Edit domains associated with Google Managed SSL Certificate [148809372]

Assigned

Feature Request

Status Update

No update yet.

Description

da...@noldor.co.za

created issue #1

Feb 4, 2020 03:35AM

We need to be able to add/remove domains associated to a managed certificate in order to fully benefit from this feature.
Currently the only way to change the list of associated domains is to create a new certificate, duplicating the domain list whilst adding/removing as required. This is an error prone and tedious process, which also requires that 1 of the 15 certificates be available at all times, a waste of this resource

We should be able to edit a certificate on the fly and add/remove the relevant domains and have the certificate update once complete

Comments

se...@google.com <se...@google.com> #2Feb 4, 2020 10:01AM

Accepted by se...@google.com.

Hello Daniel,

As I can see, you want to obtain more efficient and quick way to work with SSL certificates. An SSL certificate is not just a public cryptographic key signed by a Certificate Authority. An end entity certificate is hard coded to a specific domain or domains (if it is multi-domain) and organization. These pieces of information assure your visitors that your website isn't just a front set up by a hacker.

Unfortunately, there's no other way than creating a new certificate in case of any changes.

da...@noldor.co.za <da...@noldor.co.za> #3Feb 4, 2020 10:12AM

Hi

I understand, this. My request is that you make this process easy to do via the cli or interface
As an example, I would simply "edit" a current certificate on the UI add/remove domains to that cert and save, but in the background you are actually creating a new cert and associating it as well as dissociating the old one

se...@google.com <se...@google.com> #4Feb 4, 2020 11:21AM

Thank you for clarification of your request. I'm going to create internal Feature Request. Unfortunately, I can't provide you any ETA, but I'll let you know as soon as I get any updates.

da...@noldor.co.za <da...@noldor.co.za> #5Feb 4, 2020 11:23AM

Thanks

se...@google.com <se...@google.com> Feb 11, 2020 07:50AM

Assigned to gc...@google.com.

[Deleted User] <[Deleted User]> #6Feb 27, 2021 01:46PM

I agree with this feature request. Any ETAs yet?

st...@gmail.com <st...@gmail.com> #7Jun 12, 2021 07:22PM

I'll second this too.
It would be nice to be able to edit ssl certificates.

mi...@gmail.com <mi...@gmail.com> #8Oct 4, 2021 01:30AM

Would love to see this feature as well

[Deleted User] <[Deleted User]> #9Feb 4, 2022 08:29PM

Comment has been deleted.

Message last modified on Feb 4, 2022 08:29PM

[Deleted User] <[Deleted User]> #10Feb 4, 2022 08:30PM

This is kind of an issue for us. We are migrating to using a load balancer in front of GAE. However, we can't provision a new certificate because we have to prove on our DNS that the domains point towards the IP address we create for the load balancer. Meaning that while we're waiting for the certificate to be provisioned, our users will hit a dead IP address. If I could edit a certificate, I could create it on a "test" subdomain, verify it there, edit the certificate to include our actual subdomains, and then switch our DNS records on the actual subdomains to point towards the new load balancer. To make it worse you can't configure the load balancer to show a maintenance page so its just an hour of downtime.

Instead of verifying ownership of a domain via subdomain to IP address mapping, why can't that just be proven via TXT records? That way a certificate could be verified before its required to be active and in use.

subdomain.mydomain.com TXT "google-site-verification=randomTokenVerificationKey;target-ip:1.2.3.4"

[Deleted User] <[Deleted User]> #11Apr 25, 2022 09:42AM

ho...@gmail.com <ho...@gmail.com> #12Apr 25, 2022 07:02PM

ca...@gmail.com <ca...@gmail.com> #13May 12, 2022 05:39PM

ma...@chainguard.dev <ma...@chainguard.dev> #14Jun 18, 2022 02:02AM

I haven't seen anyone on this thread mention IaC, so I'll chime in. I want to use this to manage certs for a list of domains terminated by GCLB and configured via terraform.

However, since adding domains requires replacement (due to the lack of an update), and you cannot replace an in-use certificate, users are left to do a complex / errorprone orchestration themselves.

co...@sercanto.com <co...@sercanto.com> #15Sep 27, 2022 01:56AM

This blog post by a Google engineer offers a potential solution to the downtime problem:

https://www.sethvargo.com/zero-downtime-rotation-for-google-managed-ssl-certificates/

Quoting the relevant parts in case the article gets de-published:

[...] we cannot simply update the load balancer to use the new certificate. That would cause downtime as it can take up to 60 minutes to provision the certificate and up to 30 more minutes for the certificate to be available on the load balancer. That means changing the certificate could result in up to 90 minutes of downtime. Instead, we need to update the target HTTPS proxy to use both certificates simultaneously. This will give the DV validation time to succeed without removing the already-provisioned certificates.
gcloud compute target-https-proxies update "example-com" \
  --ssl-certificates "projects/MY_PROJECT/global/sslCertificates/example-com-certs,projects/MY_PROJECT/global/sslCertificates/example-com-certs-2"
During this time, the initial certificate will remain green while the new certificate provisions. After the new certificate is finished provisioning, you can safely update the HTTPS proxy to remove the old one:
gcloud compute target-https-proxies update "example-com" \
  --ssl-certificates "projects/MY_PROJECT/global/sslCertificates/example-com-certs-2"

HTH

na...@gmail.com <na...@gmail.com> #16Apr 4, 2023 09:09AM

I am Nasidul. I am a digital marketer. Social media profile creation backlink are the most important means of promoting any business. Social profile setup backlink is a successful way to promote your product or service around the world. I build backlinks manually with white hat SEO methods. I think profile backlinks are an important part of any SEO strategy.