Revision as of 02:40, 14 January 2020

ACME Protocol

Domain Validation

• Client generates agent keypair and sends authentication request to server
• Server generates authentication challenges and nonce and sends the response to client
• Client generates authentication response and signs nonce and notifies server
• Server verifies signed nonce
• Server verifies authentication response
  • with DNS record: _acme-challenge.<domain>.
  • with well-known URI: http://<domain>/.well-known/acme-challenge/<filename>

Certificate Issuance and Revocation

• Client generates a CSR and sends a signed request to server
• Server validates CSR signature and agent signature
• Server generates a certificate and send it to client

Certificate Revocation

• Client sends a signed request to server
• Server validates the request
• Server generates CRL

ACME Certificate

See ACME Certificate.

ACME API

See ACME API.

ACME Servers

• PKI ACME Responder
• IPA ACME Responder
• https://github.com/letsencrypt/pebble
• https://github.com/letsencrypt/boulder

ACME Clients

See ACME Client.

ACME Proxies

Public Proxy

Public proxy will accept requests from ACME client and pass them to ACME server. ACME server will perform validation directly against ACME clients.

Private Proxy

Public proxy will accept requests from ACME client and pass them to ACME server. ACME server will perform validation against the ACME proxy and pass the result to ACME clients.

References

• RFC 8555 - Automatic Certificate Management Environment (ACME)
• Let’s Encrypt
• Let's Encrypt - How It Works
• Automated Certificate Management Environment
• Deploying Let’s Encrypt certificates using tls-alpn-01 (https)
• DNS
• PKI ACME Responder
• ACME Challenges Using an Authority Token
• Dynamic SSL certificates using LetsEncrypt on OpenShift