Why are there two methods to configure an SSL certificate:
https://cloud.google.com/load-balancing/docs/ssl-certificates#config-tech
What is the difference between creating an SSL certificate using Compute Engine SSL certificates and creating certificates using Certificate Manager?
What are the advantages and disadvantages of each?
Hi @mountaincode2,
Welcome to Google Cloud Community!
Here are the differences and advantages of the two methods:
Compute Engine SSL Certificate Resource:
- Each target proxy resource can reference up to a non-configurable maximum number of SSL certificates per target HTTPS or target SSL proxy.
- It supports all Network Service Tiers that are supported by the load balancer.
- The first Compute Engine SSL certificate resource referenced by a load balancer’s target proxy is considered the default (primary) certificate for the load balancer.
Certificate Manager:
- Certificate Manager securely stores and deploys certificates to your selected proxies, allowing you to provision certificates in advance and ensure zero downtime during migrations.
- With a certificate map on a load balancer, each target proxy resource references a single certificate map. A certificate map references one or more certificate entries, and you can configure which certificate entry is the default (primary) certificate for the map.
- Recommended if you need to host more than a few SSL certificates per target proxy. It also lets you deploy up to a million certificates per load balancer.
- Provides control over the assignment and selection of certificates based on hostnames at a highly granular level that’s not available when using Cloud Load Balancing.
- This method is only available when the load balancer uses the Premium Network Service Tier.
For more information about the advantages of Certificate Manager, you can refer to this documentation.
In summary: If you require granular and centralized management and need to use a large number of SSL certificates, Certificate Manager is recommended. However, if you are using only a few SSL certificates and prefer a direct approach, the Compute Engine SSL certificate resource is sufficient.
I hope this helps.
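The two configuration paths compared in the answer above, sketched with gcloud as an added example (not part of the original post or of Google's documentation). The proxy, certificate, map and hostname values are placeholder assumptions, the certificates are assumed to exist already, and by default the script only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: all resource names and hostnames below are placeholders (assumptions).
# DRY_RUN=1 (default) prints each gcloud command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
PROXY="${PROXY:-example-https-proxy}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Method 1: Compute Engine SSL certificate resources referenced directly by
# the target proxy. The first certificate in the list is the default (primary).
# Arguments: certificate resource names, default first.
attach_compute_certs() {
  cert_list=$(IFS=,; printf '%s' "$*")
  run gcloud compute target-https-proxies update "$PROXY" --global \
    --ssl-certificates="$cert_list"
}

# Method 2: Certificate Manager. The proxy references a single certificate map;
# each entry binds one hostname to a certificate, and one entry is set as primary.
# Arguments: map name, primary certificate, then hostname=certificate pairs.
attach_certificate_map() {
  map="$1"; primary="$2"; entry_no=0
  shift 2
  run gcloud certificate-manager maps create "$map"
  run gcloud certificate-manager maps entries create "${map}-primary" \
    --map="$map" --certificates="$primary" --set-primary
  for pair in "$@"; do
    host="${pair%%=*}"; cert="${pair#*=}"; entry_no=$((entry_no + 1))
    run gcloud certificate-manager maps entries create "${map}-entry-${entry_no}" \
      --map="$map" --certificates="$cert" --hostname="$host"
  done
  run gcloud compute target-https-proxies update "$PROXY" --global \
    --certificate-map="$map"
}
```

For example, `attach_certificate_map example-map cert-default www.example.com=cert-www` prints four commands: map creation, the primary entry, one hostname entry, and the proxy update.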