How to get a free TLS Certificate from Google Cloud Platform with acme


Page content

Application preparation for account

First open Google sign in page, log in to your Google account, then go to Google Cloud Platform and create a new Google Cloud Project (if required).

Open the application form while staying logged in, fill it out and wait for Google to send you an email.

Get a Google Cloud Project ID

Open ,

click on your project name in the top left corner, and you will see your Project ID in the pop-up list.

Get the Account Key

Enable the API

Open the following link to enable the API, where is the Project ID you just used to apply.

Open the link and click “Enable”, then wait for “API is enabled” to appear on the right side to close the page.

Apply Key

Then open the “Google Cloud Shell” (click on the CloudShell icon in the top right corner to activate it).

Wait for the assignment to complete and enter the following command in the Shell window.

gcloud config set project <Project ID>
gcloud beta publicca external-account-keys create

The “Provide authorization for Cloud Shell” pop-up will appear, so click Authorize.

After execution, the output will be similar to the following; note that you should not execute this command without receiving an email from Google, as it will return that the command does not exist.

Created an external account key
[b64MacKey: xxx
keyId: xxx]
Request a certificate

Install ACME

Execute the following command to install ACME automatically, and replace your email address

curl | sh -s email=<EMAIL>

Register an account --register-account -m <EMAIL> --server google \
    --eab-kid xxxx \
    --eab-hmac-key xxxxxxxxxx

Issue certificate -f --server google --issue \
    -d test.domain \
    -w "/home/root/web/certs/main" \
    --reloadcmd "/etc/init.d/nginx reload"

If you want the ECC certificate you can specify the key type ec-256: -f --server google --issue \
    -d test.domain --keylength ec-256\
    -w "/home/root/web/certs/main" \
    --reloadcmd "/etc/init.d/nginx reload"

The -w parameter specifies the location of the certificate output.

--reloadcmd specifies the restart command for your http server, in this example is nginx.

Certificate Trust Chain

Free certificates are issued by GTS CA 1P5. The trust chain as following:

Your certificate -> GTS CA 1P5 -> GTS Root R1 .

Google Free TLS Certificate advantages and disadvantages (Pros and Cons) compare with Let’s Encrypt

  • You can set the validity period of the issued certificate; (maximum 90 days, minimum 1 day) Supports multiple domain names and wildcards; (same as Let’s Encrypt)
  • Supports DNS validation and file validation only, not email validation; (same as Let’s Encrypt)
  • Supports IP addresses, but only allows the owner of the IP address block to authenticate; (not supported by Let’s Encrypt at this time)
  • IDN (International Domain Name, encoded using Punycode, like xn-1.xn-2) is not supported. (already supported by Let’s Encrypt)
  • Currently issued certificates, even if you choose ECC type, the intermediate certificate of the certificate chain is RSA (Let’s Encrypt already supports full chain ECC)


The supported validation types are: dns-01 , but you specified: http-01


To apply wildcard certificate, need use DNS authentication instead of http. e.g.:


See also: