Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of how to use Certificate Manager to
provision Google-managed and self-managed certificates for
Application Load Balancers and proxy Network Load Balancers.
Before reading this page, ensure that you're familiar with the SSL certificates
overview in the Cloud Load Balancing
documentation.
Certificate Manager configuration methods
Certificate Manager offers two certificate configuration methods
for Application Load Balancers using target HTTPS proxies and proxy Network Load Balancers
using target SSL proxies. These are two of three possible certificate
configuration methods for Cloud Load Balancing. For more information about
Certificate Manager and Cloud Load Balancing, see
Certificate configuration
methods in the load
balancing documentation.
Load balancer's target proxy references a Certificate Manager
certificate map: the load balancer's target proxy references a single
certificate map. The certificate map
supports thousands of entries by default, and can scale to millions of
entries. This method is used by external Application Load Balancers and external proxy Network Load Balancers that
are powered by Google Front Ends (GFEs):
Global external Application Load Balancers
Classic Application Load Balancers
Global external proxy Network Load Balancers
Classic proxy Network Load Balancers
Load balancer's target proxy references Certificate Manager
certificates directly: the load balancer's target proxy can reference up to
100 Certificate Manager
certificates. This method is used by
the following Application Load Balancers that are powered by managed
open-source Envoy proxy software:
Regional external Application Load Balancers
Regional internal Application Load Balancers
Cross-region internal Application Load Balancers
Certificate Manager also supports the following products, which
reference Certificate Manager certificates as part of their
configuration:
Secure Web Proxy gateway references Certificate Manager
certificates: before you can configure a Secure Web Proxy gateway, you
create one or more Certificate Manager certificates for the
gateway to use. For more information, see Deploy an SSL
certificate
and Deploy a Secure Web Proxy
instance.
Media CDN edge cache service references
Certificate Manager certificates: a Media CDN
edge cache service supports up to five Certificate Manager
certificates. For more information, see SSL (TLS)
Certificates and Configure SSL (TLS)
certificates.
Certificate types
Certificate Manager supports both Google-managed and
self-managed certificates. All Application Load Balancers using target HTTPS
proxies and all proxy Network Load Balancers that support target SSL proxies can use
either Google-managed or self-managed Certificate Manager
certificates.
Google-managed Certificate Manager certificates:
certificates that Google Cloud obtains and manages for you. Depending
on the load balancer and its Certificate Manager configuration
method, Google-managed Certificate Manager certificates can be
provisioned by using load balancer authorization, DNS authorization, or by
using Certificate Authority Service (CA Service).
Self-managed Certificate Manager certificates:
certificates that you obtain, provision, and renew yourself.
Product support
The following table summarizes the support for Google-managed and self-managed
Certificate Manager certificates by product.
Product
Google-managed certificates
Self-managed certificates
Load balancer authorization
DNS authorization
Certificate Authority Service (CA Service)
Global external Application Load Balancers and proxy Network Load Balancers
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page details how to deploy certificates using Certificate Manager, which supports both Google-managed and self-managed certificates.\u003c/p\u003e\n"],["\u003cp\u003eGoogle-managed certificates can be configured with DNS authorization, load balancer authorization, or through the Certificate Authority Service (CA Service), and can be global or regional.\u003c/p\u003e\n"],["\u003cp\u003eDeployment methods vary based on the load balancer type, such as global external, classic, or cross-region internal, with different steps for Google-managed and self-managed certificates.\u003c/p\u003e\n"],["\u003cp\u003eTo deploy a certificate to a global external Application Load Balancer, classic Application Load Balancer, or a global external proxy Network Load Balancer you can either deploy a Google-managed certificate, or deploy a self-managed certificate.\u003c/p\u003e\n"],["\u003cp\u003eIf migrating an existing certificate to Certificate Manager is required, there is a dedicated guide available, and mutual TLS authentication (mTLS) is supported and documented in the Cloud Load Balancing documentation.