The gcp:certificatemanager/certificate:Certificate resource, part of the Pulumi GCP provider, provisions TLS certificates for HTTP backends: either Google-managed certificates with automatic renewal or self-managed certificates uploaded from external sources. This guide focuses on four capabilities: Google-managed certificates with DNS authorization, private CA integration via issuance configs, self-managed certificate uploads, and regional and global certificate scopes.
Certificates depend on DNS authorization resources for domain validation or CA pools for private issuance. Self-managed certificates require PEM-encoded certificate and key files. The examples are intentionally small. Combine them with your own DNS zones, CA infrastructure, or certificate files.
Provision Google-managed certificates with DNS authorization
Most teams start with Google-managed certificates that handle provisioning and renewal automatically. DNS authorization proves domain ownership by creating validation records that Google checks before issuing certificates.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const instance = new gcp.certificatemanager.DnsAuthorization("instance", {
name: "dns-auth",
description: "The default dnss",
domain: "subdomain.hashicorptest.com",
});
const instance2 = new gcp.certificatemanager.DnsAuthorization("instance2", {
name: "dns-auth2",
description: "The default dnss",
domain: "subdomain2.hashicorptest.com",
});
const _default = new gcp.certificatemanager.Certificate("default", {
name: "dns-cert",
description: "The default cert",
scope: "EDGE_CACHE",
labels: {
env: "test",
},
managed: {
domains: [
instance.domain,
instance2.domain,
],
dnsAuthorizations: [
instance.id,
instance2.id,
],
},
});
import pulumi
import pulumi_gcp as gcp
instance = gcp.certificatemanager.DnsAuthorization("instance",
name="dns-auth",
description="The default dnss",
domain="subdomain.hashicorptest.com")
instance2 = gcp.certificatemanager.DnsAuthorization("instance2",
name="dns-auth2",
description="The default dnss",
domain="subdomain2.hashicorptest.com")
default = gcp.certificatemanager.Certificate("default",
name="dns-cert",
description="The default cert",
scope="EDGE_CACHE",
labels={
"env": "test",
},
managed={
"domains": [
instance.domain,
instance2.domain,
],
"dns_authorizations": [
instance.id,
instance2.id,
],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
instance, err := certificatemanager.NewDnsAuthorization(ctx, "instance", &certificatemanager.DnsAuthorizationArgs{
Name: pulumi.String("dns-auth"),
Description: pulumi.String("The default dnss"),
Domain: pulumi.String("subdomain.hashicorptest.com"),
})
if err != nil {
return err
}
instance2, err := certificatemanager.NewDnsAuthorization(ctx, "instance2", &certificatemanager.DnsAuthorizationArgs{
Name: pulumi.String("dns-auth2"),
Description: pulumi.String("The default dnss"),
Domain: pulumi.String("subdomain2.hashicorptest.com"),
})
if err != nil {
return err
}
_, err = certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("dns-cert"),
Description: pulumi.String("The default cert"),
Scope: pulumi.String("EDGE_CACHE"),
Labels: pulumi.StringMap{
"env": pulumi.String("test"),
},
Managed: &certificatemanager.CertificateManagedArgs{
Domains: pulumi.StringArray{
instance.Domain,
instance2.Domain,
},
DnsAuthorizations: pulumi.StringArray{
instance.ID(),
instance2.ID(),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var instance = new Gcp.CertificateManager.DnsAuthorization("instance", new()
{
Name = "dns-auth",
Description = "The default dnss",
Domain = "subdomain.hashicorptest.com",
});
var instance2 = new Gcp.CertificateManager.DnsAuthorization("instance2", new()
{
Name = "dns-auth2",
Description = "The default dnss",
Domain = "subdomain2.hashicorptest.com",
});
var @default = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "dns-cert",
Description = "The default cert",
Scope = "EDGE_CACHE",
Labels =
{
{ "env", "test" },
},
Managed = new Gcp.CertificateManager.Inputs.CertificateManagedArgs
{
Domains = new[]
{
instance.Domain,
instance2.Domain,
},
DnsAuthorizations = new[]
{
instance.Id,
instance2.Id,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificatemanager.DnsAuthorization;
import com.pulumi.gcp.certificatemanager.DnsAuthorizationArgs;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateManagedArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var instance = new DnsAuthorization("instance", DnsAuthorizationArgs.builder()
.name("dns-auth")
.description("The default dnss")
.domain("subdomain.hashicorptest.com")
.build());
var instance2 = new DnsAuthorization("instance2", DnsAuthorizationArgs.builder()
.name("dns-auth2")
.description("The default dnss")
.domain("subdomain2.hashicorptest.com")
