Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following load balancer resources:
Target HTTPS proxies used by Application Load Balancers:
- Global external Application Load Balancer
- Classic Application Load Balancer
- Regional external Application Load Balancer
- Regional internal Application Load Balancer
- Cross-region internal Application Load Balancer

Target SSL proxies used by proxy Network Load Balancers:
- Global external proxy Network Load Balancer
- Classic proxy Network Load Balancer
Certificate Manager also lets you deploy regional self-managed and regional Google-managed certificates on proxies.
You can automatically issue and renew Google-managed certificates by using Certificate Manager. If you want to use your own trust chain rather than rely on Google-approved public certificate authorities (CAs) to issue your certificates, you can configure Certificate Manager to use a CA pool from Certificate Authority Service (CA Service) as the certificate issuer instead. You can also manually upload the following types of certificates:
- Certificates issued by third-party CAs of your choice
- Certificates issued by CAs under your control
- Self-signed certificates (clients won't trust these unless you distribute the certificate to them, so they are suited to testing or to internal clients you control)

Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.
With Certificate Manager, you can deploy up to a million certificates per load balancer. For information about default quotas and how to increase them, see the Certificate Manager quotas documentation. Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to domain names in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than when certificates are attached directly to a Cloud Load Balancing proxy.
Certificate Manager can also act as a public CA, issuing and deploying widely trusted X.509 certificates after validating that the requester controls the domains (the validation uses the ACME protocol). Certificate Manager lets you directly and programmatically request publicly trusted TLS certificates whose issuing roots are already in the trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. For more information, see the public CA documentation. You can also enable mutual TLS (mTLS) on your load balancer; the load balancer then validates client certificates against the trust anchors you define in a Certificate Manager trust config. For more information, see the mutual TLS documentation for Cloud Load Balancing.
When to use Certificate Manager?
Certificate Manager has the following advantages over directly assigning TLS (SSL) certificates to your load balancer.
Certificate Manager lets you do the following:
- Control the assignment and selection of certificates based on hostnames at a granular level that isn't available when you attach certificates directly to a load balancer.
- Manage all of your certificates in a unified way by using the Google Cloud CLI or the Certificate Manager API.
- Assign more than 15 certificates per target proxy. Certificate Manager supports up to a million certificates per load balancer.
- Automatically acquire and renew Google-managed certificates within Google Cloud.
- Use a CA pool from CA Service as the certificate issuer for Google-managed certificates instead of the Google or Let's Encrypt CAs.
- Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
- Use Google-managed certificates with DNS authorization for wildcard domain names, for example *.myorg.example.com. Google-managed certificates with load balancer authorization don't support wildcard domain names. As with any wildcard certificate, the wildcard covers a single label: *.myorg.example.com covers app.myorg.example.com but not myorg.example.com or dev.app.myorg.example.com, so request the apex name explicitly when you need it.
- Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
- Use Cloud Monitoring to monitor certificate propagation and expiration.
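The end-to-end procedure behind several of the items above (a DNS authorization, a Google-managed wildcard certificate, a certificate map with a wildcard entry and a primary entry, attachment to a global target HTTPS proxy, and a propagation check), as an added example that is not part of the Certificate Manager documentation or of Google's own tooling. The resource names myorg.example.com, myorg-zone, myorg-map and my-https-proxy, and the names derived from them, are placeholders; the gcloud commands are the standard ones, but confirm flags against your installed gcloud version. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the Certificate Manager documentation or from Google.
# Provisions a DNS-authorized Google-managed wildcard certificate, maps it to
# hostnames, attaches the map to a target HTTPS proxy, and checks propagation.
# All resource names below are placeholders.
# DRY_RUN=1 (the default) prints each gcloud command instead of executing it.

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Domain control for DNS authorization is proven with a CNAME at
# _acme-challenge.<domain>; one authorization for the apex also covers *.<domain>.
acme_cname_name() {
  printf '_acme-challenge.%s' "$1"
}

# Managed state of a certificate: PROVISIONING until issuance and propagation
# finish, then ACTIVE. Poll this before cutting traffic over.
certificate_state() {
  run gcloud certificate-manager certificates describe "$1" \
    --format='value(managed.state)'
}

# $1 domain, $2 Cloud DNS zone, $3 certificate map name, $4 target HTTPS proxy name
provision_wildcard_cert() {
  domain="$1"; zone="$2"; map="$3"; proxy="$4"
  auth="${domain%%.*}-dns-auth"          # e.g. myorg-dns-auth
  cert="${domain%%.*}-wildcard-cert"     # e.g. myorg-wildcard-cert

  # 1. Create the DNS authorization and read the CNAME target it expects.
  run gcloud certificate-manager dns-authorizations create "$auth" --domain="$domain"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    target="<dnsResourceRecord.data from describe>"
  else
    target=$(gcloud certificate-manager dns-authorizations describe "$auth" \
      --format='value(dnsResourceRecord.data)')
  fi

  # 2. Publish the CNAME. Until it resolves, the certificate stays in
  #    PROVISIONING and the proxy keeps serving whatever it served before.
  run gcloud dns record-sets create "$(acme_cname_name "$domain")." \
    --zone="$zone" --type=CNAME --ttl=300 --rrdatas="$target"

  # 3. Request one certificate for the apex and the wildcard. Wildcards require
  #    DNS authorization; load balancer authorization cannot issue them.
  run gcloud certificate-manager certificates create "$cert" \
    --domains="$domain,*.$domain" --dns-authorizations="$auth"

  # 4. Map hostnames to the certificate. The primary entry is served when no
  #    other entry matches (including clients that send no SNI). The wildcard
  #    entry matches one label: a.myorg.example.com, not b.a.myorg.example.com.
  run gcloud certificate-manager maps create "$map"
  run gcloud certificate-manager maps entries create "${map}-primary" \
    --map="$map" --certificates="$cert" --set-primary
  run gcloud certificate-manager maps entries create "${map}-wildcard" \
    --map="$map" --certificates="$cert" --hostname="*.$domain"

  # 5. Wait for ACTIVE, then attach the map. Attaching earlier would leave the
  #    proxy with no usable certificate for these hostnames until issuance ends.
  if [ "${DRY_RUN:-1}" != "1" ]; then
    until [ "$(certificate_state "$cert")" = "ACTIVE" ]; do sleep 30; done
  fi
  run gcloud compute target-https-proxies update "$proxy" --certificate-map="$map"
}

# Usage: DRY_RUN=0 sh provision.sh myorg.example.com myorg-zone myorg-map my-https-proxy
if [ $# -eq 4 ]; then
  provision_wildcard_cert "$@"
fi
```

The DNS authorization is created before the certificate so the CNAME can be published ahead of the request; that ordering is what makes "provision in advance" possible when you migrate a domain whose traffic is still served elsewhere. To issue from your own CA Service pool instead of a public CA, create a certificate issuance config that references the CA pool and pass it with --issuance-config on the certificates create command in place of --dns-authorizations; a private CA doesn't validate domain control, so no DNS authorization is needed in that case.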