Google has just released the public beta of their Public (ACME) Certificate Authority service. This means that you can now issue certificates using Google’s ACME server. But setting it up is not as easy as you may think, as it requires some terminal and ACME knowledge. However, here I will explain a bit about the Google Public CA beta, and then I will show you how to obtain an SSL certificate from Google Trust Services (GTS) via ACME.
1. What is Google Public Certificate Authority?
First of all, let’s quickly explain what are we talking about here.
On January 26 2017, Google made public their certificate authority called Google Trust Services. They created their four root CAs (GTS Root R1, R2, R3 and R4), and purchased two from GlobalSign (GS Root R2 [expired] and GS ECC Root R4). Google’s roots began globally trusted in a few years, but until a few months ago, it was only for Google’s internal use and a very limited number of Google Cloud (GCP) services (like App Engine).
On March 29 2022, Google posted in his Google Cloud blog this post, announcing the private preview release of their Public Certificate Authority via ACME. ACME is a protocol that automates the certificate issuance, renewal and revocation process. Please note that I obtained access to this service on June 7 2022.
With Google Public ACME CA, you can obtain certificates via ACME from Google Trust Services. The certificates you obtain will be issued only by GTS CA 1P5 → GTS Root R1 → GlobalSign Root CA (cross-sign until 2028). You can obtain RSA and ECDSA certificates from Google, but both will be issued by an RSA certificate chain. Certificates last for 90 days, just like Let’s Encrypt. Also, Google’s ACME certificates are completely free, but you’ll require a Google account to obtain them.
On August 24 2022, Google announced here that the Public Certificate Authority service has been rolled out to the public.
2. How can I obtain an SSL certificate from Google Trust Services via ACME?
Let’s get into the important part. Setting this up is not as easy as you may think, since it requires to get EAB credentials from Google Cloud. Even though I will try to explain this as easy as possible, I would suggest that if you are a first-time user requesting ACME certificates, then you should try Let’s encrypt before.
To set this up, you’ll need:
- A Google account
- Some terminal knowledge
- Time
The first step is to download gcloud (cli). Note that if you’re using Windows, you’ll need to check the Beta commands option in the instalation wizard. Also, you can type:
<code>gcloud components install beta</code>
Code language: Basic (basic)
to install them. On Linux, they should be installed by default.
Then, you need to inizialite gcloud. To do so, open a terminal, type:
<code>gcloud init</code>
Code language: Bash (bash)
and then follow the initialization instructions (you’ll be required to login to your Google account). It may also ask to select a project or create one if you don’t have any.
If you are not the owner of the Google Cloud project (or the roles/owner
role), you may have problems creating the EAB credentials. You may need to run:
gcloud projects add-iam-policy-binding <var>PROJECT_ID_HERE</var> --member=user:<var>USER_HERE</var> --role=roles/publicca.externalAccountKeyCreator
Code language: Bash (bash)
to grant all the necessary permissions. Don’t forget to replace PROJECT_ID_HERE
with your Google Cloud project ID, and USER_HERE
with the unique identifier of the user to whom you want to create ACME EAB credentials (usually the email address). If you get any errors, please post them on the comment section below.
Now, you’ll need to run:
gcloud services enable publicca.googleapis.com
Code language: Bash (bash)
to enable the Public Certificate Authority API. This is required to create the EAB credentials in the next step.
Lastly, run:
gcloud beta publicca external-account-keys create
to create your ACME EAB credentials. You’ll receive an output like this:
Created an external account key
[b64MacKey: vj4T0e(...)2xCoDc9w
keyId: f729(...)26c6]
to finally obtain the ACME EAB credentials. The keyId is the eab-kid and the b64MacKey is the eab-hmac-key.
Now you’ve obtained the necessary credentials to start using Google’s Public ACME CA. But you’re far from being ready. You’ll now need to setup and configure an ACME client to be able to issue certificates from GTS. Certbot will work fine, but I would suggest that you use acme.sh.
In your server, run:
curl https://get.acme.sh | bash
source ~/.acme.sh/acme.sh.env
Code language: Bash (bash)
to install the latest version of acme.sh. If you get any errors while installing, try:
curl https://get.acme.sh -o install
bash install force
source ~/.acme.sh/acme.sh.env
Code language: Bash (bash)
You’ll probably won’t be able to auto-renew your SSL certificates (you’ll need to renew them each 90 days), but it’ll be enough to at least obtain and manage them.
After installing acme.sh, run:
acme.sh --set-default-ca --server google
Code language: Bash (bash)
to use Google’s Public CA as the default one. Also, you can run:
acme.sh --set-default-ca --server https://dv.acme-v02.api.pki.goog/directory
Code language: Bash (bash)
to get the same results. Then, run:
acme.sh --register-account -ak 4096 -m EMAIL_ADDRESS_HERE --eab-kid GOOGLE_EAB_KID --eab-hmac-key GOOGLE_EAB_HMAC_KEY
Code language: Bash (bash)
to register your ACME account the ACME EAB credentials you previously obtained. Remember to replace EMAIL_ADDRESS_HERE
with the email address that you may want to receive important security notifications, GOOGLE_EAB_KID
with your eab-kid and GOOGLE_EAB_HMAC_KEY
with your eab-hmac-key. The command should say that the account has been properly created.
Last but not least, remember to add the necessary CAA records to your domains, so that they can obtain certificates from Google Trust Services. If you don’t have any, you may not need to add them.
0 issue pki.goog; cansignhttpexchanges=yes
0 issuewild pki.goog; cansignhttpexchanges=yes
And now you are ready to issue certificates from Google Trust Services! Please refer to this guide to know how to use acme.sh to request certificates.
And that’s all! If you find this tutorial useful, please share it to the people you know and that may find it interesting, and leave a comment below. Since I don’t track real website visits using tools like Google Analytics, those are great indicators to know how many people use my services.
Thanks a lot for visiting my website!