.build());
var default_ = new Certificate("default", CertificateArgs.builder()
.name("dns-cert")
.description("The default cert")
.scope("EDGE_CACHE")
.labels(Map.of("env", "test"))
.managed(CertificateManagedArgs.builder()
.domains(
instance.domain(),
instance2.domain())
.dnsAuthorizations(
instance.id(),
instance2.id())
.build())
.build());
}
}
resources:
default:
type: gcp:certificatemanager:Certificate
properties:
name: dns-cert
description: The default cert
scope: EDGE_CACHE
labels:
env: test
managed:
domains:
- ${instance.domain}
- ${instance2.domain}
dnsAuthorizations:
- ${instance.id}
- ${instance2.id}
instance:
type: gcp:certificatemanager:DnsAuthorization
properties:
name: dns-auth
description: The default dnss
domain: subdomain.hashicorptest.com
instance2:
type: gcp:certificatemanager:DnsAuthorization
properties:
name: dns-auth2
description: The default dnss
domain: subdomain2.hashicorptest.com
The managed block configures automatic certificate provisioning. The domains property lists the hostnames to secure, while dnsAuthorizations references DnsAuthorization resources that prove you control those domains. The scope property determines where the certificate is served; EDGE_CACHE serves from edge locations for lower latency.
Issue certificates from a private Certificate Authority
Organizations with internal CAs can configure Certificate Manager to issue certificates from their own CA pool rather than using public CAs.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.certificateauthority.CaPool("pool", {
name: "ca-pool",
location: "us-central1",
tier: "ENTERPRISE",
});
const caAuthority = new gcp.certificateauthority.Authority("ca_authority", {
location: "us-central1",
pool: pool.name,
certificateAuthorityId: "ca-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
// creating certificate_issuance_config to use it in the managed certificate
const issuanceconfig = new gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig", {
name: "issuance-config",
description: "sample description for the certificate issuanceConfigs",
certificateAuthorityConfig: {
certificateAuthorityServiceConfig: {
caPool: pool.id,
},
},
lifetime: "1814400s",
rotationWindowPercentage: 34,
keyAlgorithm: "ECDSA_P256",
}, {
dependsOn: [caAuthority],
});
const _default = new gcp.certificatemanager.Certificate("default", {
name: "issuance-config-cert",
description: "The default cert",
scope: "EDGE_CACHE",
managed: {
domains: ["terraform.subdomain1.com"],
issuanceConfig: issuanceconfig.id,
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.certificateauthority.CaPool("pool",
name="ca-pool",
location="us-central1",
tier="ENTERPRISE")
ca_authority = gcp.certificateauthority.Authority("ca_authority",
location="us-central1",
pool=pool.name,
certificate_authority_id="ca-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
},
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
# creating certificate_issuance_config to use it in the managed certificate
issuanceconfig = gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig",
name="issuance-config",
description="sample description for the certificate issuanceConfigs",
certificate_authority_config={
"certificate_authority_service_config": {
"ca_pool": pool.id,
},
},
lifetime="1814400s",
rotation_window_percentage=34,
key_algorithm="ECDSA_P256",
opts = pulumi.ResourceOptions(depends_on=[ca_authority]))
default = gcp.certificatemanager.Certificate("default",
name="issuance-config-cert",
description="The default cert",
scope="EDGE_CACHE",
managed={
"domains": ["terraform.subdomain1.com"],
"issuance_config": issuanceconfig.id,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := certificateauthority.NewCaPool(ctx, "pool", &certificateauthority.CaPoolArgs{
Name: pulumi.String("ca-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
caAuthority, err := certificateauthority.NewAuthority(ctx, "ca_authority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: pool.Name,
CertificateAuthorityId: pulumi.String("ca-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
// creating certificate_issuance_config to use it in the managed certificate
issuanceconfig, err := certificatemanager.NewCertificateIssuanceConfig(ctx, "issuanceconfig", &certificatemanager.CertificateIssuanceConfigArgs{
Name: pulumi.String("issuance-config"),
Description: pulumi.String("sample description for the certificate issuanceConfigs"),
CertificateAuthorityConfig: &certificatemanager.CertificateIssuanceConfigCertificateAuthorityConfigArgs{
CertificateAuthorityServiceConfig: &certificatemanager.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs{
CaPool: pool.ID(),
},
},
Lifetime: pulumi.String("1814400s"),
RotationWindowPercentage: pulumi.Int(34),
KeyAlgorithm: pulumi.String("ECDSA_P256"),
