs already attached. As such you'll need to recreate them and attach them with map entries to the new cert you wish to attach. – toxaq Jan 11 '23 at 22:09
1

For your use case, it will be best to use DNS authorization since Load balancer authorization does not support wildcard certificates. Each DNS authorization stores information about the DNS record that you need to set up and covers a single domain plus its wildcard—for example, example.com and *.example.com.

While this may not be a concrete example, this document is a helpful guide in creating a Google-managed certificate with DNS authorization and its deployment to your Load Balancer. Hope this helps.

James S
0

I created a wildcard certificate for a Google App Engine app, but my domain and DNS are managed by GoDaddy.

I generated the certificate using CERTBOT. The important part here is the --key-type argument. Otherwise GAE will reject the certificate:

sudo certbot certonly --manual --preferred-challenges=dns --key-type rsa

This command generated 4 files. The ones that I used are the fullchain.pem and the privkey.pem. For the privkey I also changed the header and footer from this:

-----BEGIN PRIVATE KEY-----
           <key>
-----END PRIVATE KEY-----

to this:

-----BEGIN RSA PRIVATE KEY-----
           <key>
-----END RSA PRIVATE KEY-----

And then I uploaded those files here. For some reason the input for importing the private key did not work properly; I had to copy/paste it directly.

David Valdivieso
  • You cannot change `BEGIN PRIVATE KEY` to `BEGIN RSA PRIVATE KEY`. They are two different DER encodings. – John Hanley Jun 14 '23 at 21:20
  • @JohnHanley I'm just describing what I did. Without that change the Google Cloud UI does not let me upload the certificates. Perhaps it's an error with the CERTBOT CLI: if I add the argument `--key-type RSA`, that header and footer should change. – David Valdivieso Jun 15 '23 at 17:20
  • RSA means different things in encryption, signing, certificates, and file formats. The term is used too often due to history. – John Hanley Jun 15 '23 at 18:17
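The point raised in the comments above (that `BEGIN PRIVATE KEY` is PKCS#8 and `BEGIN RSA PRIVATE KEY` is PKCS#1, two different DER structures) can be checked before a key is uploaded anywhere. The following is an added example, not code from the answer or from any Google tool; it peeks at the first DER elements of a PEM body and reports whether they match the label, using tiny constructed toy structures (not real keys) as sample input.

```python
import base64
import re

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos; returns (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def pem_key_format(pem: str) -> str:
    """Return 'pkcs8' or 'pkcs1' when the PEM label matches the DER, else 'mismatch: ...'."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der_bytes = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    vtag, _, pos = _read_tlv(body, 0)          # both formats start with a version INTEGER
    if vtag != 0x02:
        raise ValueError("expected a version INTEGER")
    # PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier (SEQUENCE 0x30), OCTET STRING
    # PKCS#1 RSAPrivateKey:  version, modulus (INTEGER 0x02), publicExponent, ...
    actual = {0x30: "pkcs8", 0x02: "pkcs1"}.get(body[pos], "unknown")
    expected = {"PRIVATE KEY": "pkcs8", "RSA PRIVATE KEY": "pkcs1"}.get(label, "unknown")
    return actual if actual == expected else f"mismatch: label says {expected}, DER is {actual}"

def to_pem(label: str, der_bytes: bytes) -> str:
    """Wrap DER bytes in a PEM block with the given label (64-char base64 lines)."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# Constructed toy structures for the demo: tiny integers, not a usable key.
def _int(v: int) -> bytes:
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

TOY_PKCS1 = der(0x30, _int(0) + _int(3233) + _int(17) + _int(2753))       # RSAPrivateKey
RSA_OID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"            # rsaEncryption, NULL
TOY_PKCS8 = der(0x30, _int(0) + der(0x30, RSA_OID) + der(0x04, TOY_PKCS1))  # PrivateKeyInfo
```

Simply renaming the label of a PKCS#8 body to `RSA PRIVATE KEY` is reported as a mismatch; to actually obtain a PKCS#1 file, re-encode the key with OpenSSL (`openssl rsa -in privkey.pem -out privkey-rsa.pem`, adding `-traditional` on OpenSSL 3.x) instead of editing the header.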