Google Trust Services CA
वेणु गोपाल edited this page 2023-04-07 17:37:48 -04:00

Google just announced its free ACME server: https://cloud.google.com/blog/products/identity-security/automate-public-certificate-lifecycle-management-via--acme-client-api

It supports multiple domains and wildcard domains. The lifetime of the cert is 90 days, too.

  1. Follow this guide to create your EAB key and EAB id:

    https://cloud.google.com/public-certificate-authority/docs/quickstart

  2. Done. You can now register an ACME account and issue certs:

    acme.sh  --register-account  -m  myemail@example.com --server google \
        --eab-kid xxxxxxx \
        --eab-hmac-key xxxxxxx
    
    acme.sh --issue  --server google \
       -d example.com  --dns dns_googledomains
    
    

Here is an example cert:


The full chain:


Human readable format:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            84:1e:20:6c:5e:7e:20:e9:0e:00:00:00:00:03:2f:86
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
        Validity
            Not Before: Mar 30 13:34:35 2022 GMT
            Not After : Jun 28 13:34:34 2022 GMT
        Subject: CN=gca.neilpang.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4A:D3:CD:4A:42:6E:2F:DC:A7:76:CD:2B:B8:B5:71:CF:80:17:E2:74
            X509v3 Authority Key Identifier:
                keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8

            Authority Information Access:
                OCSP - URI:http://ocsp.pki.goog/s/gts1p5/EvYdWBESZcY
                CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der

            X509v3 Subject Alternative Name:
                DNS:gca.neilpang.com, DNS:*.gca.neilpang.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.11129.2.5.3

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crls.pki.goog/gts1p5/htAIIEEtXcY.crl

            1.3.6.1.4.1.11129.2.4.2:
    Signature Algorithm: sha256WithRSAEncryption