}, pulumi.DependsOn([]pulumi.Resource{
caAuthority,
}))
if err != nil {
return err
}
_, err = certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("issuance-config-cert"),
Description: pulumi.String("The default cert"),
Scope: pulumi.String("EDGE_CACHE"),
Managed: &certificatemanager.CertificateManagedArgs{
Domains: pulumi.StringArray{
pulumi.String("terraform.subdomain1.com"),
},
IssuanceConfig: issuanceconfig.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.CertificateAuthority.CaPool("pool", new()
{
Name = "ca-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
});
var caAuthority = new Gcp.CertificateAuthority.Authority("ca_authority", new()
{
Location = "us-central1",
Pool = pool.Name,
CertificateAuthorityId = "ca-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
// creating certificate_issuance_config to use it in the managed certificate
var issuanceconfig = new Gcp.CertificateManager.CertificateIssuanceConfig("issuanceconfig", new()
{
Name = "issuance-config",
Description = "sample description for the certificate issuanceConfigs",
CertificateAuthorityConfig = new Gcp.CertificateManager.Inputs.CertificateIssuanceConfigCertificateAuthorityConfigArgs
{
CertificateAuthorityServiceConfig = new Gcp.CertificateManager.Inputs.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs
{
CaPool = pool.Id,
},
},
Lifetime = "1814400s",
RotationWindowPercentage = 34,
KeyAlgorithm = "ECDSA_P256",
}, new CustomResourceOptions
{
DependsOn =
{
caAuthority,
},
});
var @default = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "issuance-config-cert",
Description = "The default cert",
Scope = "EDGE_CACHE",
Managed = new Gcp.CertificateManager.Inputs.CertificateManagedArgs
{
Domains = new[]
{
"terraform.subdomain1.com",
},
IssuanceConfig = issuanceconfig.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificatemanager.CertificateIssuanceConfig;
import com.pulumi.gcp.certificatemanager.CertificateIssuanceConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateIssuanceConfigCertificateAuthorityConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateManagedArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new CaPool("pool", CaPoolArgs.builder()
.name("ca-pool")
.location("us-central1")
.tier("ENTERPRISE")
.build());
var caAuthority = new Authority("caAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(pool.name())
.certificateAuthorityId("ca-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
// creating certificate_issuance_config to use it in the managed certificate
var issuanceconfig = new CertificateIssuanceConfig("issuanceconfig", CertificateIssuanceConfigArgs.builder()
.name("issuance-config")
.description("sample description for the certificate issuanceConfigs")
.certificateAuthorityConfig(CertificateIssuanceConfigCertificateAuthorityConfigArgs.builder()
.certificateAuthorityServiceConfig(CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs.builder()
.caPool(pool.id())
.build())
.build())
.lifetime("1814400s")
.rotationWindowPercentage(34)
.keyAlgorithm("ECDSA_P256")
.build(), CustomResourceOptions.builder()
.dependsOn(caAuthority)
.build());
var default_ = new Certificate("default", CertificateArgs.builder()
.name("issuance-config-cert")
.description("The default cert")
.scope("EDGE_CACHE")
.managed(CertificateManagedArgs.builder()
.domains("terraform.subdomain1.com")
.issuanceConfig(issuanceconfig.id())
.build())
.build());
}
}
resources:
default:
type: gcp:certificatemanager:Certificate
properties:
name: issuance-config-cert
description: The default cert
scope: EDGE_CACHE
managed:
domains:
- terraform.subdomain1.com
issuanceConfig: ${issuanceconfig.id}
# creating certificate_issuance_config to use it in the managed certificate
issuanceconfig:
type: gcp:certificatemanager:CertificateIssuanceConfig
properties:
name: issuance-config
description: sample description for the certificate issuanceConfigs
certificateAuthorityConfig:
certificateAuthorityServiceConfig:
caPool: ${pool.id}
lifetime: 1814400s
rotationWindowPercentage: 34
keyAlgorithm: ECDSA_P256
options:
dependsOn:
- ${caAuthority}
pool:
type: gcp:certificateauthority:CaPool
properties:
name: ca-pool
location: us-central1
tier: ENTERPRISE
caAuthority:
type: gcp:certificateauthority:Authority
name: ca_authority
properties:
location: us-central1
pool: ${pool.name}
certificateAuthorityId: ca-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: true
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
The issuanceConfig property points to a CertificateIssuanceConfig that connects to your CA pool. Certificate Manager requests certificates from your private CA and handles renewal automatically. The dependsOn ensures the CA authority is active before requesting certificates.
Upload self-managed certificates to a specific region
When you already have certificates from external CAs or need full control over certificate lifecycle, you can upload PEM-encoded certificates and private keys directly.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificatemanager.Certificate("default", {
name: "self-managed-cert",
description: "Regional cert",
location: "us-central1",
selfManaged: {
pemCertificate: std.file({
input: "test-fixtures/cert.pem",
}).then(invoke => invoke.result),
pemPrivateKey: std.file({
input: "test-fixtures/private-key.pem",
}).then(invoke => invoke.result),
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificatemanager.Certificate("default",
name="self-managed-cert",
description="Regional cert",
location="us-central1",
self_managed={
"pem_certificate": std.file(input="test-fixtures/cert.pem").result,
"pem_private_key": std.file(input="test-fixtures/private-key.pem").result,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/private-key.pem",
}, nil)
if err != nil {
return err
}
_, err = certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("self-managed-cert"),
Description: pulumi.String("Regional cert"),
Location: pulumi.String("us-central1"),
SelfManaged: &certificatemanager.CertificateSelfManagedArgs{
PemCertificate: pulumi.String(invokeFile.Result),
PemPrivateKey: pulumi.String(invokeFile1.Result),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "self-managed-cert",
Description = "Regional cert",
Location = "us-central1",
SelfManaged = new Gcp.CertificateManager.Inputs.CertificateSelfManagedArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/cert.pem",
}).Apply(invoke => invoke.Result),
PemPrivateKey = Std.File.Invoke(new()
{
Input = "test-fixtures/private-key.pem",
}).Apply(invoke => invoke.Result),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateSelfManagedArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Certificate("default", CertificateArgs.builder()
.name("self-managed-cert")
.description("Regional cert")
.location("us-central1")
.selfManaged(CertificateSelfManagedArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/cert.pem")
.build()).result())
.pemPrivateKey(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/private-key.pem")
.build()).result())
.build())
.build());
}
}
resources:
default:
type: gcp:certificatemanager:Certificate
properties:
name: self-managed-cert
description: Regional cert
location: us-central1
selfManaged:
pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/cert.pem
return: result
pemPrivateKey:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/private-key.pem
return: result
The selfManaged block accepts PEM-encoded certificate and private key data. The location property pins the certificate to a specific region (us-central1 here). Unlike managed certificates, you’re responsible for renewing self-managed certificates before they expire.
Deploy managed certificates across all GCP regions
Global applications that serve traffic from multiple regions can deploy certificates with ALL_REGIONS scope to ensure consistent TLS configuration everywhere.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.certificateauthority.CaPool("pool", {
name: "ca-pool",
location: "us-central1",
tier: "ENTERPRISE",
});
const caAuthority = new gcp.certificateauthority.Authority("ca_authority", {
location: "us-central1",
pool: pool.name,
certificateAuthorityId: "ca-authority",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: true,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
// creating certificate_issuance_config to use it in the managed certificate
const issuanceconfig = new gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig", {
name: "issuance-config",
description: "sample description for the certificate issuanceConfigs",
certificateAuthorityConfig: {
certificateAuthorityServiceConfig: {
caPool: pool.id,
},
},
lifetime: "1814400s",
rotationWindowPercentage: 34,
keyAlgorithm: "ECDSA_P256",
}, {
dependsOn: [caAuthority],
});
