How long are the certificates you issue good for?
By default all certificates issued by Google Trust Services are good for up to 90 days; however, ACME allows for clients to request certificates with different validity periods.
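I. Create a project and request EAB credentials
Create a project at https://console.cloud.google.com/ and note its project ID.
1. Open Cloud Shell and run the following command
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=user:EMAIL_ADDRESS \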
--role=roles/publicca.externalAccountKeyCreator
2. Enable the Public CA API
gcloud services enable publicca.googleapis.com
3. Request the EAB credentials and copy them down
gcloud publicca external-account-keys create
4. Switch to the production environment
gcloud config unset api_endpoint_overrides/publicca
II. Server-side steps
Register an account in acme.sh
/usr/local/acme.sh/acme.sh --home "/usr/local/acme.sh" --register-account -m email --server google \
--eab-kid keyId \
--eab-hmac-key b64MacKey
Request a 90-day wildcard certificate using alidns DNS validation
/usr/local/acme.sh/acme.sh --home "/usr/local/acme.sh" -f --server google --issue -d 32mb.net -d '*.32mb.net' --dns dns_ali
The CAA issuer domain to authorize is: pki.goog
For details, see https://cloud.google.com/certificate-manager/docs/public-ca-tutorial
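The CAA note above can be checked before requesting the wildcard certificate. The following is an added example, not part of the original page or of acme.sh: a hypothetical helper, caa_allows, that evaluates a record set in the format printed by `dig +short CAA <domain>` and reports whether pki.goog may issue. It assumes quoted values as dig prints them, ignores parameters such as validationmethods, and does not climb to parent domains to locate the relevant record set.

```bash
#!/usr/bin/env bash
# Added example: does a CAA record set permit a given CA to issue?
# Each input line looks like dig +short output:  0 issue "pki.goog"

# caa_allows <ca-domain> <issue|issuewild> <records-text>
# Returns 0 if issuance is permitted, 1 if the record set forbids it.
caa_allows() {
  local ca="$1" kind="$2" records="$3"
  printf '%s\n' "$records" | awk -v ca="$ca" -v kind="$kind" '
    NF < 3 { next }                                   # skip blank or short lines
    {
      tag = tolower($2)
      val = $0
      sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)   # text between the quotes
      sub(/;.*$/, "", val)                            # drop parameters after ";"
      gsub(/[ \t]/, "", val)
      val = tolower(val)
      if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
      if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
      # issuewild, when present, governs wildcard names; otherwise issue does.
      if (kind == "issuewild" && n_wild > 0) exit(ok_wild ? 0 : 1)
      if (n_issue == 0) exit 0      # no issue records: CAA does not restrict
      exit(ok_issue ? 0 : 1)
    }'
}

# Constructed sample record set (not real DNS data for any domain).
sample='0 issue "letsencrypt.org"
0 issue "pki.goog; validationmethods=dns-01"
0 iodef "mailto:security@example.com"'

if caa_allows pki.goog issuewild "$sample"; then
  echo "CAA permits pki.goog to issue the wildcard name"
else
  echo "CAA blocks pki.goog: add an issue/issuewild record for pki.goog"
fi
```

Against live DNS, pass the output of `dig +short CAA` for the domain as the third argument.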