Deployment overview

This page describes the steps for deploying a certificate with Certificate Manager. For more information about the Certificate Manager entities mentioned on this page, see How Certificate Manager works.

Certificate Manager supports the following certificate types:

The following table shows which Google Cloud load balancers support Certificate Manager self-managed or Google-managed certificates or both.

Load balancer Google-managed certificate Self-managed certificate
DNS authorization Load balancer authorization Certificate Authority Service (CA Service)
Global external Application Load Balancer
info

info

info

info
Classic Application Load Balancer
info

info

info

info
Global external proxy Network Load Balancer
info

info

info

info
Cross-region internal Application Load Balancer
info

info

info
Regional external Application Load Balancer
info

info

info
Regional internal Application Load Balancer
info

info

info

Deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer

To deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer, use any of the following methods:

Deploy a Google-managed certificate

To deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer using a Google-managed certificate, complete the following steps:

  1. Create a Google-managed certificate, with any of the following configurations:
  2. Configure a certificate map for this certificate:
    1. Create a certificate map.
    2. Add the certificate map entries for hostnames that require this certificate.
    3. Optional: Add a certificate map entry for the primary certificate to use when the load balancer cannot find a certificate specific to the requested hostname in this certificate map.
  3. Verify that the certificate and its corresponding certificate map entry are active. If you are using a Google-managed certificate with load balancer authorization, the certificate only becomes active after you complete the following step and the certificate completes provisioning.
  4. Attach the certificate map to the target proxy in your load balancer configuration.

Deploy a self-managed certificate

To deploy a self-managed certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer, complete the following steps:

  1. Upload a self-managed certificate.
  2. Configure a certificate map for this certificate:
    1. Create a certificate map.
    2. Add the certificate map entries for hostnames that require this certificate.
    3. Optional: Add a certificate map entry for the primary certificate to use when the load balancer cannot find a certificate specific to the requested hostname in this certificate map.
  3. Verify that the certificate and its corresponding certificate map entry are active. If you are using a Google-managed certificate with load balancer authorization, the certificate only becomes active after you complete the following step and the certificate completes provisioning.
  4. Attach the certificate map to the target proxy in your load balancer configuration.

Deploy a certificate to a cross-region internal Application Load Balancer

To deploy a certificate to a cross-region internal Application Load Balancer, use any of the following methods:

Deploy a Google-managed certificate

To deploy a Google-managed certificate to a cross-region internal Application Load Balancer, complete the following steps:

  1. Create a Google-managed certificate, with any of the following configurations:
  2. Attach the certificate directly to the target proxy.

Deploy a self-managed certificate

To deploy a self-managed certificate to a cross-region internal Application Load Balancer, complete the following steps:

  1. Upload a self-managed certificate.
  2. Attach the certificate directly to the target proxy.

Deploy a self-managed certificate to a regional external Application Load Balancer or regional internal Application Load Balancer

To deploy a self-managed certificate to a regional external Application Load Balancer or regional internal Application Load Balancer, complete the following steps:

  1. Upload a self-managed certificate.
  2. Attach the certificate to the target proxy in your load balancer configuration.

Migrate an existing certificate

If you want to migrate an existing certificate from your load balancer to Certificate Manager, follow the instructions in Migrate a certificate to Certificate Manager.

If you want to use mutual TLS authentication (mTLS), see Mutual TLS authentication in the Cloud Load Balancing documentation.

What's next