Certificate Manager overview

Certificate Manager lets you acquire and manage Transport Layer Security (TLS) certificates for use with the following Google Cloud load balancers:

  • Global external Application Load Balancer (target HTTPS proxies)
  • Classic Application Load Balancer (target HTTPS proxies)
  • Regional external Application Load Balancer (target HTTPS proxies) (Preview)
  • Regional internal Application Load Balancer (target HTTPS proxies) (Preview)
  • Cross-region internal Application Load Balancer (target HTTPS proxies) (Preview)
  • External proxy Network Load Balancer (target SSL proxies)

For more information about load balancer types, see Modes of operation.

Certificate Manager also lets you deploy regional self-managed and regional Google-managed certificates on Secure Web Proxy proxies.

To use Certificate Manager, your load balancer needs to be compatible with the corresponding Network Service Tier. For a comprehensive breakdown of load balancer types and their respective network service tier support, see Summary of Google Cloud load balancers.

You can automatically issue and renew Google-managed certificates by using Certificate Manager. If you want to use your own trust chain rather than rely on Google-approved public certificate authorities (CAs) to issue your certificates, you can configure Certificate Manager to use a CA pool from the Certificate Authority Service as the certificate issuer instead.

You can also manually upload the following types of certificates:

  • Certificates issued by third-party CAs of your choice
  • Certificates issued by CAs under your control
  • Self-signed certificates, as described in Create a private key and certificate

Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.

With Certificate Manager, you can deploy up to a million certificates per load balancer. For information about default quotas and how to increase them, see Quotas and limits.

Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to domain names in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than with Cloud Load Balancing.

Certificate Manager can also act as a public CA to provide and deploy widely-trusted X.509 certificates after validating that the certificate requester controls the domains. Certificate Manager lets you directly and programmatically request publicly-trusted TLS certificates that are already in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. For more information, see Public CA.

You have the option to use mutual TLS authentication (mTLS) on your load balancer. For more information, see Mutual TLS authentication in the Cloud Load Balancing documentation.

When to use Certificate Manager

Certificate Manager has the following advantages over directly assigning TLS (SSL) certificates to your load balancer. Certificate Manager lets you do the following:

  • Control the assignment and selection of certificates based on hostnames at a highly granular level that's not available when using Cloud Load Balancing.
  • Manage all of your certificates in a unified way by using the Google Cloud CLI or the Certificate Manager API.
  • Assign more than 15 certificates per target proxy. Certificate Manager supports up to a million certificates per load balancer.
  • Automatically acquire and renew Google-managed certificates within Google Cloud.
  • Use a CA pool from the CA Service as the certificate issuer for Google-managed certificates instead of the Google or Let's Encrypt CAs.
  • Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
  • Use Google-managed certificates with DNS authorization for wildcard domain names—for example, *.myorg.example.com. Google-managed certificates with load balancer authorization don't support wildcard domain names.
  • Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
  • Use Cloud Monitoring to monitor certificate propagation and expiration.

Limitations

Certificate Manager has the following limitations:

  • For issuing publicly trusted Google-managed certificates, Certificate Manager only supports the Google CA and the Let's Encrypt CA.
  • For issuing privately trusted Google-managed certificates, Certificate Manager only supports the Certificate Authority Service.
  • The number of domains (Subject Alternative Names) for Google-managed certificates is limited to a maximum of 100 when using DNS authorization and to a maximum of five when using load balancer authorization.
  • You can associate a maximum of four certificates with a single certificate map entry.
  • For Google-managed certificates, there are limitations on the length of domain names that they can support. For more information about the length limitations of domain names, see Domain name length limitations for Google-managed certificates.
  • Certificates with the ALL_REGIONS scope don't support load balancer authorization.
  • The following limitations apply to trust config resources:
    • A trust config resource can hold a single trust store.
    • A trust store can hold up to 100 trust anchors.
    • A trust store can hold up to 100 intermediate CA certificates.

What's next