Difference between revisions of "PKI ACME Service"

From Dogtag
Jump to: navigation, search
m
m (Configuring ACME Database)
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
= Overview =
 +
 +
This page describes the procedure to install PKI ACME Service being developed for PKI 10.8.
 +
 +
The development branch is available at:
 +
 +
* https://github.com/edewata/pki/commits/acme
 +
 
= Current Issues =
 
= Current Issues =
  
 
* The certbot generates CSR with empty subject, but the caServerCert profile requires a subject that starts with CN=.
 
* The certbot generates CSR with empty subject, but the caServerCert profile requires a subject that starts with CN=.
* PKI CA requires authentication with admin's client cert.
 
* Bug in CertificatePoliciesExtDefault.
 
  
 
= Installing PKI Server =
 
= Installing PKI Server =
Line 16: Line 22:
  
 
= Configuring NSS Database =
 
= Configuring NSS Database =
 +
 +
To enable NSS/JSS on a basic PKI server:
  
 
<pre>
 
<pre>
Line 22: Line 30:
 
</pre>
 
</pre>
  
To import Let's Encrypt's CA certificates:
+
To import Root CA certificates:
  
 
* [https://letsencrypt.org/certs/isrgrootx1.pem.txt ISRG Root X1]
 
* [https://letsencrypt.org/certs/isrgrootx1.pem.txt ISRG Root X1]
 
* [https://letsencrypt.org/certs/trustid-x3-root.pem.txt DST Root CA X3]
 
* [https://letsencrypt.org/certs/trustid-x3-root.pem.txt DST Root CA X3]
 +
* [https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt DigiCert Global Root CA]
  
 
  $ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
 
  $ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
Line 31: Line 40:
 
  $ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
 
  $ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
 
  $ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
 
  $ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
 +
$ wget https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
 +
$ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i DigiCertGlobalRootCA.crt -n "DigiCert Global Root CA" -t CT,C,C
  
 
= Configuring TLS =
 
= Configuring TLS =
 +
 +
To configure TLS on a basic PKI server:
  
 
<pre>
 
<pre>
Line 64: Line 77:
 
== Configuring ACME Metadata ==
 
== Configuring ACME Metadata ==
  
The ACME metadata configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/metadata.xml:
+
The ACME metadata configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/metadata.json:
  
 
<pre>
 
<pre>
<metadata>
+
{
     <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
+
     "termsOfService": "https://www.dogtagpki.org/wiki/PKI_ACME_Service",
     <website>https://www.example.com/</website>
+
     "website": "https://www.dogtagpki.org",
     <caaIdentities>example.com</caaIdentities>
+
     "caaIdentities": [
     <externalAccountRequired>false</externalAccountRequired>
+
        "dogtagpki.org"
</metadata>
+
    ],
 +
     "externalAccountRequired": "false"
 +
}
 
</pre>
 
</pre>
  
= Configuring ACME Database ==
+
== Configuring ACME Database ==
  
The ACME database configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/database.xml.
+
The ACME database configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/database.json.
  
* PKI ACME Service with Memory Database
+
* [[PKI ACME Service with In-Memory Database]]
 +
* [[PKI ACME Service with Mongo Database]]
 +
* [[PKI ACME Service with PostgreSQL Database]]
 
* PKI ACME Service with LDAP Database
 
* PKI ACME Service with LDAP Database
* [[PKI ACME Service with Mongo Database]]
 
  
 
== Configuring ACME Backend ==
 
== Configuring ACME Backend ==
  
The ACME backend configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/backend.xml.
+
The ACME backend configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/backend.json.
  
 
* [[PKI ACME Service with PKI Backend]]
 
* [[PKI ACME Service with PKI Backend]]
Line 96: Line 112:
  
 
<pre>
 
<pre>
$ pki-server acme-deploy
+
$ pki-server acme-deploy -i tomcat@acme
 
</pre>
 
</pre>
  
Line 189: Line 205:
  
 
<pre>
 
<pre>
$ pki-server acme-undeploy
+
$ pki-server acme-undeploy -i tomcat@acme
 
</pre>
 
</pre>
  
Line 197: Line 213:
  
 
<pre>
 
<pre>
$ pki-server acme-remove
+
$ pki-server acme-remove -i tomcat@acme
 
</pre>
 
</pre>
  

Latest revision as of 04:31, 7 November 2019

Overview

This page describes the procedure to install PKI ACME Service being developed for PKI 10.8.

The development branch is available at:

Current Issues

  • The certbot generates CSR with empty subject, but the caServerCert profile requires a subject that starts with CN=.

Installing PKI Server

To install a basic PKI server:

$ pki-server create tomcat@acme

To install a PKI server with CA, see Installing CA.

Configuring NSS Database

To enable NSS/JSS on a basic PKI server:

$ pki-server nss-create -i tomcat@acme --no-password
$ pki-server jss-enable -i tomcat@acme

To import Root CA certificates:

$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
$ wget https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i DigiCertGlobalRootCA.crt -n "DigiCert Global Root CA" -t CT,C,C

Configuring TLS

To configure TLS on a basic PKI server:

$ pki-server http-connector-add -i tomcat@acme \
  --port 8443 \
  --scheme https \
  --secure true \
  --sslEnabled true \
  --sslProtocol SSL \
  Secure
$ pki-server http-connector-mod -i tomcat@acme \
  --sslImpl org.dogtagpki.tomcat.JSSImplementation \
  Secure
$ pki-server http-connector-cert-add -i tomcat@acme \
  --keyAlias sslserver \
  --keystoreType pkcs11 \
  --keystoreProvider Mozilla-JSS

Creating ACME Service

To create ACME service:

$ pki-server acme-create -i tomcat@acme

It will store the configuration files in /etc/pki/pki-tomcat/acme folder. Make sure the ACME subsystem is configured to point to PKI CA.

Configuring ACME Metadata

The ACME metadata configuration is located at /etc/pki/pki-tomcat/acme/metadata.json:

{
    "termsOfService": "https://www.dogtagpki.org/wiki/PKI_ACME_Service",
    "website": "https://www.dogtagpki.org",
    "caaIdentities": [
        "dogtagpki.org"
    ],
    "externalAccountRequired": "false"
}

Configuring ACME Database

The ACME database configuration is located at /etc/pki/pki-tomcat/acme/database.json.

Configuring ACME Backend

The ACME backend configuration is located at /etc/pki/pki-tomcat/acme/backend.json.

Deploying ACME Web Application

To deploy ACME web application:

$ pki-server acme-deploy -i tomcat@acme

It will create a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.

To verify, open the ACME service in a browser, for example:

Certificate Enrollment

HTTP-01 Challenge

To request a certificate with automatic http-01 challenge:

$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

To request a certificate with manual http-01 validation:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

Make sure the web server is set up properly:

$ curl http://server.example.com/.well-known/acme-challenge/<token>

DNS-01 Challenge

To request a certificate with manual dns-01 challenge:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email

Make sure the TXT record is created properly:

$ dig _acme-challenge.server.example.com TXT

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem

Certificate Revocation

To revoke with ACME account:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory

To revoke with private key:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory

See also:

Undeploying ACME Web Application

To undeploy ACME web application:

$ pki-server acme-undeploy -i tomcat@acme

Removing ACME Subsystem

To remove ACME subsystem:

$ pki-server acme-remove -i tomcat@acme

See Also