SSL certificates overview

The Transport Layer Security (TLS) protocol provides privacy and security for data in transit over a network, such as the internet, from a client to a server or from a client to a load balancer. To achieve this, the server or load balancer must be configured with a certificate and the certificate's corresponding private key.

When TLS secures a connection between a client and a load balancer, communication between the client and the load balancer remains private—illegible by a third party unless the third party also has the private key.

This document discusses SSL certificates for three Google Cloud load balancers:

  • External HTTPS Load Balancing
  • Internal HTTPS Load Balancing
  • SSL Proxy Load Balancing

Load balancers, SSL certificates, and target proxies

Load balancers use TLS/SSL certificates to secure communications and to authenticate servers to clients.

A Google Cloud SSL certificate resource contains both a private key and the SSL certificate itself, and is associated with the load balancer's target HTTPS proxy or target SSL proxy.

Target proxies represent the logical connection between a load balancer's frontend and its backend service (for SSL proxy load balancers) or URL map (for HTTPS load balancers).

The following diagram shows how the target proxy and its associated SSL certificates fit into the load balancing architecture.

Figure: Target proxy, SSL certificate, and other load balancer components

Load balancers

The following table summarizes the types of Google Cloud load balancers that require SSL certificates.

Load balancer type              Protocol from the client to the load balancer
Internal HTTPS load balancers   HTTPS or HTTP/2
External HTTPS load balancers   HTTPS or HTTP/2
SSL proxy load balancers        SSL (TLS)

SSL certificate scope

Google Cloud has two scopes for SSL certificate resources: regional and global.

Load balancer type              Scope of SSL certificate resource   gcloud reference                           API reference
Internal HTTPS load balancers   Regional                            gcloud compute ssl-certificates --region   regionSslCertificates
External HTTPS load balancers   Global                              gcloud compute ssl-certificates --global   sslCertificates
SSL proxy load balancers        Global                              gcloud compute ssl-certificates --global   sslCertificates

Target proxies

SSL certificates are associated with the following types of target proxies:

Load balancer type              Type of target proxy   gcloud reference                                API reference
Internal HTTPS load balancers   Regional               gcloud compute target-https-proxies --region    regionTargetHttpsProxies
External HTTPS load balancers   Global                 gcloud compute target-https-proxies --global    targetHttpsProxies
SSL proxy load balancers        Global                 gcloud compute target-ssl-proxies --global      targetSslProxies

Self-managed and Google-managed SSL certificates

You can obtain your own self-managed certificates, or you can use certificates that Google obtains and manages for you (Google-managed certificates).

For external HTTP(S) load balancers and SSL proxy load balancers, a single target proxy can reference Google-managed certificates, self-managed certificates, or a combination of both types, in any order. Internal HTTP(S) load balancers require self-managed certificates.

  • Self-managed SSL certificates are certificates that you obtain, provision, and renew yourself. This type can be any of:

    • Domain Validation (DV)
    • Organization Validation (OV)
    • Extended Validation (EV) certificates

    For more information, see Public key certificate.

  • Google-managed SSL certificates are certificates that Google Cloud obtains and manages for your domains, renewing them automatically. Google-managed certificates are Domain Validation (DV) certificates. They don't demonstrate the identity of an organization or individual associated with the certificate, and they don't support wildcard common names.

Multiple SSL certificates

You can configure the target proxy with up to the maximum number of SSL certificates per target HTTPS or target SSL proxy. Use multiple SSL certificates when you are serving from multiple domains using the same load balancer IP address and port, and you want to use a different SSL certificate for each domain.

When you specify more than one SSL certificate, the first certificate in the list of SSL certificates is considered the primary SSL certificate associated with the target proxy.

When a client sends a request, the load balancer uses the SNI hostname specified by the client to select the certificate to use in negotiating the SSL connection.

Whenever possible, the load balancer selects a certificate whose common name (CN) or subject alternative name (SAN) matches the SNI hostname that is specified by the client. The client software must be able to use RSA or ECDSA for digital signatures.

If none of the available certificates can be selected, or if the client doesn't specify an SNI hostname, the load balancer negotiates SSL using the primary certificate (the first certificate in the list).

Figure: Multiple SSL certificates
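The selection rule described above, as an added illustration that is not Google Cloud's own code: a model of how a target proxy holding several SSL certificates picks one per TLS handshake from the client's SNI hostname, falling back to the primary (first-listed) certificate when SNI is absent or nothing matches. The certificate names and hostnames are constructed, and tie-breaking by list order plus RFC 6125 wildcard matching are assumptions about behaviour the page does not spell out.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SslCertificate:
    name: str                        # resource name (constructed sample value)
    common_name: str
    sans: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.common_name, *self.sans]


def name_matches(cert_name: str, sni_host: str) -> bool:
    """Case-insensitive hostname match: exact, or RFC 6125 single-label wildcard
    ('*.example.net' covers 'api.example.net', not 'example.net' or 'a.b.example.net')."""
    cert_name = cert_name.lower().rstrip(".")
    sni_host = sni_host.lower().rstrip(".")
    if cert_name == sni_host:
        return True
    if cert_name.startswith("*."):           # only self-managed certs can carry wildcards
        suffix = cert_name[1:]               # ".example.net"
        return sni_host.endswith(suffix) and "." not in sni_host[:-len(suffix)]
    return False


def select_certificate(certs: List[SslCertificate],
                       sni_host: Optional[str]) -> SslCertificate:
    """Pick the certificate presented in one TLS handshake. certs[0] is the
    primary: used when the client sends no SNI or nothing covers the SNI host.
    Otherwise the first match in list order wins (tie-break is an assumption)."""
    if not certs:
        raise ValueError("a target proxy needs at least one SSL certificate")
    primary = certs[0]
    if not sni_host:
        return primary
    for cert in certs:
        if any(name_matches(n, sni_host) for n in cert.names()):
            return cert
    return primary


# Constructed sample: three certificates on one target HTTPS proxy (same IP and port).
PROXY_CERTS = [
    SslCertificate("cert-shop", "shop.example.com", ["www.shop.example.com"]),
    SslCertificate("cert-blog", "blog.example.com"),
    SslCertificate("cert-wild", "*.example.net"),
]
```

Note that a client reaching a domain not covered by any CN or SAN silently receives the primary certificate, so the order in which certificates are attached to the proxy determines what such clients see.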

Encryption from the load balancer to the backends

If you require an auditable, encrypted connection from the load balancer to the backend VMs or endpoints:

  • Configure your load balancer's backend service(s) to use the SSL (TLS), HTTPS, or HTTP2 protocols.
  • Configure software running on backend VMs or endpoints such that it serves traffic using the same protocol as the backend service.
  • Install SSL certificates on your backend VMs or endpoints. These certificates do not have to match the load balancer's SSL certificate.

Limitations

  • A limited number of SSL certificates is supported for each target proxy. For more information, see the limit for SSL certificates per target HTTPS or target SSL proxy.

  • A limited number of domains is supported for each Google-managed certificate. For more information, see the limit for domains per Google-managed SSL certificate.

  • When you use Google-managed certificates with SSL Proxy Load Balancing, the load balancer's forwarding rule must use TCP port 443 for the Google-managed certificate to be renewed automatically.

  • Google Cloud load balancers don't support client certificate-based authentication (mutual TLS, mTLS).

  • Google-managed SSL certificates don't support using wildcards.
