Difference between revisions of "PKI ACME Service"

From Dogtag

Revision comparison (two minor edits, summaries "Creating ACME Service" and "Configuring Backend"), starting at line 45 of the wikitext:

Old revision:

= Configuring Backend =

The ACME service backend configuration is located at /etc/pki/pki-tomcat/acme/backend.xml.

* [[PKI ACME Service with PKI Backend]]

New revision:

= Configuring ACME Database =

The ACME database configuration is located at /etc/pki/pki-tomcat/acme/database.xml.

* PKI ACME Service with Memory Database
* PKI ACME Service with LDAP Database
* [[PKI ACME Service with Mongo Database]]

= Configuring ACME Backend =

The ACME backend configuration is located at /etc/pki/pki-tomcat/acme/backend.xml.

* [[PKI ACME Service with PKI Backend]]
Latest revision as of 22:11, 13 September 2019

Current Issues

  • certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.
  • PKI CA requires authentication with the admin's client certificate.
  • Bug in CertificatePoliciesExtDefault.

Installing PKI CA

See Installing CA.

Creating ACME Service

To create the ACME service:

$ pki-server acme-create --database <database> --backend <backend>

It will store the configuration files in the /etc/pki/pki-tomcat/acme folder. Make sure the ACME subsystem is configured to point to the PKI CA.

Setting up NSS Database

To import Let's Encrypt's CA certificates:

$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C

Configuring Metadata

The ACME service metadata configuration is located at /etc/pki/pki-tomcat/acme/metadata.xml:

<metadata>
    <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
    <website>https://www.example.com/</website>
    <caaIdentities>example.com</caaIdentities>
    <externalAccountRequired>false</externalAccountRequired>
</metadata>
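The values in metadata.xml are published verbatim through the ACME directory (the meta object of RFC 8555 section 7.1.1), so a typo here is visible to every client. The following is an added example, not code from the Dogtag page or the PKI project: it parses a metadata.xml with the element names shown above and reports the problems a practitioner would want caught before running acme-deploy. The checks themselves (HTTPS-only URLs, a bare hostname in caaIdentities, a strict true/false for externalAccountRequired) are this example's own assumptions about a sane configuration, and the second XML document is a constructed misconfiguration used to exercise them.

```python
"""Sanity-check an ACME metadata.xml before deploying the ACME web application.

Added example; not part of the Dogtag page or the PKI project. Element names
follow the metadata.xml shown on the page; the checks are this example's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the page's metadata.xml (expected to pass).
GOOD_METADATA_XML = """<metadata>
    <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
    <website>https://www.example.com/</website>
    <caaIdentities>example.com</caaIdentities>
    <externalAccountRequired>false</externalAccountRequired>
</metadata>"""

# Constructed misconfiguration: plain-HTTP terms URL, a URL where a CAA
# hostname belongs, and a non-boolean externalAccountRequired.
BAD_METADATA_XML = """<metadata>
    <termsOfService>http://example.com/acme/docs/tos.pdf</termsOfService>
    <website>https://www.example.com/</website>
    <caaIdentities>https://example.com</caaIdentities>
    <externalAccountRequired>yes</externalAccountRequired>
</metadata>"""


def _is_https_url(value: str) -> bool:
    parts = urlsplit(value.strip())
    return parts.scheme == "https" and bool(parts.netloc)


def check_metadata(xml_text: str) -> list:
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "metadata":
        return [f"root element is <{root.tag}>, expected <metadata>"]

    # termsOfService and website are shown to clients; insist on HTTPS.
    for name in ("termsOfService", "website"):
        elem = root.find(name)
        text = (elem.text or "").strip() if elem is not None else ""
        if not text:
            problems.append(f"<{name}> is missing or empty")
        elif not _is_https_url(text):
            problems.append(f"<{name}> is not an https:// URL: {text}")

    # caaIdentities are the hostnames the CA recognises in CAA records
    # (RFC 8555 7.1.1); a scheme or path here will never match a CAA record.
    identities = [(e.text or "").strip() for e in root.findall("caaIdentities")]
    if not identities:
        problems.append("<caaIdentities> is missing")
    for ident in identities:
        if not ident or any(ch in ident for ch in "/: "):
            problems.append(f"<caaIdentities> is not a bare hostname: {ident!r}")

    # externalAccountRequired is a boolean in the directory; accept only true/false.
    eab = root.find("externalAccountRequired")
    eab_text = (eab.text or "").strip().lower() if eab is not None else ""
    if eab_text not in ("true", "false"):
        problems.append("<externalAccountRequired> must be 'true' or 'false'")

    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA_XML), ("bad", BAD_METADATA_XML)):
        print(label, check_metadata(doc) or "OK")
```

Run it against the real file with check_metadata(open("/etc/pki/pki-tomcat/acme/metadata.xml").read()); the constructed bad document produces three findings (the http:// terms URL, the URL in caaIdentities, and the value "yes").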

Configuring ACME Database

The ACME database configuration is located at /etc/pki/pki-tomcat/acme/database.xml.

Configuring ACME Backend

The ACME backend configuration is located at /etc/pki/pki-tomcat/acme/backend.xml.

Deploying ACME Web Application

To deploy the ACME web application:

$ pki-server acme-deploy

It will create a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.

To verify, open the ACME service in a browser, for example:

Certificate Enrollment

HTTP-01 Challenge

To request a certificate with an automatic http-01 challenge:

$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

To request a certificate with manual http-01 validation:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

Make sure the web server is set up properly:

$ curl http://server.example.com/.well-known/acme-challenge/<token>

DNS-01 Challenge

To request a certificate with a manual dns-01 challenge:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email

Make sure the TXT record is created properly:

$ dig _acme-challenge.server.example.com TXT
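The curl and dig checks above only show that something is being served; the CA will compare it against a value derived from the account key. The following is an added example, not code from the Dogtag page, certbot or the PKI project: it computes what the CA expects for both challenge types (RFC 8555 sections 8.3 and 8.4), namely the key authorization token.thumbprint for http-01, using the RFC 7638 JWK thumbprint of the account key, and base64url(SHA-256(keyAuthorization)) for the _acme-challenge TXT record in dns-01. It also compares a fetched http-01 body the way the CA does, tolerating trailing whitespace. The account JWK and token are sample values for illustration, not a real ACME account.

```python
"""Expected http-01 and dns-01 challenge responses (RFC 8555 8.3 / 8.4).

Added example; not part of the Dogtag page, certbot or the PKI project.
SAMPLE_JWK and SAMPLE_TOKEN are sample values, not a real account or order.
"""
import base64
import hashlib
import json

# RFC 7638: the thumbprint covers only the required public members of the
# JWK, serialised with members in lexicographic order and no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of an ACME account public key."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing kty") from None
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    # Extra members such as alg or kid are deliberately dropped.
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint: the body the http-01 responder must serve."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """base64url(SHA-256(keyAuthorization)): the _acme-challenge TXT record value."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response_ok(served_body: str, token: str, jwk: dict) -> bool:
    """Compare a fetched challenge body with the expected key authorization.

    RFC 8555 8.3 lets the server ignore whitespace after the body, so a file
    that ends in a newline (the usual case for static files) still matches.
    """
    return served_body.rstrip() == key_authorization(token, jwk)


# Sample account key and token for illustration only.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "alg": "ES256",       # ignored by the thumbprint
    "kid": "sample-key",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("http-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

To use it against a live order, take the token from the challenge object and the account's public JWK (certbot keeps it under /etc/letsencrypt/accounts), then compare the curl output with key_authorization() and the dig answer with dns01_txt_value(); a mismatch in either usually means the responder was provisioned for a different account key or an older token.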

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem

Certificate Revocation

To revoke with the ACME account:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory

To revoke with the private key:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory

Undeploying ACME Web Application

To undeploy the ACME web application:

$ pki-server acme-undeploy

Removing ACME Subsystem

To remove the ACME subsystem:

$ pki-server acme-remove
