The Google Cloud console doesn’t allow you to attach multiple Google-managed SSL certificates to the front end, so if you go by the UI alone there will be downtime whenever you need to change the domains the SSL certificate covers. There is an open feature request to get this implemented - https://issuetracker.google.com/issues/148809372

However, using the terminal we can create multiple certificates and associate them with the front end in the load balancer.

First let’s understand the flow of traffic through the load balancer, and the terminology:

  • The Forwarding Rule consists of an IP address and port, and sends traffic to a target proxy (forwarding rules can also be used for non-TCP protocols).
  • The Target HTTPS Proxy holds the certificate(s) and points to a URL map.
  • The URL Map is defined in the load balancer and routes URL paths to the various backends.
  • The Backend Service is the service you’re actually using: App Engine, Cloud Run, a VM, or something else.

Since the console doesn’t allow editing target proxies to update SSL certificates, we need to follow these steps:

1. Create a new certificate

This certificate should contain all the domains you need in the certificate:

gcloud compute ssl-certificates create "domain-cert-2" --domains "domain.com,app.domain.com,api.domain.com"

You can also do this via the console here:

https://console.cloud.google.com/security/ccm/list/lbCertificates

Once created, Google will provision the certificate, but only for domains that already point to the load balancer. So update DNS for each domain to point to the IP address configured on the load balancer’s front end.

2. Add the SSL certificate to the target proxy

The target proxy is the

gcloud compute target-https-proxies update "domain-load-balancer-target-proxy" --ssl-certificates "projects/MY_PROJECT/global/sslCertificates/domain-cert-1,projects/MY_PROJECT/global/sslCertificates/domain-cert-2"

At this stage you should also have configured DNS for the new domains, and the new certificate should be in the provisioning state.

3. Clean up - remove the old certificate

Once both certs are green (i.e. have been provisioned correctly) you can remove the old certificate:

gcloud compute target-https-proxies update "domain-load-balancer-target-proxy" --ssl-certificates "projects/MY_PROJECT/global/sslCertificates/domain-cert-2"

Make sure to check the provisioning status of the new cert before running this command, because removing the old certificate while the new one is still provisioning takes the site down. You can check the status on the Certificate Manager page:

https://console.cloud.google.com/security/ccm/list/lbCertificates
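The three steps above as a single script, added here as an example; it is not part of the original post. It uses the same placeholder names as the post (MY_PROJECT, domain-load-balancer-target-proxy, domain-cert-1, domain-cert-2), assumes gcloud is installed and authenticated, and only performs the rotation when RUN_ROTATION=yes so the helpers can be run without cloud access. Beyond what the post does by hand, it polls `managed.status` on the new certificate and refuses to drop the old one until the new one reports ACTIVE.

```shell
#!/bin/sh
# Added example, not code from the original post. Rotates a Google-managed
# certificate on an HTTPS load balancer without downtime by keeping the old
# certificate attached until the new one has finished provisioning.
# All names below are placeholders taken from the post.
PROJECT="${PROJECT:-MY_PROJECT}"
PROXY="${PROXY:-domain-load-balancer-target-proxy}"
OLD_CERT="${OLD_CERT:-domain-cert-1}"
NEW_CERT="${NEW_CERT:-domain-cert-2}"
DOMAINS="${DOMAINS:-domain.com,app.domain.com,api.domain.com}"
MAX_WAIT_MINUTES="${MAX_WAIT_MINUTES:-60}"

# Build the comma-separated resource URIs that --ssl-certificates expects.
# $1 = project id, remaining arguments = certificate names.
cert_uris() {
  project="$1"; shift
  out=""
  for name in "$@"; do
    uri="projects/$project/global/sslCertificates/$name"
    out="${out:+$out,}$uri"
  done
  printf '%s' "$out"
}

# A managed certificate is only usable once every domain has been validated
# and the status (managed.status in `gcloud ... describe`) is ACTIVE.
cert_is_active() {
  [ "$1" = "ACTIVE" ]
}

rotate() {
  # Step 1: create the new managed certificate with the complete domain list.
  gcloud compute ssl-certificates create "$NEW_CERT" \
    --domains "$DOMAINS" --project "$PROJECT"

  # Step 2: attach BOTH certificates, so the old one keeps serving traffic
  # while the new one provisions. DNS for the new domains must already point
  # at the load balancer's front-end IP or provisioning will not complete.
  gcloud compute target-https-proxies update "$PROXY" \
    --ssl-certificates "$(cert_uris "$PROJECT" "$OLD_CERT" "$NEW_CERT")" \
    --project "$PROJECT"

  # Poll until the new certificate is ACTIVE, giving up after MAX_WAIT_MINUTES.
  minutes=0
  while :; do
    status="$(gcloud compute ssl-certificates describe "$NEW_CERT" \
      --project "$PROJECT" --format='value(managed.status)')"
    if cert_is_active "$status"; then
      break
    fi
    case "$status" in
      PROVISIONING)
        if [ "$minutes" -ge "$MAX_WAIT_MINUTES" ]; then
          echo "gave up waiting for $NEW_CERT; old certificate left in place" >&2
          return 1
        fi
        echo "$NEW_CERT still provisioning, checking again in 60s"
        sleep 60
        minutes=$((minutes + 1))
        ;;
      *)
        # e.g. PROVISIONING_FAILED: never remove the old certificate here.
        echo "$NEW_CERT status is '$status'; old certificate left in place" >&2
        return 1
        ;;
    esac
  done

  # Step 3: only now drop the old certificate from the target proxy.
  gcloud compute target-https-proxies update "$PROXY" \
    --ssl-certificates "$(cert_uris "$PROJECT" "$NEW_CERT")" \
    --project "$PROJECT"
}

if command -v gcloud >/dev/null 2>&1 && [ "${RUN_ROTATION:-no}" = "yes" ]; then
  rotate
fi
```

Run it as `RUN_ROTATION=yes PROJECT=my-project sh rotate-cert.sh`; the status check is the part worth keeping even if you run the three gcloud commands by hand, since anything other than ACTIVE on the new certificate means the old one must stay attached.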