Introducing Certificate Manager to simplify SaaS scale TLS and certificate management

We’re excited to announce the public preview of Certificate Manager and its integration with External HTTPS Load Balancing. Certificate Manager enables you to use External HTTPS Load Balancing with as many certificates or domains as you need. You can bring your own TLS certificates and keys if you have an existing certificate lifecycle management solution you’d like to use with Google Cloud, or enjoy the convenience of our fully Managed TLS offerings.

Extend the security and performance of the Google network to your customers

Certificate Manager brings support for multiple certificates per customer. When coupled with our global anycast load balancing solution with automated autoscaling and failover, you now have a powerful platform for building robust SaaS and PaaS offerings. This enables custom domain support for your customers with the lowest latency and the highest level of availability.

Alon Kochba, the head of web performance at website-building service Wix, explained how the new features lighten their workload.

“As a SaaS product, we need to terminate SSL for millions of custom domains and certificates. GCP’s Certificate Manager and External HTTPS Load Balancing lets us do this at the edge, close to the clients, without having to rely on our own custom solution for terminating SSL,” Kochba said.

Customers who switch to External HTTPS Load Balancing can also now protect their SaaS users from denial of service attacks, OWASP Top 10 risks, and other common Web attacks by adopting Cloud Armor.

DNS authorization

This release also enables you to provision your Google-managed certificates with DNS-based authorizations and have them ready to use before your load-balancing production environment is fully set up. This helps streamline a migration to Google Cloud, for example. To create a DNS authorization, use the following command:

gcloud beta certificate-manager dns-authorizations create example-authorization --domain="example.com"

This command returns the CNAME record for _acme-challenge.example.com that you must add to the DNS zone of the target domain. The CNAME points to a special Google Cloud domain (for example, 534959-1a8a-40cf-90b6-b1f5f8d22517.2.authorize.certificatemanager.goog) that is used to verify domain ownership.

When you request a certificate based on the above authorization, Cloud Certificate Manager will work with the Certificate Authority automatically to get and later renew your certificate for that domain.

Wildcard support

This DNS-based domain control authorization also allows us to bring you support for wildcard certificates. To use a wildcard certificate, you must first create the DNS authorization as described above. Once that has been completed, you can request the wildcard certificate using the following command. Our example below is for a top-level registered domain and its wildcard subdomains.

gcloud beta certificate-manager certificates create example-wildcard-certificate --domains="example.com,*.example.com" --dns-authorizations="example-authorization"
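A pre-flight check for the two steps above (DNS authorization, then the certificate request), added here as an example and not part of the original post or of Google's tooling. It takes a simplified view of the authorization as `dns-authorizations describe` would return it and a snapshot of the zone's record sets, and reports, per requested domain, whether an authorization covers it and whether the expected CNAME is already in place. The field names (`dnsResourceRecord`, `rrdatas`), the placeholder target, and the scope rule that an authorization for example.com covers exactly example.com and *.example.com are assumptions; the record data is constructed.

```python
# Pre-flight check before `certificate-manager certificates create`: confirm that every
# requested domain is covered by a DNS authorization and that the authorization's CNAME
# is already present in the zone. All inputs below are constructed for this example.

# Simplified view of a DNS authorization as returned by
# `gcloud beta certificate-manager dns-authorizations describe` (field names assumed).
AUTHORIZATIONS = {
    "example-authorization": {
        "domain": "example.com",
        "dnsResourceRecord": {
            "name": "_acme-challenge.example.com.",
            "type": "CNAME",
            # Placeholder target; the real value is issued by Certificate Manager.
            "data": "00000000-0000-0000-0000-000000000000.1.authorize.certificatemanager.goog.",
        },
    },
}

# Constructed snapshot of the target zone's record sets.
ZONE_RECORDS = [
    {"name": "example.com.", "type": "A", "rrdatas": ["192.0.2.10"]},
    {"name": "_acme-challenge.example.com.", "type": "CNAME",
     "rrdatas": ["00000000-0000-0000-0000-000000000000.1.authorize.certificatemanager.goog."]},
]


def normalize(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def authorization_for(domain, authorizations):
    """Return the name of the authorization covering `domain`, or None.

    Assumption (not stated on the page): an authorization for example.com covers exactly
    example.com and *.example.com; other subdomains such as www.example.com need their own.
    """
    wanted = normalize(domain)
    for auth_name, auth in authorizations.items():
        base = normalize(auth["domain"])
        if wanted in (base, "*." + base):
            return auth_name
    return None


def cname_in_place(auth, zone_records):
    """True if the zone has the authorization's CNAME pointing at the expected target."""
    rr = auth["dnsResourceRecord"]
    for rec in zone_records:
        if rec["type"] == "CNAME" and normalize(rec["name"]) == normalize(rr["name"]):
            return normalize(rr["data"]) in {normalize(d) for d in rec["rrdatas"]}
    return False


def preflight(domains, authorizations, zone_records):
    """Map each requested domain to 'ready', 'cname-missing' or 'no-authorization'."""
    result = {}
    for domain in domains:
        auth_name = authorization_for(domain, authorizations)
        if auth_name is None:
            result[domain] = "no-authorization"
        elif not cname_in_place(authorizations[auth_name], zone_records):
            result[domain] = "cname-missing"
        else:
            result[domain] = "ready"
    return result


if __name__ == "__main__":
    requested = ["example.com", "*.example.com", "www.example.com"]
    for domain, status in preflight(requested, AUTHORIZATIONS, ZONE_RECORDS).items():
        print(f"{domain:20} {status}")
```

Running it as-is reports example.com and *.example.com as ready and www.example.com as lacking an authorization, which is the case a wildcard request most often trips over: the bare name and its wildcard share one authorization, but any other explicitly listed hostname needs its own.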

Monitoring for Certificate Expiration

Another new feature enabled with this product is the ability to monitor certificate expiration with Google Cloud Logging. Cloud Logging records certificate expiration under the `certificatemanager.googleapis.com/Project` monitored resource; each entry is represented by the following message:

message CertificatesExpiry {
  // Expiration state of the certificate.
  enum State {
    // Unspecified state, should never be reported.
    STATE_UNSPECIFIED = 0;

    // Certificate will expire soon.
    CLOSE_TO_EXPIRY = 1;
    // Certificate is expired.
    EXPIRED = 2;
  }

  // Number of reported certificates.
  int64 count = 1;

  // Names of reported certificates. If there are too many, the list is sampled.
  repeated string certificates = 2;

  // State of reported certificates.
  State state = 3;

  // Approximate expiration time of reported certificates.
  // Multiple certificates with close expiration time are batched
  // together in a single log, so the timestamp is not precise.
  google.protobuf.Timestamp expire_time = 4;
}

The log message is delivered every hour and lists a sample of the certificates that are close to expiry or already expired.
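The following is an added example, not code from the original post or from Google, of how a monitoring job might consume these hourly entries once they are exported from Cloud Logging as JSON. It filters on the monitored resource named above, assigns a severity from the `state` and the approximate `expire_time`, and flags entries whose `count` exceeds the names listed, since those lists are sampled and the full set of affected certificates must be enumerated through the API. The log entries and the reference time are constructed; the camelCase spelling of the `jsonPayload` keys is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed Cloud Logging entries (not real log output). The jsonPayload keys mirror the
# CertificatesExpiry fields quoted above; their camelCase JSON spelling is an assumption.
SAMPLE_LOG_ENTRIES = [
    {
        "resource": {"type": "certificatemanager.googleapis.com/Project"},
        "jsonPayload": {
            "count": 2,
            "certificates": [
                "projects/example-project/locations/global/certificates/shop-cert",
                "projects/example-project/locations/global/certificates/api-cert",
            ],
            "state": "CLOSE_TO_EXPIRY",
            "expireTime": "2022-05-01T00:00:00Z",
        },
    },
    {
        "resource": {"type": "certificatemanager.googleapis.com/Project"},
        "jsonPayload": {
            # count exceeds the names listed: the service sampled the list.
            "count": 150,
            "certificates": [
                "projects/example-project/locations/global/certificates/tenant-0001",
                "projects/example-project/locations/global/certificates/tenant-0002",
                "projects/example-project/locations/global/certificates/tenant-0003",
            ],
            "state": "EXPIRED",
            "expireTime": "2022-04-10T00:00:00Z",
        },
    },
    # Unrelated entry that the filter must ignore.
    {"resource": {"type": "gce_instance"}, "jsonPayload": {"message": "instance started"}},
]

# Constructed "current time" so the example is reproducible offline.
REFERENCE_NOW = datetime(2022, 4, 20, tzinfo=timezone.utc)
EXPIRY_RESOURCE = "certificatemanager.googleapis.com/Project"
WARN_WITHIN = timedelta(days=14)


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp such as 2022-05-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(payload, now):
    """CRITICAL for expired, WARNING inside the warning window, INFO otherwise."""
    expire = parse_rfc3339(payload["expireTime"])
    if payload["state"] == "EXPIRED" or expire <= now:
        return "CRITICAL"
    if expire - now <= WARN_WITHIN:
        return "WARNING"
    return "INFO"


def summarize_expiry(entries, now):
    """One finding per CertificatesExpiry entry; other log entries are skipped."""
    findings = []
    for entry in entries:
        if entry.get("resource", {}).get("type") != EXPIRY_RESOURCE:
            continue
        payload = entry.get("jsonPayload", {})
        if payload.get("state") not in ("CLOSE_TO_EXPIRY", "EXPIRED"):
            continue
        expire = parse_rfc3339(payload["expireTime"])
        findings.append({
            "severity": classify(payload, now),
            "state": payload["state"],
            # Whole days; expire_time is itself approximate (batched), so this is a
            # rough deadline, not an exact one.
            "days_left": int((expire - now).total_seconds() // 86400),
            "count": payload["count"],
            "listed": list(payload["certificates"]),
            # When sampled, the names here are incomplete: enumerate the affected
            # certificates through the API rather than relying on this list.
            "sampled": payload["count"] > len(payload["certificates"]),
        })
    return findings


if __name__ == "__main__":
    for f in summarize_expiry(SAMPLE_LOG_ENTRIES, REFERENCE_NOW):
        note = " (list sampled, query API for full set)" if f["sampled"] else ""
        print(f"{f['severity']:8} {f['state']:15} {f['days_left']:+4d}d "
              f"{f['count']} cert(s){note}")
```

Because the same batch can be logged every hour until the certificates are renewed or removed, an alerting pipeline should deduplicate on `state` and `expireTime` rather than paging on every entry.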

Pricing

The best part is that there’s no additional charge to use the Certificate Manager for the first 100 certificates. To use more than 100 certificates with the management tools, we will charge on a per-certificate, per-month pricing structure. This empowers you to scale up to as many certificates as you need, and as cost-effectively as possible. The pricing will be enabled when the solution goes to General Availability.

It is our hope that these new features, combined with the programmability offered by Certificate Manager, will enable you to simplify the way you deploy HTTPS and offer a more scalable and secure service to your customers.
