Difference between revisions of "PKI ACME Responder"
m (→Creating an Account) |
m (→Creating an Account) |
Line 102: | Line 102: | ||
$ certbot register \ | $ certbot register \ | ||
--server http://$HOSTNAME:8080/acme/directory \ | --server http://$HOSTNAME:8080/acme/directory \ | ||
− | -m admin@example.com | + | -m admin@example.com \ |
+ | --agree-tos | ||
</pre> | </pre> | ||
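Review bot: `--agree-tos` is added to the register command without any accompanying text; the sentence introducing the command in the Creating an Account section should state that this flag accepts the responder's terms of service non-interactively, since anyone copying the command consents without seeing them. The trailing backslash added to `-m admin@example.com \` is required for the continuation line and is correct.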
Revision as of 18:21, 13 January 2020
Overview
This page describes the procedure to install and use the ACME responder being developed for PKI 10.8.
The development branch is available at:
Installation
Usage
Note that certbot does not accept a self-signed CA certificate, so the operations below are executed with plain HTTP URLs.
Certificate Enrollment with HTTP-01
To request a certificate with automatic http-01 validation:
$ certbot certonly --standalone \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email
To request a certificate with manual http-01 validation:
$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email
Make sure the web server is serving the challenge response at the expected path:
$ curl http://$HOSTNAME/.well-known/acme-challenge/<token>
Certificate Enrollment with DNS-01
To request a certificate with manual dns-01 validation:
$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d server.example.com \
    --preferred-challenges dns \
    --register-unsafely-without-email
Make sure the TXT record is created properly:
$ dig _acme-challenge.server.example.com TXT
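The curl and dig checks above confirm that something is being served, but not that it is the value the ACME responder will look for. The following is an added example, not part of this wiki page or of the PKI project's code, showing how that expected value is derived for both http-01 and dns-01 from the account key (RFC 8555 section 8.1, with the JWK thumbprint from RFC 7638) and how to compare it against what curl or dig returned. The JWK and token it uses are constructed sample values, not a real account key or a token issued by the responder; certbot's manual mode prints these same values when it asks you to set up the challenge.

```python
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample data for this example: an account JWK with an arbitrary
# modulus (not a usable RSA key) and an arbitrary base64url challenge token.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),
}
SAMPLE_TOKEN = "xFz3-_demo_token_0123456789abcdefABCDEF"


def thumbprint_input(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members, keys in
    lexicographic order, no whitespace. Any other member (kid, alg, ...)
    must be excluded or the thumbprint will not match the responder's."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), 43 characters."""
    digest = hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 key authorization: token || '.' || thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected_body(token: str, jwk: dict) -> str:
    """http-01: the body served at /.well-known/acme-challenge/<token>
    is the key authorization itself."""
    return key_authorization(token, jwk)


def dns01_expected_txt(token: str, jwk: dict) -> str:
    """dns-01: the TXT record at _acme-challenge.<domain> is
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01(served_body: str, token: str, jwk: dict) -> bool:
    """Compare what curl returned with the expected body. Trailing
    whitespace is ignored because web servers often append a newline."""
    return served_body.strip() == http01_expected_body(token, jwk)


def check_dns01(txt_records: Iterable[str], token: str, jwk: dict) -> bool:
    """Compare the TXT records dig returned with the expected value.
    dig prints each record in double quotes; stale records from earlier
    validations may coexist, so any one matching record is enough."""
    expected = dns01_expected_txt(token, jwk)
    return any(r.strip().strip('"') == expected for r in txt_records)


if __name__ == "__main__":
    print("http-01 body:", http01_expected_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT:  ", dns01_expected_txt(SAMPLE_TOKEN, SAMPLE_JWK))
```

To use this against a real enrollment, load the account JWK certbot generated, paste the token from the challenge URL, and feed the output of the curl or dig command above into `check_http01` or `check_dns01`. The canonicalisation in `thumbprint_input` is the step that most often goes wrong in hand-rolled clients: an extra member or a different key order produces a different thumbprint, and the responder will then reject a challenge response that looks superficially correct.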
The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.
To inspect the certificate:
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
Certificate Revocation
To revoke using the ACME account that obtained the certificate:
$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem
To revoke using the certificate's private key:
$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem
See also:
Creating an Account
To create an ACME account:
$ certbot register \
    --server http://$HOSTNAME:8080/acme/directory \
    -m admin@example.com \
    --agree-tos
Updating an Account
To update an ACME account:
$ certbot update_account --server http://$HOSTNAME:8080/acme/directory
Deactivating an Account
To deactivate an ACME account:
$ certbot unregister --server http://$HOSTNAME:8080/acme/directory