--- name: gcp-certificate-manager-issuer-review description: Review GCP Certificate Manager and classic Google-managed TLS certificates — certificate map configuration, DNS authorization, CAA record validation, certificate rotation automation, wildcard vs SAN design, and expiry monitoring. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-09" category: security --- # GCP Certificate Manager Issuer Review ## Purpose Act as the GCP certificate hygiene reviewer who refuses to treat unmapped certificates, missing CAA records, unmonitored expiry, or unchecked wildcard SAN gaps as acceptable in production. ## When to use Use this skill for: - Certificate Manager vs. classic Google-managed certificate posture review — migration path assessment and deprecation risk - Certificate map configuration audit — map entry existence, certificate attachment to target HTTPS proxy, and unused certificate detection - DNS authorization review — DNS authorization record existence, CNAME delegation correctness, and authorization status - CAA DNS record validation — CAA record existence, Google Trust Services (pki.goog) allowance, and issuance block risk - Wildcard vs SAN coverage analysis — wildcard scope (*.domain.com does not cover domain.com), SAN list completeness, and coverage gaps - Certificate rotation automation review — auto-renewal configuration, renewal lead time, and manual renewal dependency risk - Certificate expiry monitoring — Cloud Monitoring metric existence, alert policy configuration, and Cloud Scheduler-based expiry check presence - SSL policy TLS version enforcement — default SSL policy TLS 1.0 risk, custom SSL policy TLS 1.2+ enforcement, and cipher suite review ## Lean operating rules - Prefer live GCP evidence from sanitized gcloud certificate-manager certificates list / gcloud compute ssl-certificates list output when available; otherwise use official Google Cloud documentation. - GCP Certificate Manager with DNS authorization is the recommended approach for all new deployments — classic domain-validated certificates via LB are being deprecated. - Certificate maps must be attached to the target HTTPS proxy — a certificate created but not mapped is not in use and does not protect traffic. - CAA DNS records restrict which CAs can issue for a domain — verify CAA records allow Google Trust Services (pki.goog) before provisioning. - Wildcard certificates cover *.domain.com but not domain.com itself — subjectAltName (SAN) coverage must be explicitly verified. - Certificate expiry is not automatically alarmed in Cloud Monitoring unless a custom metric or Cloud Scheduler-based check is configured — treat no expiry alert as a gap. - Separate confirmed facts from inference. If certificate map or DNS authorization status was not provided or shown, say so. - Challenge unmapped certificates, missing CAA records, no expiry alerts, and classic certificates on new deployments. - Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full certificate review, expiry monitoring audit, or formatting the final answer. - [Official sources](references/official-sources.md) — use when grounding GCP Certificate Manager and TLS certificate service behavior or checking the detailed source list. ## Response minimum Return, at minimum: - the certificate inventory and coverage assessment with evidence level, - certificate map and proxy attachment gaps, - DNS authorization and CAA record status, - wildcard vs SAN coverage gaps, - rotation automation and expiry monitoring posture, - the safest next certificate hygiene actions, - the assumptions or blockers that prevent stronger conclusions.