Certificate Manager overview

Stay organized with collections Save and categorize content based on your preferences.

Certificate Manager lets you acquire and manage Transport Layer Security (TLS) (SSL) certificates for use with the following load balancer types in Google Cloud:

  • External HTTP(S) load balancer (Classic) supports target HTTPS proxies and target SSL proxies.
  • Global external HTTP(S) load balancer only supports target HTTPS proxies.

For more information on load balancer types, see Modes of operation.

To use Certificate Manager your load balancer must be on the Premium Network Service Tier. See Network Service Tiers for more information.

You can automatically issue and renew Google-managed certificates using Certificate Manager. You can also upload the following types of certificates:

  • Certificates generated by third-party certificate authorities (CAs) of your choice
  • Certificates generated by certificate authorities under your control
  • Self-signed certificates, as described in Create a private key and certificate

Certificate Manager securely stores and deploys certificates to your selected proxies, letting you provision certificates in advance and help ensure zero downtime during migrations.

With Certificate Manager, you can deploy up to a million certificates per load balancer. See the Quotas and limits page for information on default quotas and how to increase them.

Certificate Manager's flexible mapping mechanism lets you finely control the assignment of certificates to hostnames in your Google Cloud environment at scale. You can manage and serve larger numbers of certificates than with Cloud Load Balancing.

Certificate Manager can also act as a public Certificate Authority (CA) to provide and deploy widely-trusted X.509 certificates after validating that the certificate requester controls the domains. Certificate Manager lets you directly and programmatically request publicly-trusted TLS certificates that are already in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic. See Certificate Manager Public CA for more information.

When to use Certificate Manager

For simple use cases that meet the following criteria, you can directly assign TLS (SSL) certificates to your load balancers using Cloud Load Balancing instead of Certificate Manager:

  • You require 15 or fewer certificates per load balancer.
  • Your migration from a third-party solution can incur downtime.
  • You do not use wildcard domains.

For instructions, see SSL certificates overview in the Cloud Load Balancing documentation.

For more complex use cases, you can take advantage of Certificate Manager to do the following:

  • Control the assignment and selection of certificates based on hostnames at a highly granular level that's not available when using Cloud Load Balancing.
  • Manage all of your certificates in a unified way using the gcloud tool or through the Certificate Manager API.
  • Manage certificates beyond the Cloud Load Balancing's limit of 15 certificates per load balancer. Certificate Manager supports up to a million certificates per load balancer.
  • Automatically acquire and renew Google-managed certificates within Google Cloud.
  • Use DNS-based domain ownership verification for Google-managed certificates in addition to the load balancer-based method supported by Cloud Load Balancing.
  • Use Google-managed certificates for wildcard hostnames—for example, *.example.com.
  • Provision Google-managed certificates in advance, enabling zero-downtime migration from another vendor to Google Cloud.
  • Use Cloud Monitoring to monitor certificate propagation and expiration.


Certificate Manager has the following limitations:

  • Certificate Manager supports the following load balancer types in Google Cloud:

    • External HTTP(S) load balancer (Classic) with target HTTPS proxies and target SSL proxies.
    • Global external HTTP(S) load balancer (Preview) with target HTTPS proxies.

    Certificate Manager does not support any other types of load balancers.

  • Only certificates from publicly trusted CAs can be Google-managed. In other words, you can only issue Google-managed certificates for publicly accessible domains.

  • Certificate Manager only supports the Google CA and the Let's Encrypt CA for issuing Google-managed certificates.

  • The number of domains (Subject Alternative Names) for Google-managed certificates is limited to a maximum of 100 when using DNS authorization and to a maximum of 5 when using load balancer authorization.

  • The primary domain specified for a Google-managed certificate must have a name shorter than 64 characters. If you need a Google-managed certificate for a domain that exceeds this limit, create a certificate with multiple domains (SANs) and specify the longer domain names after the primary domain.

What's next