Domain authorization for Google-managed certificates

This page describes how domain authorization works with Google-managed certificates. It compares load balancer authorization to DNS authorization and explains how Certificate Manager verifies domain ownership using each method.

Domain authorization does not apply to Google-managed certificates issued by Certificate Authority Service. For more information on such certificates, see Deploying a Google-managed certificate with Certificate Authority Service.

Certificate Manager lets you prove ownership of domains for which you want to issue Google-managed certificates in one of the following ways:

  • Load balancer authorization is faster to configure but does not support wildcard certificates. It can also only provision certificates after the load balancer has been fully set up and is serving network traffic.
  • DNS authorization requires you to configure additional dedicated DNS records for proof of domain ownership, but can provision certificates in advance, before the target proxy is ready to serve network traffic. This allows you to perform a zero-downtime migration from a third-party solution to Google Cloud.

Load balancer authorization

The simplest way to issue a Google-managed certificate is with load balancer authorization. This method minimizes changes to your DNS configuration but only provisions the TLS (SSL) certificate after all configuration steps have been completed. Therefore, this method works best for setting up an environment from scratch with no production traffic flowing until setup is complete.

To create Google-managed certificates with load balancer authorization, your deployment must meet the following requirements:

  • The Google-managed certificate must be accessible on port 443 from all IP addresses serving the target domain; otherwise, provisioning fails. For example, if you have separate load balancers for IPv4 and IPv6, you must assign the same Google-managed certificate to each of them.
  • You must explicitly specify the IP addresses of your load balancers in your DNS configuration. Intermediate layers, such as CDN, can cause unpredictable behavior.
  • The target domain must be openly resolvable from the Internet. Split-horizon or DNS firewall environments can interfere with certificate provisioning.

DNS authorization

If you want your Google-managed certificates to be ready for use before your production environment is fully set up, such as before starting a migration from another vendor to Google Cloud, you can provision them with DNS authorizations. In this scenario, Certificate Manager uses DNS-based validation. Each DNS authorization stores information about the DNS record that you need to set up and covers a single domain plus its wildcard—for example, myorg.example.com and *.myorg.example.com.

When creating a Google-managed certificate, you can specify one or more DNS authorizations to use for provisioning and renewal of that certificate. If you are using multiple certificates for a single domain, you can specify the same DNS authorization in each of those certificates. Your DNS authorizations must cover all domains specified in the certificate; otherwise, certificate creation and renewals fail.

You can manage certificates for each project separately by using per-project DNS authorization (Preview). This means that Certificate Manager can issue and manage certificates for each project independently within Google Cloud. DNS authorizations and certificates that you use within a project are self-contained and don't interact with those in other projects.

Setting up a DNS authorization requires you to add a CNAME record for a validation subdomain nested under your target domain to your DNS configuration. This CNAME record points to a special Google Cloud domain that Certificate Manager uses to verify domain ownership. Certificate Manager returns the CNAME record when you create a DNS authorization for the target domain.

At the validation subdomain, Certificate Manager exposes a TXT record generated from the one-time challenge received from the CA. The CA must be able to access this TXT record to complete domain ownership verification.

The CNAME record also grants Certificate Manager permission to provision and renew certificates for that domain within the target Google Cloud project. To revoke this permission, remove the CNAME record from your DNS configuration.

To enable per-project DNS authorization, select the PER_PROJECT_RECORD option when you create the DNS authorization. You then receive a unique CNAME record, with both its subdomain and its target tailored to the specific project.

Add the CNAME record to the DNS zone of the relevant domain.
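Two pre-flight checks for the DNS authorization flow described above, as an added example (not Certificate Manager's own code): whether every domain on a certificate is covered by some authorization (a domain plus its single-level wildcard), and whether the returned CNAME is actually published under the authorized domain with the expected target. The `domain` and `dnsResourceRecord.{name,type,data}` field names are assumed to match the JSON that `gcloud certificate-manager dns-authorizations describe` prints, and all record values below are constructed.

```python
"""Pre-flight checks for Certificate Manager DNS authorizations.

Assumes the JSON shape of `gcloud certificate-manager dns-authorizations
describe NAME --format=json` (fields `domain` and
`dnsResourceRecord.{name,type,data}`). Sample values are constructed.
"""
from typing import Callable, Iterable, List, Optional


def is_covered(cert_domain: str, auth_domain: str) -> bool:
    """An authorization for D covers exactly D and *.D (one label deep)."""
    return cert_domain == auth_domain or cert_domain == f"*.{auth_domain}"


def uncovered_domains(cert_domains: Iterable[str], auth_domains: Iterable[str]) -> List[str]:
    """Domains on the certificate that no authorization covers (creation/renewal would fail)."""
    auths = list(auth_domains)
    return [d for d in cert_domains if not any(is_covered(d, a) for a in auths)]


def check_cname(auth: dict, lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Verify the validation CNAME is published as Certificate Manager expects.

    `lookup(name)` returns the CNAME target currently in DNS, or None if absent
    (a removed CNAME also means the provisioning/renewal permission is revoked).
    """
    problems: List[str] = []
    rec = auth["dnsResourceRecord"]
    name, target = rec["name"].rstrip("."), rec["data"].rstrip(".")
    domain = auth["domain"]
    if rec["type"] != "CNAME":
        problems.append(f"unexpected record type {rec['type']}")
    # The validation subdomain must be nested directly under the authorized domain.
    if not name.endswith("." + domain):
        problems.append(f"{name} is not nested under {domain}")
    actual = lookup(name)
    if actual is None:
        problems.append(f"no CNAME at {name}: Certificate Manager cannot provision or renew")
    elif actual.rstrip(".") != target:
        problems.append(f"{name} points to {actual}, expected {target}")
    return problems


# Constructed sample authorization for myorg.example.com (not a real record).
SAMPLE_AUTH = {
    "domain": "myorg.example.com",
    "dnsResourceRecord": {
        "name": "_acme-challenge.myorg.example.com.",
        "type": "CNAME",
        "data": "0123abcd-0000-4000-8000-000000000000.1.authorize.certificatemanager.goog.",
    },
}
# Constructed DNS state standing in for a live resolver query.
PUBLISHED = {"_acme-challenge.myorg.example.com": SAMPLE_AUTH["dnsResourceRecord"]["data"]}
```

In a real check, replace `PUBLISHED.get` with a resolver query so the CNAME is confirmed from the public Internet, as the CA sees it.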
