For Agents
Provision and rotate TLS certificates, manage certificate maps and trust configs, and operate Google-managed or self-managed certs across Google Cloud load balancers.
Get started with Certificate Manager API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"provision a Google-managed TLS certificate"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Certificate Manager API.
Provision Google-managed TLS certificates that auto-renew before expiry
Upload and rotate self-managed TLS certificates with their private keys
Build certificate maps that bind hostnames to specific certificates via SNI
Configure certificate issuance configs that source certs from a Certificate Authority Service CA pool
Define trust configs that pin private root and intermediate CAs for mTLS workloads
Track long-running operations and cancel them mid-flight when needed
Use for: Provision a Google-managed TLS certificate for example.com, Upload a self-managed certificate and private key, List all certificates in a Google Cloud project location, Create a certificate map entry binding a hostname to a certificate
Not supported: Does not issue private CAs, manage DNS records, or terminate TLS at the application layer — use for managing TLS certificates and trust configs on Google Cloud load balancers only.
Google Cloud Certificate Manager API provisions, stores, and deploys TLS certificates and private trust configurations across Google Cloud load balancers and edge services. It supports Google-managed and self-managed certificates, certificate maps that route SNI-based hostnames to specific certificates, certificate issuance configurations for Certificate Authority Service, and trust configs that pin private CAs. Operations teams use it to automate certificate lifecycle and avoid manual rotation across global load balancer fleets.
Patterns agents use Certificate Manager API for, with concrete tasks.
★ Automated TLS Rotation for Global Load Balancers
Platform teams replace manual certificate uploads with Google-managed certificates that auto-renew, then attach them to global external HTTPS load balancers via certificate maps. The API orchestrates provisioning, validation, and binding so that hostnames behind a single load balancer can each carry their own certificate. Rotation requires no traffic switch and no downtime.
Create a Google-managed Certificate resource for example.com via POST /v1/{parent}/certificates and bind it through a certificate map entry.
mTLS with Pinned Private CAs
Security engineers configure trust configs that pin specific private root and intermediate CAs, then attach them to load balancers that require client certificates. This enables zero-trust mutual TLS for service-to-service traffic without trusting the public web PKI. Trust configs are versioned and updated atomically.
Create a TrustConfig under /v1/{parent}/trustConfigs containing the customer's private root CA PEM and intermediate CA chain.
Multi-Hostname SNI Routing
SaaS providers serve hundreds of customer domains behind a single global IP using certificate maps and certificate map entries. Each entry binds an SNI hostname to a specific certificate, and entries can be added or removed without recreating the map. Onboarding a new customer domain is a single POST.
Create a certificate map entry binding hostname customer1.app.example.com to a previously provisioned certificate via POST /v1/{parent}/certificateMapEntries.
AI Agent Certificate Operator via Jentic
An AI agent through Jentic responds to a user request to issue a certificate for a new hostname, runs the provisioning operation, polls until status is ACTIVE, and binds it to the relevant certificate map. Jentic isolates the Google Cloud OAuth credentials so the agent never sees the service account key directly. The whole flow runs through three Jentic calls.
Through Jentic, search certificatemanager_create_certificate, load schema, and execute with project, location, and a managed certificate config for hostname app.example.com.
18 endpoints — Google Cloud Certificate Manager API provisions, stores, and deploys TLS certificates and private trust configurations across Google Cloud load balancers and edge services.
| METHOD | PATH | DESCRIPTION |
| --- | --- | --- |
| | /v1/{+parent}/certificates | Create a managed or self-managed TLS certificate |
| | /v1/{+parent}/certificates | List certificates in a location |
| | /v1/{+parent}/certificateMaps | Create a certificate map for SNI routing |
| | /v1/{+parent}/certificateMapEntries | Bind a hostname to a certificate within a map |
| | /v1/{+parent}/trustConfigs | Create a trust config pinning private CAs |
| | /v1/{+name}:cancel | Cancel a long-running operation |
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google Cloud service account keys with the cloud-platform scope are stored encrypted in the Jentic vault (MAXsystem). Agents receive scoped short-lived access tokens — service account JSON never enters the agent context.
Intent-based discovery
Agents search Jentic by intent (e.g. 'provision a TLS certificate for example.com on Google Cloud') and Jentic returns the certificates.create operation with its full input schema.
Time to first call
Direct integration: 2-3 days for service account setup, IAM role configuration, and operation polling. Through Jentic: under 1 hour — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Cloud KMS API
Manage cryptographic keys that may sign or wrap certificate private keys.
Use Cloud KMS to protect signing keys; use Certificate Manager to deploy the resulting certificates to load balancers.
Cloud DNS API
Manage the DNS records that prove domain ownership for managed certificate issuance.
Use Cloud DNS to create the validation CNAME or TXT records that Certificate Manager checks before issuing a managed certificate.
Google Cloud IAM API
Grant and revoke roles such as roles/certificatemanager.editor on certificate resources.
Use IAM to authorise principals before delegating Certificate Manager operations to them.
Specific to using Certificate Manager API through Jentic.
What authentication does the Certificate Manager API use?
It requires OAuth 2.0 with the cloud-platform scope, typically via a Google Cloud service account key. Through Jentic, that service account credential lives in the Jentic vault and the agent receives only short-lived access tokens scoped to the request.
Can I provision a Google-managed TLS certificate via the API?
Yes. POST a Certificate resource to /v1/{parent}/certificates with managed.domains set to the hostnames to cover. The provisioning is asynchronous; poll the returned operation under /v1/{+name}/operations until done is true and the certificate state is ACTIVE.
What are the rate limits for the Certificate Manager API?
Google Cloud applies per-project per-minute quotas (typically 60 write operations per minute and higher read quotas). Long-running operations such as managed certificate issuance can take several minutes to reach ACTIVE due to domain validation, not API throttling.
How do I create a certificate map entry through Jentic?
Use the Jentic search query "create a certificate map entry" to discover the certificateMaps.certificateMapEntries.create operation, load its schema, then execute it with the parent map, the hostname, and the certificate resource name. Run pip install jentic to get started.
Does the Certificate Manager API support self-managed certificates?
Yes. Provide selfManaged.pemCertificate and selfManaged.pemPrivateKey when creating a Certificate resource. Self-managed certificates do not auto-renew — the caller must rotate them by patching or replacing the resource before expiry.
Is the Certificate Manager API free?
API calls themselves are free. Google Cloud charges for active certificates and trust configs based on the load balancer pricing tier they are attached to. See the Google Cloud Certificate Manager pricing page for current rates.