PKI ACME Responder

From Dogtag
Revision as of 15:36, 13 October 2019 by Edewata (talk | contribs)


Current Issues

  • certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.
  • The PKI CA requires authentication with the admin's client certificate.
  • Bug in CertificatePoliciesExtDefault.

Installing PKI Server

To install a basic PKI server:

$ pki-server create tomcat@acme

To install a PKI server with CA, see Installing CA.

Configuring NSS Database

$ pki-server nss-create -i tomcat@acme --no-password
$ pki-server jss-enable -i tomcat@acme

To import Let's Encrypt's CA certificates:

$ wget
$ certutil -A -d /etc/pki/pki-tomcat/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget
$ certutil -A -d /etc/pki/pki-tomcat/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C

Configuring TLS

$ pki-server http-connector-add -i tomcat@acme \
  --port 8443 \
  --scheme https \
  --secure true \
  --sslEnabled true \
  --sslProtocol SSL
$ pki-server http-connector-mod -i tomcat@acme \
  --sslImpl org.dogtagpki.tomcat.JSSImplementation
$ pki-server http-connector-cert-add -i tomcat@acme \
  --keyAlias sslserver \
  --keystoreType pkcs11 \
  --keystoreProvider Mozilla-JSS

Creating ACME Service

To create ACME service:

$ pki-server acme-create -i tomcat@acme

This stores the configuration files in the /etc/pki/pki-tomcat/acme folder. Make sure the ACME subsystem is configured to point to the PKI CA.

Configuring ACME Metadata

The ACME metadata configuration is located at /etc/pki/pki-tomcat/acme/metadata.xml:


Configuring ACME Database

The ACME database configuration is located at /etc/pki/pki-tomcat/acme/database.xml.

Configuring ACME Backend

The ACME backend configuration is located at /etc/pki/pki-tomcat/acme/backend.xml.

Deploying ACME Web Application

To deploy the ACME web application:

$ pki-server acme-deploy

This creates a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.

To verify, open the ACME service in a browser, for example:

Certificate Enrollment

HTTP-01 Challenge

To request a certificate with automatic http-01 challenge:

$ certbot certonly --standalone \
    -d \
    --server \
    --preferred-challenges http

To request a certificate with manual http-01 validation:

$ certbot certonly --manual \
    -d \
    --server \
    --preferred-challenges http

Make sure the web server serves the key authorization at the http-01 path for the token certbot displays:

$ curl http://<domain>/.well-known/acme-challenge/<token>

DNS-01 Challenge

To request a certificate with manual dns-01 challenge:

$ certbot certonly --manual \
    -d \
    --server \
    --preferred-challenges dns

Make sure the TXT record is created properly under the _acme-challenge label of the domain:

$ dig TXT _acme-challenge.<domain>
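Both manual flows above depend on the same RFC 8555 arithmetic: the http-01 body is the key authorization (token, a dot, and the RFC 7638 thumbprint of the ACME account key), and the dns-01 TXT value is the base64url SHA-256 of that same string. The following is an added example, not code from the Dogtag wiki or the PKI project, that computes both values and checks what `curl` or `dig` returned against them before the CA is asked to validate. The account key is the example EC key from RFC 7517 and the token is the example token from RFC 8555; neither is a real credential, and the `<domain>` placeholder is assumed.

```python
"""Compute and check ACME http-01 and dns-01 challenge responses (RFC 8555 §8.3, §8.4).

Added example for this wiki page; it implements only the public ACME rules that the
responder and certbot must agree on, nothing specific to the Dogtag ACME internals.
"""
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required* members only.

    Optional members such as "alg" or "use" are deliberately excluded; including them
    would produce a different thumbprint and every challenge would fail validation.
    """
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))  (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict) -> tuple[str, str]:
    """Path the CA will fetch over plain HTTP and the exact body it must receive."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_expected(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01(token: str, jwk: dict, served_body: str) -> bool:
    """True if the served body matches, tolerating only a trailing newline added by
    editors or web servers; a wrong token or a different account key fails."""
    _, want = http01_expected(token, jwk)
    return served_body.rstrip("\r\n") == want


def check_dns01(token: str, jwk: dict, txt_records: list[str]) -> bool:
    """True if any TXT record carries the expected digest.  `dig` prints TXT values
    in double quotes, so quotes are stripped before comparing."""
    want = dns01_expected(token, jwk)
    return any(r.strip().strip('"') == want for r in txt_records)


# Sample input: the P-256 example key from RFC 7517 (public part only, not a real
# account key) plus optional members that must be ignored by the thumbprint.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "alg": "ES256",
    "use": "sig",
}
# Example token from RFC 8555 §8.3.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_JWK)
    print("http-01: GET http://<domain>" + path)
    print("         expected body:", body)
    print("dns-01:  _acme-challenge.<domain> TXT", dns01_expected(SAMPLE_TOKEN, SAMPLE_JWK))
```

Paste the body returned by `curl` into `check_http01`, or the quoted values from the `dig` answer section into `check_dns01`; a `False` from either means the CA's validation will fail, and the most common causes are a stale token from an earlier certbot run or a record placed at the bare domain instead of the `_acme-challenge` label.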

The certificate will be stored at /etc/letsencrypt/live/

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/

Certificate Revocation

To revoke with ACME account:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/

To revoke with the certificate's private key:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/ \
    --key-path /etc/letsencrypt/live/

See also:

Undeploying ACME Web Application

To undeploy the ACME web application:

$ pki-server acme-undeploy

Removing ACME Subsystem

To remove the ACME subsystem:

$ pki-server acme-remove

See Also