Stay organized with collections
Save and categorize content based on your preferences.
Certificate Manager uses a flexible mapping mechanism that provides you
with granular control over which certificates you can assign and how to serve
them for each domain name in your environment.
The following diagram shows the relationships between
Certificate Manager components for a typical target proxy specified in
a load balancer forwarding rule:
Certificate Manager entities (click to enlarge).
To learn more about the components of Certificate Manager, see Core
components.
Certificate selection logic
At a high level, the load balancer selects a certificate as follows:
A client initiates a handshake, which is a connection request to the
service behind the load balancer.
During the handshake, the client provides the load balancer a list of
cryptographic algorithms that the client uses to complete the
handshake, and, optionally, the hostname it is trying to reach. This
hostname is also called Server Name Indication (SNI).
On receiving the request, the load balancer selects a certificate to
complete the secure handshake.
Exact hostname match: if the client's provided hostname exactly
matches a hostname entry in the provisioned certificate map, the load
balancer selects the corresponding certificate.
Wildcard hostname match: if the client's hostname doesn't match any
one of the hostname entries in the provisioned certificate map, but
does match a wildcard hostname in a certificate map entry, the load
balancer selects the corresponding certificate.
For example, a wildcard entry configured as *.myorg.example.com covers
first-level subdomains in the myorg.example.com domain. The wildcard
entry doesn't cover deeper level subdomains, such as
sub.subdomain.myorg.example.com.
No exact or wildcard hostname match: if the client's hostname
doesn't match any one of the hostname entries in the provisioned
certificate map, the load balancer selects the primary certificate map
entry.
Handshake failure: if the client didn't provide a hostname and the
primary certificate map entry isn't configured, the handshake fails.
Certificate priority
When selecting a certificate, the load balancer prioritizes them based on the
following factors:
Certificate type. If the client supports the ECDSA certificates, the
load balancer prioritizes them over RSA certificates. If the client doesn't
support ECDSA certificates, the load balancer serves an RSA
certificate instead.
Certificate size. Because smaller certificates take less bandwidth, the
load balancer prioritizes smaller certificates over larger ones.
Wildcard domain names
The following rules apply to wildcard domain names:
Only Google-managed certificates with DNS authorization and Google-managed
certificates with CA Service support wildcard domain names.
Google-managed certificates with load balancer authorization don't support
wildcard domain names.
An exact match takes precedence over a wildcard when both are defined in the
entry. For example, if you configured certificate map entries for
www.myorg.example.com and *.myorg.example.com, a connection request
against www.myorg.example.com always selects the entry for
www.myorg.example.com even if an entry for *.myorg.example.comalso
exists.
Wildcard domain names only match the first level of subdomains. For example,
a connection request for host1.myorg.example.com selects a certificate map
entry for *.myorg.example.com but not one for
host1.hosts.myorg.example.com.
Certificate renewal
Google-managed certificates are renewed automatically. You must renew
self-managed certificates manually. If necessary, you can configure
Cloud Logging alerts for certificates before they expire. For more
information, see Configure log
alerts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eCertificate Manager provides granular control over certificate assignment and serving for each domain name.\u003c/p\u003e\n"],["\u003cp\u003eThe load balancer selects certificates based on exact hostname match, wildcard hostname match, or the primary certificate map entry if no matches are found.\u003c/p\u003e\n"],["\u003cp\u003eThe load balancer prioritizes certificates based on type (ECDSA over RSA) and size (smaller certificates are preferred).\u003c/p\u003e\n"],["\u003cp\u003eWildcard domain names in Google-managed certificates with DNS or CA Service authorization only match the first level of subdomains, and exact matches take precedence over wildcards.\u003c/p\u003e\n"],["\u003cp\u003eGoogle-managed certificates are renewed automatically, while self-managed certificates require manual renewal.\u003c/p\u003e\n"]]],[],null,["# How Certificate Manager works\n\nCertificate Manager uses a flexible mapping mechanism that provides you\nwith granular control over which certificates you can assign and how to serve\nthem for each domain name in your environment.\n\nThe following diagram shows the relationships between\nCertificate Manager components for a typical target proxy specified in\na load balancer forwarding rule:\n[](/static/certificate-manager/images/cm-entities.svg) Certificate Manager entities (click to enlarge).\n\nTo learn more about the components of Certificate Manager, see [Core\ncomponents](/certificate-manager/docs/how-it-works).\n\nCertificate selection logic\n---------------------------\n\nAt a high level, the load balancer selects a certificate as follows:\n\n1. A client initiates a handshake, which is a connection request to the\n service behind the load balancer.\n\n During the handshake, the client provides the load balancer a list of\n cryptographic algorithms that the client uses to complete the\n handshake, and, optionally, the hostname it is trying to reach. This\n hostname is also called Server Name Indication (SNI).\n2. On receiving the request, the load balancer selects a certificate to\n complete the secure handshake.\n\n - **Exact hostname match**: if the client's provided hostname exactly\n matches a hostname entry in the provisioned certificate map, the load\n balancer selects the corresponding certificate.\n\n - **Wildcard hostname match**: if the client's hostname doesn't match any\n one of the hostname entries in the provisioned certificate map, but\n does match a wildcard hostname in a certificate map entry, the load\n balancer selects the corresponding certificate.\n\n For example, a wildcard entry configured as `*.myorg.example.com` covers\n first-level subdomains in the `myorg.example.com` domain. The wildcard\n entry doesn't cover deeper level subdomains, such as\n `sub.subdomain.myorg.example.com`.\n - **No exact or wildcard hostname match**: if the client's hostname\n doesn't match any one of the hostname entries in the provisioned\n certificate map, the load balancer selects the primary certificate map\n entry.\n\n - **Handshake failure**: if the client didn't provide a hostname and the\n primary certificate map entry isn't configured, the handshake fails.\n\n| **Note:** A Google-managed certificate must complete provisioning before the load balancer can serve the certificate.\n\n### Certificate priority\n\nWhen selecting a certificate, the load balancer prioritizes them based on the\nfollowing factors:\n\n- **Certificate type**. If the client supports the ECDSA certificates, the load balancer prioritizes them over RSA certificates. If the client doesn't support ECDSA certificates, the load balancer serves an RSA certificate instead.\n- **Certificate size**. Because smaller certificates take less bandwidth, the load balancer prioritizes smaller certificates over larger ones.\n\n### Wildcard domain names\n\nThe following rules apply to wildcard domain names:\n\n- Only Google-managed certificates with DNS authorization and Google-managed certificates with CA Service support wildcard domain names. Google-managed certificates with load balancer authorization don't support wildcard domain names.\n- An exact match takes precedence over a wildcard when both are defined in the entry. For example, if you configured certificate map entries for `www.myorg.example.com` and `*.myorg.example.com`, a connection request against `www.myorg.example.com` always selects the entry for `www.myorg.example.com` even if an entry for `*.myorg.example.com`also exists.\n- Wildcard domain names only match the first level of subdomains. For example, a connection request for `host1.myorg.example.com` selects a certificate map entry for `*.myorg.example.com` but not one for `host1.hosts.myorg.example.com`.\n\nCertificate renewal\n-------------------\n\nGoogle-managed certificates are renewed automatically. You must renew\nself-managed certificates manually. If necessary, you can configure\nCloud Logging alerts for certificates before they expire. For more\ninformation, see [Configure log\nalerts](/certificate-manager/docs/logs-metrics#configure_log_alerts).\n\nWhat's next\n-----------\n\n- [Domain authorization types for Google-managed certificates](/certificate-manager/docs/domain-authorization)"]]
