Sunday, April 6, 2025

Effortless SSL Management with Google’s GTS CA Using acme.sh: A Step-by-Step Guide

by will

Introduction

Recently, Google has opened up its GTS CA (Google Trust Services) to the public. As a major global company, Google’s offering is certainly worth taking advantage of! The service has now entered the Public Review phase, which means you no longer need to apply for beta access. Moreover, it supports fast certificate issuance using acme.sh, making it a perfect time to utilize this service.

Overview of GTS SSL Certificates

GTS SSL certificates come with several key features:

  • Support for IP Address Certificates: Ideal for IP address block holders.
  • Root CA: GTS uses GlobalSign as its root CA, which offers better compatibility and support compared to Let’s Encrypt.
  • ECC Certificates: GTS supports ECC certificates, which offer enhanced security and performance.
  • Multi-Domain and Wildcard Certificates: You can apply for multi-domain and wildcard certificates (e.g., *.cestlavie.moe).
  • Validity Period: Certificates are valid for 90 days.
  • ACME Validation Methods: Supports TLS-ALPN-01, HTTP-01, and DNS-01 validation methods.
  • Limitations: Email validation is not supported, and internationalized domain names (IDNs) cannot be used.

Steps to Apply for GTS Certificates Using acme.sh

1. Obtain a Registration Key

First, open your Google Cloud Shell at shell.cloud.google.com and enter the following command to create credentials:

$ gcloud beta publicca external-account-keys create

You will be prompted to enable the publicca.googleapis.com API if it is not already enabled:

API [publicca.googleapis.com] not enabled on project [<projectid>]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y

After enabling the API, the following information will be returned:

Created an external account key
[b64MacKey: <hmac_key>
keyId: <keyid>]

Make sure to save the <hmac_key> and <keyid> as you will need them in the next steps.

2. Install acme.sh

If you haven’t already installed acme.sh, you can do so with the following command:

curl https://get.acme.sh | sh -s

You should see “Install success!” once the installation is complete.

3. Register Using Your Credentials

Next, switch the default CA to Google:

acme.sh --set-default-ca --server google

Then, register your account with the credentials obtained earlier:

acme.sh --server https://dv.acme-v02.api.pki.goog/directory \
--register-account --accountemail <Your_Email> --eab-kid <keyid> --eab-hmac-key <hmac_key>

4. Issue Certificates

Manual DNS Verification

To issue a certificate using manual DNS verification, run the following command:

acme.sh --issue --dns -d yourdomain.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please

The command will output the TXT record you need to add to your DNS settings:

Add the following TXT record:
Domain: '_acme-challenge.yourdomain.com'
TXT value: '<TXT_value>'

After setting the DNS record, finalize the process with:

acme.sh --renew -d yourdomain.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please

Once you see “Cert success”, your certificate has been successfully issued. The certificate files will be located in ~/.acme.sh/yourdomain.com/.

Automatic DNS Verification via Cloudflare API

To automate the DNS verification process using Cloudflare, first, obtain your Global API Key from the Cloudflare dashboard. Then, export the necessary environment variables:

export CF_Key='<YourGlobalAPIKey>'
export CF_Email='<YourEmail>'

Now, you can issue a certificate with the following commands:

  • For a single domain:
acme.sh --issue --dns dns_cf -d yourdomain.com
  • For a wildcard domain:
acme.sh --issue --dns dns_cf -d *.yourdomain.com
  • For multiple domains:
acme.sh --issue --dns dns_cf -d sub1.yourdomain.com -d sub2.yourdomain.com
  • For an ECC certificate (explicitly requesting an EC P-256 key; recent acme.sh releases already default to ec-256):
acme.sh --issue --dns dns_cf -d yourdomain.com --keylength ec-256

After the process completes successfully (“Cert success”), the certificate files will be available in ~/.acme.sh/yourdomain.com/. The Cloudflare credentials will be stored in ~/.acme.sh/account.conf for automatic renewal.
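Before copying the files out of ~/.acme.sh/yourdomain.com/ into a web server, it is worth checking what was actually issued. The script below is an added example, not part of acme.sh or this post: it assumes the fullchain.cer file acme.sh writes there and the text format of `openssl x509 -noout -issuer -enddate -ext subjectAltName` (OpenSSL 1.1.1 or newer), and it confirms the issuer is Google Trust Services, the validity does not exceed the 90 days described above, and every hostname you expect is covered by a SAN, with a wildcard matching exactly one label.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=90)  # GTS leaf certificates are valid for 90 days

def parse_x509_text(text):
    """Pull issuer, notAfter and DNS SANs out of openssl's -noout output."""
    issuer = re.search(r"^issuer=(.*)$", text, re.M).group(1)
    raw = re.search(r"^notAfter=(.*)$", text, re.M).group(1)
    not_after = datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return issuer, not_after, re.findall(r"DNS:([^,\s]+)", text)

def san_covers(san, name):
    """Hostname match: '*' stands for exactly one leftmost label, so '*.x' never covers 'a.b.x'."""
    san, name = san.lower(), name.lower()
    if san.startswith("*."):
        head, dot, tail = name.partition(".")
        return bool(head) and dot == "." and tail == san[2:]
    return san == name

def check_cert(issuer, not_after, sans, expected_names, now=None):
    """Return a list of problems; an empty list means the cert is safe to deploy."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if "Google Trust Services" not in issuer:
        problems.append(f"unexpected issuer: {issuer}")
    if not_after <= now:
        problems.append("certificate already expired")
    elif not_after - now > MAX_VALIDITY:
        problems.append("validity longer than 90 days, not a GTS leaf certificate?")
    for name in expected_names:
        if not any(san_covers(s, name) for s in sans):
            problems.append(f"{name} is not covered by SANs {sans}")
    return problems

def check_file(path, expected_names):
    """Run openssl on e.g. ~/.acme.sh/yourdomain.com/fullchain.cer and check it."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-issuer", "-enddate",
           "-ext", "subjectAltName"]
    text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_cert(*parse_x509_text(text), expected_names)

# Constructed sample of that openssl output for a GTS wildcard certificate.
SAMPLE = """issuer=C = US, O = Google Trust Services, CN = WE1
notAfter=Jul  4 12:00:00 2025 GMT
X509v3 Subject Alternative Name:
    DNS:yourdomain.com, DNS:*.yourdomain.com
"""
```

Call check_file("/root/.acme.sh/yourdomain.com/fullchain.cer", ["yourdomain.com", "www.yourdomain.com"]) from a deploy or renew hook and refuse to install the certificate when the returned list is not empty.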

Copyright © 2025 zew9.com All Rights Reserved.