This page describes the steps for deploying a certificate with Certificate Manager. For more information about the Certificate Manager entities mentioned on this page, see How Certificate Manager works.
Certificate Manager supports the following certificate types:
- Google-managed certificates are certificates that Google Cloud obtains and manages for you. You can create the following types of Google-managed certificates with Certificate Manager:
  - Global certificates
  - Regional certificates
- Self-managed certificates are certificates that you obtain, provision, and renew yourself.
The following table shows which Google Cloud load balancers support Certificate Manager self-managed or Google-managed certificates or both.
Load balancer | Google-managed certificate: DNS authorization | Google-managed certificate: Load balancer authorization | Google-managed certificate: Certificate Authority Service (CA Service) | Self-managed certificate
---|---|---|---|---
Global external Application Load Balancer | info | info | info | info
Classic Application Load Balancer | info | info | info | info
Global external proxy Network Load Balancer | info | info | info | info
Cross-region internal Application Load Balancer | info | info | info |
Regional external Application Load Balancer | info | info | info |
Regional internal Application Load Balancer | info | info | info |
Deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer
To deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer, use any of the following methods:
- (Recommended) Deploy a Google-managed certificate.
- Deploy a self-managed certificate.
Deploy a Google-managed certificate
To deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer using a Google-managed certificate, complete the following steps:
- Create a Google-managed certificate, with any of the following configurations:
- Configure a certificate map for this certificate:
  - Create a certificate map.
  - Add the certificate map entries for hostnames that require this certificate.
  - Optional: Add a certificate map entry for the primary certificate to use when the load balancer cannot find a certificate specific to the requested hostname in this certificate map.
- Verify that the certificate and its corresponding certificate map entry are active. If you are using a Google-managed certificate with load balancer authorization, the certificate only becomes active after you complete the following step and the certificate completes provisioning.
- Attach the certificate map to the target proxy in your load balancer configuration.
Deploy a self-managed certificate
To deploy a self-managed certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer, complete the following steps:
- Upload a self-managed certificate.
- Configure a certificate map for this certificate:
  - Create a certificate map.
  - Add the certificate map entries for hostnames that require this certificate.
  - Optional: Add a certificate map entry for the primary certificate to use when the load balancer cannot find a certificate specific to the requested hostname in this certificate map.
- Verify that the certificate and its corresponding certificate map entry are active. If you are using a Google-managed certificate with load balancer authorization, the certificate only becomes active after you complete the following step and the certificate completes provisioning.
- Attach the certificate map to the target proxy in your load balancer configuration.
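The self-managed procedure above, written out as gcloud commands with the verification step enforced as a gate before the load balancer is changed. This is an added example, not taken from the Certificate Manager documentation; the resource names, file paths and hostname are placeholders, and it assumes the load balancer uses an HTTPS target proxy.

```shell
#!/bin/sh
# Added example: deploys a self-managed certificate through a certificate map.
# Resource names, file paths and the hostname are placeholders (assumptions).
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print each gcloud command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Gate for the "verify" step: succeed only when the reported state is ACTIVE.
require_active() {
  [ "$1" = "ACTIVE" ] && return 0
  printf 'map entry state is "%s", not ACTIVE; not attaching\n' "$1" >&2
  return 1
}

deploy_self_managed() {
  cert="$1"; map="$2"; host="$3"; proxy="$4"; crt_file="$5"; key_file="$6"

  # 1. Upload the certificate and its private key.
  run gcloud certificate-manager certificates create "$cert" \
    --certificate-file="$crt_file" --private-key-file="$key_file"

  # 2. Create the map, a hostname entry, and the optional primary entry.
  run gcloud certificate-manager maps create "$map"
  run gcloud certificate-manager maps entries create "${cert}-host" \
    --map="$map" --certificates="$cert" --hostname="$host"
  run gcloud certificate-manager maps entries create "${cert}-primary" \
    --map="$map" --certificates="$cert" --set-primary

  # 3. Verify the entry is ACTIVE before touching the load balancer.
  if [ "$DRY_RUN" = "1" ]; then
    run gcloud certificate-manager maps entries describe "${cert}-host" --map="$map"
  else
    state=$(gcloud certificate-manager maps entries describe "${cert}-host" \
      --map="$map" --format='value(state)')
    require_active "$state"
  fi

  # 4. Attach the map to the target HTTPS proxy.
  run gcloud compute target-https-proxies update "$proxy" \
    --certificate-map="$map" --global
}
```

With the default `DRY_RUN=1` the function only prints the commands for review; the certificate-map steps (2 to 4) are the same ones the Google-managed procedure uses.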
Deploy a certificate to a cross-region internal Application Load Balancer
To deploy a certificate to a cross-region internal Application Load Balancer, use any of the following methods:
- (Recommended) Deploy a Google-managed certificate.
- Deploy a self-managed certificate.
Deploy a Google-managed certificate
To deploy a Google-managed certificate to a cross-region internal Application Load Balancer, complete the following steps:
- Create a Google-managed certificate, with any of the following configurations:
- Attach the certificate directly to the target proxy.
Deploy a self-managed certificate
To deploy a self-managed certificate to a cross-region internal Application Load Balancer, complete the following steps:
Deploy a self-managed certificate to a regional external Application Load Balancer or regional internal Application Load Balancer
To deploy a self-managed certificate to a regional external Application Load Balancer or regional internal Application Load Balancer, complete the following steps:
- Upload a self-managed certificate.
- Attach the certificate to the target proxy in your load balancer configuration.
Migrate an existing certificate
If you want to migrate an existing certificate from your load balancer to Certificate Manager, follow the instructions in Migrate a certificate to Certificate Manager.
If you want to use mutual TLS authentication (mTLS), see Mutual TLS authentication in the Cloud Load Balancing documentation.
What's next
- Deploy a Google-managed certificate with DNS authorization (tutorial)
- Deploy a Google-managed certificate with load balancer authorization (tutorial)
- Deploy a Google-managed certificate with CA Service (tutorial)
- Deploy a global self-managed certificate (tutorial)
- Deploy a regional self-managed certificate (tutorial)