\u003c/p\u003e\n"]]],[],null,["# Deployment overview\n\nThis page provides an overview of how to use Certificate Manager to\nprovision Google-managed and self-managed certificates for\nApplication Load Balancers and proxy Network Load Balancers.\n\nBefore reading this page, ensure that you're familiar with the [SSL certificates\noverview](/load-balancing/docs/ssl-certificates) in the Cloud Load Balancing\ndocumentation.\n\nCertificate Manager configuration methods\n-----------------------------------------\n\nCertificate Manager offers two certificate configuration methods\nfor Application Load Balancers using target HTTPS proxies and proxy Network Load Balancers\nusing target SSL proxies. These are two of three possible certificate\nconfiguration methods for Cloud Load Balancing. For more information about\nCertificate Manager and Cloud Load Balancing, see\n[Certificate configuration\nmethods](/load-balancing/docs/ssl-certificates#config-tech) in the load\nbalancing documentation.\n\n- **Load balancer's target proxy references a Certificate Manager\n certificate map** : the load balancer's target proxy references a single\n [certificate map](/certificate-manager/docs/maps). The certificate map\n supports thousands of entries by default, and can scale to millions of\n entries. This method is used by external Application Load Balancers and external proxy Network Load Balancers that\n are powered by Google Front Ends (GFEs):\n\n - Global external Application Load Balancers\n - Classic Application Load Balancers\n - Global external proxy Network Load Balancers\n - Classic proxy Network Load Balancers\n- **Load balancer's target proxy references Certificate Manager\n certificates directly** : the load balancer's target proxy can reference up to\n 100 [Certificate Manager\n certificates](/certificate-manager/docs/certificates). This method is used by\n the following Application Load Balancers that are powered by managed\n [open-source Envoy proxy](https://www.envoyproxy.io/) software:\n\n - Regional external Application Load Balancers\n - Regional internal Application Load Balancers\n - Cross-region internal Application Load Balancers\n\nCertificate Manager also supports the following products, which\nreference Certificate Manager certificates as part of their\nconfiguration:\n\n- **Secure Web Proxy gateway references Certificate Manager\n certificates** : before you can configure a Secure Web Proxy gateway, you\n create one or more Certificate Manager certificates for the\n gateway to use. For more information, see [Deploy an SSL\n certificate](/secure-web-proxy/docs/initial-setup-steps#create-upload-ssl-certificate)\n and [Deploy a Secure Web Proxy\n instance](/secure-web-proxy/docs/quickstart).\n\n- **Media CDN edge cache service references\n Certificate Manager certificates** : a Media CDN\n edge cache service supports up to five Certificate Manager\n certificates. For more information, see [SSL (TLS)\n Certificates](/media-cdn/docs/ssl-certificates) and [Configure SSL (TLS)\n certificates](/media-cdn/docs/configure-ssl-certificates).\n\nCertificate types\n-----------------\n\nCertificate Manager supports both Google-managed and\nself-managed certificates. All Application Load Balancers using target HTTPS\nproxies and all proxy Network Load Balancers that support target SSL proxies can use\neither Google-managed or self-managed Certificate Manager\ncertificates.\n\n- **Google-managed Certificate Manager certificates**:\n certificates that Google Cloud obtains and manages for you. Depending\n on the load balancer and its Certificate Manager configuration\n method, Google-managed Certificate Manager certificates can be\n provisioned by using load balancer authorization, DNS authorization, or by\n using Certificate Authority Service (CA Service).\n\n- **Self-managed Certificate Manager certificates**:\n certificates that you obtain, provision, and renew yourself.\n\nProduct support\n---------------\n\nThe following table summarizes the support for Google-managed and self-managed\nCertificate Manager certificates by product.\n\nWhat's next\n-----------\n\n- If you want to migrate an existing certificate from your load balancer to Certificate Manager, follow the instructions in [Migrate a\n certificate to Certificate Manager](/certificate-manager/docs/migrate).\n- For more information about Certificate Manager and GFE-based load balancers, see [How Certificate Manager\n works](/certificate-manager/docs/how-it-works).\n- If you want to use mutual TLS authentication (mTLS), see [Mutual TLS authentication](/load-balancing/docs/mtls) in the Cloud Load Balancing documentation."]]
