Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains
We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able to acquire public certificates for their websites at no additional cost, whether the site runs on a Google service or uses another provider. Additionally, Google Domains is now making an API available to allow for DNS-01 challenges with Google Domains DNS servers to issue and renew certificates automatically.
Like the existing Google Cloud integration, Automatic Certificate Management Environment (ACME) protocol is used to enable seamless automatic lifecycle management of TLS certificates.
These certificates are issued by the same Certificate Authority (CA) Google uses for its own sites, so they are widely supported across the entire spectrum of devices used to access your services.
How do I use it?
Using ACME ensures your certificates are renewed automatically and many hosting services already support ACME. If you’re running your own web servers / services, there are ACME clients that integrate easily with common servers. To use this feature, you will need an API key called an External Account Binding key. This enables your certificate requests to be associated with your Google Domains account. You can get an API key by visiting Google Domains and navigating to the Security page for your domain. There you’ll see a section for Google Trust Services where you can get your EAB Key.
Example of EAB Credentials in Google Domains
As an example, with the popular Certbot ACME client, the configuration to register an account looks like:
certbot register --email <CONTACT_EMAIL> --no-eff-email --server “https://dv.acme-v02.api.pki.goog/directory” --eab-kid “<EAB_KEY_ID>” --eab-hmac-key “<EAB_HMAC_KEY>”
The EAB_KEY_ID and EAB_HMAC_KEY are both provided on your Google Domains security page.
After the account is created, you may issue certificates by running:
certbot certonly -d <domain.com> --server “https://dv.acme-v02.api.pki.goog/directory” --standalone
Then follow the prompts to complete validation and download your certificate. If you need additional information please visit the Google Domains help center.
Google Domains and ACME DNS-01
ACME uses challenges to validate domain control before issuing certificates. The ACME DNS-01 challenge can be an efficient way for users to automate the validation process and integrate with existing websites and web hosting services.
Google Domains now provides an API for ACME DNS-01 challenges that helps streamline the process for users to authenticate domain control quickly and securely. This is now offered in some popular ACME clients like Certbot via this plugin, Caddy, Certify The Web, Posh-ACME. You can find additional information on the Google Domains site.
Example of DNS API Access Token in Google Domains
To set up automatic certificate provisioning with ACME and DNS-01, follow these steps:
- Sign in to Google Domains.
- Select the domain that you want to use.
- At the top left, click “Menu” and select “Security”.
- Under section “ACME DNS API”, click “Create token”.
- A dialog box will appear with an “API Token”. This is the API Token you will need to enter into your ACME client. You will need to copy this value and can do so by clicking the copy button next to the API Token.
- NOTE: This value is only shown once. After the dialog box is closed you will not be able to see this API Token again. Store this token in a safe place, since anyone that has it gains the ability to modify some DNS TXT records for your Domain.
- If you did not save this value before closing the dialog box, you can easily delete and create a new API token.
- A limit of 10 API tokens per domain can exist at a time.
Regardless of which ACME client you use, Google Domains and Google Trust Services are excited to offer a reliable option for no-cost TLS certificates. This continues the mission of helping build a safer internet by providing a transparent, trusted, and reliable Certificate Authority.