const _default = new gcp.certificatemanager.Certificate("default", {
name: "issuance-config-cert",
description: "sample google managed all_regions certificate with issuance config for terraform",
scope: "ALL_REGIONS",
managed: {
domains: ["terraform.subdomain1.com"],
issuanceConfig: issuanceconfig.id,
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.certificateauthority.CaPool("pool",
name="ca-pool",
location="us-central1",
tier="ENTERPRISE")
ca_authority = gcp.certificateauthority.Authority("ca_authority",
location="us-central1",
pool=pool.name,
certificate_authority_id="ca-authority",
config={
"subject_config": {
"subject": {
"organization": "HashiCorp",
"common_name": "my-certificate-authority",
},
"subject_alt_name": {
"dns_names": ["hashicorp.com"],
},
},
"x509_config": {
"ca_options": {
"is_ca": True,
},
"key_usage": {
"base_key_usage": {
"cert_sign": True,
"crl_sign": True,
},
"extended_key_usage": {
"server_auth": True,
},
},
},
},
key_spec={
"algorithm": "RSA_PKCS1_4096_SHA256",
},
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
# creating certificate_issuance_config to use it in the managed certificate
issuanceconfig = gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig",
name="issuance-config",
description="sample description for the certificate issuanceConfigs",
certificate_authority_config={
"certificate_authority_service_config": {
"ca_pool": pool.id,
},
},
lifetime="1814400s",
rotation_window_percentage=34,
key_algorithm="ECDSA_P256",
opts = pulumi.ResourceOptions(depends_on=[ca_authority]))
default = gcp.certificatemanager.Certificate("default",
name="issuance-config-cert",
description="sample google managed all_regions certificate with issuance config for terraform",
scope="ALL_REGIONS",
managed={
"domains": ["terraform.subdomain1.com"],
"issuance_config": issuanceconfig.id,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := certificateauthority.NewCaPool(ctx, "pool", &certificateauthority.CaPoolArgs{
Name: pulumi.String("ca-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
})
if err != nil {
return err
}
caAuthority, err := certificateauthority.NewAuthority(ctx, "ca_authority", &certificateauthority.AuthorityArgs{
Location: pulumi.String("us-central1"),
Pool: pool.Name,
CertificateAuthorityId: pulumi.String("ca-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
// creating certificate_issuance_config to use it in the managed certificate
issuanceconfig, err := certificatemanager.NewCertificateIssuanceConfig(ctx, "issuanceconfig", &certificatemanager.CertificateIssuanceConfigArgs{
Name: pulumi.String("issuance-config"),
Description: pulumi.String("sample description for the certificate issuanceConfigs"),
CertificateAuthorityConfig: &certificatemanager.CertificateIssuanceConfigCertificateAuthorityConfigArgs{
CertificateAuthorityServiceConfig: &certificatemanager.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs{
CaPool: pool.ID(),
},
},
Lifetime: pulumi.String("1814400s"),
RotationWindowPercentage: pulumi.Int(34),
KeyAlgorithm: pulumi.String("ECDSA_P256"),
}, pulumi.DependsOn([]pulumi.Resource{
caAuthority,
}))
if err != nil {
return err
}
_, err = certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("issuance-config-cert"),
Description: pulumi.String("sample google managed all_regions certificate with issuance config for terraform"),
Scope: pulumi.String("ALL_REGIONS"),
Managed: &certificatemanager.CertificateManagedArgs{
Domains: pulumi.StringArray{
pulumi.String("terraform.subdomain1.com"),
},
IssuanceConfig: issuanceconfig.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.CertificateAuthority.CaPool("pool", new()
{
Name = "ca-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
});
var caAuthority = new Gcp.CertificateAuthority.Authority("ca_authority", new()
{
Location = "us-central1",
Pool = pool.Name,
CertificateAuthorityId = "ca-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
// creating certificate_issuance_config to use it in the managed certificate
var issuanceconfig = new Gcp.CertificateManager.CertificateIssuanceConfig("issuanceconfig", new()
