Stay organized with collections
Save and categorize content based on your preferences.
Client Side Push Provisioning uses HTTPS (TLS) for transport layer security.
Transport layer encryption with HTTPS
All API endpoints must be served using HTTPS with TLS 1.2 or higher. API
clients must have common name (CN) checking turned on and the server's CN or
wildcards must match the hostname.
We strongly recommend using a certificate issued under a root certificate
included in the
Mozilla CA certification program
to reduce the level of maintenance necessary to keep this connection healthy.
However, if necessary, we do allow partners to issue self-signed certificates
that we can trust.
Cipher suites
The server must support at least one of these cipher suites and should not
support cipher suites outside of the following set:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
All rights reserved. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-12-03 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-03 UTC."],[[["\u003cp\u003eClient Side Push Provisioning utilizes HTTPS (TLS) for secure transport layer encryption.\u003c/p\u003e\n"],["\u003cp\u003eAll API endpoints must use HTTPS with TLS 1.2 or higher and have common name (CN) checking enabled with matching server CN or wildcards.\u003c/p\u003e\n"],["\u003cp\u003eWhile certificates from the Mozilla CA certification program are strongly recommended, self-signed certificates can be used if necessary, but Google will require immediate replacement if revoked.\u003c/p\u003e\n"],["\u003cp\u003eServers must support at least one of the specified cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256) and should avoid using any others.\u003c/p\u003e\n"]]],["HTTPS with TLS 1.2 or higher is required for all API endpoints, with common name checking enabled. The server's certificate should ideally be from a Mozilla-approved root certificate, but self-signed certificates are permissible. Google will notify if certificates are revoked. The server must support at least one of the specified cipher suites and avoid any outside this set, ensuring secure transport layer encryption and connection health.\n"],null,["# Transport layer encryption\n\nClient Side Push Provisioning uses HTTPS (TLS) for transport layer security.\n\nTransport layer encryption with HTTPS\n-------------------------------------\n\nAll API endpoints must be served using HTTPS with TLS 1.2 or higher. API\nclients must have common name (CN) checking turned on and the server's CN or\nwildcards must match the hostname.\nWe strongly recommend using a certificate issued under a root certificate included in the [Mozilla CA certification program](https://www.mozilla.org/about/governance/policies/security-group/certs/policy/) to reduce the level of maintenance necessary to keep this connection healthy. However, if necessary, we do allow partners to issue self-signed certificates that we can trust. **Note:** If a server's certificate is revoked by the CA, Google will contact you to get a new cert immediately.\n\n### Cipher suites\n\nThe server must support at least one of these cipher suites and should not\nsupport cipher suites outside of the following set:\n\n- ECDHE-ECDSA-AES128-GCM-SHA256\n- ECDHE-RSA-AES128-GCM-SHA256\n- ECDHE-ECDSA-CHACHA20-POLY1305\n- ECDHE-RSA-CHACHA20-POLY1305\n- ECDHE-ECDSA-AES128-SHA256\n- ECDHE-RSA-AES128-SHA256"]]