Certificate Manager overview


Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following Google Cloud load balancers:

  • Global external HTTP(S) load balancer (target HTTPS proxies)
  • Global external HTTP(S) load balancer (classic) (target HTTPS proxies)
  • External SSL proxy load balancer (target SSL proxies)

For more information about load balancer types, see Modes of operation.

To use Certificate Manager, your load balancer must be on the Premium Network Service Tier. For more information, see Network Service Tiers.

You can automatically issue and renew Google-managed certificates by using Certificate Manager. If you want to use your own trust chain rather than rely on Google-approved public CAs to issue your certificates, you can configure Certificate Manager to use a CA pool from the Certificate Authority Service as the certificate issuer instead.

You can also manually upload the following types of certificates:

  • Certificates issued by third-party certificate authorities (CAs) of your choice
  • Certificates issued by CAs under your control
  • Self-signed certificates, as described in Create a private key and certificate

Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.

With Certificate Manager, you can deploy up to a million certificates per load balancer. For information about default quotas and how to increase them, see Quotas and limits.

Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to hostnames in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than with Cloud Load Balancing.

Certificate Manager can also act as a public CA to provide and deploy widely trusted X.509 certificates after validating that the certificate requester controls the domains. Certificate Manager lets you directly and programmatically request publicly trusted TLS certificates whose roots are already in the trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. For more information, see Certificate Manager Public CA.

When to use Certificate Manager

Certificate Manager has the following advantages over directly assigning TLS (SSL) certificates to your load balancer. Certificate Manager lets you do the following:

  • Control the assignment and selection of certificates based on hostnames at a highly granular level that's not available when using Cloud Load Balancing.
  • Manage all of your certificates in a unified way by using the Google Cloud CLI or the Certificate Manager API.
  • Assign more than 15 certificates per target proxy. Certificate Manager supports up to a million certificates per load balancer.
  • Automatically acquire and renew Google-managed certificates within Google Cloud.
  • Use a CA pool from the CA Service as the certificate issuer for Google-managed certificates instead of the Google or Let's Encrypt CAs.
  • Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
  • Use Google-managed certificates for wildcard hostnames—for example, *.example.com.
  • Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
  • Use Cloud Monitoring to monitor certificate propagation and expiration.

Limitations

Certificate Manager has the following limitations:

  • Only certificates from publicly trusted CAs can be Google-managed. In other words, you can only issue Google-managed certificates for publicly accessible domains.
  • Certificate Manager only supports the Google CA and the Let's Encrypt CA for issuing Google-managed certificates.
  • The number of domains (Subject Alternative Names) for Google-managed certificates is limited to a maximum of 100 when using DNS authorization and to a maximum of 5 when using load balancer authorization.
  • The primary domain specified for a Google-managed certificate must have a name shorter than 64 characters. If you need a Google-managed certificate for a domain that exceeds this limit, create a certificate with multiple domains (SANs) and specify the longer domain names after the primary domain.
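As an added example (not Google's code), a small pre-flight check that applies the limits above before a Google-managed certificate is requested: the SAN limits per authorization method and the rule that the primary domain must be shorter than 64 characters come from this page; the normalisation of domain names and the choice of the first short name as primary are this example's own assumptions.

```python
"""Pre-flight check for a Google-managed certificate request (added example).

Encodes the limits stated on this page: at most 100 SANs with DNS
authorization, at most 5 with load balancer authorization, and a primary
domain shorter than 64 characters. Longer names are allowed only as
additional SANs listed after the primary domain.
"""
from dataclasses import dataclass

MAX_SANS = {"dns": 100, "load-balancer": 5}
MAX_PRIMARY_LEN = 63  # "shorter than 64 characters"


@dataclass
class PlannedCertificate:
    authorization: str   # "dns" or "load-balancer"
    domains: list[str]   # primary domain first, then additional SANs


def plan_certificate(domains: list[str], authorization: str) -> PlannedCertificate:
    """Validate and order a domain list so the request fits the limits.

    Returns the domains with a compliant primary domain first; raises
    ValueError with a message naming the limit that would be violated.
    """
    if authorization not in MAX_SANS:
        raise ValueError(f"unknown authorization method: {authorization!r}")
    if not domains:
        raise ValueError("at least one domain is required")
    # Assumption: names are compared case-insensitively, without a trailing
    # dot, and duplicates are dropped while preserving the caller's order.
    unique = list(dict.fromkeys(d.strip().lower().rstrip(".") for d in domains))
    limit = MAX_SANS[authorization]
    if len(unique) > limit:
        raise ValueError(
            f"{len(unique)} domains exceed the {limit}-SAN limit for "
            f"{authorization} authorization; split them across certificates"
        )
    # Pick the first name that is short enough to be the primary domain and
    # push every longer name behind it, as the page recommends.
    short = [d for d in unique if len(d) <= MAX_PRIMARY_LEN]
    if not short:
        raise ValueError("no domain is shorter than 64 characters; none can be primary")
    primary = short[0]
    ordered = [primary] + [d for d in unique if d != primary]
    return PlannedCertificate(authorization=authorization, domains=ordered)
```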
