Difference between revisions of "PKI ACME Responder"

From Dogtag
Previous revision (edit summary: m (Removing ACME Subsystem)); 23 intermediate revisions by the same user are not shown. The latest revision follows further below.

= Current Issues =

* certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.
* PKI CA requires authentication with the admin's client certificate.
* Bug in CertificatePoliciesExtDefault.

= Installing PKI Server =

To install a basic PKI server:

<pre>
$ pki-server create tomcat@acme
</pre>

To install a PKI server with CA, see [[Installing CA]].

= Configuring NSS Database =

<pre>
$ pki-server nss-create -i tomcat@acme --no-password
$ pki-server jss-enable -i tomcat@acme
</pre>

To import Let's Encrypt's CA certificates:

* [https://letsencrypt.org/certs/isrgrootx1.pem.txt ISRG Root X1]
* [https://letsencrypt.org/certs/trustid-x3-root.pem.txt DST Root CA X3]

<pre>
$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A -d /etc/pki/<font color="red">pki-tomcat</font>/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
</pre>

= Configuring TLS =

<pre>
$ pki-server http-connector-add -i tomcat@acme \
  --port 8443 \
  --scheme https \
  --secure true \
  --sslEnabled true \
  --sslProtocol SSL \
  Secure
$ pki-server http-connector-mod -i tomcat@acme \
  --sslImpl org.dogtagpki.tomcat.JSSImplementation \
  Secure
$ pki-server http-connector-cert-add -i tomcat@acme \
  --keyAlias sslserver \
  --keystoreType pkcs11 \
  --keystoreProvider Mozilla-JSS
</pre>

= Creating ACME Service =

To create the ACME service:

<pre>
$ pki-server acme-create -i tomcat@acme
</pre>

It will store the configuration files in the /etc/pki/<font color="red">pki-tomcat</font>/acme folder.

Make sure the ACME subsystem is configured to point to PKI CA.

== Configuring ACME Metadata ==

The ACME metadata configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/metadata.xml:

<pre>
<metadata>
    <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
    <website>https://www.example.com/</website>
    <caaIdentities>example.com</caaIdentities>
    <externalAccountRequired>false</externalAccountRequired>
</metadata>
</pre>

== Configuring ACME Database ==

The ACME database configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/database.xml.

* PKI ACME Service with Memory Database
* PKI ACME Service with LDAP Database
* [[PKI ACME Service with Mongo Database]]

== Configuring ACME Backend ==

The ACME backend configuration is located at /etc/pki/<font color="red">pki-tomcat</font>/acme/backend.xml.

* [[PKI ACME Service with PKI Backend]]
* [[PKI ACME Service with OpenSSL Backend]]
* [[PKI ACME Service with Proxy Backend]]

= Deploying ACME Web Application =

To deploy the ACME web application:

<pre>
$ pki-server acme-deploy -i tomcat@acme
</pre>

It will create a deployment descriptor at /etc/pki/<font color="red">pki-tomcat</font>/Catalina/localhost/acme.xml.

To verify, open the ACME service in a browser, for example:

* https://acme.demo.dogtagpki.org/acme/directory

= Certificate Enrollment =

== HTTP-01 Challenge ==

To request a certificate with automatic http-01 challenge:

<pre>
$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email
</pre>

To request a certificate with manual http-01 challenge:

<pre>
$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email
</pre>

Make sure the web server is set up properly:

<pre>
$ curl http://server.example.com/.well-known/acme-challenge/<token>
</pre>

== DNS-01 Challenge ==

To request a certificate with manual dns-01 challenge:

<pre>
$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email
</pre>

= Certificate Revocation =

To revoke with ACME account:

<pre>
$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory
</pre>

To revoke with private key:

<pre>
$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory
</pre>

* [https://letsencrypt.org/docs/revoking/ Revoking certificates]

= Undeploying ACME Web Application =

To undeploy the ACME web application:

<pre>
$ pki-server acme-undeploy -i tomcat@acme
</pre>

= Removing ACME Subsystem =

To remove the ACME subsystem:

<pre>
$ pki-server acme-remove -i tomcat@acme
</pre>

= See Also =

* [[PKI ACME OpenShift]]
* [[PKI Server Webapp CLI]]
* [[IPA ACME Service]]
* [[certbot]]
Latest revision as of 17:57, 21 November 2019

= Overview =

This page describes the procedure to install the ACME responder being developed for PKI 10.8.

The development branch is available at:

* https://github.com/edewata/pki/commits/acme

= Installation =

* [[Installing Standalone ACME Responder]]
* [[Installing ACME Responder in PKI CA]]
* [[Configuring ACME Responder]]

= Verification =

Note that certbot does not accept a self-signed CA certificate, so the operations below are executed with plain HTTP URLs.

== Certificate Enrollment with HTTP-01 ==

To request a certificate with automatic http-01 validation:

<pre>
$ certbot certonly --standalone \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email
</pre>

To request a certificate with manual http-01 validation:

<pre>
$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d $HOSTNAME \
    --preferred-challenges http \
    --register-unsafely-without-email
</pre>

Make sure the web server is set up properly:

<pre>
$ curl http://$HOSTNAME/.well-known/acme-challenge/<token>
</pre>

== Certificate Enrollment with DNS-01 ==

To request a certificate with manual dns-01 validation:

<pre>
$ certbot certonly --manual \
    --server http://$HOSTNAME:8080/acme/directory \
    -d server.example.com \
    --preferred-challenges dns \
    --register-unsafely-without-email
</pre>

Make sure the TXT record is created properly:

<pre>
$ dig _acme-challenge.server.example.com TXT
</pre>
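The curl and dig checks above only show that something is being served; what the responder actually compares against is derived from the ACME account key. The script below is an added example, not part of this page and not PKI or certbot code: it computes the expected http-01 key authorization (token plus RFC 7638 JWK thumbprint, RFC 8555 section 8.1 and 8.3) and the expected dns-01 TXT value (base64url of the SHA-256 of that key authorization, section 8.4) with only the Python standard library, so the body returned by curl or the TXT record returned by dig can be compared against the right value. The P-256 account key, the token and all function names are constructed for the example.

```python
"""Expected http-01 and dns-01 challenge values for an ACME account key.

Added example; not PKI, Dogtag or certbot code. Implements the RFC 7638 JWK
thumbprint and the RFC 8555 key-authorization rules with the standard library.
"""
import base64
import hashlib
import json

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2).
# Everything else in the JWK ("kid", "use", "alg", private parameters) is ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, serialized with no whitespace."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}") from exc
    canonical = {m: jwk[m] for m in members}  # KeyError if a required member is missing
    raw = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(raw).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the validator expects at /.well-known/acme-challenge/<token> (RFC 8555 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the TXT record at _acme-challenge.<domain> (RFC 8555 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01_body(body: str, token: str, jwk: dict) -> bool:
    """Compare what curl returned with the expected key authorization.
    RFC 8555 lets the validator ignore trailing whitespace, so a newline is fine."""
    return body.rstrip() == key_authorization(token, jwk)


# Constructed account key: a P-256 public JWK with fabricated coordinates
# (not a valid curve point, which does not matter for the thumbprint).
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "kid": "https://acme.example.test/acme/acct/1",  # ignored by the thumbprint
}
EXAMPLE_TOKEN = "constructed-token-Dt3juxGJ-PCt92wr-oA"  # constructed challenge token

if __name__ == "__main__":
    print("http-01 body:", key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK))
    print("dns-01 TXT  :", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
```

To check a real enrollment, feed in the public members of the account key certbot keeps under /etc/letsencrypt/accounts and the token from the challenge URL, then compare the curl body with key_authorization() and the dig answer with dns01_txt_value(). Because the directory URL above is plain HTTP, the client's JWS still binds each request to the account key, but the server's responses (directory URLs, challenge tokens) are unauthenticated on the wire, which is acceptable only for this kind of local verification.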

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

<pre>
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
</pre>

== Certificate Revocation ==

To revoke with ACME account:

<pre>
$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem
</pre>

To revoke with private key:

<pre>
$ certbot revoke \
    --server http://$HOSTNAME:8080/acme/directory \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem
</pre>

See also:

* [https://letsencrypt.org/docs/revoking/ Revoking certificates]

= See Also =

* [[PKI ACME OpenShift]]
* [[PKI Server Webapp CLI]]
* [[IPA ACME Responder]]
* [[certbot]]