
How to Install an SSL Certificate on Google Cloud Platform

This tutorial explains how to install an SSL certificate on Google Cloud Platform using Certificate Manager. You will also learn how to generate a CSR (Certificate Signing Request) for Google Cloud, and how to deploy the certificate to an HTTPS load balancer.

Generate a CSR code on Google Cloud Platform

You cannot order an SSL certificate without a CSR code. CSR stands for Certificate Signing Request, a block of encoded text that contains the applicant’s details. The Certificate Authority uses the CSR to verify your domain and organization before it issues the certificate.

Google Cloud has no built-in form that creates a CSR for you, so you generate the CSR and its private key with OpenSSL on your own machine. You have two options:

Keep the private key safe. You will need it again when you upload the certificate to Certificate Manager. Submit the CSR to the Certificate Authority during your order, and once the certificate is issued, continue with the installation below.

Install an SSL certificate on Google Cloud Platform

On Google Cloud, a third-party (self-supplied) certificate is called a self-managed certificate. You upload it to Certificate Manager, then deploy it to an HTTPS load balancer. Before you begin, make sure you have:

  • Your signed certificate files from the Certificate Authority.
  • The private key you generated with the CSR.
  • Access to the Google Cloud Console and the gcloud CLI.
  • An existing HTTPS load balancer (an external Application Load Balancer with a target HTTPS proxy) that serves your domain. The certificate attaches to this load balancer.

Step 1: Prepare your certificate files

After the Certificate Authority validates your request, it emails you a ZIP archive. Extract it and look for:

  • yourdomain.crt, your server certificate.
  • yourdomain.ca-bundle, the intermediate certificates.
  • yourdomain.key, the private key you created with the CSR.

Step 2: Combine the certificate and chain

Certificate Manager expects one PEM file that holds your server certificate first, then the intermediate certificates, in that order. Open a terminal in the folder where your files are stored and run:

cat yourdomain.crt yourdomain.ca-bundle > fullchain.crt

This creates a PEM-formatted file with your certificate and the intermediate chain in the correct order. The certificate file must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Now check the private key. Certificate Manager requires it to be:

  • PEM-formatted and unencrypted (no passphrase).
  • In PKCS#8 form, so it starts with -----BEGIN PRIVATE KEY-----, not -----BEGIN RSA PRIVATE KEY-----.
  • RSA (2048, 3072, or 4096 bits) or ECDSA (P-256 or P-384).

If your key starts with -----BEGIN RSA PRIVATE KEY----- (PKCS#1), convert it to the PKCS#8 form Certificate Manager accepts:

openssl pkcs8 -topk8 -nocrypt -in yourdomain.key -out yourdomain_pkcs8.key

Use the resulting yourdomain_pkcs8.key in the upload steps below. If your key is passphrase-protected, this command also prompts you for the passphrase and writes out an unencrypted copy.
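The Step 2 requirements can be checked before you upload anything. The script below is an added example, not part of the original tutorial or of any Google tool: it confirms the key is unencrypted PKCS#8, that the first certificate in fullchain.crt belongs to that key, and that each certificate is followed by its issuer. The function names are hypothetical, and the key type and size are not checked.

```sh
#!/bin/sh
# Added example: pre-upload checks for the files built in Step 2.
# Function names are hypothetical; file names are the tutorial's placeholders.

# Classify a private key by its PEM header (first line of the file).
key_format() {
  case "$(head -n 1 "$1" | tr -d '\r')" in
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
    "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
    "-----BEGIN EC PRIVATE KEY-----")        echo sec1 ;;
    *)                                       echo unknown ;;
  esac
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Print the N-th certificate (1-based) of a bundle.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {i++} i == n' "$1"; }

# SHA-256 of the public key, read from a certificate (stdin) or a key file.
cert_pub() { openssl x509 -noout -pubkey | openssl sha256; }
key_pub()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null | openssl sha256; }

# Subject or issuer name of a certificate on stdin, in one canonical form.
cert_name() { openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Leaf first, then every certificate issued by the one that follows it.
# This compares names only; it does not verify signatures.
chain_in_order() {
  n=$(cert_count "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    [ "$(nth_cert "$1" "$i" | cert_name issuer)" = \
      "$(nth_cert "$1" $((i + 1)) | cert_name subject)" ] || return 1
    i=$((i + 1))
  done
}

# Usage: preflight fullchain.crt yourdomain_pkcs8.key
preflight() {
  fmt=$(key_format "$2")
  [ "$fmt" = pkcs8 ] || { echo "key is $fmt, need unencrypted PKCS#8"; return 1; }
  [ "$(cert_count "$1")" -ge 2 ] || { echo "no intermediate in $1"; return 1; }
  [ "$(nth_cert "$1" 1 | cert_pub)" = "$(key_pub "$2")" ] ||
    { echo "first certificate does not match the key"; return 1; }
  chain_in_order "$1" || { echo "chain is out of order"; return 1; }
  echo ok
}
```

Source the file and run preflight fullchain.crt yourdomain_pkcs8.key; it prints ok or the first problem it finds.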

Step 3: Upload the certificate to Certificate Manager

You can upload the self-managed certificate from the Console or with gcloud. Use whichever you prefer; the result is the same Certificate Manager resource.

Option A, Google Cloud Console:

  1. Sign in to the Google Cloud Console and select your project.
  2. Open Certificate Manager (under Security, in the Network Security area), then select the Certificates tab.
  3. Select Add Certificate.
  4. Give the certificate a name, then for Certificate type choose Create self-managed certificate.
  5. For Location, choose Global with Scope Default for a global load balancer, or Regional and your region for a regional load balancer.
  6. Upload fullchain.crt as the certificate and your PKCS#8 private key as the private key, then select Create.

Option B, gcloud CLI: create the same certificate in one command. Replace MY_CERT with a name of your choice:

gcloud certificate-manager certificates create MY_CERT \
  --certificate-file=fullchain.crt \
  --private-key-file=yourdomain_pkcs8.key

Either way, the certificate now lives in Certificate Manager, but it is not connected to any traffic yet. The next step deploys it.

Step 4: Deploy the certificate to your load balancer

Certificate Manager deploys a certificate through a certificate map. You create a map, add an entry that points a hostname at your certificate, then attach the map to your load balancer’s target HTTPS proxy. Run these commands with gcloud.

Create a certificate map:

gcloud certificate-manager maps create MY_MAP

Add a map entry for your hostname. Replace MY_CERT with your uploaded certificate name and yourdomain.com with the domain you want to secure:

gcloud certificate-manager maps entries create my-entry \
  --map=MY_MAP \
  --certificates=MY_CERT \
  --hostname=yourdomain.com

Attach the map to your existing target HTTPS proxy. Replace MY_PROXY with the name of the proxy that fronts your load balancer:

gcloud compute target-https-proxies update MY_PROXY \
  --certificate-map=MY_MAP \
  --global

Drop the --global flag and add --region=YOUR_REGION if your load balancer is regional. The load balancer now serves your certificate for incoming HTTPS traffic to that hostname. Certificate changes can take a few minutes to propagate across the load balancer.

Test your SSL installation

After you deploy the certificate, confirm that the load balancer serves it correctly and that the chain is complete. From any machine with OpenSSL, connect to your domain and read the certificate it returns:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, the subject, and the validity dates of the certificate now in use. For a full report on the certificate and its configuration, including chain and protocol checks, run your domain through our SSL Checker, or open the site in a browser and check the padlock.

Frequently Asked Questions

Can I generate a CSR directly in Google Cloud?

No. Google Cloud has no console form that generates a CSR or a private key for a self-managed certificate. You create the CSR and the key with OpenSSL on your own machine (or with our CSR Generator), order the certificate, then upload the issued certificate and the private key to Certificate Manager.

What is the difference between a self-managed and a Google-managed certificate?

A self-managed certificate is one you obtain from a Certificate Authority and upload yourself, and you are responsible for renewing it. A Google-managed certificate is provisioned and renewed automatically by Google. This tutorial covers self-managed certificates, which is the path you use for a paid certificate from SSL Dragon.

Why does Certificate Manager reject my private key?

The most common cause is the key format. Certificate Manager needs an unencrypted PKCS#8 key that starts with -----BEGIN PRIVATE KEY-----. If yours starts with -----BEGIN RSA PRIVATE KEY----- or is passphrase-protected, convert it with openssl pkcs8 -topk8 -nocrypt -in yourdomain.key -out yourdomain_pkcs8.key and upload the converted file.

I uploaded the certificate but the site still shows “not secure”. Why?

Uploading a certificate to Certificate Manager only stores it. It does not serve traffic until you deploy it. Create a certificate map, add a map entry for your hostname, and attach the map to your load balancer’s target HTTPS proxy (Step 4). Until the map is attached, the load balancer does not present your certificate.

In what order should the certificate file be?

Your server (leaf) certificate goes first, followed by the intermediate certificates, in a single PEM file. The command cat yourdomain.crt yourdomain.ca-bundle > fullchain.crt produces this order. A missing or out-of-order chain is a frequent reason browsers and SSL checkers report an incomplete certificate path.
