How to Apply for an SSL Certificate from Google Trust Services

ServBay is not only a powerful local web development environment—it also natively supports the ACME protocol, making it easy for you to request and manage trusted SSL certificates for both local and remote domains. Using trusted SSL certificates (such as those issued by Google Trust Services) allows you to simulate production HTTPS connections in your local development or testing environment. This is indispensable for debugging mixed content warnings, testing security headers, and ensuring your apps work correctly under HTTPS.

This article provides a step-by-step guide on how to use ServBay to request SSL certificates for your website via the public CA service offered by Google Trust Services (GTS) using the ACME protocol.

Prerequisites

Before you begin, make sure you have completed the following:

1. Own a Domain and Control DNS: You must have a valid domain name and full control over its DNS records. This is foundational for domain ownership verification via DNS API.
2. Obtain DNS API Credentials: ServBay automates the domain ownership verification process through DNS APIs. You need to get the appropriate API credentials from your domain registrar or DNS service provider. Each provider uses different methods and parameter names. Refer to the acme.sh DNS API Wiki for details specific to your provider and required keys.
3. Get Google Trust Services EAB Keys: Google Trust Services' ACME service requires External Account Binding (EAB). EAB is a mechanism that associates your ACME client account (managed by ServBay) with your Google Cloud account, authorizing certificate issuance. You must obtain the EAB Key ID and EAB HMAC Key from the Google Cloud Console. See Google's official documentation: Get EAB info from Google Cloud for step-by-step instructions.

Steps to Request a Certificate

1. Open the ServBay Control Panel: Launch the ServBay app and enter the graphical management panel.

2. Navigate to SSL Certificate Management: Find and select the SSL Certificates option from the sidebar or top menu to access the certificate management interface.

3. Initiate the Certificate Application Process: Click the “+” button at the top right of the certificate list interface to start requesting a new SSL certificate.

4. Configure Certificate Request Details: In the “Request Certificate” popup window, provide the following information as required:

   • Common Name: Enter a name to identify this certificate request, such as your project name or main domain. For example: servbay.demo Certificate.
   • Usage Purpose: Keep the default setting TLS/SSL, indicating the certificate will be used to encrypt web server connections.
   • Request Method: Select ACME to use the Automated Certificate Management Environment protocol for the request.
   • Issuer: From the dropdown, select Google Trust Services as your Certificate Authority (CA).
   • DNS API Provider: Choose your DNS service provider from the dropdown (for example: Cloudflare, GoDaddy, AliYun, etc.). If your provider isn’t listed, refer to the ServBay or acme.sh documentation to check support or for additional configuration.
   • Algorithm: Select the certificate’s key algorithm. It is recommended to use ECC (Elliptic Curve Cryptography) as it offers stronger security with shorter keys. Choose key length 384.
   • EAB Key ID: Enter the EAB Key ID you obtained from Google Cloud.
   • EAB HMAC Key: Enter the EAB HMAC Key you obtained from Google Cloud.
   • DNS API Tokens: Enter your DNS API keys and related parameters. [Important] Make sure to refer to the guidance for your DNS provider in the acme.sh DNS API Wiki, using the correct environment variable names and values. Do not include the export command itself in the input box. For example, for Cloudflare, you may need to enter CF_Key=YOUR_API_KEY and CF_Email=YOUR_EMAIL, one parameter per line.
   • Domain: Enter one or more domains you wish to secure with the certificate. For a single domain, type it directly (e.g., servbay.demo). To request a certificate for multiple domains (SAN certificate), separate them with commas (e.g., servbay.demo, www.servbay.demo). For a wildcard certificate, use the format *.yourdomain.com (e.g., *.servbay.demo), but note that wildcard certificates usually require DNS validation.

   

5. Submit the Request: Once all information is correctly filled in, click the “Request” button at the bottom of the window.

6. Wait for Processing to Complete: ServBay will automatically carry out the ACME procedure in the background. This includes contacting Google Trust Services, verifying domain ownership via DNS API, and finally issuing the certificate. This process may take some time, depending on DNS record propagation speed and ACME server response. Once successful, the new certificate will appear in your list of ServBay SSL certificates.

Applying the Certificate to Your Website

Once your certificate is successfully issued and appears in the ServBay SSL certificates list, you can configure it for your website. Go to the Websites configuration interface and select the website you want to set up. In the SSL settings section, choose ACME as the certificate type. Then, in the associated dropdown, select the Google Trust Services certificate you just applied for. After saving, your website will be enabled with HTTPS through this certificate.

Certificate Auto-Renewal

ACME certificates issued by Google Trust Services are typically valid for 90 days. To ensure continued certificate validity, ServBay includes a built-in auto-renewal feature. It will automatically attempt to renew your certificates prior to expiration, so you don’t have to monitor or operate manually. Please make sure ServBay runs regularly for the renewal task to work properly.

FAQ & Troubleshooting

• Certificate request fails with DNS verification error:
  • Double-check that your DNS API keys and parameters are correct, including environment variable names and values.
  • Ensure your DNS provider supports domain verification via API, and that you’ve selected the correct DNS API Provider.
  • Use an online DNS checker (such as dnschecker.org) to confirm that your domain’s DNS records have propagated properly. DNS changes may take some time to take effect.
  • Check your network or firewall settings to ensure ServBay can reach both the ACME server and your DNS provider’s API.
• EAB error during request:
  • Carefully verify the EAB Key ID and EAB HMAC Key you obtained from Google Cloud match exactly what you enter in ServBay.
  • Ensure these EAB credentials are still valid in your Google Cloud account and have not been revoked or expired.
• Request process hangs or is unresponsive:
  • Check the ServBay log files (typically located in the logs folder inside the ServBay application directory) for detailed error messages.
  • Temporarily disable your firewall or security software to rule out interference with ACME communications.
  • Make sure your internet connection is stable.

Conclusion

Thanks to ServBay’s integrated ACME support and compatibility with Google Trust Services, obtaining and managing trusted SSL certificates is easier than ever. This not only streamlines HTTPS setup in your local development environment, enhancing security, but also makes it convenient to simulate production conditions. With ServBay’s automation capabilities, you can focus on coding and leave the complexity of certificate management to the tool, ensuring your website connections always remain safe and reliable.