ACME

From Dogtag
Revision as of 02:05, 6 November 2019

ACME Protocol

Domain Validation

  • Client generates an account (agent) key pair and sends an authorization request for the domain to the server
  • Server generates the authorization challenges and a fresh nonce and returns them to the client
  • Client prepares the challenge response (the key authorization: the challenge token joined with "." to the thumbprint of its account key), publishes it, and notifies the server with a request signed by the account key that carries the nonce
  • Server verifies the signature and that the nonce was issued by it and has not been used before (replay protection)
  • Server verifies the challenge response by fetching it itself
    • with DNS record: a TXT record at _acme-challenge.<domain>. whose value is the base64url SHA-256 digest of the key authorization (the only challenge type allowed for wildcard names)
    • with well-known URI: http://<domain>/.well-known/acme-challenge/<token>, fetched over plain HTTP on port 80, whose body is the key authorization
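The challenge values in the steps above, worked through in code. This is an added example written for this page in standard-library Python; it is not Dogtag's code or any ACME client's. It computes the RFC 7638 thumbprint of a constructed sample account key (the RSA modulus is deliberately short, and an EC key is included to show the second member set, which goes beyond the page's text), derives the key authorization, the HTTP-01 body and the DNS-01 TXT value from a sample token, and shows the server-side checks, including rejection of a replayed or forged nonce. `SAMPLE_RSA_JWK`, `SAMPLE_EC_JWK`, `SAMPLE_TOKEN`, the domain name and the `NonceStore` class are all assumptions for illustration.

```python
"""ACME domain validation worked through: RFC 7638 key thumbprint, key
authorization (RFC 8555 section 8.1), HTTP-01 and DNS-01 challenge values
(sections 8.3 and 8.4), the server-side checks, and nonce replay rejection.
Added example using only the standard library; all keys, tokens and domain
names below are constructed samples, not real ACME accounts."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample account key (JWK).  A real RSA modulus is far longer;
# the short value keeps the example readable and does not change the logic.
SAMPLE_RSA_JWK = {"kty": "RSA", "e": "AQAB",
                  "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl"}
# Constructed sample EC P-256 key, to show the EC member set of RFC 7638.
SAMPLE_EC_JWK = {"kty": "EC", "crv": "P-256",
                 "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                 "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (required public members
    only, keys sorted lexicographically, no whitespace).  Optional members
    such as 'alg' or 'kid' must not affect the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint: binds the challenge to this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(domain: str, token: str) -> str:
    # The server fetches this over plain HTTP on port 80.
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http01_body(token: str, account_jwk: dict) -> str:
    # The resource body is the key authorization itself.
    return key_authorization(token, account_jwk)


def dns01_name(domain: str) -> str:
    return f"_acme-challenge.{domain}."


def dns01_txt(token: str, account_jwk: dict) -> str:
    # The TXT value is the base64url SHA-256 digest of the key authorization.
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# --- server side -----------------------------------------------------------

def verify_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """Compare what the server fetched with the expected key authorization.
    Trailing whitespace is tolerated (RFC 8555 section 8.3); the comparison
    is constant-time."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip().encode("ascii", "replace"), expected)


def verify_dns01(txt_records, token: str, account_jwk: dict) -> bool:
    """Accept if any TXT record at _acme-challenge.<domain> matches."""
    expected = dns01_txt(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(r.encode("ascii", "replace"), expected)
               for r in txt_records)


class NonceStore:
    """Simplified model of the server's anti-replay nonce table: a nonce is
    accepted exactly once, and only if this server issued it."""
    def __init__(self):
        self._unused = set()

    def issue(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self._unused.add(nonce)
        return nonce

    def consume(self, nonce: str) -> bool:
        """True for a fresh server-issued nonce; False on replay or forgery."""
        if nonce in self._unused:
            self._unused.discard(nonce)
            return True
        return False


if __name__ == "__main__":
    domain = "www.example.com"
    print("HTTP-01 URL :", http01_url(domain, SAMPLE_TOKEN))
    print("HTTP-01 body:", http01_body(SAMPLE_TOKEN, SAMPLE_RSA_JWK))
    print("DNS-01 name :", dns01_name(domain))
    print("DNS-01 TXT  :", dns01_txt(SAMPLE_TOKEN, SAMPLE_RSA_JWK))
    store = NonceStore()
    nonce = store.issue()
    print("nonce first use accepted:", store.consume(nonce))
    print("nonce replay accepted   :", store.consume(nonce))
```

Two details matter in practice: the thumbprint is computed over the required public members only, so a client that adds `kid` or `alg` to its JWK still gets the same key authorization, and the DNS-01 value is the digest of the key authorization, not the key authorization itself, so publishing the HTTP-01 body in the TXT record fails validation.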

Certificate Issuance

  • Client generates a CSR for the validated domains and sends it to the server in a request signed with its account key
  • Server validates the CSR's self-signature and the account-key signature on the request, and checks that every identifier in the CSR has a valid authorization
  • Server issues the certificate and makes it available for the client to download

Certificate Revocation

  • Client sends a revocation request to the server, signed either with the account key or with the private key of the certificate being revoked
  • Server validates the signature and that the requester is authorized to revoke that certificate
  • Server marks the certificate revoked and publishes the revocation in its CRL

ACME Certificate

See ACME Certificate.

ACME API

See ACME API.

ACME Servers

ACME Clients

See ACME Client.

ACME Proxies

Public Proxy

A public proxy accepts requests from ACME clients and forwards them to the ACME server. The ACME server performs domain validation directly against the ACME clients, so each client must itself be reachable for the HTTP or DNS challenge.

Private Proxy

A private proxy also accepts requests from ACME clients and forwards them to the ACME server, but the ACME server performs validation against the proxy, which passes the result on to the ACME clients. Because the proxy answers the challenges on the clients' behalf, the server is relying on the proxy, which must verify that a client controls the domain before responding for it.

References

  • OpenShift ACME
  • PKI ACME Service
  • ACME Challenges Using an Authority Token: https://tools.ietf.org/html/draft-ietf-acme-authority-token-04