Overview
Sectigo Connector for GCP ("the connector") is a serverless solution created as a Cloud Function to provide a secure automation layer for enrolling and managing Sectigo SSL/TLS certificates on Google Cloud Platform (GCP). In Google Cloud terms, this is called "self-managed SSL certificates".
Self-managed SSL certificates are certificates that you obtain, provision, and renew either manually or through automation from your own Certificate Authority (CA) or a third-party CA. The connector facilitates the automatic certificate management of certificates issued by a Sectigo private or public CA.
The connector acts as a registration authority (RA) that verifies and authenticates the Cloud Function which connects to the Sectigo CA backend to create a self-managed SSL certificate resource.
Once the Sectigo certificates are available on the tab of the Google Cloud console, they can be used to enable HTTPS communication on GCP load balancers for secure endpoints connection. The connector also supports automatic certificate renewal before the certificate expiry or upon revocation.
Audience
This guide is intended for GCP administrators and system administrators who have knowledge of IT security, cloud security, and are also familiar with Sectigo Certificate Manager (SCM).
Scope
This guide covers instructions for connecting to the Sectigo ACME servers, enrolling, and uploading certificates to the Certificate tab of the Google Cloud console. Attaching the certificates to load balancers for SSL/TLS enablement is outside the scope of this guide. We assume that you will use your own script to associate an SSL/TLS certificate with a target load balancer. Example scripts for Terraform and Ansible are provided for your reference.
Architecture
The execution is controlled using the GCP resource policies. Only the specified principals (typically IAM user or role) can invoke the Cloud Function.
Users of the connector are responsible for configuring it with information about each ACME account that will be used. Each account is identified by an alias. Some configuration information, such as external account binding (EAB) parameters, can be collected from SCM. The configuration parameters will be explained in detail. When enrolling certificates using the connector, users control which ACME account settings to use for enrollment by passing the ACME account alias as a parameter.
| Since the connector uses Certbot as the ACME client, it only allows EAB information corresponding to one ACME account to be used for each ACME endpoint. To control other parameters (for example, the key size), you can define multiple aliases for the same ACME account. |
The connector is installed in a specific region, but the provisioned certificates have a global scope.
Deployment overview
The connector is deployed to GCP with the Terraform CLI.
The Google Cloud CLI is used to invoke the Cloud Function.
The gloud command is also used in the install.sh and destroy.sh scripts.
Modules
The connector uses nested modules, one module per GCP service:
-
cloud_storage: A Cloud Storage bucket for securely storing the
acme-account.yamlfile and the SectigoGCPCM source code files -
cloud_function: A Cloud Function for providing the enroll and renew actions via Python
-
cloud_scheduler: A Cloud Scheduler crobjob for renewing certificates on a schedule
GCP resources
| Resource Name | Description |
|---|---|
|
A Cloud Storage bucket for storing the |
|
A zip archive that contains the Python code |
|
A Cloud Function for running the code |
|
The IAM member that has permission to invoke the function |
|
A service account for invoking the Cloud Function |
|
The proper role for the service account |
|
A Cloud Scheduler cronjob for invoking the Cloud Function |