{
Name = "issuance-config",
Description = "sample description for the certificate issuanceConfigs",
CertificateAuthorityConfig = new Gcp.CertificateManager.Inputs.CertificateIssuanceConfigCertificateAuthorityConfigArgs
{
CertificateAuthorityServiceConfig = new Gcp.CertificateManager.Inputs.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs
{
CaPool = pool.Id,
},
},
Lifetime = "1814400s",
RotationWindowPercentage = 34,
KeyAlgorithm = "ECDSA_P256",
}, new CustomResourceOptions
{
DependsOn =
{
caAuthority,
},
});
var @default = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "issuance-config-cert",
Description = "sample google managed all_regions certificate with issuance config for terraform",
Scope = "ALL_REGIONS",
Managed = new Gcp.CertificateManager.Inputs.CertificateManagedArgs
{
Domains = new[]
{
"terraform.subdomain1.com",
},
IssuanceConfig = issuanceconfig.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificatemanager.CertificateIssuanceConfig;
import com.pulumi.gcp.certificatemanager.CertificateIssuanceConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateIssuanceConfigCertificateAuthorityConfigArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateManagedArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new CaPool("pool", CaPoolArgs.builder()
.name("ca-pool")
.location("us-central1")
.tier("ENTERPRISE")
.build());
var caAuthority = new Authority("caAuthority", AuthorityArgs.builder()
.location("us-central1")
.pool(pool.name())
.certificateAuthorityId("ca-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
// creating certificate_issuance_config to use it in the managed certificate
var issuanceconfig = new CertificateIssuanceConfig("issuanceconfig", CertificateIssuanceConfigArgs.builder()
.name("issuance-config")
.description("sample description for the certificate issuanceConfigs")
.certificateAuthorityConfig(CertificateIssuanceConfigCertificateAuthorityConfigArgs.builder()
.certificateAuthorityServiceConfig(CertificateIssuanceConfigCertificateAuthorityConfigCertificateAuthorityServiceConfigArgs.builder()
.caPool(pool.id())
.build())
.build())
.lifetime("1814400s")
.rotationWindowPercentage(34)
.keyAlgorithm("ECDSA_P256")
.build(), CustomResourceOptions.builder()
.dependsOn(caAuthority)
.build());
var default_ = new Certificate("default", CertificateArgs.builder()
.name("issuance-config-cert")
.description("sample google managed all_regions certificate with issuance config for terraform")
.scope("ALL_REGIONS")
.managed(CertificateManagedArgs.builder()
.domains("terraform.subdomain1.com")
.issuanceConfig(issuanceconfig.id())
.build())
.build());
}
}
resources:
default:
type: gcp:certificatemanager:Certificate
properties:
name: issuance-config-cert
description: sample google managed all_regions certificate with issuance config for terraform
scope: ALL_REGIONS
managed:
domains:
- terraform.subdomain1.com
issuanceConfig: ${issuanceconfig.id}
# creating certificate_issuance_config to use it in the managed certificate
issuanceconfig:
type: gcp:certificatemanager:CertificateIssuanceConfig
properties:
name: issuance-config
description: sample description for the certificate issuanceConfigs
certificateAuthorityConfig:
certificateAuthorityServiceConfig:
caPool: ${pool.id}
lifetime: 1814400s
rotationWindowPercentage: 34
keyAlgorithm: ECDSA_P256
options:
dependsOn:
- ${caAuthority}
pool:
type: gcp:certificateauthority:CaPool
properties:
name: ca-pool
location: us-central1
tier: ENTERPRISE
caAuthority:
type: gcp:certificateauthority:Authority
name: ca_authority
properties:
location: us-central1
pool: ${pool.name}
certificateAuthorityId: ca-authority
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: true
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
Setting scope to ALL_REGIONS makes the certificate available in all GCP regions. This extends the private CA issuance pattern from earlier, but distributes the certificate globally. This scope only works with global certificates (no location property).
