I've been really happy over the years to see more CAs start to offer certificates via ACME and that those CAs have some kind of free certificate offering. Let's Encrypt is awesome and I've used them since the beginning, but for something as important as certificates, you always need a backup.

Google Trust Services

You can now use Google Trust Services to issue free certificates via ACME just like all of the other CAs I've listed previously! Google have a blog on how to automate cetrificates using ACME, but I'll be going over the setup in my environment here too.

Create an External Account Binding

I created a new project in my Google Cloud Console just to demo this and we need to setup an EAB to link your certificate requests against the ACME API to your Google Cloud account. 

$ gcloud config set project <Your project ID>
Updated property [core/project].

$ gcloud projects add-iam-policy-binding project-foo \
  --member=user:<Your user email address> \
  --role=roles/publicca.externalAccountKeyCreator
Updated IAM policy for project [<Your project ID>].
bindings:
- members:
  - user:<Your user email address>
  role: roles/owner
- members:
  - user:<Your user email address>
  role: roles/publicca.externalAccountKeyCreator
etag: BwXnDgDdYss=
version: 1

$ gcloud alpha publicca external-account-keys create
API [publicca.googleapis.com] not enabled on project [<Your project ID>]. Would you like to enable and retry (this will take
a few minutes)? (y/N)?  y

Enabling service [publicca.googleapis.com] on project [<Your project ID>]...
Operation "operations/acat.p2-<Your project ID>-a546cb16-3d71-457e-9609-4bb977c1953d" finished successfully.
Created an external account key
[b64MacKey: <Your EAB HMAC key>
keyId: <Your EAB key ID>]

From the final lines of output above, you can get your EAB HMAC key and your EAB key ID, which you will need in the next step.

Register an account

I'm using the acme.sh client, so your command will differ slightly if you're using a different client, but the process is the same. You will need your account email address and both the EAB HMAC key and the EAB key ID from above.

acme.sh  --register-account  -m  <Your user email address> --server google \
>  --eab-kid <Your EAB key ID> \
>  --eab-hmac-key <Your EAB HMAC key>
[Thu 25 Aug 10:18:08 UTC 2022] Create account key ok.
[Thu 25 Aug 10:18:09 UTC 2022] Registering account: https://dv.acme-v02.api.pki.goog/directory
[Thu 25 Aug 10:18:11 UTC 2022] Registered
[Thu 25 Aug 10:18:11 UTC 2022] ACCOUNT_THUMBPRINT='<Your account thumbprint>

That's it, you're all set and ready to start issuing certificates!!

Issuing your first Google certificate

If you want to issue your first certificate from Google, you simply run your normal issuance command but specify the Google API endpoint to be used for issuance. With acme.sh, that's as simple as this.

$ acme.sh --issue --dns dns_cf -d goog-test.scotthelme.co.uk --force --keylength ec-256 --server google

I'm using the DNS01 challenge with my Cloudflare DNS integration and using the Google API endpoint for issuance, and a few moments later... 🎉

-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIQdr0GagxgnbARA2zFWjrFaTANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzETMBEGA1UEAxMKR1RTIENBIDFQNTAeFw0yMjA4MjUwOTE5NDNaFw0yMjExMjMw
OTE5NDJaMCUxIzAhBgNVBAMTGmdvb2ctdGVzdC5zY290dGhlbG1lLmNvLnVrMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmns1nGStdy1hSE94xKVTDpK74vGzHHJl
aqKt5hoZq/+XWTj9Teq21JN4Y6CzFziMi2e4PGF2Qz4GYy/+GaZMpKOCAoIwggJ+
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
AjAAMB0GA1UdDgQWBBQPdpGRDl6KmUlPCHzvktMJDqJwFjAfBgNVHSMEGDAWgBTV
/J4N3x7K3QiXl24rxV/FK/XsuDB4BggrBgEFBQcBAQRsMGowNQYIKwYBBQUHMAGG
KWh0dHA6Ly9vY3NwLnBraS5nb29nL3MvZ3RzMXA1L0hTNGlKSVZFZnhrMDEGCCsG
AQUFBzAChiVodHRwOi8vcGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxcDUuZGVyMCUG
A1UdEQQeMByCGmdvb2ctdGVzdC5zY290dGhlbG1lLmNvLnVrMCEGA1UdIAQaMBgw
CAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDov
L2NybHMucGtpLmdvb2cvZ3RzMXA1L1dJZ0NLZEZ1UGhFLmNybDCCAQUGCisGAQQB
1nkCBAIEgfYEgfMA8QB3AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXl
AAABgtSDzXUAAAQDAEgwRgIhANg9npcG0Md57V2sRpQcWE2ja7matdqolQtiomi9
FIIsAiEAses/1B3AG3vV77rMOrcVtZygPN6HsRPRcG8efq7PVVIAdgApeb7wnjk5
IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAYLUg81qAAAEAwBHMEUCIGrMIRIJ
k48Bn6S/ooSdyUOErPIGXMjxw9YK/PhBdCNUAiEAiuhVtjj32g9N/U9nhfs0BUi/
fNDdMcRp43bb4SS5btQwDQYJKoZIhvcNAQELBQADggEBAA4+/085xU2HHADNak+f
p5bNcgA75lgxOX1TLgpuj6OLgLW8d+f5tYz20kyCOYmnX5ZLDpz3R6wjx3V32k3j
nGX+Twl0cIzwX4wM8JXL5DPjSlSlRkmuvvnqdUi/GPVKPFdOzWd8mEeP0bJCR9Uk
xypamaq28zKkspqpfrP1BaD1aKmPxf4zK6JfgWXl6+GrpeFZ7M5t7ZTWqdBgatdm
3DWyo3EaAAq4fBe0vB1cg7iJeg6oQZRdT1TTQ2/xcCvM93md82XJ53fyIhJ1wibu
KN9xSn2MDHcq2l5at8Ojyqd17Um82XvMAmf/Mr3QlsyHNvznO7kyGq1LBrPrsbuv
SE0=
-----END CERTIFICATE-----

More randomisation for my CA

As I've mentioned before, I have multiple servers and services at home that use certificates and when it comes time to renew, I randomly select the CA I'm going to use. If we look at part of the renewal script for one of my servers I run at home, I now have this.

#!/bin/bash
set -e
SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom" "google")
/home/scott/acme.sh/acme.sh --issue --dns dns_cf -d home.scotthelme.co.uk --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")
...
# commands to deploy certificate

Looking at the acme.sh command to issue, you can see it will randomly select one of the SERVERS to use for issuance and now, I have a nice selection of 5 to choose from!

To try and make it easier to keep track of the free CAs that you can use for certificates via ACME, I've created a new tag and added it to all of the blog posts listing them. You can find them all here: https://scotthelme.co.uk/tag/free-acme-ca/

Update: Here is the crt.sh link for my new cert! https://crt.sh/?id=7405924314

Update: The CAA value for this CA is pki.goog.