David Kluge, Technical Program Manager, and Andy Warner, Product Manager
Nobody likes preventable site errors, but they happen disappointingly often.
The last thing you want your customers to see is a dreaded ‘Your connection is not private’ error instead of the service they expected to reach. Most certificate errors are preventable and one of the best ways to help prevent issues is by automating your certificate lifecycle using the ACME standard. Google Trust Services now offers our ACME API to all users with a Google Cloud account (referred to as “users” here), allowing them to automatically acquire and renew publicly-trusted TLS certificates for free. The ACME API has been available as a preview and over 200 million certificates have been issued already, offering the same compatibility as major Google services like google.com or youtube.com.
The Automatic Certificate Management Environment (ACME) protocol enables users to easily automate their TLS certificate lifecycle using a standards based API supported by dozens of clients to maintain certificates. ACME has become the de facto standard for certificate management on the web and has helped broaden adoption of TLS. The majority of all TLS certificates in the WebPKI today are issued by ACME CAs. ACME users experience fewer service outages caused by expired certificates by using ACME’s automated certificate renewal capabilities. Manual certificate updates are a common source of outages, even for major online services. Sites already using ACME can configure multiple ACME providers to increase resilience during CA outages or mass renewal events.
What customers say
During the preview phase, the ACME endpoint has already been used extensively. The number of certificates requested by our users has driven up the GTS issuance volume to the fourth largest publicly trusted Certificate Authority.
“At Cloudflare, we believe encryption should be free for all; we pioneered that for all our customers back in 2014 when we included encryption for free in all our products. We’re glad to see Google join the ranks of certificate authorities that believe encryption should be free for everyone, and we’re proud to offer Google as a CA choice for our customers. Their technical expertise guarantees they’ll be able to scale to meet the needs of an increasingly encrypted Internet,” says Matthew Prince, CEO, Cloudflare.
Making the Web Safer
The Google Trust Services ACME API was introduced last year as a preview. The service recently expanded support for Google Domains customers. By further opening up the service, we’re adding another tool to Google’s Cyber Security Advancements, keeping individuals, businesses, and governments safer online through highly trusted and free certificates. We’re also introducing two significant features that further enhance the certificate ecosystem: ACME Renewal Information (ARI) and Multi-perspective Domain Validation. ARI is a new standard to help manage renewals that we’re excited to support. General availability of multi-perspective domain validation brings the benefits of years of work to increase the security of Google’s certificates for all users.
ACME Renewal Information (ARI)
ACME Renewal Information (ARI) addresses the longstanding challenge of knowing when a certificate must be replaced before its standard renewal period via an API.
ARI is an Internet Engineering Task Force (IETF) Internet Draft authored by Let’s Encrypt as an extension to the ACME protocol. It helps service operators automatically replace their certificates in case revocation must occur before the certificate expires.
Serving certificate renewal information via ACME is particularly useful for managing large certificate populations. ARI could have potentially made a difference in past certificate replacement events affecting large parts of the WebPKI, including the 2019 serial number entropy bug affecting multiple CAs which forced rapid replacement of hundreds of thousands of certificates.
Multi-Perspective Domain Validation
Multi-perspective domain validation (MPDV), enhances the validation process for certificate issuance. Publicly-trusted CAs, like Google Trust Services, ensure only authorized requesters can obtain certificates for a given domain name by confirming the requester can prove control over the domain via validation challenges. Domain validation provides a high level of assurance under normal conditions. However, domain control validation methods can be vulnerable to attacks such as DNS cache poisoning and Border Gateway Protocol (BGP) hijacking.
With MPDV, domain control verification is performed from multiple locations, referred to as “network perspectives.” Using multiple perspectives significantly improves the reliability of validation by preventing localized attacks from being able to fool validation checks. Let’s Encrypt adopted the first at-scale MPDV implementation, which performed the validation from three different network perspectives and required a quorum before issuance.
Our approach is similar. We also require a quorum of different network perspectives, but thanks to the scale and reach of our infrastructure, we have thousands of egress points forming “regional perspectives” that deter attackers from compromising enough targets to secure an invalid validation.
How do I use it?
Article Link: Google Online Security Blog: Google Trust Services ACME API available to all users at no cost