Difference between revisions of "PKI ACME Responder"

From Dogtag
m (Setting up NSS Database)
m (ACME Client)
 
(65 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Current Issues =
+
= Overview =
  
* The certbot generates CSR with empty subject, but the caServerCert profile requires a subject that starts with CN=.
+
PKI provides an ACME responder which implements ACME v2 protocol as defined in [https://tools.ietf.org/html/rfc8555 RFC 8555].
* PKI CA requires authentication with admin's client cert.
 
* Bug in CertificatePoliciesExtDefault.
 
  
= Installing PKI CA =
+
Availability:
 +
* PKI 10.9 (tech preview)
 +
* PKI 10.10 or later (fully supported)
  
See [[Installing CA]].
+
= Installation =
  
= Creating ACME Service =
+
* [[Installing Standalone ACME Responder]]
 +
* [[Installing ACME Responder in PKI CA]]
 +
* [[Configuring PKI ACME Responder]]
 +
* [https://github.com/dogtagpki/pki/blob/master/docs/installation/podman/Deploying_PKI_ACME_Responder_on_Podman.md Deploying PKI ACME Responder on Podman]
 +
* [https://github.com/dogtagpki/pki/blob/master/docs/installation/openshift/Deploying_PKI_ACME_Responder_on_OpenShift.md Deploying PKI ACME Responder on OpenShift]
  
To create ACME service:
+
= Usage =
  
<pre>
+
* [https://github.com/dogtagpki/pki/blob/master/docs/user/acme/Using_PKI_ACME_Responder.md Using PKI ACME Responder]
$ pki-server acme-create --database <database> --backend <backend>
+
* [https://github.com/dogtagpki/pki/blob/master/docs/user/acme/Using_PKI_ACME_Responder_with_Certbot.md Using PKI ACME Responder with Certbot]
</pre>
+
* [https://github.com/dogtagpki/pki/blob/master/docs/admin/acme/Managing_PKI_ACME_Responder.md Managing PKI ACME Responder]
 
+
* [https://github.com/dogtagpki/pki/wiki/PKI-ACME-CLI PKI ACME CLI]
It will store the configuration files in /etc/pki/<font color="red">pki-tomcat</font>/acme folder.
+
* [https://github.com/dogtagpki/pki/wiki/PKI-ACME-REST-API PKI ACME REST API]
Make sure the ACME subsystem is configured to point to PKI CA.
 
 
 
= Configuring NSS Database =
 
 
 
<pre>
 
$ pki-server nss-create -i tomcat@acme --no-password
 
$ pki-server jss-enable -i tomcat@acme
 
</pre>
 
 
 
To import Let's Encrypt's CA certificates:
 
 
 
* [https://letsencrypt.org/certs/isrgrootx1.pem.txt ISRG Root X1]
 
* [https://letsencrypt.org/certs/trustid-x3-root.pem.txt DST Root CA X3]
 
 
 
$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
 
$ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
 
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
 
$ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
 
 
 
= Configuring TLS =
 
 
 
<pre>
 
$ pki-server http-connector-add -i tomcat@acme \
 
  --port 8443 \
 
  --scheme https \
 
  --secure true \
 
  --sslEnabled true \
 
  --sslProtocol SSL \
 
  Secure
 
$ pki-server http-connector-mod -i tomcat@acme \
 
  --sslImpl org.dogtagpki.tomcat.JSSImplementation \
 
  Secure
 
$ pki-server http-connector-cert-add -i tomcat@acme \
 
  --keyAlias sslserver \
 
  --keystoreType pkcs11 \
 
  --keystoreProvider Mozilla-JSS
 
</pre>
 
 
 
= Configuring Metadata =
 
 
 
The ACME service metadata configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/metadata.xml:
 
 
 
<pre>
 
<metadata>
 
    <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
 
    <website>https://www.example.com/</website>
 
    <caaIdentities>example.com</caaIdentities>
 
    <externalAccountRequired>false</externalAccountRequired>
 
</metadata>
 
</pre>
 
  
= Configuring ACME Database =
+
= Demo =
  
The ACME database configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/database.xml.
+
A demo ACME responder is available at https://pki.demo.dogtagpki.org/acme.
  
* PKI ACME Service with Memory Database
+
== PKI CLI ==
* PKI ACME Service with LDAP Database
 
* [[PKI ACME Service with Mongo Database]]
 
  
= Configuring ACME Backend =
+
To access the demo with PKI CLI, install the p11-kit-trust module in the NSS database:
 
 
The ACME backend configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/backend.xml.
 
 
 
* [[PKI ACME Service with PKI Backend]]
 
* [[PKI ACME Service with OpenSSL Backend]]
 
* [[PKI ACME Service with Proxy Backend]]
 
 
 
= Deploying ACME Web Application =
 
 
 
To deploy ACME web application:
 
  
 
<pre>
 
<pre>
$ pki-server acme-deploy
+
$ pki client-init
 +
$ modutil -dbdir ~/.dogtag/nssdb -add p11-kit-trust -libfile /usr/lib64/pkcs11/p11-kit-trust.so
 +
$ pki -U https://pki.demo.dogtagpki.org acme-info
 +
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-disable
 +
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-enable
 
</pre>
 
</pre>
  
It will create a deployment descriptor at /etc/pki/<font color="red">pki-tomcat</font>/Catalina/localhost/acme.xml.
+
== Web UI ==
 
 
To verify, open the ACME service in a browser, for example:
 
  
* https://acme.demo.dogtagpki.org/acme/directory
+
To access the demo with a Web browser, open https://pki.demo.dogtagpki.org/acme.
  
= Certificate Enrollment =
+
Log in with the following credentials:
 +
* Username: admin
 +
* Password: Secret.123
  
== HTTP-01 Challenge ==
+
== ACME Client ==
  
To request a certificate with automatic http-01 challenge:
+
To access the demo with an ACME client, use the following endpoint: https://pki.demo.dogtagpki.org/acme/directory. For example:
  
 
<pre>
 
<pre>
$ certbot certonly --standalone \
+
$ certbot certonly \
    -d server.example.com \
+
     --server https://pki.demo.dogtagpki.org/acme/directory \
     --server https://acme.demo.dogtagpki.org/acme/directory \
+
    --standalone \
 
     --preferred-challenges http \
 
     --preferred-challenges http \
    --register-unsafely-without-email
+
     -d server.example.com
</pre>
 
 
 
To request a certificate with manual http-01 validation:
 
 
 
<pre>
 
$ certbot certonly --manual \
 
     -d server.example.com \
 
    --server https://acme.demo.dogtagpki.org/acme/directory \
 
    --preferred-challenges http \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
Make sure the web server is set up properly:
 
 
 
<pre>
 
$ curl http://server.example.com/.well-known/acme-challenge/<token>
 
</pre>
 
 
 
== DNS-01 Challenge ==
 
 
 
To request a certificate with manual dns-01 challenge:
 
 
 
<pre>
 
$ certbot certonly --manual \
 
    -d server.example.com \
 
    --server https://acme.demo.dogtagpki.org/acme/directory \
 
    --preferred-challenges dns \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
Make sure the TXT record is created properly:
 
 
 
<pre>
 
$ dig _acme-challenge.server.example.com TXT
 
</pre>
 
 
 
The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.
 
 
 
To inspect the certificate:
 
 
 
<pre>
 
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
 
</pre>
 
 
 
= Certificate Revocation =
 
 
 
To revoke with ACME account:
 
 
 
<pre>
 
$ certbot revoke \
 
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
 
    --server https://acme.demo.dogtagpki.org/acme/directory
 
</pre>
 
 
 
To revoke with private key:
 
 
 
<pre>
 
$ certbot revoke \
 
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
 
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
 
    --server https://acme.demo.dogtagpki.org/acme/directory
 
</pre>
 
 
 
See also:
 
 
 
* [https://letsencrypt.org/docs/revoking/ Revoking certificates]
 
 
 
= Undeploying ACME Web Application =
 
 
 
To undeploy ACME web application:
 
 
 
<pre>
 
$ pki-server acme-undeploy
 
</pre>
 
 
 
= Removing ACME Subsystem =
 
 
 
To remove ACME subsystem:
 
 
 
<pre>
 
$ pki-server acme-remove
 
 
</pre>
 
</pre>
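Review bot: the "Current Issues" list at the top of the old revision (certbot generating a CSR with an empty subject while the caServerCert profile requires a subject starting with CN=, PKI CA requiring authentication with the admin's client cert, the CertificatePoliciesExtDefault bug) is dropped in this revision with nothing saying the issues were fixed or where they are tracked; either keep the list or replace it with a link to the tracker. The new Demo section also adds acme-disable and acme-enable runs against the shared demo with the admin credentials passed on the command line; a sentence next to those commands noting that disabling the responder affects everyone else using the demo, and that -w leaves the password in shell history, would be worth adding.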
  
Line 199: Line 64:
 
* [[PKI ACME Container]]
 
* [[PKI ACME Container]]
 
* [[PKI ACME OpenShift]]
 
* [[PKI ACME OpenShift]]
* [[PKI Server Webapp CLI]]
+
* [https://github.com/dogtagpki/pki/wiki/PKI-Server-ACME-CLI PKI Server ACME CLI]
* [[IPA ACME Service]]
+
* [[IPA ACME Responder]]
* [[certbot]]
+
* [[certbot]]
 +
* [https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 Generate Wildcard SSL certificate using Let’s Encrypt/Certbot]
 +
* [https://github.com/letsencrypt/boulder/blob/main/nonce/nonce.go Boulder's nonce implementation]
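Review bot: the two newly added external links (the Medium wildcard-certificate article and Boulder's nonce.go) carry no hint of why they are listed; one clause each would help, e.g. that wildcard names require the dns-01 challenge, and that Boulder's nonce code is a reference implementation of the Replay-Nonce values an ACME responder must issue with every successful POST response. Also, [[PKI ACME Container]] and [[PKI ACME OpenShift]] are kept here while the Installation section now points to the Podman and OpenShift documents on GitHub; if the wiki pages are superseded, link both places to the same document so they do not drift.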

Latest revision as of 17:37, 28 October 2020

Overview

PKI provides an ACME responder which implements the ACME v2 protocol as defined in RFC 8555.

Availability:

  • PKI 10.9 (tech preview)
  • PKI 10.10 or later (fully supported)

Installation

Usage

Demo

A demo ACME responder is available at https://pki.demo.dogtagpki.org/acme.

PKI CLI

To access the demo with the PKI CLI, install the p11-kit-trust module in the NSS database:

$ pki client-init
$ modutil -dbdir ~/.dogtag/nssdb -add p11-kit-trust -libfile /usr/lib64/pkcs11/p11-kit-trust.so
$ pki -U https://pki.demo.dogtagpki.org acme-info
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-disable
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-enable

Web UI

To access the demo with a web browser, open https://pki.demo.dogtagpki.org/acme.

Log in with the following credentials:

  • Username: admin
  • Password: Secret.123

ACME Client

To access the demo with an ACME client, use the following endpoint: https://pki.demo.dogtagpki.org/acme/directory. For example:

$ certbot certonly \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    --standalone \
    --preferred-challenges http \
    -d server.example.com
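As an added illustration of what the http-01 validation selected by `--preferred-challenges http` actually checks (this is example code, not code from the page or from the PKI project): the responder fetches http://server.example.com/.well-known/acme-challenge/<token> and expects the key authorization, i.e. the token, a dot, and the RFC 7638 thumbprint of the account key (RFC 8555 sections 8.1 and 8.3). The example goes beyond the page's http-01 command and also derives the dns-01 TXT value (section 8.4); the account JWK and token are constructed sample values, not a real key or a token issued by any responder.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real account key, not a token issued by any responder.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "Wck1Sczsa1dg-Sxkj_JLu4J0XTnpTvCibWjl8Q5MTjc",
    "y": "pWHJzRYkAIH_8D8h9Gfi1NAg4nKoVZqBz3ajqW4v7Dw",
    # Extra members such as "kid" or "alg" do not enter the RFC 7638 thumbprint.
    "kid": "https://pki.demo.dogtagpki.org/acme/acct/1",
}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding used throughout RFC 8555."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, serialized with sorted keys and
    no whitespace, so member order and extra members do not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def validate_http01(token: str, jwk: dict, served_body: str) -> bool:
    """The responder's check after fetching http://<domain>/.well-known/acme-challenge/<token>."""
    return served_body.rstrip("\r\n") == key_authorization(token, jwk)

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT at _acme-challenge.<domain> = base64url(SHA-256(key auth))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)

def validate_dns01(token: str, jwk: dict, txt_records: list) -> bool:
    """True if any TXT record returned for _acme-challenge.<domain> matches the expected value."""
    return dns01_txt_value(token, jwk) in txt_records

if __name__ == "__main__":
    print("http-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT:  ", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The http-01 body is what the `curl` of the challenge URL should return, and the dns-01 value is what a `dig _acme-challenge.server.example.com TXT` should show before the challenge is triggered.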

See Also