Set up backend mTLS

This page provides instructions to set up backend mTLS by using self-managed certificates.

The steps to configure backend mTLS are similar to backend authenticated TLS, except that you also need to create a certificate for the load balancer. This certificate, also known as the client certificate, is attached to the backend authentication config resource. The load balancer uses this client certificate to authenticate itself to the backends.

To configure backend mTLS, you need to do the following. These steps are described in the following sections of this document.

  1. Create a trust config resource that consists of root and intermediate certificates.
  2. Create a client certificate and upload it to Certificate Manager.
  3. Create a backend authentication config resource that references both the trust config and the client certificate.
  4. Attach the backend authentication config resource to the backend service of the load balancer.

Before you begin

Permissions

This section lists the permissions required to configure backend mTLS.
Operation: Create a trust config
Permission: certificatemanager.trustconfigs.create on the target Google Cloud project

Operation: Create a client certificate
Permission: certificatemanager.certs.create on the target Google Cloud project

Operation: Create a backend authentication config resource
Permissions:
  • certificatemanager.certs.use on the target certificate
  • certificatemanager.trustconfigs.use on the target trust config
  • networksecurity.backendauthenticationconfigs.create on the target Google Cloud project

Operation: Attach the backend authentication config resource to the backend service of the load balancer
Permissions:
  • compute.backendservice.update on the target backend service
  • networksecurity.backendauthenticationconfigs.use on the target backend authentication config resource

    Setup overview

    The sections that follow describe the steps to configure backend mTLS based on the architecture shown in the following diagram.

    [Diagram: Backend mTLS components]

    Create the root and intermediate certificates

    Note:

    If you already have certificates to upload to the trust store, you can skip this step and jump to Format the certificates.

    This section uses the OpenSSL library to create the root certificate (trust anchor) and the intermediate certificate.

    A root certificate is at the top of the certificate chain. An intermediate certificate is a part of the chain of trust back to the root certificate. The intermediate certificate is cryptographically signed by the root certificate. When the load balancer receives a server certificate, the load balancer validates it by establishing a chain of trust from the server certificate back to the configured trust anchor.

    Use the following commands to create the root and intermediate certificates.

    1. Create an OpenSSL configuration file.

      In the following example, the configuration file (example.cnf) contains the [ca_exts] section, which specifies X.509 extensions that mark the certificate as suitable for a CA. To learn more about the requirements for root and intermediate certificates, see Certificate requirements.

      cat > example.cnf <<EOF
      [req]
      distinguished_name = empty_distinguished_name

      [empty_distinguished_name]
      # Kept empty to allow setting via -subj command-line argument.

      [ca_exts]
      basicConstraints = critical,CA:TRUE
      keyUsage = keyCertSign
      extendedKeyUsage = serverAuth
      EOF

    2. Create a self-signed X.509 root certificate (root.cert). The root certificate is self-signed with its own private key (root.key).

      openssl req -x509 \
          -new -sha256 -newkey rsa:2048 -nodes \
          -days 3650 -subj '/CN=root' \
          -config example.cnf \
          -extensions ca_exts \
          -keyout root.key -out root.cert

    3. Create the certificate signing request (CSR) int.req for the intermediate certificate.

      openssl req -new \
          -sha256 -newkey rsa:2048 -nodes \
          -subj '/CN=int' \
          -config example.cnf \
          -extensions ca_exts \
          -keyout int.key -out int.req

    4. Sign the CSR to create the X.509 intermediate certificate (int.cert). The CSR is signed using the root certificate.

      openssl x509 -req \
          -CAkey root.key -CA root.cert \
          -set_serial 1 \
          -days 3650 \
          -extfile example.cnf \
          -extensions ca_exts \
          -in int.req -out int.cert

    Format the certificates

    To include new or existing certificates in a trust store, format the certificates into a single line and store them in environment variables so that they can be referenced by the trust config YAML file.

    export ROOT_CERT=$(cat root.cert | sed 's/^[ ]*//g' | tr '\n' $ | sed 's/\$/\\n/g')
    export INTERMEDIATE_CERT=$(cat int.cert | sed 's/^[ ]*//g' | tr '\n' $ | sed 's/\$/\\n/g')
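The following POSIX shell helper is an added example, not part of this page or of Certificate Manager. It wraps the sed/tr pipeline above in a function that first checks that the input really is a PEM certificate (so a private key is never formatted as a trust anchor by mistake), and assembles the trust_config.yaml layout used in the next section from one trust anchor and any number of intermediate CAs. The function names and the file-name arguments are assumptions.

```shell
#!/bin/sh
# Added helper, not from the Google Cloud page: format PEM certificates for a
# Certificate Manager trust config and assemble the YAML from them.

# Print a PEM certificate file as one line, with a literal "\n" between the
# original lines. This is the same transformation as the page's
# sed | tr | sed pipeline, so the result can sit inside a double-quoted
# YAML scalar, where "\n" is decoded back into newlines.
# Returns 1 (and prints nothing) if the file is not a PEM certificate, so a
# private key or a DER file is never uploaded as a trust anchor by mistake.
pem_to_single_line() {
  grep -q '^[ ]*-----BEGIN CERTIFICATE-----[ ]*$' "$1" || return 1
  grep -q '^[ ]*-----END CERTIFICATE-----[ ]*$' "$1" || return 1
  sed 's/^[ ]*//g' "$1" | tr '\n' '$' | sed 's/\$/\\n/g'
}

# Write a trust config YAML document to stdout.
# Usage: build_trust_config <trust anchor PEM> [intermediate CA PEM ...]
build_trust_config() {
  root=$(pem_to_single_line "$1") || return 1
  shift
  printf 'trustStores:\n- trustAnchors:\n  - pemCertificate: "%s"\n' "$root"
  [ $# -gt 0 ] || return 0
  printf '  intermediateCas:\n'
  for ca in "$@"; do
    line=$(pem_to_single_line "$ca") || return 1
    printf '  - pemCertificate: "%s"\n' "$line"
  done
}

# Example usage with the file names from this page:
#   build_trust_config root.cert int.cert > trust_config.yaml
```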

    Create a trust config

    A trust config is a resource that represents your public key infrastructure (PKI) configuration in Certificate Manager.

    To create a trust config resource, complete the following steps:

    Console

    1. In the Google Cloud console, go to the Certificate Manager page.

      Go to Certificate Manager

    2. On the Trust Configs tab, click Add Trust Config.

    3. Enter a name for the configuration.

    4. For Location, select Global or Regional.

      The location denotes where the trust config resource is stored. For global external Application Load Balancers, create a global trust config resource. For regional external Application Load Balancers and regional internal Application Load Balancers, create a regional trust config resource.

    5. In the Trust store section, click Add trust anchor and upload the PEM-encoded certificate file, or copy the contents of the certificate.

    6. Click Add.

    7. In the Trust store section, click Add intermediate CA and upload the PEM-encoded certificate file, or copy the contents of the certificate. This step lets you add another level of trust between the root certificate and your server certificate.

    8. Click Add to add the intermediary CA.

    9. To add the certificate that you added to the allowlist, click Add.

    10. Click Create.

    Verify that the new trust config resource appears in the list of configurations.

    gcloud

    1. Create a trust config YAML file (trust_config.yaml) that specifies the trust config parameters. This example trust config resource contains a trust store with a trust anchor and an intermediate certificate. This example trust config resource reads the certificate content from the environment variables created in the previous Format the certificates step.

      cat << EOF > trust_config.yaml
      trustStores:
      - trustAnchors:
        - pemCertificate: "${ROOT_CERT}"
        intermediateCas:
        - pemCertificate: "${INTERMEDIATE_CERT}"
      EOF

      To create a trust store with additional trust anchors or intermediate certificates, add pemCertificate rows in the appropriate section.

    2. To import the trust config YAML file, use the gcloud certificate-manager trust-configs import command.

      global

      For global external Application Load Balancers, specify global as the location where the trust config resource is stored.

      gcloud certificate-manager trust-configs import TRUST_CONFIG_NAME \
          --source=trust_config.yaml \
          --location=global

      Replace TRUST_CONFIG_NAME with the name of the trust config.

      regional

      For regional external Application Load Balancers and regional internal Application Load Balancers, specify the region where the trust config resource is stored.

      gcloud certificate-manager trust-configs import TRUST_CONFIG_NAME \
          --source=trust_config.yaml \
          --location=REGION

      Replace the following:

      • TRUST_CONFIG_NAME: the name of the trust config resource
      • REGION: the region where the trust config resource is stored

    Create a client certificate

    Important: You cannot attach the client certificate to the backend authentication config resource after the backend authentication config resource has been created. To enable backend mTLS, you must create a client certificate before you configure the backend authentication config resource.

    In backend mTLS, the load balancer acts as the client and the backend acts as the server.

    To enable backend mTLS, the load balancer needs to prove its identity to the backend. This authentication is carried out using a client certificate that the load balancer presents to the backend. The backend server needs to validate the client certificate using its own trust chain.

    When connecting to a backend server, the load balancer sets the Server Name Indication (SNI) to the hostname specified in the TLS configuration. The backend server selects the appropriate SSL/TLS certificate based on this SNI value. The load balancer expects the SNI value to match a Subject Alternative Name (SAN) listed in the backend server's certificate.

    Client certificates can be managed certificates from a Private CA through Certificate Authority Service or self-managed private PKI certificates. In this example, the client certificate is issued using self-managed certificates. This section uses the OpenSSL library to create the root CA certificate and the client certificate.

    To create a client certificate, complete the following steps:

    1. Create an OpenSSL configuration file.

      In the following example, the configuration file (example.cnf) contains the [ca_exts] section, which specifies X.509 extensions that mark the certificate as suitable for a certificate authority (CA). The extendedKeyUsage attribute is set to clientAuth. To learn more about the requirements for root and intermediate certificates, see Certificate requirements.

      cat > example.cnf <<EOF
      [req]
      distinguished_name = empty_distinguished_name

      [empty_distinguished_name]
      # Kept empty to allow setting via -subj command-line argument.

      [ca_exts]
      basicConstraints = critical,CA:TRUE
      keyUsage = keyCertSign
      extendedKeyUsage = clientAuth
      EOF

    2. Create a self-signed X.509 root CA certificate (root.cert). The root certificate is self-signed with its own private key (root.key).

      openssl req -x509 \
          -new -sha256 -newkey rsa:2048 -nodes \
          -days 3650 -subj '/CN=root' \
          -config example.cnf \
          -extensions ca_exts \
          -keyout root.key -out root.cert

    3. Create a configuration file to generate the CSR for the client certificate.

      The following configuration file (client.config) contains the [extension_requirements] section, which specifies the X.509 extensions to include in the CSR. To learn more about the requirements for client certificates, see Certificate requirements.

      cat > client.config <<EOF
      [req]
      default_bits = 2048
      req_extensions = extension_requirements
      distinguished_name = dn_requirements
      prompt = no

      [extension_requirements]
      basicConstraints = critical,CA:FALSE
      keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
      extendedKeyUsage = clientAuth

      [dn_requirements]
      countryName = US
      stateOrProvinceName = California
      localityName = San Francisco
      0.organizationName = example
      organizationalUnitName = test
      commonName = test.example.com
      emailAddress = test@example.com
      EOF

    4. Create the CSR (client.csr) for the client certificate. The -nodes flag leaves the generated private key unencrypted; without it, openssl prompts for a passphrase, and Certificate Manager accepts only a private key that isn't protected with a passphrase.

      openssl req -new \
          -nodes \
          -config client.config \
          -keyout client.key -out client.csr

    5. Create the client certificate (client.cert) from the CSR. The CSR is signed by the root CA certificate to issue the X.509 client certificate.

      openssl x509 -req \
          -CAkey root.key -CA root.cert \
          -days 365 \
          -extfile client.config \
          -extensions extension_requirements \
          -in client.csr -out client.cert

    Upload the client certificate to Certificate Manager

    To upload the client certificate to Certificate Manager, complete the following steps:

    Console

    1. In the Google Cloud console, go to the Certificate Manager page.

      Go to Certificate Manager

    2. On the Certificates tab, click Add Certificate.

    3. Enter a name for the certificate.

      This name must be unique for the project.

    4. Optional: Enter a description for the certificate. The description helps you identify a specific certificate later.

    5. For Location, select Global or Regional.

      The location denotes where the certificate resource is stored. For global external Application Load Balancers, create a global certificate. For regional external Application Load Balancers and regional internal Application Load Balancers, create a regional certificate.

    6. For Scope, select Client Authentication.

    7. For Certificate type, choose Create Self-managed certificate.

    8. For the Certificate field, upload a PEM-encoded certificate file, or copy and paste the contents of a PEM-encoded certificate.

    9. For the Private key certificate field, upload a PEM-encoded private key that isn't protected with a passphrase, or copy and paste the contents of the PEM-encoded private key.

    10. Specify a label to associate to the certificate. You can add more than one label, if needed. To add a label, click the Add label button, and specify a key and a value for your label.

    11. Click Create. Verify that the new certificate appears in the list of certificates.

    gcloud

    1. To upload the client certificate to Certificate Manager, use the gcloud certificate-manager certificates create command. The scope of this certificate is client-auth, which indicates that this certificate is used as a client certificate in backend mTLS.

      global

      For global external Application Load Balancers, create a global Certificate Manager certificate.

      gcloud certificate-manager certificates create CLIENT_CERTIFICATE_NAME \
          --certificate-file=client.cert \
          --private-key-file=client.key \
          --scope=client-auth \
          --location=global

      Replace CLIENT_CERTIFICATE_NAME with the name of the client certificate resource. This client certificate with the scope client-auth is used by the backend authentication config resource.

      regional

      For regional external Application Load Balancers and regional internal Application Load Balancers, create a regional Certificate Manager certificate.

      gcloud certificate-manager certificates create CLIENT_CERTIFICATE_NAME \
          --certificate-file=client.cert \
          --private-key-file=client.key \
          --scope=client-auth \
          --location=REGION

      Replace the following:

      • CLIENT_CERTIFICATE_NAME: the name of the client certificate resource. This client certificate with the scope client-auth is used by the backend authentication config resource.
      • REGION: the region where the certificate is to be created.

    Create a backend authentication config resource

    To create a backend authentication config (BackendAuthenticationConfig) resource, complete the following steps.

    Console

    1. In the Google Cloud console, go to the Authentication Configuration page.

      Go to Authentication Configuration

    2. On the Backend Authentication tab, click Create.
    3. Enter a name for the backend authentication config resource.
    4. For Location, select Global or Regional.
    5. Select the client certificate resource that you created earlier.
    6. Optional: Select the public roots of trust.
    7. Select the trust config resource that you created earlier.
    8. Optional: Click Equivalent code to view the Terraform configuration for this resource.
    9. Click Create.

    Verify that the backend authentication config resource is displayed.

    gcloud

    1. Create a YAML file that declaratively specifies the different attributes of the backend authentication config resource.

      global

      Attach the client certificate to the backend authentication config resource to enable backend mTLS.

      cat << EOF > BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml
      name: projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME
      trustConfig: projects/PROJECT_ID/locations/global/trustConfigs/TRUST_CONFIG_NAME
      clientCertificate: projects/PROJECT_ID/locations/global/certificates/CLIENT_CERTIFICATE_NAME
      wellKnownRoots: PUBLIC_ROOTS
      EOF

      Replace the following:

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined
      • PROJECT_ID: the ID of your Google Cloud project
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • TRUST_CONFIG_NAME: the name of the trust config resource that you created earlier
      • CLIENT_CERTIFICATE_NAME: the name of the client certificate resource that you created earlier

      regional

      Attach the client certificate to the backend authentication config resource to enable backend mTLS.

      cat << EOF > BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml
      name: projects/PROJECT_ID/locations/REGION/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME
      trustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAME
      clientCertificate: projects/PROJECT_ID/locations/REGION/certificates/CLIENT_CERTIFICATE_NAME
      wellKnownRoots: PUBLIC_ROOTS
      EOF

      Replace the following:

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined
      • PROJECT_ID: the ID of your Google Cloud project
      • REGION: the name of the region
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • TRUST_CONFIG_NAME: the name of the trust config resource that you created earlier
      • CLIENT_CERTIFICATE_NAME: the name of the client certificate resource that you created earlier

    2. To import the backend authentication config, use the gcloud network-security backend-authentication-configs import command.

      global

      gcloud network-security backend-authentication-configs import BACKEND_AUTH_CONFIG_NAME \
          --source=BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml \
          --location=global

      Replace the following:

      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined

      regional

      gcloud network-security backend-authentication-configs import BACKEND_AUTH_CONFIG_NAME \
          --source=BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml \
          --location=REGION

      Replace the following:

      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined
      • REGION: the name of the region

    Attach the backend authentication config resource to the backend service of the load balancer

    To attach the backend authentication config (BackendAuthenticationConfig resource) to the backend service of the load balancer, complete the following steps.

    Console

    1. In the Google Cloud console, go to the Load balancing page.

      Go to Load balancing

    2. On the Backends tab, select the backend service for which you need to enable backend authenticated TLS and backend mTLS.

    3. Click Edit.

    4. Expand the Advanced configurations section.

    5. In the Backend authentication section, select the Enable checkbox.

    6. Optional: Specify the SNI hostname and accepted SANs to validate the backend certificate.

    7. To attach the backend authentication config resource to the backend service, in the Backend authentication config list, select the backend authentication config resource.

    8. Click Continue.

    9. To update the backend service settings, click Update.

    gcloud

    1. To list all the backend service resources in your project, use the gcloud compute backend-services list command.

      gcloud compute backend-services list

      Note the name of the backend service to attach the BackendAuthenticationConfig resource to. This name is referred to as BACKEND_SERVICE_NAME in the following steps.

    2. To export the backend service configuration to a file, use the gcloud compute backend-services export command.

      global

      gcloud compute backend-services export BACKEND_SERVICE_NAME \
          --destination=BACKEND_SERVICE_FILENAME.yaml \
          --global

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service
      • BACKEND_SERVICE_FILENAME: the name and path to a YAML file where the backend service configuration is exported

      regional

      gcloud compute backend-services export BACKEND_SERVICE_NAME \
          --destination=BACKEND_SERVICE_FILENAME.yaml \
          --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service
      • BACKEND_SERVICE_FILENAME: the name and path to a YAML file where the backend service configuration is exported
      • REGION: the name of the Google Cloud region where the backend service is located

    3. Update the tlsSettings attribute of the backend service, pointing it to the backend authentication config resource. In addition, you can configure the SNI hostname and accepted SANs on the backend service to validate the backend certificate.

      global

      Attach the global backend authentication config resource to the backend service.

      The SNI and SAN values in the following YAML declaration are intended as examples only. You can substitute them with real-world values that are relevant to your setup.

      cat << EOF >> BACKEND_SERVICE_FILENAME.yaml
      tlsSettings:
        authenticationConfig: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME
        sni: examplepetstore.com
        subjectAltNames:
        - dnsName: examplepetstore.com
        - dnsName: api.examplepetstore.com
      EOF

      Replace the following:

      • BACKEND_SERVICE_FILENAME: the name of the YAML file where the backend service configuration is exported
      • PROJECT_ID: the ID of your Google Cloud project
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource

      regional

      Attach the regional backend authentication config resource to the backend service.

      The SNI and SAN values in the following YAML declaration are intended as examples only. You can substitute them with real-world values that are relevant to your setup.

      cat << EOF >> BACKEND_SERVICE_FILENAME.yaml
      tlsSettings:
        authenticationConfig: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME
        sni: examplepetstore.com
        subjectAltNames:
        - dnsName: examplepetstore.com
        - dnsName: api.examplepetstore.com
      EOF

      Replace the following:

      • BACKEND_SERVICE_FILENAME: the name of the YAML file where the backend service configuration is exported
      • PROJECT_ID: the ID of your Google Cloud project
      • REGION: the name of the Google Cloud region where the backend authentication config is created
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource

    4. To import the updated backend service configuration from a file, use the gcloud compute backend-services import command.

      global

      gcloud compute backend-services import BACKEND_SERVICE_NAME \
          --source=BACKEND_SERVICE_FILENAME.yaml \
          --global

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service
      • BACKEND_SERVICE_FILENAME: the name of the backend service configuration YAML file

      regional

      gcloud compute backend-services import BACKEND_SERVICE_NAME \
          --source=BACKEND_SERVICE_FILENAME.yaml \
          --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service
      • BACKEND_SERVICE_FILENAME: the name of the backend service configuration YAML file
      • REGION: the name of the Google Cloud region where the backend service is located

    Create a backend server certificate

    This section provides an additional configuration option to create a server (leaf) certificate that is signed by the intermediate certificate, which is a part of the trust config. This ensures that a chain of trust can be established from the server certificate back to the trust anchor.

    If you have already created a trust config resource that contains an intermediate certificate, do the following:

    1. Create a configuration file to generate the CSR for the server certificate.

      The following configuration file (server.config) contains the [extension_requirements] section, which specifies the X.509 extensions to include in the CSR. To learn more about the requirements for server certificates, see Certificate requirements.

      cat > server.config <<EOF
      [req]
      default_bits = 2048
      req_extensions = extension_requirements
      distinguished_name = dn_requirements
      prompt = no

      [extension_requirements]
      basicConstraints = critical,CA:FALSE
      keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
      extendedKeyUsage = serverAuth
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = examplepetstore.com
      DNS.2 = api.examplepetstore.com

      [dn_requirements]
      countryName = US
      stateOrProvinceName = California
      localityName = San Francisco
      0.organizationName = example
      organizationalUnitName = test
      commonName = examplepetstore.com
      emailAddress = test@examplepetstore.com
      EOF

    2. Create the CSR (server.csr) for the server certificate.

      openssl req -new \
          -sha256 -newkey rsa:2048 -nodes \
          -config server.config \
          -keyout server.key -out server.csr

    3. Sign the CSR to issue the X.509 server certificate (server.cert). The CSR is signed by the intermediate certificate.

      openssl x509 -req \
          -CAkey int.key -CA int.cert \
          -days 365 \
          -extfile server.config \
          -extensions extension_requirements \
          -in server.csr -out server.cert

      When the load balancer connects to the backend server, the backend server presents its certificate (server.cert) to authenticate itself to the load balancer, completing the backend authentication process.
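Before the certificates are uploaded or installed on the backend, it is worth confirming that they satisfy what this page requires: server.cert must chain back to the trust anchor through int.cert, its DNS SANs must include the SNI the load balancer sends, and each certificate must carry the extended key usage for its role. The following POSIX shell functions are an added example, not part of the page; they assume the openssl command-line tool and the file names used above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page. Assumes the openssl CLI and
# the file names used on this page (root.cert, int.cert, server.cert,
# client.cert). File names must not contain spaces.

# Check that a leaf certificate chains back to a trust anchor through the
# given intermediate certificates, which is the chain building the load
# balancer performs against the trust config.
# Usage: verify_chain <leaf> <trust anchor> [intermediate ...]
verify_chain() {
  leaf=$1
  anchor=$2
  shift 2
  untrusted=""
  for ca in "$@"; do
    untrusted="$untrusted -untrusted $ca"
  done
  # $untrusted is deliberately unquoted: it is a list of flags.
  openssl verify -CAfile "$anchor" $untrusted "$leaf" >/dev/null 2>&1
}

# Print the DNS names in a certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[ ]*//' | grep '^DNS:' | sed 's/^DNS://'
}

# Check that the SNI hostname the load balancer sends is one of the server
# certificate's DNS SANs, as the load balancer requires.
# Usage: san_matches_sni <server cert> <sni hostname>
san_matches_sni() {
  san_dns_names "$1" | grep -qx "$2"
}

# Check that a certificate carries the extended key usage its role needs:
# serverAuth for the backend's certificate, clientAuth for the load balancer's.
# Usage: has_eku <cert> serverAuth|clientAuth
has_eku() {
  case $2 in
    serverAuth) want='TLS Web Server Authentication' ;;
    clientAuth) want='TLS Web Client Authentication' ;;
    *) return 2 ;;
  esac
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | grep -q "$want"
}

# Run every check this page's setup depends on; prints one line per check
# and returns non-zero if any check fails.
# Usage: check_backend_mtls_certs <sni hostname>
check_backend_mtls_certs() {
  status=0
  verify_chain server.cert root.cert int.cert \
    && echo "ok: server.cert chains to root.cert via int.cert" \
    || { echo "FAIL: server.cert does not chain to root.cert"; status=1; }
  san_matches_sni server.cert "$1" \
    && echo "ok: SNI $1 is a DNS SAN of server.cert" \
    || { echo "FAIL: SNI $1 is not a DNS SAN of server.cert"; status=1; }
  has_eku server.cert serverAuth \
    && echo "ok: server.cert has extendedKeyUsage serverAuth" \
    || { echo "FAIL: server.cert lacks extendedKeyUsage serverAuth"; status=1; }
  has_eku client.cert clientAuth \
    && echo "ok: client.cert has extendedKeyUsage clientAuth" \
    || { echo "FAIL: client.cert lacks extendedKeyUsage clientAuth"; status=1; }
  return $status
}
```

Run `check_backend_mtls_certs examplepetstore.com` in the directory that holds the certificates; the SNI argument should be the value you set in the backend service's tlsSettings.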

    Additional SSL configuration options on an Apache web server

    This optional section walks you through the process to update the SSL configuration options on an Apache server based on the client and server certificates that you created earlier.

    1. Copy the server private key (server.key) and server certificate (server.cert) over to the Apache web server.

      cat > server.key << EOF
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
      EOF
      sudo cp ./server.key /etc/ssl/private/server.key

      Replace [...] with the PEM-encoded server private key that you created earlier.

      cat > server.cert << EOF
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
      EOF
      sudo cp ./server.cert /etc/ssl/certs/server.cert

      Replace [...] with the PEM-encoded server certificate that you created earlier.

    2. Upload the client certificate to the server's trust config in order to validate the client certificate.

      cat > client.cert << EOF
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
      EOF
      sudo cp ./client.cert /etc/ssl/certs/client.cert

      Replace [...] with the PEM-encoded client certificate that you created earlier.

    3. Update the SSL configuration of the Apache web server.

      Update Apache's SSL configuration to enable HTTPS traffic using the specified SSL certificate and private key.

      sudo vi /etc/apache2/sites-available/default-ssl.conf
      ----
      SSLCertificateFile      /etc/ssl/certs/server.cert
      SSLCertificateKeyFile /etc/ssl/private/server.key
      ----

      Update Apache's SSL configuration to require client certificate authentication and specify the CA certificate for validation.

      sudo vi /etc/apache2/sites-available/default-ssl.conf
      ----
      SSLVerifyClient require
      SSLVerifyDepth 5
      SSLCACertificateFile /etc/ssl/certs/client.cert
      ----

    4. Rehash the CA certificates.

      sudo c_rehash /etc/ssl/certs/

    5. Restart the Apache web server to apply the changes.

      sudo systemctl restart apache2.service

    Last updated 2026-02-18 UTC.