Difference between revisions of "PKI ACME Service"

From Dogtag

Revision as of 22:03, 14 August 2019

Current Issues

  • certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.
  • The PKI CA requires authentication with the admin's client certificate.
  • Bug in CertificatePoliciesExtDefault.

Installing PKI CA

See Installing CA.

Creating ACME Subsystem

To create the ACME subsystem:

$ pki-server acme-create

It will store the configuration files in the /etc/pki/pki-tomcat/acme folder. Make sure the ACME subsystem is configured to point to the PKI CA.

Deploying ACME Web Application

To deploy the ACME web application:

$ pki-server acme-deploy

It will create a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.

To verify, open the ACME service in a browser, for example:

  • https://acme.demo.dogtagpki.org/acme/directory

Requesting a Certificate

To request a certificate with automatic http-01 validation:

$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

To request a certificate with manual http-01 validation:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

Make sure the web server is set up properly:

$ curl http://server.example.com/.well-known/acme-challenge/<token>

To request a certificate with manual dns-01 validation:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email

Make sure the TXT record is created properly:

$ dig _acme-challenge.server.example.com TXT
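The curl and dig checks above only show that something is served; they do not tell you whether it is the value the CA will compare against. The following added example (not part of the Dogtag page or certbot) computes the expected http-01 body and dns-01 TXT value from the account key's JWK thumbprint as specified in RFC 8555 and RFC 7638, and compares them against what curl or dig returned. The JWK and token are constructed sample values, not a real account key or challenge.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with keys sorted lexicographically and no whitespace.
    Extra members such as 'alg' or 'use' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_expected_body(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<host>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, jwk)

def dns01_expected_txt(token: str, jwk: dict) -> str:
    """TXT value the CA expects at _acme-challenge.<host>: base64url(SHA-256(keyAuthz))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def check_http01(served_body: str, token: str, jwk: dict) -> bool:
    """Compare what curl returned with what the CA will compute; a trailing newline is tolerated."""
    return served_body.rstrip("\r\n") == http01_expected_body(token, jwk)

def check_dns01(txt_records: list, token: str, jwk: dict) -> bool:
    """dig prints TXT strings in double quotes; strip them before comparing."""
    expected = dns01_expected_txt(token, jwk)
    return any(r.strip('"') == expected for r in txt_records)

# Constructed sample inputs (assumed values, not a real account key or challenge).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("http-01 body:", http01_expected_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT  :", dns01_expected_txt(SAMPLE_TOKEN, SAMPLE_JWK))
```

Feed it the token certbot prints in manual mode and the public part of the account key (certbot stores it under /etc/letsencrypt/accounts) to confirm the served file or TXT record before letting certbot tell the CA to validate.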

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem

Undeploying ACME Web Application

To undeploy the ACME web application:

$ pki-server acme-undeploy

Removing ACME Subsystem

To remove the ACME subsystem:

$ pki-server acme-remove

See Also