PKI ACME Responder

From Dogtag

Latest revision as of 00:14, 5 December 2019

Overview

This page describes the procedure to install and use the ACME responder being developed for PKI 10.8.

The development branch is available at:

Installation

See Configuring ACME Responder.

Usage

Note that certbot does not accept a self-signed CA certificate for the ACME server, so the operations below use plain HTTP URLs (port 8080). This is suitable only for development and testing: ACME request bodies are JWS-signed, but over plain HTTP the directory, nonces and responses are neither authenticated nor confidential, so a production responder should be reached over HTTPS with a certificate the client trusts.

Certificate Enrollment with HTTP-01

To request a certificate with automatic http-01 validation (certbot's standalone server binds port 80 to answer the challenge, so that port must be free and reachable from the ACME responder):

$ certbot certonly --standalone \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email

To request a certificate with manual http-01 validation (certbot prints a token and the file content to place under the web server's /.well-known/acme-challenge/ path, then waits for confirmation before asking the responder to validate):

$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email

Before letting certbot continue, make sure the web server serves the challenge file and that the body is exactly the key authorization certbot printed:

$ curl http://$HOSTNAME/.well-known/acme-challenge/<token>

Certificate Enrollment with DNS-01

To request a certificate with manual dns-01 validation (certbot prints the value to publish in a TXT record at _acme-challenge.server.example.com, then waits for confirmation):

$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d server.example.com \
    --preferred-challenges dns \
    --register-unsafely-without-email

Before letting certbot continue, make sure the TXT record has been created and has propagated to the resolvers the responder uses:

$ dig _acme-challenge.server.example.com TXT

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem, with the private key as privkey.pem and the certificate plus issuer chain as fullchain.pem in the same directory.

To inspect the certificate (check that the Subject Alternative Name lists the requested host and that the issuer is the PKI CA):

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
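The curl and dig checks above only confirm that something is being served; what the ACME responder actually compares against is derived from the challenge token and the ACME account key. The following Python is an added example, not code from the Dogtag PKI project or from certbot; the account key modulus and token in it are constructed placeholders. It computes the key authorization and the expected http-01 body and dns-01 TXT value, and validates fetched data the way the server does, covering both the http-01 and dns-01 procedures above.

```python
"""What the http-01 and dns-01 checks are verifying.

Added example (not part of the Dogtag PKI page, PKI, or certbot): given the
challenge token and the ACME account's public key, compute the key
authorization (RFC 8555 section 8.1) and the two challenge responses, then
validate a fetched HTTP body or a set of TXT records the way the ACME
responder does. The account key and token below are constructed placeholders.
"""
import base64
import hashlib
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]+")

# Members that enter the RFC 7638 thumbprint, per key type; everything else
# in the JWK (e.g. "alg", "kid") is deliberately ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used everywhere in ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """RFC 8555 section 8.3: tokens are base64url with no padding."""
    return bool(_B64URL.fullmatch(token))


def thumbprint_input(jwk: dict) -> bytes:
    """Canonical JSON over the required public members only, keys sorted
    lexicographically, no whitespace (RFC 7638 section 3)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = {k: jwk[k] for k in members}
    return json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(thumbprint_input(jwk)).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey).
    Binding the token to the account key is what stops another ACME client
    from completing the challenge with a token it merely observed."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url without padding")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected_body(token: str, account_jwk: dict) -> str:
    """Exact body expected at http://<host>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the TXT record at _acme-challenge.<domain> (RFC 8555 section 8.4):
    base64url(SHA-256(keyAuthorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """Validate a body fetched with curl the way the server does: exact match,
    allowing only a trailing newline that a web server may append."""
    return served_body.rstrip("\r\n") == http01_expected_body(token, account_jwk)


def check_dns01(txt_records, token: str, account_jwk: dict) -> bool:
    """The server accepts the challenge if any TXT record matches (section 8.4);
    dig prints values quoted, so quotes are stripped before comparing."""
    expected = dns01_txt_value(token, account_jwk)
    return any(r.strip().strip('"') == expected for r in txt_records)


# Constructed sample input: a placeholder 2048-bit modulus (not a real key)
# and a token of the right shape. "alg" is present to show it is excluded.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "e": "AQAB",
    "n": b64url(bytes([0xC1]) + bytes(range(255))),
}
SAMPLE_TOKEN = "dGVzdC10b2tlbi12YWx1ZQ"

if __name__ == "__main__":
    print("http-01 body :", http01_expected_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Run with no arguments to print the two expected values for the placeholder key. To check a real deployment, replace SAMPLE_JWK with the public members of the account key (certbot stores its account keys under /etc/letsencrypt/accounts/) and SAMPLE_TOKEN with the token certbot printed, then pass the curl body or the dig output to check_http01 or check_dns01.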

Certificate Revocation

To revoke using the ACME account that obtained the certificate (certbot signs the revocation request with the account key):

$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem

To revoke using the certificate's own private key instead, which does not require access to the issuing account:

$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem

See also:

* Revoking certificates: https://letsencrypt.org/docs/revoking/

Creating an Account

To create an ACME account (certbot prompts for a contact email unless -m <email> or --register-unsafely-without-email is given):

$ certbot register --server http://$HOSTNAME:8080/acme/directory

Updating Account

To update the contact email of an existing ACME account (certbot prompts for the new address unless -m <email> is given):

$ certbot update_account --server http://$HOSTNAME:8080/acme/directory

Deactivating an Account

To deactivate an ACME account (this is irreversible: the responder will reject further requests signed with that account key, and certbot removes its local copy of the account):

$ certbot unregister --server http://$HOSTNAME:8080/acme/directory

See Also