Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Table of contents
Introduction to Certificate Manager
How Certificate Manager works 
Deployment overview
Managing Certificates 
Google-managed certificates
Self-managed certificates 
Certificate maps
Certificate map entries
Domain authorizations
SSL certificates overview 
Self-managed and Google-managed SSL certificates
External HTTP(S) Load Balancing overview 
Modes of operation
Limitations of Certificate Manager
Frequently Asked Questions
What use do SSL/TLS certificates serve?
What does an external load balancer do?
What does Google use SSL or TLS?
Are Google Managed Certificates Free?
For what does SSL stand?
Last Updated: Mar 27, 2024

Certificate Manager

Master Python: Predicting weather forecasts
Ashwin Goyal
Product Manager @

Introduction to Certificate Manager

Certificate Manager securely stores and deploys certificates to your chosen proxies, letting you provision certificates in advance and help ensure zero downtime during migrations.

Certificate Manager

You can acquire and manage Transport Layer Security (TLS) (SSL) certificates through Certificate Manager for use with the following  load balancers in the Google Cloud:

  • Target HTTPS proxies and target SSL proxies are supported by the external HTTP(S) load balancer (Classic).
  • Only target HTTPS proxies are supported by the global external HTTP(S) load balancer.

How Certificate Manager works 

When a certificate is issued, the certificate authority (CA) publishes information about the associated domain to Certificate Transparency logs, which are accessible to all. This is a part of the standard certificate issuance procedure used by all publicly trusted CAs, and it applies for both self-managed and Google-managed certificates.

How Certificate Manager works

For each hostname in your environment, Certificate Manager offers a flexible mapping mechanism that gives you good control over the certificates you can assign and the way they are served. The following entities are included in the mechanism:

  • Certificates
  • Certificate maps
  • Certificate map entries
  • Domain authorizations

Now let’s look into the overview of deploying a certificate.

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Deployment overview

Deployment overview

You must complete the following steps to deploy a certificate:

  1. Optional:Configure a DNS authorization for this certificate if you want to use a Google-managed certificate with it.
  2. Upload a self-managed certificate or Create a Google-managed certificate.
  3. Make a certificate map configuration.
  4. Verify that the certificate is active and that the corresponding certificate map entry is as well. When you finish the following step and the certificate has completed provisioning, the certificate becomes active if you are using a Google-managed certificate with load balancer authorization.
  5. In the load balancer configuration, affix the certificate map to the desired target proxy.


Managing Certificates 

The following certificate types are supported by Certificate Manager:

Google-managed certificates

For this type of Certification, Google Cloud will obtain and manage these certificates for you.

Your Google-managed TLS (SSL) certificates can be issued and renewed with the help of Certificate Manager. Either load balancer-based authorization or DNS-based authorization can be used to verify relevant domain ownership. Google-managed RSA certificates are supported by Certificate Manager.

Google-managed certificates

The Google CA by default is the issuer of certificates managed by Google. Certificate Manager switches to the Let's Encrypt CA if you are unable to get a certificate from the Google CA for a particular domain. For instance, your CA Authorization record may explicitly prohibit the Google CA from issuing certificates for that domain, or the Google CA may decline to issue a certificate for the domain.

 Let us now understand what are the objectives of google-managed certificate-

  • Using Certificate Manager, create a Google-managed certificate with load balancer authorization.
  • Utilising a target HTTPS proxy, deploy the certificate to a classical external HTTP(S) load balancer.

Self-managed certificates 

These certifications are ones that you obtain, provision, and renew by yourself.

If your business's requirements prevent you from using Google-managed certificates, you can upload certificates issued from external CAs together with the keys associated with them. Self-managed certificates must be manually issued and renewed by you.

 Let us now  understand the main goal of a self-managed certificate

  • To Certificate Manager, upload a self-managed certificate.
  • Utilising a target HTTPS proxy, deploy the certificate to a classic external HTTP(S) load balancer.

Certificate maps

A certificate map refers to one or more entries in a certificate map that pair specific certificates with specific hostnames. Additionally, certificate map entries specify the selection logic that the load balancers use to establish client connections. A certificate map can be associated with multiple target proxies and used with multiple load balancers.

The load balancer serves the certificates mapped to a hostname when a client requests a hostname that is specified in a certificate map. If not, the primary certificate is served by the load balancer. See Certificate selection logic for more information.

Certificate map entries

The certificates that have been served for a specific hostname are listed in a certificate map entry. Different sets of certificates can be defined for different hostnames, such as domains or subdomains. You could upload both an RSA and an ECDSA certificate and map them to the same hostname, for example. The load balancer negotiates which kind of certificate to serve the client during the handshake when a client connects to that hostname.

Domain authorizations

As shown in the following table, Certificate Manager enables you to prove ownership of domains for which you want to issue Google-managed certificates:


Load balancer authorization

DNS authorization

Setup complexity It doesn't require additional configuration steps or changes in your DNS configuration. It requires you to create a DNS authorization and then add its corresponding CNAME and record to your DNS configuration.
Network security On port 443, the load balancer must be completely accessible from the Internet, including the DNS configurations for each domain that the certificate serves. Not applicable to other configurations. works with high complex configurations that include CDN layers in front of the target proxy and ports other than 443.
Provisioning speed Only once the load balancer has been fully set up and is serving network traffic can certificates be provisioned. Before the target proxy is ready to serve network traffic, certificates can be provisioned in advance.

