Certificate Manager overview

Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following Google Cloud load balancers:

  • Global external HTTP(S) load balancer (target HTTPS proxies)
  • Global external HTTP(S) load balancer (classic) (target HTTPS proxies)
  • External SSL proxy load balancer (target SSL proxies)

For more information about load balancer types, see Modes of operation.

Certificate Manager also lets you deploy regional self-managed certificates on Secure Web Proxy proxies.

To use Certificate Manager, your load balancer must be on the Premium Network Service Tier. For more information, see Network Service Tiers.

You can automatically issue and renew Google-managed certificates by using Certificate Manager. If you want to use your own trust chain rather than rely on Google-approved public certificate authorities (CAs) to issue your certificates, you can configure Certificate Manager to use a CA pool from the Certificate Authority Service as the certificate issuer instead.

You can also manually upload the following types of certificates:

  • Certificates issued by third-party CAs of your choice
  • Certificates issued by CAs under your control
  • Self-signed certificates, as described in Create a private key and certificate

Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.

With Certificate Manager, you can deploy up to a million certificates per load balancer. For information about default quotas and how to increase them, see Quotas and limits.

Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to hostnames in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than with Cloud Load Balancing.

Certificate Manager can also act as a public CA to provide and deploy widely-trusted X.509 certificates after validating that the certificate requester controls the domains. Certificate Manager lets you directly and programmatically request publicly-trusted TLS certificates that are already in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. For more information, see Public CA.

You have the option to use mutual TLS authentication (mTLS) on your load balancer. For more information, see Mutual TLS authentication in the Cloud Load Balancing documentation.

When to use Certificate Manager

Certificate Manager has the following advantages over directly assigning TLS (SSL) certificates to your load balancer. With Certificate Manager, you can do the following:

  • Control the assignment and selection of certificates based on hostnames at a highly granular level that's not available when using Cloud Load Balancing.
  • Manage all of your certificates in a unified way by using the Google Cloud CLI or the Certificate Manager API.
  • Assign more than 15 certificates per target proxy. Certificate Manager supports up to a million certificates per load balancer.
  • Automatically acquire and renew Google-managed certificates within Google Cloud.
  • Use a CA pool from the CA Service as the certificate issuer for Google-managed certificates instead of the Google or Let's Encrypt CAs.
  • Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
  • Use Google-managed certificates with DNS authorization for wildcard hostnames—for example, *.example.com. Google-managed certificates with load balancer authorization do not support wildcard hostnames.
  • Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
  • Use Cloud Monitoring to monitor certificate propagation and expiration.

Limitations

Certificate Manager has the following limitations:

  • For issuing publicly trusted Google-managed certificates, Certificate Manager only supports the Google CA and the Let's Encrypt CA.
  • For issuing privately trusted Google-managed certificates, Certificate Manager only supports the Certificate Authority Service.
  • The number of domains (Subject Alternative Names) for Google-managed certificates is limited to a maximum of 100 when using DNS authorization and to a maximum of five when using load balancer authorization.
  • You can associate a maximum of four certificates with a single certificate map entry.
  • The primary domain specified for a Google-managed certificate must have a name shorter than 64 characters. If you need a Google-managed certificate for a domain that exceeds this limit, create a certificate with multiple domains (SANs) and specify the longer domain names after the primary domain.
  • The following limitations apply to trust config resources:
    • A trust config resource can hold a single trust store.
    • A trust store can hold up to 10 trust anchors.
    • A trust store can hold up to 10 intermediate CA certificates.
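The limits above are easy to trip over when certificate requests are generated by automation. The following is an added example, not code from Google or the Certificate Manager documentation: a local preflight check that encodes the limits stated in this overview (SAN counts per authorization type, the 64-character primary domain rule, the wildcard rule from the section above, certificates per map entry, and trust config sizes) so that a bad request can be rejected before it reaches the API. The dictionary shapes for the trust config and the use of `domains[0]` as the primary domain are assumptions made for this example.

```python
"""Preflight checks against the Certificate Manager limits stated in the overview.

Added example (not Google's code). The numeric limits come from the documentation
text; the input shapes (domain list with the primary domain first, trust config as
a list of dicts) are assumptions of this example.
"""
from __future__ import annotations

MAX_SANS_DNS_AUTH = 100      # domains per Google-managed cert with DNS authorization
MAX_SANS_LB_AUTH = 5         # domains per Google-managed cert with load balancer authorization
MAX_PRIMARY_DOMAIN_LEN = 63  # primary domain must be shorter than 64 characters
MAX_CERTS_PER_MAP_ENTRY = 4
MAX_TRUST_STORES = 1         # a trust config holds a single trust store
MAX_TRUST_ANCHORS = 10
MAX_INTERMEDIATES = 10


def check_managed_certificate(domains: list[str], authorization: str) -> list[str]:
    """Return the limit violations for a Google-managed certificate request.

    An empty list means the request is within the documented limits.
    `domains[0]` is treated as the primary domain (assumption of this example);
    `authorization` is "dns" or "lb".
    """
    if authorization not in ("dns", "lb"):
        return [f"unknown authorization type {authorization!r}; expected 'dns' or 'lb'"]
    if not domains:
        return ["at least one domain is required"]

    problems: list[str] = []
    primary = domains[0]
    if len(primary) > MAX_PRIMARY_DOMAIN_LEN:
        problems.append(
            f"primary domain {primary!r} has {len(primary)} characters; it must be shorter "
            "than 64. Use a shorter primary domain and list the long name as a later SAN."
        )

    limit = MAX_SANS_DNS_AUTH if authorization == "dns" else MAX_SANS_LB_AUTH
    if len(domains) > limit:
        problems.append(
            f"{len(domains)} domains exceeds the maximum of {limit} for {authorization} authorization"
        )

    # Wildcard hostnames are only supported with DNS authorization.
    wildcards = [d for d in domains if d.startswith("*.")]
    if wildcards and authorization == "lb":
        problems.append(f"wildcard hostnames {wildcards} require DNS authorization")
    return problems


def check_map_entry(certificate_names: list[str]) -> list[str]:
    """Return violations for the certificates attached to one certificate map entry."""
    if len(certificate_names) > MAX_CERTS_PER_MAP_ENTRY:
        return [
            f"{len(certificate_names)} certificates on one map entry; "
            f"the maximum is {MAX_CERTS_PER_MAP_ENTRY}"
        ]
    return []


def check_trust_config(trust_stores: list[dict]) -> list[str]:
    """Return violations for a trust config expressed as a list of trust stores.

    Each trust store is a dict with optional "trust_anchors" and "intermediate_cas"
    lists of PEM strings (shape assumed for this example).
    """
    problems: list[str] = []
    if len(trust_stores) > MAX_TRUST_STORES:
        problems.append(f"trust config holds {len(trust_stores)} trust stores; only one is allowed")
    for index, store in enumerate(trust_stores):
        anchors = store.get("trust_anchors", [])
        intermediates = store.get("intermediate_cas", [])
        if len(anchors) > MAX_TRUST_ANCHORS:
            problems.append(f"trust store {index}: {len(anchors)} trust anchors exceeds {MAX_TRUST_ANCHORS}")
        if len(intermediates) > MAX_INTERMEDIATES:
            problems.append(
                f"trust store {index}: {len(intermediates)} intermediate CAs exceeds {MAX_INTERMEDIATES}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick run; none of these names are real resources.
    print(check_managed_certificate(["example.com", "www.example.com"], "dns"))   # []
    print(check_managed_certificate(["*.example.com"], "lb"))                      # wildcard needs DNS auth
    print(check_map_entry(["cert-1", "cert-2", "cert-3", "cert-4", "cert-5"]))      # too many certs
    print(check_trust_config([{"trust_anchors": ["PEM"] * 11}]))                   # too many anchors
```

Run the checks in the pipeline that assembles the request (for example, before calling `gcloud certificate-manager certificates create`), and treat a non-empty list as a hard failure; the messages are written so they can be surfaced directly to whoever owns the request.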

What's next