Certificate Manager overview  |  Google Cloud (2024)


Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following load balancer resources:

Certificate Manager also lets you deploy regional self-managed and regional Google-managed certificates on Secure Web Proxy proxies.

To use Certificate Manager, your load balancer needs to be compatible with the corresponding Network Service Tier. For a comprehensive breakdown of load balancer types and their respective network service tier support, see Summary of Google Cloud load balancers.

You can automatically issue and renew Google-managed certificates by using Certificate Manager. If you want to use your own trust chain rather than rely on Google-approved public certificate authorities (CAs) to issue your certificates, you can configure Certificate Manager to use a CA pool from the Certificate Authority Service as the certificate issuer instead.

You can also manually upload the following types of certificates:

  • Certificates issued by third-party CAs of your choice
  • Certificates issued by CAs under your control
  • Self-signed certificates, as described in Create a private key and certificate

Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.

With Certificate Manager, you can deploy up to a million certificates per load balancer. For information about default quotas and how to increase them, see Quotas and limits.

Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to domain names in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than with Cloud Load Balancing.

Certificate Manager can also act as a public CA to provide and deploy widely trusted X.509 certificates after validating that the certificate requester controls the domains. Certificate Manager lets you directly and programmatically request publicly trusted TLS certificates that are already in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. For more information, see Public CA.

You have the option to use mutual TLS authentication (mTLS) on your load balancer. For more information, see Mutual TLS authentication in the Cloud Load Balancing documentation.

When to use Certificate Manager

Certificate Manager has the following advantages over directly assigning TLS (SSL) certificates to your load balancer. Certificate Manager lets you do the following:

  • Control the assignment and selection of certificates based on hostnames at a highly granular level that's not available when using Cloud Load Balancing.
  • Manage all of your certificates in a unified way by using the Google Cloud CLI or the Certificate Manager API.
  • Assign more than 15 certificates per target proxy. Certificate Manager supports up to a million certificates per load balancer.
  • Automatically acquire and renew Google-managed certificates within Google Cloud.
  • Use a CA pool from the CA Service as the certificate issuer for Google-managed certificates instead of the Google or Let's Encrypt CAs.
  • Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
  • Use Google-managed certificates with DNS authorization for wildcard domain names, for example, *.myorg.example.com. Google-managed certificates with load balancer authorization don't support wildcard domain names.
  • Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
  • Use Cloud Monitoring to monitor certificate propagation and expiration.

Limitations

Certificate Manager has the following limitations:

  • For issuing publicly trusted Google-managed certificates, Certificate Manager only supports the Google CA and the Let's Encrypt CA.
  • For issuing privately trusted Google-managed certificates, Certificate Manager only supports the Certificate Authority Service.
  • The number of domains (Subject Alternative Names) for Google-managed certificates is limited to a maximum of 100 when using DNS authorization and to a maximum of five when using load balancer authorization.
  • You can associate a maximum of four certificates with a single certificate map entry.
  • For Google-managed certificates, there are limitations on the length of domain names that they can support. For more information about the length limitations of domain names, see Domain name length limitations for Google-managed certificates.
  • Certificates with the ALL_REGIONS scope don't support load balancer authorization.
  • The following limitations apply to trust config resources:
    • A trust config resource can hold a single trust store.
    • A trust store can hold up to 100 trust anchors.
    • A trust store can hold up to 100 intermediate CA certificates.
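
The limits above can be checked against a planned deployment before any certificate is requested. The following is an added example, not code from Google's documentation: PlannedCert, the "dns" and "load_balancer" labels, the function names and the sample plan are assumptions made for illustration, and the numeric limits are the ones listed on this page.

```python
from dataclasses import dataclass

# Limits copied from the Limitations list above.
MAX_SANS = {"dns": 100, "load_balancer": 5}
MAX_CERTS_PER_MAP_ENTRY = 4
MAX_TRUST_STORE_ITEMS = 100  # trust anchors, and separately intermediate CAs

@dataclass
class PlannedCert:  # hypothetical planning record, not a Certificate Manager API type
    name: str
    domains: list
    authorization: str  # hypothetical labels: "dns" or "load_balancer"
    scope: str = "DEFAULT"

def check_cert(cert):
    """Return the documented limits a planned Google-managed certificate breaks."""
    limit = MAX_SANS.get(cert.authorization)
    if limit is None:
        return [f"{cert.name}: unknown authorization type {cert.authorization!r}"]
    problems = []
    if len(cert.domains) > limit:
        problems.append(f"{cert.name}: {len(cert.domains)} domains, limit is {limit}")
    if cert.authorization == "load_balancer":
        if any(d.startswith("*.") for d in cert.domains):
            problems.append(f"{cert.name}: wildcard not supported with load balancer authorization")
        if cert.scope == "ALL_REGIONS":
            problems.append(f"{cert.name}: ALL_REGIONS not supported with load balancer authorization")
    return problems

def check_map_entry(hostname, cert_names):
    """A certificate map entry can reference at most four certificates."""
    if len(cert_names) > MAX_CERTS_PER_MAP_ENTRY:
        return [f"{hostname}: {len(cert_names)} certificates on one map entry"]
    return []

def check_trust_store(anchors, intermediates):
    """A trust store holds up to 100 trust anchors and 100 intermediate CAs."""
    sizes = {"trust anchors": len(anchors), "intermediate CAs": len(intermediates)}
    return [f"trust store: {n} {kind}" for kind, n in sizes.items() if n > MAX_TRUST_STORE_ITEMS]

# Constructed sample plan; the domain is the page's own example wildcard name.
SAMPLE = [
    PlannedCert("wild-lb", ["*.myorg.example.com"], "load_balancer"),
    PlannedCert("wild-dns", ["*.myorg.example.com"], "dns"),
]

def lint(plan):
    """Collect every violation across a list of planned certificates."""
    return [p for cert in plan for p in check_cert(cert)]
```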

What's next

  • How Certificate Manager works


Last updated 2024-09-10 UTC.
