Domain authorization for Google-managed certificates

This page describes how domain authorization works with Google-managed certificates. It compares load balancer authorization to DNS authorization and explains how Certificate Manager verifies domain ownership using each method.

Domain authorization does not apply to Google-managed certificates issued by Certificate Authority Service. For more information on such certificates, see Deploying a Google-managed certificate with Certificate Authority Service.

Certificate Manager lets you prove ownership of domains for which you want to issue Google-managed certificates in one of the following ways:

  • Load balancer authorization is faster to configure but does not support wildcard certificates. It can also only provision certificates after the load balancer has been fully set up and is serving network traffic.
  • DNS authorization requires you to configure additional dedicated DNS records for proof of domain ownership, but can provision certificates in advance, before the target proxy is ready to serve network traffic. This allows you to perform a zero-downtime migration from a third-party solution to Google Cloud.

Load balancer authorization

The simplest way to issue a Google-managed certificate is with load balancer authorization. This method minimizes changes to your DNS configuration but only provisions the TLS (SSL) certificate after all configuration steps have been completed. Therefore, this method works best for setting up an environment from scratch with no production traffic flowing until setup is complete.

To create Google-managed certificates with load balancer authorization, your deployment must meet the following requirements:

  • The Google-managed certificate must be accessible on port 443 from all IP addresses serving the target domain; otherwise, provisioning fails. For example, if you have separate load balancers for IPv4 and IPv6, you must assign the same Google-managed certificate to each of them.
  • You must explicitly specify the IP addresses of your load balancers in your DNS configuration. Intermediate layers, such as CDN, can cause unpredictable behavior.
  • The target domain must be openly resolvable from the Internet. Split-horizon or DNS firewall environments can interfere with certificate provisioning.

DNS authorization

If you want your Google-managed certificates to be ready for use before your production environment is fully set up, such as before starting a migration from another vendor to Google Cloud, you can provision them with DNS authorizations. In this scenario, Certificate Manager uses DNS-based validation. Each DNS authorization stores information about the DNS record that you need to set up and covers a single domain plus its wildcard—for example, myorg.example.com and *.myorg.example.com.

When creating a Google-managed certificate, you can specify one or more DNS authorizations to use for provisioning and renewal of that certificate. If you are using multiple certificates for a single domain, you can specify the same DNS authorization in each of those certificates. Your DNS authorizations must cover all domains specified in the certificate; otherwise, certificate creation and renewals fail.

You can manage certificates for each project separately by using per-project DNS authorization. This means that Certificate Manager can issue and manage certificates for each project independently within Google Cloud. DNS authorizations and certificates that you use within a project are self-contained and don't interact with those in other projects.

Setting up a DNS authorization requires you to add a CNAME record for a validation sub-domain nested under your target domain to your DNS configuration. This CNAME record points to a special Google Cloud domain that Certificate Manager uses to verify domain ownership. Certificate Manager returns the CNAME record when you create a DNS authorization for the target domain.

The CNAME record also grants to Certificate Manager the permissions for provisioning and renewal of certificates for that domain within the target Google Cloud project. To revoke these permissions, remove the CNAME record from your DNS configuration.

To enable per-project DNS authorization, select the PER_PROJECT_RECORD during the DNS authorization creation process. Upon selection, you receive a unique CNAME record that includes both subdomain and target and that is tailored to the specific project.

Add the CNAME record to the DNS zone of the relevant domain.

What's next