New Release of Smallstep ACME RA: Automating internal TLS with ACME + Google CAS

Carl Tashian

Follow Smallstep

We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority (RA) for Google CA Services (CAS). This release aims to make your internal PKI easier to use, more secure, and simpler to scale:

• An ACME interface to Google CAS. Our ACME server makes internal automated certificate enrollment and renewal simpler, by bringing the ACME protocol (used by Let's Encrypt;RFC8555) to your internal Google CAS environment. It supports all of the challenge types that Let's Encrypt supports, so it's straightforward to add ACME support to existing services.

  For internal services, ACME is a great way to automate TLS certificate enrollment and renewal, due to its broad support across languages and platforms.

• Leverage Google Security & Scalability. Our ACME server connects to your Google CAS instance, which acts as your CA and issues Google-signed certificates. In this scenario, our ACME server acts narrowly as a registration authority, sitting between Google CAS and your ACME clients.

  Google CAS is a highly-available, scalable private CA that is backed by Hardware Security Modules (HSM). It uses FIPS 140-2 Level 3 validated HSMs.

• Easy automated enrollment and renewal. Automation with ACME clients obviates the need for manual SSL certificate renewal, while preventing outages related to certificate expiry.

If you want internal ACME support, consider running Google CAS with Smallstep's ACME RA. Together you can think of the two as an HSM-backed cloud ACME server.

Our click-to-deploy image is available in the Google cloud marketplace.

How ACME works

ACME is a JSON API that runs mostly over HTTPS. To get a certificate issued by an ACME server, a client must prove that it controls the requested domain name(s). It does this by responding to ACME challenges from the server.

Once challenges have been met for each DNS name listed on the certificate, the client can retrieve its signed certificate from the server. Later, the client returns to the ACME server to renew its certificate using the same approach.

Getting started with Google CAS and ACME

Smallstep ACME Registration Authority (RA) brings ACME protocol support to GCP CAS, allowing you to automate certificate enrollment and renewal using ACME-compliant clients like certbot, Terraform, Caddy, and Kubernetes cert-manager. The Smallstep RA does not sign certificates itself. Instead, certificate requests are passed to GCP CAS to sign and catalog delivering a number of benefits including:

• Issued certificates are trusted by anything that trusts your GCP CAS root certificate.

• Issued certificates appear in your GCP CAS console and audit logs.

• Security-sensitive signing keys are managed by GCP CAS and never seen by Smallstep ACME RA.

Smallstep ACME RA is built and supported by Smallstep, the company behind the open-source step-ca certificate management toolchain. It builds on the open-source step-ca project, adding click-to-deploy integration with GCP CAS, updates, and support. Head over to the GCP marketplace and give it a try today.