I've been really happy over the years to see more CAs start to offer certificates via ACME and that those CAs have some kind of free certificate offering. Let's Encrypt is awesome and I've used them since the beginning, but for something as important as certificates, you always need a backup.

Google Trust Services

You can now use Google Trust Services to issue free certificates via ACME just like all of the other CAs I've listed previously! Google have a blog post on how to automate certificates using ACME, but I'll be going over the setup in my environment here too.

Create an External Account Binding

I created a new project in my Google Cloud Console just to demo this. You need to set up an External Account Binding (EAB) to link the certificate requests you make against the ACME API to your Google Cloud account.

$ gcloud config set project <Your project ID>
Updated property [core/project].

$ gcloud projects add-iam-policy-binding <Your project ID> \
  --member=user:<Your user email address> \
  --role=roles/publicca.externalAccountKeyCreator
Updated IAM policy for project [<Your project ID>].
- members:
  - user:<Your user email address>
  role: roles/owner
- members:
  - user:<Your user email address>
  role: roles/publicca.externalAccountKeyCreator
etag: BwXnDgDdYss=
version: 1

$ gcloud alpha publicca external-account-keys create
API [publicca.googleapis.com] not enabled on project [<Your project ID>]. Would you like to enable and retry (this will take
a few minutes)? (y/N)?  y

Enabling service [publicca.googleapis.com] on project [<Your project ID>]...
Operation "operations/acat.p2-<Your project ID>-a546cb16-3d71-457e-9609-4bb977c1953d" finished successfully.
Created an external account key
[b64MacKey: <Your EAB HMAC key>
keyId: <Your EAB key ID>]

From the final lines of output above, you can get your EAB HMAC key and your EAB key ID, which you will need in the next step.

Register an account

I'm using the acme.sh client, so your command will differ slightly if you're using a different client, but the process is the same. You will need your account email address and both the EAB HMAC key and the EAB key ID from above.

$ acme.sh --register-account -m <Your user email address> --server google \
>  --eab-kid <Your EAB key ID> \
>  --eab-hmac-key <Your EAB HMAC key>
[Thu 25 Aug 10:18:08 UTC 2022] Create account key ok.
[Thu 25 Aug 10:18:09 UTC 2022] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Thu 25 Aug 10:18:11 UTC 2022] Registered
[Thu 25 Aug 10:18:11 UTC 2022] ACCOUNT_THUMBPRINT='<Your account thumbprint>'

That's it, you're all set and ready to start issuing certificates!!

Issuing your first Google certificate

If you want to issue your first certificate from Google, you simply run your normal issuance command but specify the Google API endpoint to be used for issuance. With acme.sh, that's as simple as this.

$ acme.sh --issue --dns dns_cf -d goog-test.scotthelme.co.uk --force --keylength ec-256 --server google

I'm using the DNS01 challenge with my Cloudflare DNS integration and using the Google API endpoint for issuance, and a few moments later... 🎉


More randomisation for my CA

As I've mentioned before, I have multiple servers and services at home that use certificates and when it comes time to renew, I randomly select the CA I'm going to use. If we look at part of the renewal script for one of the servers I run at home, I now have this.

set -e
SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom" "google")
/home/scott/acme.sh/acme.sh --issue --dns dns_cf -d home.scotthelme.co.uk --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")
# commands to deploy certificate

Looking at the acme.sh command to issue, you can see it will randomly select one of the SERVERS to use for issuance and now, I have a nice selection of 5 to choose from!
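The script above picks one CA and stops there, so an outage at the chosen CA means a failed renewal. Here is an added example (my own, not code from the post) that keeps the random choice but falls back to the remaining CAs if the first attempt fails; it assumes the same acme.sh path and Cloudflare DNS setup as the post, with `issue_cert` wrapped in a function so it can be swapped out in tests.

```shell
#!/bin/sh
# Added example, not from the original post: pick an ACME CA at random and,
# if issuance through it fails, fall back to the remaining CAs so that a
# single CA outage does not break renewal.

# Same five CAs as the renewal script in the post.
SERVERS="zerossl letsencrypt buypass sslcom google"
# Path from the post; assumption: it can be overridden via the environment.
ACME_SH="${ACME_SH:-/home/scott/acme.sh/acme.sh}"

# issue_cert DOMAIN SERVER: one issuance attempt against one CA, using the
# same options as the post. Kept as a function so callers and tests can
# substitute their own.
issue_cert() {
  "$ACME_SH" --issue --dns dns_cf -d "$1" --force --keylength ec-256 --server "$2"
}

# issue_with_fallback DOMAIN: shuffle the CA list once, try each CA in that
# order and print the name of the CA that succeeded. Returns 1 only if every
# CA in the list failed.
issue_with_fallback() {
  domain="$1"
  for ca in $(shuf -e $SERVERS); do
    if issue_cert "$domain" "$ca"; then
      echo "$ca"
      return 0
    fi
    echo "issuance via $ca failed, trying the next CA" >&2
  done
  echo "all CAs failed for $domain" >&2
  return 1
}

# Stand-alone usage: ./renew.sh home.example.com
if [ "$#" -gt 0 ]; then
  issue_with_fallback "$1"
fi
```

The CA that actually issued is printed on stdout, so the deploy step that follows can log which CA was used for that renewal.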

To try and make it easier to keep track of the free CAs that you can use for certificates via ACME, I've created a new tag and added it to all of the blog posts listing them. You can find them all here: https://scotthelme.co.uk/tag/free-acme-ca/

Update: Here is the crt.sh link for my new cert! https://crt.sh/?id=7405924314

Update: The CAA value for this CA is pki.goog.