Say goodbye to Let’s Encrypt, welcome Google-managed SSL certificates
Let’s Encrypt is a free, automated, and open certificate authority (CA) run for the public’s benefit, and it has changed the whole industry. Now that free SSL/TLS certificates are the norm, the next logical step is managed certificates. What are the options across the major cloud providers?
The cloud providers with significant market share in 2021 are Google’s GCP, Microsoft’s Azure and, by far the most used, Amazon’s AWS. Each of the three has some form of support for managed SSL certificates. Let’s dive into Google-managed SSL certificates and see whether they are a production-ready GCP feature. The main features to look for are:
- out-of-the-box support for Kubernetes
- automatic certificate renewal and/or revocation
- possibility to upload a custom certificate
- automation via Helm and Terraform
Update: based on reader comments, added a better comparison of cert-manager / Let’s Encrypt benefits and the drawbacks of using managed certificates.
The current state of the art
Nowadays, the de facto standard for Kubernetes deployments is to use cert-manager and offload the management and lifecycle of SSL certificates to Let’s Encrypt.
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
It can issue certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, and Venafi as well as private PKI.
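To make the cert-manager flow concrete, here is a minimal working setup for the Let’s Encrypt case: a ClusterIssuer that holds the ACME account, a Certificate that requests a cert for one hostname, and an Ingress that serves it. This is an added example, not code from the original article or from the cert-manager project; the domain, e-mail address, namespace, Secret names and the `nginx` ingress class are placeholders you would replace.

```yaml
# Added example (not from the original article): cert-manager + Let's Encrypt.
# Domain, e-mail, ingress class and Secret names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Point this at the staging directory while testing so a misconfigured
    # solver does not burn through Let's Encrypt's production rate limits:
    # https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, generated by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                   # HTTP-01 needs the host to be publicly reachable
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: default
spec:
  secretName: www-example-com-tls          # resulting kubernetes.io/tls Secret
  dnsNames:
    - www.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # Let's Encrypt certificates are valid for 90 days; cert-manager renews at
  # two thirds of the lifetime by default. Stating it explicitly documents intent.
  renewBefore: 720h
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: www
  namespace: default
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com
      secretName: www-example-com-tls      # must match Certificate.spec.secretName
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: www
                port:
                  number: 80
```

After applying the manifests, `kubectl get certificate -n default` should show the Certificate as `READY: True`; if it stays `False`, `kubectl describe certificate www-example-com` and `kubectl get challenges -A` show which ACME challenge is failing and why. To confirm what actually landed in the Secret, decode it and check the validity window: `kubectl get secret www-example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates -issuer`. Hosts that are not reachable from the public internet cannot pass HTTP-01 and need a DNS-01 solver instead.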
Using cert-manager and Let’s Encrypt was certainly a game-changer back when an ordinary single-domain SSL certificate cost around $10 per year, but this approach has drawbacks as well:
- the solution is a bit of a black box
- no enterprise support: when it works, it works well, but when you run into any sort of issue you’re on your own
- compatibility varies across different providers and certificates