Set up backend authenticated TLS

This page provides instructions to set up backend authenticated TLS, also knownas backend authentication, by using self-managed certificates.

To configurebackend authenticated TLS, you need to do the following.These steps are described in the following sections of this document.

  • Create a trust config resource that consists of root and intermediatecertificates.
  • Create a backend authentication config resourcethat references the trust config.
  • Attach the backend authentication config resourceto the backend service of the load balancer.

Before you begin

Permissions

This section lists the permissions required to configure backend authenticatedTLS.
OperationPermission
Create a trust configcertificatemanager.trustconfigs.create on the target Google Cloud project
Create a backend authentication config resource
  • certificatemanager.certs.use on the target certificate
  • certificatemanager.trustconfigs.use on the target trust config
  • networksecurity.backendauthenticationconfigs.create on the target Google Cloud project
    • Attach the backend authentication config resource to the backend service of the load balancer
  • compute.backendservice.update on the target backend service
  • networksecurity.backendauthenticationconfigs.use on the target backend authentication config resource

    • Setup overview

    The sections that follow describe the steps to configure backend authenticatedTLS based on the architecture shown in the following diagram.

    Components of backend authenticated TLS.
    Backend authenticated TLS components (click to enlarge).

    Create the root and intermediate certificates

    Note:

    If you already have certificates to upload to the trust store, you can skipthis step and jump toFormat the certificates.

    This section uses theOpenSSL library to createthe root certificate (trust anchor) and the intermediate certificate.

    A root certificate is at the topof the certificate chain. An intermediate certificate is a part of the chainof trust back to the root certificate. The intermediate certificate iscryptographically signed by the root certificate. When the load balancerreceives a server certificate, the load balancer validates it by establishing achain of trust from the server certificate back to the configured trust anchor.

    Use the following commands to create the root and intermediate certificates.

    1. Create anOpenSSL configurationfile.

      In the following example, the configuration file (example.cnf) containsthe[ca_exts] section, which specifies X.509 extensions that mark thecertificate as suitable for a CA. To learn more about the requirements forroot and intermediate certificates, seeCertificaterequirements.

      cat >example.cnf <<EOF[req]distinguished_name=empty_distinguished_name[empty_distinguished_name]# Kept empty to allow setting via -subj command-line argument.[ca_exts]basicConstraints=critical,CA:TRUEkeyUsage=keyCertSignextendedKeyUsage=serverAuthEOF

    2. Create a self-signed X.509 root certificate (root.cert). The rootcertificate is self-signed with its own private key (root.key).

      opensslreq-x509\-new-sha256-newkeyrsa:2048-nodes\-days3650-subj'/CN=root'\-configexample.cnf\-extensionsca_exts\-keyoutroot.key-outroot.cert

    3. Create the certificate signing request (CSR)int.req for the intermediatecertificate.

      opensslreq-new\-sha256-newkeyrsa:2048-nodes\-subj'/CN=int'\-configexample.cnf\-extensionsca_exts\-keyoutint.key-outint.req

    4. Sign the CSR to create the X.509 intermediate certificate (int.cert). TheCSR is signed using the root certificate.

      opensslx509-req\-CAkeyroot.key-CAroot.cert\-set_serial1\-days3650\-extfileexample.cnf\-extensionsca_exts\-inint.req-outint.cert

    Format the certificates

    To include new or existing certificates in a trust store, format thecertificates into a single line and store them in environment variablesso that they can be referenced by the trust config YAML file.

    exportROOT_CERT=$(catroot.cert|sed's/^[ ]*//g'|tr'\n'$|sed's/\$/\\n/g')
    exportINTERMEDIATE_CERT=$(catint.cert|sed's/^[ ]*//g'|tr'\n'$|sed's/\$/\\n/g')

    Create a trust config

    A trust config is a resource that represents yourpublic key infrastructure (PKI) configuration inCertificate Manager.

