Say goodbye to Let’s Encrypt, welcome Google-managed SSL certificates

Lukas Beranek
4 min read · Feb 17, 2022

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit, and it has been a huge change for the whole industry. Now that everyone has adopted the idea of free SSL certificates, the logical next step is at hand: managed certificates. What are the options across the major cloud providers?

As of 2021, the cloud providers with significant market share are Google’s GCP, Microsoft Azure and, by far the most used, Amazon’s AWS. Each of the three has some form of support for managed SSL certificates. Let’s dive into Google’s Managed SSL Certificates and see whether it is a production-ready GCP feature. The main features to look for are:

  • out-of-the-box support for Kubernetes
  • automatic certificate renewal and/or revocation
  • possibility to upload a custom certificate
  • automation via helm and terraform

Update 4. April 2022:

  • based on comments, added a better comparison of cert-manager / LE benefits
  • added drawbacks of using managed certificates

The current state of the art

Nowadays, the de facto standard for Kubernetes deployments is to use cert-manager and offload the management and lifecycle of SSL certificates to Let’s Encrypt.

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.

It can issue certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, and Venafi as well as private PKI.

Using cert-manager and LE was certainly a game-changer back in the day, when an ordinary SSL certificate for a single domain cost $10 per year, but there are some drawbacks to this approach as well:

  • the solution is a bit of a black box
  • enterprise support: when it works, it works well, but when you run into any sort of issue, you’re on your own
  • compatibility varies across different providers and certificates
