Google Trust Services Certificates
2min · Dmitry Scherbakov
You would need some machine running Linux. I recommend using Docker containers, since they are portable and easy to use. Please note: you do NOT have to be a Google Cloud VPS user, you do NOT have to pay anything to Google; everything described here is completely free to use for everybody (NOTE: you might still run into issues when issuing certificates for su, ru or other TLDs). Certificates are issued for 3 months (same as Internet Security Research Group (ISRG) ones).
Steps
- Install the gcloud application to manage Google projects, together with the other required dependencies:
    apt-get update && apt-get install -y apt-transport-https ca-certificates gnupg curl certbot
    curl 'https://packages.cloud.google.com/apt/doc/apt-key.gpg' | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
    apt-get update && apt-get install -y --no-install-recommends google-cloud-cli
- Initialize the gcloud application by running the following. You would be redirected to Google's login page (or you would need to manually paste the given link into a browser to continue the login):
    gcloud auth login --brief
  After login, Google would offer you a verification code, which looks like this:
    4/0AVG7fiTjWIBro8KZPcJIoIr4KPsELh8mJ73PHPQuPbWE_R8xO9LAj5RH3wp4Blc08RT9Yw
  Paste it into the running gcloud auth login application to grant it access to your account.
- Create and select a new project (I strongly recommend creating a new project rather than using an older one):
    gcloud projects create '<PROJECT>' && gcloud config set project '<PROJECT>'
- Enable Google's Public CA API for the project:
    gcloud services enable publicca.googleapis.com
- Request the EAB key ID and HMAC using the Public CA API:
    gcloud publicca external-account-keys create
  This command seems to check the standard input/output handles with the isatty function, so redirecting input or output handles is not a good idea. Instead, you can use:
    gcloud publicca external-account-keys create --key-output-file <FILE-TO-WRITE-KEYS>
  If everything ends up being successful, you would see a message like this:
    Created an external account key [b64MacKey: Vk_cbn1fROuZrRhRygYLiutN2BJlhCoEFK27-ix1XU9fYm8QYW5hJXPSoLLLMNB45NqCqMEpNeaDEn5C635fcA keyId: 205f20c560012178a96ce7f168516a75]
  Or, if you decided to write the credentials to a file:
    $ cat <FILE-TO-WRITE-KEYS>
    b64MacKey: Vk_cbn1fROuZrRhRygYLiutN2BJlhCoEFK27-ix1XU9fYm8QYW5hJXPSoLLLMNB45NqCqMEpNeaDEn5C635fcA
    keyId: 205f20c560012178a96ce7f168516a75
  Where Vk_cb ... 35fcA is your HMAC key and 205f20c560012178a96ce7f168516a75 is your EAB key ID. These keys are valid for 7 days. Save these keys somewhere, as we would need them soon. If you are getting a permission denied error, you should retry this command a bunch of times and wait a few minutes (>=3) before each new attempt.
- Register an ACME account using certbot. One pair of EAB KID and HMAC KEY can be used to register an account only once:
    certbot register \
      --email '<YOUR EMAIL>' --no-eff-email \
      --server 'https://dv.acme-v02.api.pki.goog/directory' \
      --eab-kid '<EAB KEY ID FROM STEP 5>' \
      --eab-hmac-key '<HMAC FROM STEP 5>'
  For me, this command would look as follows:
    certbot register \
      --email 'admin@sthrmail.com' --no-eff-email \
      --server 'https://dv.acme-v02.api.pki.goog/directory' \
      --eab-kid '205f20c560012178a96ce7f168516a75' \
      --eab-hmac-key 'Vk_cbn1fROuZrRhRygYLiutN2BJlhCoEFK27-ix1XU9fYm8QYW5hJXPSoLLLMNB45NqCqMEpNeaDEn5C635fcA'
- Request certificates:
    certbot certonly \
      --manual --preferred-challenges dns \
      --server 'https://dv.acme-v02.api.pki.goog/directory' \
      --domains 'example.tld' --domains '*.example.tld'
- Log in to your Google Cloud console (in a browser) and remove the newly created project, since Google actually has a limit of roughly 15 projects.
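The steps above, collected into one POSIX sh script as an added example (this is not code from the original post). It assumes gcloud and certbot are installed (step 1) and that gcloud auth login has already been run (step 2); the function names, the "run" argument and the key-file handling are this script's own conventions, not gcloud's or certbot's. Beyond the post's commands it parses the keyId and b64MacKey lines out of the --key-output-file, refuses a key file older than the 7-day validity window, and deletes the project at the end so the project limit is not hit.

```shell
#!/bin/sh
# Added example (not from the original post): drives steps 3 to 8 end to end.
# Assumes gcloud and certbot are installed and 'gcloud auth login' was run.
# Function names, the "run" argument and the key-file handling are this
# script's own conventions.
set -eu

GTS_DIRECTORY='https://dv.acme-v02.api.pki.goog/directory'

# Parse a key file written by
#   gcloud publicca external-account-keys create --key-output-file <FILE>
# which holds the lines "b64MacKey: <hmac>" and "keyId: <kid>" (step 5).
# Prints "<kid> <hmac>" on one line; fails if a value is missing or the
# MAC key is not base64url (letters, digits, '-' and '_' only).
parse_eab_keys() {
    kid=$(sed -n 's/^keyId:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    hmac=$(sed -n 's/^b64MacKey:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$kid" ] && [ -n "$hmac" ] || return 1
    case "$hmac" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s %s\n' "$kid" "$hmac"
}

# The post says EAB keys are valid for 7 days: refuse a key file older than
# that (find's -mtime +6 lists files modified more than 6 full days ago), so a
# stale pair is caught here rather than as a registration error from certbot.
eab_keys_fresh() {
    [ -f "$1" ] && [ -z "$(find "$1" -mtime +6 -print)" ]
}

# Steps 3-5: fresh project, enable the Public CA API, write the single-use
# EAB keys to a file (--key-output-file sidesteps the isatty check).
create_eab_keys() {
    gcloud projects create "$1"
    gcloud config set project "$1"
    gcloud services enable publicca.googleapis.com
    gcloud publicca external-account-keys create --key-output-file "$2"
}

# Step 6: one EAB pair registers exactly one ACME account.
register_account() {
    eab_keys_fresh "$2" || { echo "EAB key file missing or older than 7 days" >&2; return 1; }
    eab=$(parse_eab_keys "$2") || { echo "could not parse EAB key file" >&2; return 1; }
    certbot register --email "$1" --no-eff-email --server "$GTS_DIRECTORY" \
        --eab-kid "${eab%% *}" --eab-hmac-key "${eab#* }"
}

# Step 7: request one certificate covering every domain given (wildcards
# included). POSIX sh has no arrays, so each bare domain is shifted off the
# front while "--domains <d>" is appended at the back.
issue_cert() {
    for d in "$@"; do
        set -- "$@" --domains "$d"
        shift
    done
    certbot certonly --manual --preferred-challenges dns \
        --server "$GTS_DIRECTORY" "$@"
}

# Run the whole flow only when asked explicitly, e.g.
#   sh gts-cert.sh run my-gts-project admin@example.tld example.tld '*.example.tld'
if [ "${1:-}" = run ]; then
    project=$2; email=$3; shift 3
    key_file=$(mktemp)
    create_eab_keys "$project" "$key_file"
    register_account "$email" "$key_file"
    issue_cert "$@"
    rm -f "$key_file"                           # the pair is spent; don't keep it on disk
    gcloud projects delete "$project" --quiet   # step 8: stay under the project limit
fi
```

The certonly call keeps the post's --manual DNS challenge, so certbot will still prompt for the TXT records to publish; the script's value is in the checks before that point, where a malformed or expired EAB pair is the usual reason a first registration against the Google directory fails.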