Media CDN has first-class support for serving TLS-encrypted (HTTPS) traffic from your own domain name, as well as support for signed requests. Media CDN is served from your own domain (Bring-Your-Own or BYO domain), and does not need to be served from a Google-hosted domain.
- There are no additional charges associated with serving SSL (TLS) traffic or obtaining Google-managed certificates: protecting end-user traffic should not be at a premium.
- Media CDN supports both Google-managed certificates, allowing Google to manage rotation, keys and secure distribution to thousands of edge nodes, as well as self-managed (uploaded) certificates.
- Each Service can support up to 5 SSL certificates.
- Each managed certificate can have up to 100 names (Subject Alternative Names).
We recommend serving your Edge Cache service from dedicated hostnames (subdomains) and using separate managed certificates for your media domains as a good security practice.
Create and issue certificates
To validate, issue, and attach a managed SSL (TLS) certificate to a Media CDN service, see configuring SSL certificates.
Certificate types
Media CDN supports two types of certificates:
- Managed certificates, which Google can provision on your behalf for domain names you own. You do not need secure keys, and certificates are automatically renewed.
- Self-managed certificates, which you upload to Certificate Manager directly. You are responsible for uploading a valid, publicly trusted certificate, as well as replacing the certificate prior to expiry.
Because managed certificates can be authorized and issued prior to directing traffic at Media CDN, you can provision certificates before cutting over your production traffic and avoid downtime.
In some cases, such as where you require key-pinning in mobile applications, or support for legacy devices with outdated trust stores, you might need to use self-managed certificates. You can also use both managed and self-managed certificates on the same service if you have specific domain names (hosts) that require self-managed certificates.
Authorizing certificate issuance
If you want your Google-managed certificates to be ready for use before your
production environment is fully set up, such as before starting a migration from
another vendor to Google Cloud, you can provision them with DNS
authorizations. In this scenario, Certificate Manager uses
DNS-based validation. Each DNS authorization stores information about the DNS
record that you need to set up and covers a single domain plus its wildcard—for
example, myorg.example.com and *.myorg.example.com.
When creating a Google-managed certificate, you can specify one or more DNS authorizations to use for provisioning and renewal of that certificate. If you are using multiple certificates for a single domain, you can specify the same DNS authorization in each of those certificates. Your DNS authorizations must cover all domains specified in the certificate; otherwise, certificate creation and renewals fail.
You can manage certificates for each project separately by using per-project DNS authorization. This means that Certificate Manager can issue and manage certificates for each project independently within Google Cloud. DNS authorizations and certificates that you use within a project are self-contained and don't interact with those in other projects.
Setting up a DNS authorization requires you to add a CNAME record for a
validation sub-domain nested under your target domain to your DNS configuration.
This CNAME record points to a special Google Cloud domain that
Certificate Manager uses to verify domain ownership.
Certificate Manager returns the CNAME record when you create a
DNS authorization for the target domain.
The CNAME record also grants to Certificate Manager the
permissions for provisioning and renewal of certificates for that domain within
the target Google Cloud project. To revoke these permissions, remove the CNAME
record from your DNS configuration.
To enable per-project DNS authorization, select the PER_PROJECT_RECORD during
the DNS authorization creation process. Upon selection, you receive a unique
CNAME record that includes both subdomain and target and that is tailored to
the specific project.
Add the CNAME record to the DNS zone of the relevant domain.
Multiple domains per certificate
Certificates issued by Certificate Manager allow you to specify multiple domain names (hostnames) on the same certificate as Subject Alternative Names.
You can add multiple domains to a certificate by specifying a list of domains when creating a certificate, as well as any matching authorizations required.
Each authorization only covers the exact domain (for example,
video.example.com) and the wildcard (*.example.com). It does not cover any
explicit subdomains. If you want a certificate for eu.video.example.com, for
example, you must set up another DNS authorization for the
eu.video.example.com domain.
The following examples show how to attach an authorization for
video.example.com and eu.video.example.com:
gcloud
Use the gcloud certificate-manager certificates command:
gcloud certificate-manager certificates create video-example-com \
--domains="video.example.com,eu.video.example.com" \
--dns-authorizations="video-example-com-auth,eu-video-example-com-auth" \
--scope=EDGE_CACHE
This creates a certificate with the DNS authorization in theAUTHORIZING
state and the certificate in the PROVISIONING state:
managed: authorizationAttemptInfo: - domain: video.example.com state: AUTHORIZED dnsAuthorizations: - projects/123456/locations/global/dnsAuthorizations/video-example-com-auth - projects/123456/locations/global/dnsAuthorizations/eu-video-example-com-auth domains: - video.example.com state: PROVISIONING scope: EDGE_CACHE subjectAlternativeNames: - video.example.com
Domains can't share a DNS authorization. You must specify multiple domains and authorizations. Certificate Manager determines which domains require which authorizations.
To learn how certificates are issued and activated, see Configure SSL (TLS) certificates.
Certificate renewal
Managed certificates are automatically renewed by Certificate Manager. Renewed certificates are automatically pushed to Google's global edge for each active service you have configured.
EDGE_CACHEcertificates have a short validity period (30 days) to improve security and compliance, compared to the current industry standard of 90 days (with a 60-day renewal interval).- Certificate renewal is typically initiated when the certificate is 10 days from expiring.
- You do not need to take action when a certificate is renewed; the new certificate automatically replaces the existing certificate before the expiration date, with zero impact to your live traffic.
Because the issuance pipeline revalidates domain control before renewal, ensure that you do not delete the DNS records configured for DNS authorization. Deleting the record used to demonstrate DCV (Domain Control Validation) results in the inability to renew your certificates and prevents clients from connecting over HTTPS (TLS) when the certificate expires.
CAA records and roots
To check compatibility with client devices, including older smart TVs, smartphones and streaming boxes, you can find the full set of root CAs that Google uses at pki.goog.
To allow Certificate Manager and Media CDN to
issue certificates for a domain with existing CAA records, add the pki.goog
CAA record:
DOMAIN_NAME. CAA 0 issue "pki.goog"
Domains that do not have existing CAA records do not need to add this record, but we recommend it as a best practice.
Read more about CAA records.
Certificate limits
You can issue up to 1,000 managed certificates and 1,000 DNS authorizations per project. For other related limits and quotas, see the Quotas and limits documentation .
Supported TLS versions
Media CDN supports the following TLS versions:
| TLS Version | Supported | Included Ciphers |
|---|---|---|
| SSL 3.0 | No | N/A (not supported) |
| TLS 1.0 | No | N/A (not supported) |
| TLS 1.1 | No | N/A (not supported) |
| TLS 1.2 | ✔ | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS 1.3 | ✔ | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 |
Additionally:
- Devices that don't support modern versions of TLS (such as TLS 1.3) automatically negotiate a supported TLS version.
- TLS 1.2 is the minimum supported TLS version for Media CDN.
- Media CDN does not support attaching SSL policies to a service.
Troubleshoot certificate issuance
If you face any errors with certificate issuance, see how to troubleshoot certificate issuance issues.
What's next
- Read Configure SSL certificates.
- Understand client connectivity and protocol support.
- Review how SSL (TLS) connections are made to your origins.