Certificate Manager simplifies the acquisition, deployment, and
management of Transport Layer Security (TLS) certificates.
Certificate Manager supports deployment of global and regional
certificates on Google Cloud load balancers, regional certificates on
Secure Web Proxy proxies, and global certificates
on Media CDN.
Supported load balancers
Google Cloud load balancers that refer to a target HTTPS proxy or a target
SSL proxy (TargetSslProxy) use TLS certificates to encrypt information sent
over the network.
To use Certificate Manager, your load balancer must be compatible
with the corresponding Network Service Tier. For
a comprehensive breakdown of load balancer types and their respective network
service tier support, see Summary of Google Cloud load
balancers.
Certificate Manager supports the following load balancer
resources:
- Target HTTPS proxies used by Application Load Balancers:
  - Global external Application Load Balancer
  - Classic Application Load Balancer
  - Regional external Application Load Balancer
  - Regional internal Application Load Balancer
  - Cross-region internal Application Load Balancer
- Target SSL proxies used by proxy Network Load Balancers:
  - Global external proxy Network Load Balancer
  - Classic proxy Network Load Balancer
For more information about the differences between target HTTPS and target SSL
proxy types, see Target proxies.
Supported TLS certificates
Certificate Manager supports the following types of TLS
certificates:
- Google-managed certificates: certificates that Google Cloud
  obtains and manages for you. Using Certificate Manager, you
  can automatically issue and renew Google-managed certificates. If you want
  to use your own trust chain rather than rely on public
  certificate authorities (CAs) to issue your certificates, you can configure
  Certificate Manager to use a CA pool from the
  Certificate Authority Service as the certificate issuer instead.
- Self-managed certificates: certificates that you obtain, provision, and
  renew yourself. You manually upload the certificates to
  Certificate Manager and manage them. You can use certificates
  issued by third-party CAs, or CAs you trust, or your own self-signed
  certificates.
For more information about the supported certificates, see
Certificates.
Benefits
Certificate Manager offers the following benefits:
Automation
- Automatically issue, renew, and manage Google-managed certificates.
- Provision Google-managed certificates in advance to enable seamless,
  zero-downtime migrations to Google Cloud.

Security
- Securely store and deploy millions of certificates.
- Secure your configurations with Google-managed certificates,
  eliminating the need to manage certificate private keys.
- Implement mutual TLS (mTLS) authentication on your load balancer for
  enhanced security. For more information, see Mutual TLS
  overview in the Cloud Load Balancing documentation.

Flexibility
- Verify ownership of domains using either DNS-based or load
  balancer-based authorization methods.
- Choose between Google-managed certificates (automatically handled by
  Google) or self-managed certificates (obtained and managed
  independently).
- Use the ACME protocol to get publicly trusted certificates for endpoints
  you manage from the Public Certificate Authority. For more information, see
  Public CA.
- Manage all certificates in a unified manner using the Google Cloud console,
  Google Cloud CLI, or the Certificate Manager API.
- Control certificate assignment and selection based on domain names. This
  lets you manage and serve larger numbers of certificates than with
  Compute Engine SSL certificates.
- Control the assignment and selection of certificates based on hostnames
  at a granular level.
Limitations
Certificate Manager has the following limitations:
- Certificate Manager only supports the Public Certificate Authority and
  the Let's Encrypt CA for issuing publicly trusted Google-managed
  certificates.
- Certificate Manager only supports Certificate Authority Service for
  issuing privately trusted Google-managed certificates.
- The number of domains allowed in the Subject Alternative Names (SANs) field
  for Google-managed certificates is limited to a maximum of 100 when using
  DNS authorization and to a maximum of five when using load balancer
  authorization.
- Certificates with the ALL_REGIONS scope don't support load balancer
  authorization.
- When using either a global external Application Load Balancer or an SSL-based
  global external proxy Network Load Balancer, you might experience higher TLS
  handshake latencies in some locations with Certificate Manager compared with
  using Compute Engine SSL certificates.
- Google-managed certificates have limitations on the length of supported
  domain names. For more information, see Domain name length limitations for
  Google-managed certificates.

Last updated 2025-09-04 UTC.