aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Technology

Automate Public Certificates Lifecycle Management Via RFC 8555 (ACME)

  • aster.cloud
  • April 10, 2022
  • 5 minute read

We’re excited to announce an enhancement of our preview of Certificate Manager which allows Google Cloud customers to acquire public certificates for their workloads that terminate TLS directly or for their cross-cloud and on-premise workloads. This is accomplished via the Automatic Certificate Management Environment (ACME) protocol which is the same protocol used by Certificate Authorities  to enable seamless automatic lifecycle management of TLS certificates.

These certificates come from Google Trust Services, the same Certificate Authority (CA) we use by default when we manage certificates on your behalf with the Global External HTTPS Load Balancer. By using the same CA for managed certificates and unmanaged certificates you are assured that both scenarios work equally well across the entire spectrum of devices that use your services.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

This also enables Cloud Customers to get a more reliable TLS deployment. It does so by enabling one common certificate lifecycle management story based on ACME to be used without a single point of failure (relying just on one certificate authority). In other words, it is now possible to freely load balance or fail over to multiple ACME CAs with confidence.

How do I use it ?

To use this feature you will need an API key so you can use a feature in ACME called External Account Binding. This enables us to associate your certificate requests to your Google Cloud account and allows us to impose rate limits on a per customer basis. You may easily get an API key using the following commands:

 

$ gcloud config set project <project ID>
$ gcloud projects add-iam-policy-binding project-foo \
  --member=user:[email protected] \
  --role=roles/publicca.externalAccountKeyCreator
# Request a key:
$ gcloud alpha publicca external-account-keys create

 

Each ACME implementation differs slightly on how you specify this API key but as an example with the popular Certbot ACME client the configuration looks something like this, to register an account:

Read More  Google Cloud Next 2019 | Bringing The Power Of Google Search To Every Business

 

certbot register --email <CONTACT_EMAIL> --no-eff-email --server "https://dv.acme-v02.api.pki.goog/directory"  --eab-kid "<EAB_KEY_ID>" --eab-hmac-key "<EAB_HMAC_KEY>"

 

After the account is created, you can issue certificates by running:

 

certbot certonly -d <domain.com> --server "https://dv.acme-v02.api.pki.goog/directory" --standalone

 

It is that simple. Just schedule this task to run periodically and you will now be automatically acquiring and maintaining the TLS certificates for the associated workload.

For Kubernetes based workloads

If you are using Kubernetes, thanks to cert-manager (another ACME client), it is just as easy. Simply specify the ACME url and External Account Binding details in your configuration. Your ACME client will ensure you always have an up to date certificate for your Kubernetes deployment.

Announcing the Private Preview

We have heard loud and clear that our customers want to use a unified solution for managing their HTTPS certificates which is why we have launched this offering today.

Using this service and Google Trust Services means you will get the same industry leading device compatibility we use for services like YouTube and Google search for your own products and services.

FAQ

We know you might have some questions about this release so here are our answers to the most frequent questions we hear:

How can I get access?
You can request access to this Private Preview using this sign up form.

How long are the certificates you issue good for?
By default all certificates issued by Google Trust Services are good for up to 90 days; however, ACME allows for clients to request certificates with different validity periods. Using this capability we allow the requestor to get certificates that are good for as little as 1 day, though we would not recommend using anything less than 3 days due to concerns over clock skew and certificate validity overlap.

Read More  MLB Uses Google Cloud Smart Analytics Platform To Scale Data Insights

What forms of domain control verification do you support?
The ACME protocol defines several mechanisms for domain control verification and we support three of them, they include : TLS-ALPN-01, HTTP-01, and DNS-01.

Each of these have different scenarios where their use makes the most sense, for example TLS-ALPN-01 might make sense in cases where HTTPS is not used and the requestor does not have access to dynamically update DNS records. Choose the mechanism that fits your use case best.

Do you support email based domain control verification?
No we do not.

Do you issue wildcard certificates?
Yes we do. Please note, as with other Certificate Authorities you must currently use  DNS based domain control verification to get a wildcard certificate.

Do you issue certificates for punycode encoded Unicode domain names?
Not at this time.

Do you issue certificates containing IP addresses?
Yes we do; however, this is currently limited to customers who control an IANA assigned IP address block. Contact your sales representative for more information.

Can I use ACME to get private certificates from Cloud CA Service?
Yes, but not directly. Our partner SmallStep created an ACME Registration Authority (RA) that can be used to get certificates from the Cloud CA Service.

What algorithms and key lengths do you support?
We support issuing both ECC and RSA certificates. For more information see our Certificate Practice Statement and CA Certificate Repository

Do you offer certificates from a pure ECC based certificate chain?
Not at this time.

What root certificates do you use?
We list all of our root certificates and intermediate certificates here and we do change which ones we use from time to time.

Read More  Google Cloud Doubles-Down On Ecosystem In 2022 To Meet Customer Demand

It is important to also note that we send the appropriate intermediate certificates with every certificate request via the ACME protocol.

Why should I use Google Trust Services instead of another certificate authority?
There are multiple good ACME CAs you may use.

We envision a world where those that deploy SSL use a number of ACME based certificate authorities to enable sites to continue to operate without downtime when one provider has availability issues. If you need a large number of certificates or guarantees on geographic diversity, the GTS CA may be an especially good fit.

It is our hope that by making this service available to cloud customers they will be able to get the benefit of that robustness, and reduce latency for workloads terminating TLS within Google Cloud.

You recently announced Certificate Manager, is this an alternative to that offering?
No it is not. This extends Certificate Manager so that workloads that choose to terminate TLS on their own are able to get certificates from the same CA we use when we manage your certificates for you.

It is our hope that with this ACME API, you will be able to simplify your HTTPS certificate lifecycle management for your workloads.

 

 

By: Ryan Hurst (Product Manager, Security) and Babi Seal (Product Manager, Load Balancing)
Source: Google Cloud Blog</a


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Automatic Certificate Management Environment
  • Certificates
  • Google Cloud
  • Google Cloud Console
  • Security
  • Tutorial
You May Also Like
View Post
  • Computing
  • Multi-Cloud
  • Technology

Reliance on US tech providers is making IT leaders skittish

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Examine the 4 types of edge computing, with examples

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

AI and private cloud: 2 lessons from Dell Tech World 2025

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

TD Synnex named as UK distributor for Cohesity

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Weigh these 6 enterprise advantages of storage as a service

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Pulsant targets partner diversity with new IaaS solution

  • May 23, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Growing AI workloads are causing hybrid cloud headaches

  • May 23, 2025

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.