    To create a trust config resource, complete the following steps:

    Console

    1. In the Google Cloud console, go to theCertificate Manager page.

      Go to Certificate Manager

    2. On theTrust Configs tab, clickAdd Trust Config.

    3. Enter a name for the configuration.

    4. ForLocation, selectGlobal orRegional.

      The location denotes where the trustconfig resource is stored. For global external Application Load Balancers,create aglobal trust config resource.For regional external Application Load Balancers and regional internal Application Load Balancers,create aregional trust config resource.

    5. In theTrust store section, clickAdd trust anchor and upload thePEM-encoded certificate file, or copy the contents of the certificate.

    6. ClickAdd.

    7. In theTrust store section, clickAdd intermediate CA andupload the PEM-encoded certificate file, or copy the contentsof the certificate. This step lets you add another level of trust betweenthe root certificate and your server certificate.

    8. ClickAdd to add the intermediary CA.

    9. To add the certificate that you added to the allowlist, clickAdd.

    10. ClickCreate.

    Verify that the new trust config resource appears in the list ofconfigurations.

    gcloud

    1. Create a trust config YAML file (trust_config.yaml)that specifies thetrust config parameters. This example trust configresource contains a trust store with a trust anchor and an intermediatecertificate. This example trust config resource reads thecertificate content from the environment variables created in thepreviousFormat the certificates step.

      cat << EOF > trust_config.yamltrustStores:-trustAnchors:-pemCertificate:"${ROOT_CERT}"intermediateCas:-pemCertificate:"${INTERMEDIATE_CERT}"EOF

      To create a trust store with additional trust anchors or intermediatecertificates, addpemCertificate rows in the appropriate section.

    2. To import the trust config YAML file,use thegcloud certificate-manager trust-configs import command.

      global

      For global external Application Load Balancers, specifyglobal as the location wherethe trust config resource is stored.

      gcloud certificate-manager trust-configs importTRUST_CONFIG_NAME  \    --source=trust_config.yaml \    --location=global

      ReplaceTRUST_CONFIG_NAME with the name of thetrust config.

      regional

      For regional external Application Load Balancers and regional internal Application Load Balancers,specify the region where the trust config resource is stored.

      gcloud certificate-manager trust-configs importTRUST_CONFIG_NAME \    --source=trust_config.yaml \    --location=REGION

      Replace the following:

      • TRUST_CONFIG_NAME: the name of the trustconfig resource
      • REGION: the region where the trust configresource is stored

    Create a backend authentication config resource

    To create a backend authentication config (BackendAuthenticationConfig) resource, complete the following steps.

    Console

    1. In the Google Cloud console, go to theAuthentication Configuration page.

      Go to Authentication Configuration

    2. On theBackend Authentication tab, clickCreate.
    3. Enter a name for the backend authentication config resource.
    4. ForLocation, selectGlobal orRegional.
    5. Optional: Select the public roots of trust.
    6. Select the trust config resource that you created earlier.
    7. ClickCreate.

    Verify that the backend authentication config resource is displayed.

    gcloud

    1. Create a YAML file that declaratively specifies the different attributesof the backend authentication config resource.

      global

      cat<< EOF >BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yamlname: projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAMEtrustConfig: projects/PROJECT_ID/locations/global/trustConfigs/TRUST_CONFIG_NAMEwellKnownRoots: PUBLIC_ROOTSEOF

      Replace the following:

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined
      • PROJECT_ID: the ID of your Google Cloud project
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • TRUST_CONFIG_NAME: the name of the trust config resource that you created earlier

      regional

      cat<< EOF >BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yamlname: projects/PROJECT_ID/locations/REGION/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAMEtrustConfig: projects/PROJECT_ID/locations/REGION/trustConfigs/TRUST_CONFIG_NAMEwellKnownRoots: PUBLIC_ROOTSEOF

      Replace the following:

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME: the name of the YAML file where the backend authentication config resource is defined
      • PROJECT_ID: the ID of your Google Cloud project
      • REGION: the name of the region
      • BACKEND_AUTH_CONFIG_NAME: the name of the backend authentication config resource
      • TRUST_CONFIG_NAME: the name of the trust config resource that you created earlier

    2. To import the backend authentication config, use thegcloud network-security backend-authentication-configs importcommand.

