Create Google Cloud Managed SSL Certificate for a subdomain

google-cloud-dnsgoogle-cloud-platformssl-certificate

I have my main domain www.example.com hosted on Route 53 on AWS.

I've created the custom domain on Google Cloud sub.example.com and set the appropriate NS records.

What I want to do now is create a new managed SSL certificate for this subdomain as shown below:

Is this possible? Is it good practice given that I want to continue adding more subdomains like sub1.example.com and creating a certificate for each one? Since I am keeping example.com hosted at Route 53, I don't think I can create a single managed SSL certificate for all of the possible subdomains that I may have on Google Cloud?

Best Answer

Answer already posted here by John H. Re-posting as a community wiki.

I have my main domain www.example.com hosted on Route 53 on AWS.

Good choice. Route 53 is a very good service for DNS. If your services will be hosted in AWS even better. If your services will be hosted in Google Cloud, consider changing the Name Servers to Google DNS. All depends on which services you plan to use and where they are located (e.g. cloud vendor, not geo location).

I've created the custom domain on Google Cloud sub.example.com and set the appropriate NS records.

I hope you mean that you changed NS records at the registrar and not within Route 53.

What I want to do now is create a new managed SSL certificate for this subdomain as shown below: Is this possible?

Depends. Google Managed SSL certificates can only be used with Google services such as load balancers. However, the backend services can be anywhere provided that they have public IP addresses. AWS also offers managed SSL certificates for their services such as load balancers, CloudFront, etc. If your goal is to use Google Managed SSL certificates directly on your compute instances, etc. you cannot. Google does not provide the private key that is required for installation and setup of SSL.

Is it good practice given that I want to continue adding more subdomains like sub1.example.com and creating a certificate for each one?

Depends. For Google self-managed SSL certificates you can create a single SSL certificate with wildcards and / or specific domain names. If you are a typical user, wildcard certificates are fine (*.example.com). Multiple names are also fine (site1.example.com, site2.example.com, etc.). You can also create individual SSL certificates for each domain name. For the www domain name, typically you want to create a certificate with two names (example.com and www.example.com). For financial institutions, etc. usually EV (Extended Validation) certificates are used (which Google does not offer).

Google Managed SSL certificates have limitations over standard SSL certificates:

Wildcards are not supported.
Only DV (Domain Validation) SSL certificates are issued.
Single hostname per certificate.
Load balancers support up to 10 certificates.

Since I am keeping example.com hosted at Route 53, I don't think I can create a single managed SSL certificate for all of the possible subdomains that I may have on Google Cloud?

Route 53 had no impact on your choice or stategy for SSL certificates. Route 53 is a DNS server that resolves dns names. SSL (TLS / HTTPS) is a protocol that is not affected by or managed by Route 53.

Google Managed SSL certificates are limited to one name per certificate. Google Self-managed SSL certificates can have multiple names per certificate.

Related Solutions

Creating subdomain in google cloud LAMP stack

As this is an old question without an answer that is still getting views, I am posting Kamran's last comment as an answer which points to the solution in this thread.

Ssl – Generate subdomain certificate from valid wildcard certificate

First, I agree that it's a bad idea to spread wildcard certificates around. Best practice is to use either separate certificates (when the domains live on different servers or virtual hosts), or SAN certificates (when they all live in the same place).

However, you shouldn't be able to use your existing certificate to sign a sub-domain's certificate. SSL certificates are normally issued with a restriction on how they can be used. If you run openssl x509 -in /path/to/cert.pem -noout -text, you will see a part looking like

        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication

This means that the certificate can only be used to authenticate a web server or client. It can not be used to sign other certificates (or, at least, no client will trust a certificate signed by this one).

The reason why you can't do this is that there is currently no way for a CA to issue a certificate that can be used to sign other certificates within a given domain only. Therefore, if a trusted CA was to give you a certificate that you could use to sign other certificates, they would in effect give you the ability to impersonate any other site on the internet. This would be bad and that's why they don't do it.

Best Answer

Related Solutions

Creating subdomain in google cloud LAMP stack

Ssl – Generate subdomain certificate from valid wildcard certificate

Related Topic