For Agents
Mint ACME External Account Binding keys that authorize ACME clients to request publicly trusted TLS certificates from Google Trust Services.
Get started with Public Certificate Authority API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create acme external account binding key for google trust services"
# → Jentic returns the POST /v1/{+parent}/externalAccountKeys tool with parameter schema, agent executes.
What an agent can do with Public Certificate Authority API.
Create ACME external account binding keys scoped to a Google Cloud project
Tie ACME account registration to a Google Cloud project for billing and quota tracking
Authorize automated certificate issuance from Google Trust Services through standard ACME clients
Enable certbot, lego, acme.sh, and other ACME clients to use Google Trust Services as their CA
Use for: I need to create an ACME external account binding key for Google Trust Services; Set up certbot to issue certificates from Google Trust Services; Generate an EAB key tied to my Google Cloud project for ACME registration; Retrieve the HMAC key material needed to register an ACME account with Google
Not supported: Does not issue certificates directly, manage ACME orders, or operate private CAs — use only to mint ACME External Account Binding keys for Google Trust Services.
The Google Public Certificate Authority API creates and manages ACME External Account Binding (EAB) keys associated with Google Trust Services, the publicly trusted CA operated by Google. EAB keys let an ACME client tie its account to a specific Google Cloud project so it can request publicly trusted TLS certificates from Google Trust Services through any RFC 8555 ACME workflow. The API surface is intentionally minimal — its single endpoint mints the EAB key material that downstream ACME clients consume.
Provision EAB keys on demand from CI pipelines or infrastructure-as-code workflows
Patterns agents use Public Certificate Authority API for, with concrete tasks.
★ Public TLS via ACME with Google Trust Services
Configure an ACME client such as certbot, lego, or acme.sh to request publicly trusted TLS certificates from Google Trust Services. The Public CA API mints the EAB key material the client uses during account registration, after which all certificate issuance happens through the standard ACME flow.
Call POST /v1/{+parent}/externalAccountKeys with parent projects/my-project/locations/global, then pass the returned keyId and b64MacKey to certbot via --eab-kid and --eab-hmac-key.
Automated Certificate Renewal in CI
Wire EAB key creation into infrastructure-as-code or CI pipelines so a new account-bound ACME identity is provisioned on demand, then used to renew certificates for managed domains. This avoids hard-coding EAB keys in version control and lets renewal pipelines stay self-contained.
Mint a fresh EAB key in CI, register a new ACME account against acme-v02.api.pki.goog, and use it to issue a wildcard certificate for *.example.com.
Multi-Tenant Certificate Provisioning
Platforms that issue certificates on behalf of customer domains can mint per-tenant EAB keys so each tenant's certificate issuance traces back to a distinct ACME account, simplifying revocation and audit. The Public CA API issues these EAB keys in a single, schema-stable call.
For each new tenant, mint an EAB key under projects/platform/locations/global and store the keyId and b64MacKey in the tenant's secret bundle for ACME use.
Agent-Driven Certificate Bootstrapping
An infrastructure agent uses Jentic to obtain an EAB key, register an ACME account, and request a publicly trusted certificate when bringing up a new service domain, all without human intervention or copy-pasted EAB credentials.
Search Jentic for create acme external account binding key, load the schema, and execute it for the agent's deployment project to bootstrap ACME registration.
1 endpoint: the Google Public Certificate Authority API creates and manages ACME External Account Binding (EAB) keys associated with Google Trust Services, the publicly trusted CA operated by Google.
METHOD | PATH | DESCRIPTION
POST | /v1/{+parent}/externalAccountKeys | Create an ACME external account binding key for the given project and location
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google OAuth 2.0 credentials are stored encrypted in the Jentic vault. Scoped, short-lived access tokens are issued at call time so the OAuth client secret never reaches the agent, and EAB keys returned by the API can be routed straight into Jentic-managed secrets for downstream ACME use.
Intent-based discovery
Agents search Jentic for create acme external account binding key and Jentic returns the single Public CA operation with its input schema, removing the need to read Google's discovery document for a one-endpoint API.
Time to first call
Direct integration takes about half a day for OAuth, IAM, and ACME client wiring. Through Jentic: under 30 minutes — search, load schema, execute and pipe the keys into your ACME client.
Alternatives and complements available in the Jentic catalogue.
Certificate Authority API
Issues private CA certificates instead of publicly trusted ones
Use Certificate Authority Service when certificates are for internal mTLS or private PKI; use Public CA when browsers and external clients need to trust the certificate.
Cloud DNS API
Manages DNS records used to satisfy ACME DNS-01 challenges
Use Cloud DNS to write the _acme-challenge TXT records that Google Trust Services validates during ACME issuance.
Secret Manager API
Stores EAB key material and issued certificates securely
Use Secret Manager to persist the EAB keyId and HMAC key returned by Public CA so renewal pipelines can fetch them without checking secrets into source control.
Specific to using Public Certificate Authority API through Jentic.
What authentication does the Public CA API use?
The API uses Google OAuth 2.0 with the cloud-platform scope, sent as a Bearer token. Through Jentic the OAuth client and refresh token live in the vault and only short-lived access tokens are injected at call time, so the underlying credentials never enter the agent context.
What does the Public CA API actually issue?
It does not issue certificates directly — it issues ACME External Account Binding (EAB) keys that you then plug into a standard ACME client. The ACME client uses those EAB credentials when registering an account with Google Trust Services, and certificates are issued through the normal ACME challenge and finalize flow.
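What an ACME client does with the keyId and b64MacKey at registration, as an added example that is not from this page or from Google: it builds the RFC 8555 externalAccountBinding JWS, and the CA checks it before accepting the account. The key ID, MAC key, account JWK and newAccount URL are constructed sample values, and b64_mac_key is assumed to be the base64url string an ACME client takes as its EAB HMAC key.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(key_id, b64_mac_key, account_jwk, new_account_url):
    """Client side: externalAccountBinding JWS (RFC 8555 section 7.3.4)."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    mac = hmac.new(b64url_decode(b64_mac_key),
                   f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab, mac_keys, outer_jwk, new_account_url):
    """CA side: accept the binding only if every check passes."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    mac_key = mac_keys.get(header.get("kid"))
    if mac_key is None:  # unknown or revoked key ID
        return False
    signed = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    # The bound key must be the key that signs the outer newAccount request.
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk

# Constructed sample values, not real credentials or a real endpoint.
NEW_ACCOUNT_URL = "https://acme.example/new-account"
KEY_ID = "sample-key-id"
B64_MAC_KEY = b64url(b"constructed-32-byte-hmac-secret!")
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}
CA_KEYS = {KEY_ID: b64url_decode(B64_MAC_KEY)}

if __name__ == "__main__":
    eab = build_eab(KEY_ID, B64_MAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(verify_eab(eab, CA_KEYS, ACCOUNT_JWK, NEW_ACCOUNT_URL))
```

Whoever holds the keyId and HMAC key can produce a valid binding for an account key of their choosing, which is why the pair belongs in a secret store rather than in source control.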
How do I create an EAB key through Jentic?
Search Jentic for create acme external account binding key, load the schema for projects.locations.externalAccountKeys.create which maps to POST /v1/{+parent}/externalAccountKeys, and execute it with parent set to projects/your-project/locations/global. The response contains the keyId and base64-encoded HMAC key your ACME client needs.
What are the rate limits for the Public CA API?
Per-project EAB key creation quotas are documented on Google's Public CA quotas page and are typically modest because each key supports many subsequent ACME issuances. Plan to mint a small number of EAB keys and reuse them across many certificate orders.
Is the Public CA API free?
Calling the API itself does not incur a charge, and certificates issued by Google Trust Services through ACME are free to issue under standard terms. Standard Google Cloud quotas and acceptable use policies apply.
Can I use this with certbot or lego?
Yes, any RFC 8555 compliant ACME client that supports External Account Binding can be configured to use Google Trust Services. Pass the keyId and b64MacKey returned by this API as the EAB credentials, and point the client at the Google Trust Services ACME directory.