Configure client authentication certificates for mTLS
Backend services that require mutual TLS need client certificates that load balancers present when connecting to backend servers.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const _default = new gcp.certificatemanager.Certificate("default", {
name: "client-auth-cert",
description: "Global cert",
scope: "CLIENT_AUTH",
selfManaged: {
pemCertificate: std.file({
input: "test-fixtures/cert.pem",
}).then(invoke => invoke.result),
pemPrivateKey: std.file({
input: "test-fixtures/private-key.pem",
}).then(invoke => invoke.result),
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
default = gcp.certificatemanager.Certificate("default",
name="client-auth-cert",
description="Global cert",
scope="CLIENT_AUTH",
self_managed={
"pem_certificate": std.file(input="test-fixtures/cert.pem").result,
"pem_private_key": std.file(input="test-fixtures/private-key.pem").result,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificatemanager"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/cert.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/private-key.pem",
}, nil)
if err != nil {
return err
}
_, err = certificatemanager.NewCertificate(ctx, "default", &certificatemanager.CertificateArgs{
Name: pulumi.String("client-auth-cert"),
Description: pulumi.String("Global cert"),
Scope: pulumi.String("CLIENT_AUTH"),
SelfManaged: &certificatemanager.CertificateSelfManagedArgs{
PemCertificate: pulumi.String(invokeFile.Result),
PemPrivateKey: pulumi.String(invokeFile1.Result),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateManager.Certificate("default", new()
{
Name = "client-auth-cert",
Description = "Global cert",
Scope = "CLIENT_AUTH",
SelfManaged = new Gcp.CertificateManager.Inputs.CertificateSelfManagedArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/cert.pem",
}).Apply(invoke => invoke.Result),
PemPrivateKey = Std.File.Invoke(new()
{
Input = "test-fixtures/private-key.pem",
}).Apply(invoke => invoke.Result),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificatemanager.Certificate;
import com.pulumi.gcp.certificatemanager.CertificateArgs;
import com.pulumi.gcp.certificatemanager.inputs.CertificateSelfManagedArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Certificate("default", CertificateArgs.builder()
.name("client-auth-cert")
.description("Global cert")
.scope("CLIENT_AUTH")
.selfManaged(CertificateSelfManagedArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/cert.pem")
.build()).result())
.pemPrivateKey(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/private-key.pem")
.build()).result())
.build())
.build());
}
}
resources:
default:
type: gcp:certificatemanager:Certificate
properties:
name: client-auth-cert
description: Global cert
scope: CLIENT_AUTH
selfManaged:
pemCertificate:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/cert.pem
return: result
pemPrivateKey:
fn::invoke:
function: std:file
arguments:
input: test-fixtures/private-key.pem
return: result
The CLIENT_AUTH scope designates this certificate for backend authentication rather than serving client requests. Load balancers present this certificate when connecting to backends that validate client certificates. The selfManaged block provides the certificate data.
Beyond these examples
These snippets focus on specific certificate-level features: Google-managed and self-managed certificate types, DNS authorization and private CA issuance, and regional and global certificate scopes. They’re intentionally minimal rather than full TLS deployments.
The examples may reference pre-existing infrastructure such as DNS zones for domain validation, Certificate Authority pools and authorities, and PEM certificate and private key files. They focus on configuring the certificate rather than provisioning the surrounding infrastructure.
To keep things focused, common certificate patterns are omitted, including:
- Certificate rotation and renewal policies
- Label-based organization and filtering
- EDGE_CACHE scope for edge locations
- Certificate lifecycle monitoring and alerts
These omissions are intentional: the goal is to illustrate how each certificate feature is wired, not provide drop-in TLS modules. See the Certificate Manager Certificate resource reference for all available configuration options.
Let's create GCP Certificate Manager Certificates
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Certificate Types & Configuration
What's the difference between managed and self-managed certificates?
Managed certificates use the
managed property and are automatically provisioned and renewed by Certificate Manager. Self-managed certificates use the selfManaged property with your own PEM certificate and private key, and you’re responsible for renewing them before they expire.How do I create a Google-managed certificate with DNS authorization?
Configure the
managed property with domains and dnsAuthorizations arrays. The dnsAuthorizations should reference DnsAuthorization resource IDs that validate your domain ownership.How do I create a Google-managed certificate with a certificate issuance config?
Configure the
managed property with domains and issuanceConfig, where issuanceConfig references a CertificateIssuanceConfig resource ID that defines the certificate authority and settings.What certificate scopes are available and when should I use them?
Four scopes are available:
- DEFAULT: Served from core Google data centers (use if unsure)
- EDGE_CACHE: Special-purpose certificates served from Edge Points of Presence
- ALL_REGIONS: Served from all GCP regions (global certificates only)
- CLIENT_AUTH: Used for backend mTLS (load balancer presents to backend)
Immutability & Constraints
What properties can't I change after creating a certificate?
The following properties are immutable:
name, location, scope, managed, and selfManaged. You’ll need to create a new certificate to change any of these.What are the naming requirements for certificates?
Certificate names must be 1-64 characters long and match the regex
[a-zA-Z][a-zA-Z0-9_-]*. The first character must be a letter, and subsequent characters can be letters, digits, dashes, or underscores.Can I use ALL_REGIONS scope with regional certificates?
No, ALL_REGIONS scope only works with global certificates. Don’t specify
location or set it to “global” when using ALL_REGIONS scope.Labels & Metadata
Why aren't my labels being removed when I delete them from my configuration?
The
labels field is non-authoritative and only manages labels present in your Pulumi configuration. It won’t remove labels set by other clients or services. Use effectiveLabels to see all labels on the resource.