SSL certificates overview

Transport Layer Security (TLS) is an encryption protocol used in SSL certificates to protect network communications.

Google Cloud uses SSL certificates to provide privacy and security from a client to a load balancer. To achieve this, the load balancer must have an SSL certificate and the certificate's corresponding private key. Communication between the client and the load balancer remains private—illegible to any third party that doesn't have this private key.

Self-managed and Google-managed SSL certificates

You can obtain your own self-managed certificates or you can use Google-managed certificates, which Google obtains and manages for you.

• Self-managed SSL certificates are certificates that you obtain, provision, and renew yourself. This type can be any of:

  • Domain Validation (DV)
  • Organization Validation (OV)
  • Extended Validation (EV) certificates

  For more information, see Public key certificate.

• Google-managed SSL certificates are certificates that Google Cloud obtains and manages for your domains, renewing them automatically. Google-managed certificates are Domain Validation (DV) certificates. They don't demonstrate the identity of an organization or individual associated with the certificate, and they don't support wildcard common names.

The following table summarizes the types of Google Cloud load balancers that require SSL certificates and supported certificate types.

For information about configuring SSL certificates for your load balancers, see the following guides:

• Self-managed certificates
• Google-managed certificates

Multiple SSL certificates

You can configure up to the maximum number of SSL certificates per target HTTPS or target SSL proxy. Use multiple SSL certificates when you are serving from multiple domains using the same load balancer IP address and port, and you want to use a different SSL certificate for each domain.

When you specify more than one SSL certificate, the first certificate in the list of SSL certificates is considered the primary SSL certificate associated with the target proxy.

When a client sends a request, the load balancer uses the SNI hostname specified by the client to select the certificate to use in negotiating the SSL connection.

Whenever possible, the load balancer selects a certificate whose common name (CN) or subject alternative name (SAN) matches the SNI hostname that is specified by the client. RSA and ECDSA are types of digital signatures, and the client software must be able to use them.

When the SNI hostname matches CNs or SANs in more than one certificate, the certificate selection is based on client-specific and internal factors that cannot be predicted. One of the certificates matching the SNI is returned. The load balancer can also serve the expired certificate if the expired certificate is still associated with the target proxy.

If none of the available certificates can be selected, or if the client doesn't specify an SNI hostname, the load balancer negotiates SSL using the primary certificate (the first certificate in the list).

Encryption from the load balancer to the backends

For information about this topic, see Encryption to the backends.

Load balancers, SSL certificates, and target proxies

A Google Cloud SSL certificate resource contains both a private key and the SSL certificate itself.

Target proxies represent the logical connection between a load balancer's frontend and its backend service (for SSL proxy load balancers) or URL map (for HTTPS load balancers).

The following diagram shows how the target proxy and its associated SSL certificates fit into the load balancing architecture.

SSL certificate scope

Google Cloud has two scopes for SSL certificate resources, regional and global.

For the global external HTTP(S) load balancer (classic) and SSL proxy load balancer, global SSL certificate resources are required in both Standard and Premium Tier. This means that in Standard Tier, a regional forwarding rule points to a global target proxy.

Target proxies

SSL certificates are associated with the following types of target proxies:

Pricing

You may incur networking charges when you use Google Cloud load balancers. For more information, see All networking pricing. There are no additional charges for using self-managed and Google-managed SSL certificates.

Limitations

• A limited number of SSL certificates is supported for each target proxy. For more information, see the limit for SSL certificates per target HTTPS or target SSL proxy.

• A limited number of domains is supported for each Google-managed certificate. For more information, see the limit for domains per Google-managed SSL certificate.

• When you use Google-managed certificates with SSL Proxy Load Balancing, the load balancer's forwarding rule must use TCP port 443 for the Google-managed certificate to be renewed automatically.

• Google Cloud load balancers don't support client certificate-based authentication (mutual TLS, mTLS).

• Google-managed SSL certificates don't support using wildcards.

What's next

• To use SSL certificates with Kubernetes Engine, see HTTP(S) Load Balancing with Ingress.
• To learn about the supported key lengths for private keys, see the load balancing quotas page.
• To learn how Google encrypts user traffic, see the Encryption in Transit in Google Cloud white paper.
• To learn how to troubleshoot issues with Google-managed and self-managed certificates, see Troubleshooting SSL certificates.