      global

      gcloud network-security backend-authentication-configs importBACKEND_AUTH_CONFIG_NAME \    --source=BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml \    --location=global

      Replace the following:

      • BACKEND_AUTH_CONFIG_NAME: the name of thebackend authentication config resource

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME:the name of the YAML file where the backend authenticationconfig resource is defined

      regional

      gcloud network-security backend-authentication-configs importBACKEND_AUTH_CONFIG_NAME \    --source=BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml \    --location=REGION

      Replace the following:

      • BACKEND_AUTH_CONFIG_NAME: the name of thebackend authentication config resource

      • BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME:the name of the YAML file where the backend authenticationconfig resource is defined

      • REGION: the name of the region

    Attach the backend authentication config resource to the backend service of the load balancer

    To attach the backend authentication config(BackendAuthenticationConfig resource)to the backend service of the load balancer, complete the following steps.

    Console

    1. In the Google Cloud console, go to theLoad balancing page.

      Go to Load balancing

    2. On theBackends tab, select the backend service for which you needto enable backend authenticated TLS and backend mTLS.

    3. ClickEdit.

    4. Expand theAdvanced configurations section.

    5. In theBackend authentication section,select theEnable checkbox.

    6. Optional: Specify the SNI hostname and accepted SANs tovalidate the backend certificate.

    7. To attach the backend authentication config resource to the backendservice, in theBackend authentication config list, select thebackend authentication config resource.

    8. ClickContinue.

    9. To update the backend service settings, clickUpdate.

    gcloud

    1. To list all the backend service resources in your project, use thegcloud compute backend-services list command.

      gcloud compute backend-services list

      Note the name of the backend service to attach theBackendAuthenticationConfig resource to.This name is referred to asBACKEND_SERVICE_NAMEin the following steps.

    2. To export the backend service configuration to a file, use thegcloud compute backend-services export command.

      global

      gcloud compute backend-services exportBACKEND_SERVICE_NAME \    --destination=BACKEND_SERVICE_FILENAME.yaml \    --global

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of thebackend service
      • BACKEND_SERVICE_FILENAME: the name and pathto a YAML file where the backend service configuration is exported

      regional

      gcloud compute backend-services exportBACKEND_SERVICE_NAME \    --destination=BACKEND_SERVICE_FILENAME.yaml \    --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of thebackend service
      • BACKEND_SERVICE_FILENAME: the name and pathto a YAML file where the backend service configuration is exported
      • REGION: the name of theGoogle Cloud region where the backend service is located

    3. Update thetlsSettings attribute of the backend service, pointing itto the backend authentication config resource. In addition, you canconfigure the SNI hostname and accepted SANs on the backend service tovalidate the backend certificate.

      global

      Attach the global backend authentication config resource tothe backend service.

      The SNI and SAN values in the following YAML declaration areintended as examples only. You can substitute them with real-worldvalues that are relevant to your setup.

        cat << EOF >>BACKEND_SERVICE_FILENAME.yaml  tlsSettings:    authenticationConfig: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME    sni: examplepetstore.com    subjectAltNames:    - dnsName: examplepetstore.com    - dnsName: api.examplepetstore.com  EOF

      Replace the following:

      • BACKEND_SERVICE_FILENAME: the name of theYAML file where the backend service configuration is exported

      • PROJECT_ID: the ID of your Google Cloud project

      • BACKEND_AUTH_CONFIG_NAME: the name of thebackend authentication config resource

      regional

      Attach the regional backend authentication config resource tothe backend service.

      The SNI and SAN values in the following YAML declaration areintended as examples only. You can substitute them with real-worldvalues that are relevant to your setup.

        cat << EOF >>BACKEND_SERVICE_FILENAME.yaml  tlsSettings:    authenticationConfig: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/REGION/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME    sni: examplepetstore.com    subjectAltNames:    - dnsName: examplepetstore.com    - dnsName: api.examplepetstore.com  EOF

      Replace the following:

      • BACKEND_SERVICE_FILENAME: the name of theYAML file where the backend service configuration is exported

      • PROJECT_ID: the ID of your Google Cloud project

      • REGION: the name of theGoogle Cloud region where the backend authenticationconfig is created

