Request a certificate using Public CA and an ACME client
This tutorial walks you through requesting a TLS certificate with
Public Certificate Authority by using the Google Cloud CLI. For information about the root and
intermediate CAs used by Public Certificate Authority, see
Google Trust Services. There is no charge
for requesting certificates from Public CA.
Before you begin
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI
by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to
the gcloud CLI with your federated identity.
Note: You can run the gcloud CLI in the Google Cloud console without installing
the Google Cloud CLI. To run the gcloud CLI in the Google Cloud console, use
Cloud Shell.
Create or select a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure,
create a project instead of selecting an existing project. After you finish these
steps, you can delete the project, removing all resources associated with the
project.
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with your Google Cloud project name.
Make sure that you have the Public CA External Account Key Creator
(roles/publicca.externalAccountKeyCreator) IAM role. To grant this role, run the
following command:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:USER \
  --role=roles/publicca.externalAccountKeyCreator
Replace the following:
PROJECT_ID: the ID of your Google Cloud project
USER: the unique identifier of the user to whom you want to assign the IAM role
For information about granting an IAM role, see Manage access to projects,
folders, and organizations.
Enable the Public CA API:
gcloud services enable publicca.googleapis.com
Install a client
To get started using Public CA, you must install an ACME client. The following
instructions use Certbot as the ACME client. You can use any other ACME client if
the client supports external account binding (EAB). To install Certbot, see the
Certbot instructions.
Make sure to point your client to the Public CA server. The first time the ACME
client interacts with Public CA, the client generates a new key pair and sends
the public key to Public CA.
Request an EAB key ID and HMAC
After you install an ACME client, you must register your ACME account
with Public CA to request certificates from Public CA.
An EAB secret can help you register your ACME account with
Public CA. An EAB secret consists of a key ID and a hash-based
message authentication code (HMAC).
You can use the Public CA API or the Google Cloud CLI to request an EAB secret.
To request an EAB key ID and HMAC, run the following command:
gcloud publicca external-account-keys create
This command returns an EAB secret that is valid on the production
environment of Public CA. In the response body, the keyId
field contains the EAB key ID, and the b64MacKey field contains the EAB HMAC.
You must use an EAB secret within 7 days of obtaining it. The EAB secret is
invalidated if you don't use it within 7 days. The ACME account registered
by using an EAB secret has no expiration.
Register an ACME account
This section explains how to register an ACME account with
Public CA by providing the EAB secret that you just obtained.
Use a regular ACME client to register an ACME account, and provide the
EAB key ID and HMAC while registering.
Note: If you are using the API, know that the HMAC is base64 URL-encoded
(RFC 4648, section 5), which is slightly different from the regular base64
encoding.
To register an ACME account with Public CA and bind the ACME
account to the Google Cloud project that you used to request the EAB secret, run the
following command:
certbot register \
  --email "EMAIL_ADDRESS" \
  --no-eff-email \
  --server "SERVER" \
  --eab-kid "EAB_KID" \
  --eab-hmac-key "EAB_HMAC_KEY"
Replace the following:
EMAIL_ADDRESS: your email address
SERVER: the ACME directory URL for the production or staging environment
EAB_KID: the EAB key ID
EAB_HMAC_KEY: the EAB HMAC key
The following table provides the description and the ACME directory URL for the
production and staging environment:
Environment: Production
Description: The production environment lets you obtain publicly trusted
certificates.
ACME directory URL: https://dv.acme-v02.api.pki.goog/directory
Environment: Staging
Description: The staging environment returns certificates that are not publicly
trusted. The staging environment performs the same validation checks as the
production environment. You can use the staging environment for integration or
any other kind of testing.
ACME directory URL: https://dv.acme-v02.test-api.pki.goog/directory
You can only register one ACME account with an EAB secret. After you have
registered an ACME account by using an EAB secret, the EAB secret becomes invalid
and you can't reuse it. If you want to register multiple ACME accounts, you must
request a unique EAB secret for each of the accounts.
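To show what an ACME client actually does with the key ID and HMAC during registration, here is an added Python example (not code from this page, Certbot, or Google) that builds and verifies the externalAccountBinding JWS from RFC 8555 section 7.3.4, and that handles the base64url encoding of the HMAC key noted above. The key ID, HMAC key, and account JWK are constructed sample values, and the newAccount URL is a placeholder; a real client reads that URL from the Public CA directory document.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, standing in for the keyId and b64MacKey fields that
# `gcloud publicca external-account-keys create` returns. They are not real secrets.
SAMPLE_EAB_KID = "example-eab-kid-0123456789"
SAMPLE_B64_MAC_KEY = "Yzh0M2J5dTJ0ZXN0bWFja2V5X25vdF9hX3JlYWxfa2V5"   # base64url, no '=' padding
# Constructed ACME account public key (JWK); a real client uses its own generated key pair.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
# Assumption: the newAccount URL is read from the Public CA directory document at
# https://dv.acme-v02.api.pki.goog/directory; this value is a placeholder, not a real endpoint.
ASSUMED_NEW_ACCOUNT_URL = "https://dv.acme-v02.api.pki.goog/PLACEHOLDER-new-account"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url whose '=' padding may have been stripped; reject standard base64."""
    if "+" in text or "/" in text:
        raise ValueError("b64MacKey must be base64url (RFC 4648 section 5), not standard base64")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab_jws(kid: str, b64_mac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS an ACME client embeds in its newAccount request
    (RFC 8555 section 7.3.4): HS256 over the account public key, keyed with the EAB HMAC key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(b64_mac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url_encode(mac.digest())}


def verify_eab_jws(jws: dict, b64_mac_key: str) -> bool:
    """Recompute the MAC the way the CA does and compare it in constant time."""
    signing_input = f"{jws['protected']}.{jws['payload']}".encode()
    expected = hmac.new(b64url_decode(b64_mac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))


if __name__ == "__main__":
    jws = build_eab_jws(SAMPLE_EAB_KID, SAMPLE_B64_MAC_KEY, SAMPLE_ACCOUNT_JWK, ASSUMED_NEW_ACCOUNT_URL)
    print(json.dumps(jws, indent=2))
    print("verifies:", verify_eab_jws(jws, SAMPLE_B64_MAC_KEY))
```

Because the EAB secret is single-use and expires after 7 days, a client that fails to decode the key as base64url produces a wrong MAC, and the registration is rejected rather than silently bound to the wrong project.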
Request certificates
After Public CA validates your control of the certificate target
and acknowledges that your ACME client works as expected to perform
certificate management operations, you can use the regular ACME workflows to
request, renew, and revoke certificates. You can perform these operations by using
your ACME client. To request and renew a certificate, you must complete
an ACME challenge,
such as the manual DNS challenge.
To use the manual DNS challenge to request a certificate, run the following
command:
certbot certonly \
  --manual \
  --preferred-challenges "dns-01" \
  --server "SERVER" \
  --domains "DOMAINS"
Replace the following:
SERVER: the ACME directory URL for the production or staging environment
DOMAINS: a comma-separated list of domains for which you are requesting
certificates
Clean up
Caution: Deleting a Google Cloud project invalidates all the ACME accounts that
you have linked to the project. After your Google Cloud project is deleted, you
will not be able to renew or issue certificates.
If you no longer need certificates for your domains,
delete the project that you created.
Caution: Deleting a project has the following effects:
Everything in the project is deleted. If you used an existing project for the
tasks in this document, when you delete it, you also delete any other work
you've done in the project.
Custom project IDs are lost. When you created this project, you might have
created a custom project ID that you want to use in the future. To preserve the
URLs that use the project ID, such as an appspot.com URL, delete selected
resources inside the project instead of deleting the whole project.
If you plan to explore multiple architectures, tutorials, or quickstarts, reusing
projects can help you avoid exceeding project quota limits.
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
Staging
You can use the staging environment of Public CA to request
certificates for testing purposes. The certificates issued by the staging
environment chain up to a test root CA.
Certificates from the staging environment are not trusted by browsers or other
clients that have not been configured to trust the staging root certificate. To
obtain an EAB secret that is valid on the staging environment,
override the API endpoint to use the endpoint for the staging environment:
gcloud config set api_endpoint_overrides/publicca https://preprod-publicca.googleapis.com/
Then run the account key creation command to create a staging key:
gcloud publicca external-account-keys create
To revert to the endpoint for the production environment, run the following
command:
gcloud config unset api_endpoint_overrides/publicca
What's next
Public Certificate Authority
Last updated 2025-08-29 UTC.