Overview
Sectigo Connector for GCP ("the connector") is a serverless solution created as a Cloud Run function to provide a secure automation layer for enrolling and managing Sectigo SSL/TLS certificates on Google Cloud Platform (GCP). In Google Cloud terms, these are called "self-managed SSL certificates".
Self-managed SSL certificates are certificates that you obtain, provision, and renew either manually or through automation from your own external Certificate Authority (CA). The connector facilitates the automatic certificate management of certificates issued by Sectigo Certificate Manager.
The connector acts as a registration authority (RA) that verifies and authenticates the Cloud Run function which connects to the Sectigo CA backend to create a self-managed SSL certificate resource.
Once the Sectigo certificates are available on the Certificate tab of the Google Cloud console, they can be used to enable HTTPS on GCP load balancers for secure endpoint connections. The connector also supports automatic certificate renewal before the certificate expires or upon revocation.
Audience
This guide is intended for GCP administrators and system administrators who have knowledge of IT security, cloud security, and are also familiar with Sectigo Certificate Manager (SCM).
Scope
This guide covers instructions for communicating with SCM using the Sectigo ACME servers, Admin API, or Enrollment API; and enrolling and uploading certificates to the Certificate tab of the Google Cloud console.
Attaching the certificates to load balancers for SSL/TLS enablement is outside the scope of this guide. We assume that you will use your own script to associate an SSL/TLS certificate with a target load balancer. Example scripts for Terraform and Ansible are provided for your reference.
Architecture
Execution is controlled using GCP resource (IAM) policies. Only the specified principals (typically an IAM user or role) can invoke the Cloud Run function.
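One way to verify that invocation is restricted as described, as an added example that is not part of the connector or this guide: the function below audits the IAM policy of the connector's Cloud Run service (the JSON shape returned by `gcloud run services get-iam-policy <service> --region <region> --format=json`) and reports any public or unexpected invoker principals. The service name, project and principals in the sample policy are constructed placeholders.

```python
import json

# Constructed sample policy in the shape gcloud prints for a Cloud Run service.
# Names and e-mail addresses are placeholders, not values from the guide.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/run.invoker",
            "members": [
                "serviceAccount:cert-automation@example-project.iam.gserviceaccount.com",
                "allAuthenticatedUsers",
            ],
        },
        {"role": "roles/run.admin", "members": ["group:platform-admins@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

# Roles that grant the right to invoke a Cloud Run service / Cloud Run function.
INVOKER_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}
# Special members that make the endpoint reachable far beyond the intended principals.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_invokers(policy_json, allowed_principals):
    """Return (public, unexpected): invoker members that are world-reachable,
    and invoker members not in the allow-list of expected principals."""
    policy = json.loads(policy_json)
    public, unexpected = [], []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKER_ROLES:
            continue  # admin/viewer roles are not invocation rights
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                public.append(member)
            elif member not in allowed_principals:
                unexpected.append(member)
    return public, unexpected


if __name__ == "__main__":
    expected = {"serviceAccount:cert-automation@example-project.iam.gserviceaccount.com"}
    pub, extra = audit_invokers(SAMPLE_POLICY, expected)
    print("public invokers:", pub)
    print("unexpected invokers:", extra)
```

In practice, pipe the live policy into `audit_invokers` and treat a non-empty `public` list as a misconfiguration to remove with `gcloud run services remove-iam-policy-binding`.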
Users of the connector are responsible for configuring it with information about each SCM account (Enroll API, Admin API, or ACME) that will be used. Each account is identified by a name or label. The configuration information can be collected from SCM; the configuration parameters are explained in detail later in this guide. When enrolling certificates through the connector, users select which SCM account settings to use by passing the SCM account name as a parameter.
The connector is installed in a specific region, but the provisioned certificates have a global scope.