Request a certificate using Public CA and an ACME client

This tutorial walks you through requesting a TLS certificate with Public Certificate Authority by using the Google Cloud CLI. For information about the root and intermediate CAs used by Public Certificate Authority, see Google Trust Services. There is no charge for requesting certificates from Public CA.

Before you begin

  • Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init

  • Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  • Make sure that you have either the Owner (roles/owner) or the Public CA External Account Key Creator (publicca.externalAccountKeyCreator) IAM role.

    To grant the Public CA External Account Key Creator (publicca.externalAccountKeyCreator) IAM role, run the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=user:USER \
      --role=roles/publicca.externalAccountKeyCreator
    

    Replace the following:

    • PROJECT_ID: the ID of your Google Cloud project
    • USER: the unique identifier of the user to whom you want to assign the IAM role

    For information about granting an IAM role, see Manage access to projects, folders, and organizations.

  • Enable the Public CA API:

    gcloud services enable publicca.googleapis.com

Install a client

To get started using Public CA, you must install an ACME client. The following instructions use Certbot as the ACME client. You can use any other ACME client if the client supports external account binding (EAB).

To install Certbot, see the Certbot instructions.

Make sure to point your client to the Public CA server. The first time the ACME client interacts with Public CA, the client generates a new key pair and sends the public key to Public CA.

Request an EAB key ID and HMAC

After you install an ACME client, you must register your ACME account with Public CA to request certificates from Public CA. An EAB secret can help you register your ACME account with Public CA. An EAB secret consists of a key ID and a hash-based message authentication code (HMAC).

You can use the Public CA API or the Google Cloud CLI to request an EAB secret.

To request an EAB key ID and HMAC, run the following command:

gcloud publicca external-account-keys create

This command returns an EAB secret that is valid on the production environment of Public CA. In the response body, the keyId field contains the EAB key ID, and the b64MacKey field contains the EAB HMAC.

You must use an EAB secret within 7 days of obtaining it. The EAB secret is invalidated if you don't use it within 7 days. The ACME account registered by using an EAB secret has no expiration.

Register an ACME account

This section explains how to register an ACME account with Public CA by providing the EAB secret that you just obtained.

Use a regular ACME client to register an ACME account, and provide the EAB key ID and HMAC while registering.

To register an ACME account with Public CA and bind the ACME account to the Google Cloud project that you used to request the EAB secret, run the following command:

certbot register \
    --email "EMAIL_ADDRESS" \
    --no-eff-email \
    --server "SERVER" \
    --eab-kid "EAB_KID" \
    --eab-hmac-key "EAB_HMAC_KEY"

Replace the following:

  • EMAIL_ADDRESS: your email address
  • SERVER: the ACME directory URL for the production or staging environment
  • EAB_KID: the EAB key ID
  • EAB_HMAC_KEY: the EAB HMAC key

The following table provides the description and the ACME directory URL for the production and staging environment:

Environment Description ACME directory URL
Production The production environment lets you obtain publicly trusted certificates. https://dv.acme-v02.api.pki.goog/directory
Staging The staging environment returns certificates that are not publicly trusted. The staging environment performs the same validation checks as the production environment. You can use the staging environment for integration or any other kind of testing. https://dv.acme-v02.test-api.pki.goog/directory

You can only register one ACME account with an EAB secret. After you have registered an ACME account by using an EAB secret, the EAB secret becomes invalid and you can't reuse it. If you want to register multiple ACME accounts, you must request a unique EAB secret for each of the accounts.

Request certificates

After Public CA validates your control of the certificate target and acknowledges that your ACME client works as expected to perform certificate management operations, you can use the regular ACME workflows to request, renew, and revoke certificates. You can perform these operations by using your ACME client. To request and renew a certificate, you must complete an ACME challenge, such as the manual DNS challenge.

To use the manual DNS challenge to request a certificate, run the following command:

certbot certonly \
    --manual \
    --preferred-challenges "dns-01" \
    --server "SERVER" \
    --domains "DOMAINS"

Replace the following:

  • SERVER: the ACME directory URL for the production or staging environment
  • DOMAINS: a comma-separated list of domains for which you are requesting certificates

Clean up

If you no longer need certificates for your domains, delete the project that you created.

Staging

You can use the staging environment of Public CA to request certificates for testing purposes. The certificates issued by the staging environment chain up to a test root CA. Certificates from the staging environment will not be trusted by Browsers or other clients that have not been configured to trust the staging root certificate. To obtain an EAB secret that is valid on the staging environment, override the API endpoint to use the endpoint for the staging environment:

gcloud config set api_endpoint_overrides/publicca https://preprod-publicca.googleapis.com/
Then run the account key creation command to create a staging key:
gcloud publicca external-account-keys create
To revert to the endpoint for the production environment, run the following command:
gcloud config unset api_endpoint_overrides/publicca

Delete a Google Cloud project:

gcloud projects delete PROJECT_ID

What's next