      • BACKEND_AUTH_CONFIG_NAME: the name of thebackend authentication config resource

    4. To import the updated backend service configuration from a file,use thegcloud compute backend-services import command.

      global

        gcloud compute backend-services importBACKEND_SERVICE_NAME \      --source=BACKEND_SERVICE_FILENAME.yaml \      --global

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of thebackend service
      • BACKEND_SERVICE_FILENAME: the name of thebackend service configuration YAML file

      regional

        gcloud compute backend-services importBACKEND_SERVICE_NAME \      --source=BACKEND_SERVICE_FILENAME.yaml \      --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of thebackend service
      • BACKEND_SERVICE_FILENAME: the name of thebackend service configuration YAML file
      • REGION: the name of theGoogle Cloud region where the backend service is located

    Create a backend server certificate

    This section provides an additional configuration option to create a server(leaf) certificate that is signed by the intermediate certificate, which is apart of the trust config. This ensures that a chain of trustcan be established from the server certificate back to the trust anchor.

    If you have alreadycreated a trust config resourcethat contains an intermediate certificate, do the following:

    1. Create a configuration file to generate the CSR for the server certificate.

      The following configuration file (server.config) containsthe[extension_requirements] section, which specifies the X.509 extensions to include in the CSR. To learn more about the requirements for server certificates, seeCertificate requirements.

      cat >server.config <<EOF[req]default_bits=2048req_extensions=extension_requirementsdistinguished_name=dn_requirementsprompt=no[extension_requirements]basicConstraints=critical,CA:FALSEkeyUsage=critical,nonRepudiation,digitalSignature,keyEnciphermentextendedKeyUsage=serverAuthsubjectAltName=@alt_names[alt_names]DNS.1=examplepetstore.comDNS.2=api.examplepetstore.com[dn_requirements]countryName=USstateOrProvinceName=CalifornialocalityName=SanFrancisco0.organizationName=exampleorganizationalUnitName=testcommonName=examplepetstore.comemailAddress=test@examplepetstore.comEOF

    2. Create the CSR (server.csr) for the server certificate.

      opensslreq-new\-sha256-newkeyrsa:2048-nodes\-configserver.config\-keyoutserver.key-outserver.csr

    3. Sign the CSR to issue the X.509 server certificate (server.cert). The CSRis signed by the intermediate certificate.

      opensslx509-req\-CAkeyint.key-CAint.cert\-days365\-extfileserver.config\-extensionsextension_requirements\-inserver.csr-outserver.cert

      When the load balancer connects to the backend server, the backend serverpresents its certificate (server.cert) to authenticate itself to the loadbalancer, completing the backend authentication process.

    Additional SSL configuration options on an Apache web server

    This optional section walks you through the process to update the SSLconfiguration options on an Apache server based on the server certificates thatyou created earlier.

    1. Copy the server private key (server.key) and server certificate (server.cert) over to the Apache web server.

          cat > server.key<< EOF    -----BEGIN PRIVATE KEY-----    [...]    -----END PRIVATE KEY-----    EOF    sudo cp ./server.key /etc/ssl/private/server.key

      Replace[...] with the PEM-encoded server private key that you created earlier.

          cat > server.cert<< EOF    -----BEGIN CERTIFICATE-----    [...]    -----END CERTIFICATE-----    EOF    sudo cp ./server.cert /etc/ssl/certs/server.cert

      Replace[...] with the PEM-encoded server certificate that you created earlier.

    2. Update the SSL configuration of the Apache web server.

      Update Apache's SSL configuration to enable HTTPS traffic using the specified SSL certificate and private key.

          sudo vi /etc/apache2/sites-available/default-ssl.conf    ----    SSLCertificateFile      /etc/ssl/certs/server.cert    SSLCertificateKeyFile /etc/ssl/private/server.key    ----

    3. Rehash the CA certificates.

          sudo c_rehash /etc/ssl/certs/

    4. Restart the Apache web server to apply the changes.

          sudo systemctl restart apache2.service

    What's next

    Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

    Last updated 2025-12-15 UTC.