Get free GTS SSL for your website with Caddy

Are you interested in learning how to obtain a free SSL certificate for your website from Google Trust Services using Caddy? Let me guide you through the process.

As you may be aware, Let's Encrypt's root certificate has expired, and some website owners have switched to a different certificate issuer or are dealing with Let's Encrypt's new root. For my personal websites, I use ZeroSSL and Amazon SSL, which work great for me, and Sectigo Root benefits from its accessible OSCP servers. However, I recently learned that Google is offering free public certificates for websites, which is pretty cool, and I decided to secure my website with GTS.

Here's how you can get a free SSL certificate from Google and install it with Caddy:

  1. Create a project on Google Cloud Platform first (it's free, and you get a free $200 credit when you sign up).

  2. Get your project ID: go to your GCP dashboard ( and click the "My Project" button in the top left corner. Your project ID (e.g., sharp-fire-310310) should appear. Alternatively, you can copy your project ID after query in url ?project=.

  3. Go to to activate your Public Certificate Authority API. where Project ID is what you obtained in the previous step. Enable it for free.

  4. Create an authority key: In the top right corner, click the Cloud Shell icon. Type in the following command:

    gcloud config set project <Project ID>
    gcloud beta publicca external-account-keys create

    Where Project ID is the same as previous step. (When it prompts up for authorization, click accept)

    If the key created successfully, it should return something like

    Created an external account key
    [b64MacKey: 3f90fbuKnl9a0c8ItD-BZygttn-5yCxgak7NKVXHml5x3NM09cygJgbVZd1EDWxFif_OGzx2ZtDJCcH19_9QMA
    keyId: 5743b1609344f82973328515f883faa1

    The phrase after b64MacKey is your key, and after keyId is key id you need to use.

  5. Update your Caddyfile: add following to your global option for Caddy

    email <Your email>
    acme_eab {
            key_id <Your keyId>
            mac_key <Your b64MacKey>

    If you aren't familiar with Caddy global options, see

  6. Reload Caddy: after run Caddy reload or systemctl restart caddy. Your GTS certificate should now be ready. (This is faster than I expected since Lets and ZeroSSL issue SSL certificates slower than this).

  7. To confirm that your certificate is ready, run systemctl status caddy, and you should see output indicating that your GTS SSL is active.

    Feb 15 11:15:24 misty caddy[2981403]: {"level":"info","ts":1676477724.6448865,"logger":"tls","msg":"served key authentication certificate","server_name":"<Your domain>","challenge":"tls-alpn-01","remote":"","distributed":false}
    Feb 15 11:15:28 misty caddy[2981403]: {"level":"info","ts":1676477728.6581016,"logger":"http.acme_client","msg":"authorization finalized","identifier":"<Your domain>","authz_status":"valid"}
    Feb 15 11:15:28 misty caddy[2981403]: {"level":"info","ts":1676477728.6589515,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":""}
    Feb 15 11:15:34 misty caddy[2981403]: {"level":"info","ts":1676477734.5884278,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":1,"first_url":""}
    Feb 15 11:15:34 misty caddy[2981403]: {"level":"info","ts":1676477734.589921,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"<Your domain>"}
    Feb 15 11:15:34 misty caddy[2981403]: {"level":"info","ts":1676477734.5903862,"logger":"tls.obtain","msg":"releasing lock","identifier":"<Your domain>"}

And that's it! Your website should now be secured with a free SSL certificate from Google Trust Services. Check it out and enjoy the added security. I've included an image of a website secured with GTS SSL for reference

Website with GTS SSL