See Domain authorizations for Google-managed certificates to understand how Certificate Manager verifies domain ownership using each method.Now let's take an overview of SSL certificates.

SSL certificates overview 

SSL certificates use the encryption protocol known as Transport Layer Security (TLS) to protect network communications.

SSL certificates overview

To provide privacy and security from a client to a load balancer, Google Cloud uses SSL certificates. The load balancer has to have an SSL certificate and the corresponding private key in order to accomplish this. Any third party without access to this private key cannot have the communications between the client and the load balancer, which remain private.

Self-managed and Google-managed SSL certificates

You can either use Google-managed certificates, which Google obtains and manages for you, or you can obtain your own self-managed certificates.

  • Self-managed SSL certificates are those that you obtain, provision, and renew on your own. These include the following:
    • Domain Validation (DV)
    • Organisation Validation (OV)
    • Extended Validation (EV) certificates
  • See Public key certificate for more information.
  • Google Cloud obtains and manages Google-managed SSL certificates for your domains, renewing them on itself. Domain Validation (DV) certificates are the Google managed certificates. They don't support wildcard common names and they don't demonstrate the identification of an organisation or individual associated with the certificate.

External HTTP(S) Load Balancing overview 

The concepts you need to understand in order to configure Google Cloud external HTTP(S) Load Balancing are introduced in this document.

External HTTP(S) Load Balancing overview

With the help of the proxy-based Layer 7 load balancer known as External HTTP(S) Load Balancing, you can run and scale your services behind a single external IP address. External HTTP(S) Load Balancing distributes HTTP and HTTPS traffic to external backends connected over the internet or via hybrid connectivity, as well as external backends hosted on a variety of Google Cloud platforms (such as Compute Engine, Google Kubernetes Engine (GKE), Cloud Storage, and so forth). For details, see Use cases.

Modes of operation

The following modes are available for configuring external HTTP(S) load balancing::

  • Global external HTTP(S) load balancer. This is a global load balancer thatGoogle Front Ends (GFEs) has implemented as a managed service. It supports advanced traffic management features including traffic mirroring, weight-based traffic splitting, request/response-based header transformations, and more using the open-source Envoy proxy.
  • Global external HTTP(S) load balancer (classic). This is the classical external HTTP(S) load balancer, which can be set up to be regional in Standard Tier but is global in Premium Tier. Implementing this load balancer on Google Front Ends (GFEs). Using Google's global network and control plane, GFEs are distributed all across the world and operate together.
  • Regional external HTTP(S) load balancer.  On the open-source Envoy proxy, this regional load balancer is implemented as a managed service. It has advanced traffic management features like request/response-based header transformations, traffic mirroring, weight-based traffic splitting, and more.

Limitations of Certificate Manager

Limitations of Certificate Manager

Following are the limitations of Certificate Manager:

  • The following load balancer types are supported by Certificate Manager in Google Cloud:
    • With target HTTPS proxies and target SSL proxies, an external HTTP(S) load balancer (classic) is used.
    • Target HTTPS proxies are included in a global external HTTP(S) load balancer (preview).
  • There are no other load balancer types that Certificate Manager supports.
  • Google can only manage certificates that come from publicly trustworthy CAs. In other words, only publicly accessible domains are eligible for Google-managed certificates.
  • For issuing Google-managed certificates, Certificate Manager only supports the Google CA and the Let's Encrypt CA.
  • When using DNS authorisation, the number of domains (Subject Alternative Names) for Google-managed certificates is limited at 100, and when using load balancer authorization, it is restricted at 5.
  • A Google-managed certificate must specify a primary domain with a name no longer than 64 characters. Create a certificate with multiple domains (SANs) and specify the longer domain names after the primary domain if you require a Google-managed certificate for a domain that is longer than this limitation.

Frequently Asked Questions

What use do SSL/TLS certificates serve?

When websites use the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol, SSL/TLS certificates enable web browsers to identify and establish encrypted network connections to those websites.

What does an external load balancer do?

To route external HTTP traffic into the cluster the external load balancer is used. For internal service discovery and load balancing within the cluster, the internal load balancer is used.

What does Google use SSL or TLS?

Email that is being transmitted over internet connections is protected from unauthorised access by TLS. Previously using Secure Sockets Layer (SSL) to encrypt email, Google Workspace now uses Transport Layer Security (TLS).

Are Google Managed Certificates Free?

Use of self-managed and Google-managed SSL certificates is free of additional charges.

For what does SSL stand?

Secure Sockets Layer is referred to as SSL. Data sent over the Internet can be authenticated, encrypted, and decrypted using a protocol for web browsers and servers.


In this article, we have discussed the Certificate Manager along with its management, mapping, working and limitations. We have also covered the Domain authorizations, SSL certificates overview  and External HTTP(S) Load Balancing overview.

Find out more by checking out more blogs on this topic, please follow these blogs especially curated for readers like you- Cloud Computing, Cloud Computing Technologies, Cloud Server, and Cloud Computing Infrastructure.

Thank you coding ninjas

Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, JavaScript, System Design, etc. Enrol in our courses and refer to the mock test and problems available, Take a look at the interview experiences and interview bundle for placement preparations.

Do upvote our blog to help other ninjas grow.

Happy Learning!

Previous article
Binary Authorization
Next article
Cloud Asset Inventory
Live masterclass