PKI ACME Responder
Contents
- 1 Current Issues
- 2 Installing PKI Server
- 3 Creating ACME Service
- 4 Configuring NSS Database
- 5 Configuring TLS
- 6 Configuring Metadata
- 7 Configuring ACME Database
- 8 Configuring ACME Backend
- 9 Deploying ACME Web Application
- 10 Certificate Enrollment
- 11 Certificate Revocation
- 12 Undeploying ACME Web Application
- 13 Removing ACME Subsystem
- 14 See Also
Current Issues
- certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.
- PKI CA requires authentication with the admin's client certificate.
- Bug in CertificatePoliciesExtDefault.
Installing PKI Server
To install a basic PKI server:
$ pki-server create tomcat@acme
To install a PKI server with CA, see Installing CA.
Creating ACME Service
To create an ACME service:
$ pki-server acme-create --database <database> --backend <backend>
This stores the configuration files in the /etc/pki/pki-tomcat/acme folder. Make sure the ACME subsystem is configured to point to the PKI CA.
Configuring NSS Database
To create the NSS database and enable JSS:
$ pki-server nss-create -i tomcat@acme --no-password
$ pki-server jss-enable -i tomcat@acme
To import Let's Encrypt's CA certificates:
$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A -d /etc/pki/pki-tomcat/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
Configuring TLS
To configure the HTTPS connector:
$ pki-server http-connector-add -i tomcat@acme \
    --port 8443 \
    --scheme https \
    --secure true \
    --sslEnabled true \
    --sslProtocol SSL \
    Secure
$ pki-server http-connector-mod -i tomcat@acme \
    --sslImpl org.dogtagpki.tomcat.JSSImplementation \
    Secure
$ pki-server http-connector-cert-add -i tomcat@acme \
    --keyAlias sslserver \
    --keystoreType pkcs11 \
    --keystoreProvider Mozilla-JSS
Configuring Metadata
The ACME service metadata configuration is located at /etc/pki/pki-tomcat/acme/metadata.xml:
<metadata>
    <termsOfService>https://example.com/acme/docs/tos.pdf</termsOfService>
    <website>https://www.example.com/</website>
    <caaIdentities>example.com</caaIdentities>
    <externalAccountRequired>false</externalAccountRequired>
</metadata>
Configuring ACME Database
The ACME database configuration is located at /etc/pki/pki-tomcat/acme/database.xml.
- PKI ACME Service with Memory Database
- PKI ACME Service with LDAP Database
- PKI ACME Service with Mongo Database
Configuring ACME Backend
The ACME backend configuration is located at /etc/pki/pki-tomcat/acme/backend.xml.
- PKI ACME Service with PKI Backend
- PKI ACME Service with OpenSSL Backend
- PKI ACME Service with Proxy Backend
Deploying ACME Web Application
To deploy the ACME web application:
$ pki-server acme-deploy
This creates a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.
To verify, open the ACME service in a browser, for example:
Certificate Enrollment
HTTP-01 Challenge
To request a certificate with an automatic http-01 challenge:
$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email
To request a certificate with manual http-01 validation:
$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email
Make sure the web server is set up properly:
$ curl http://server.example.com/.well-known/acme-challenge/<token>
DNS-01 Challenge
To request a certificate with a manual dns-01 challenge:
$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email
Make sure the TXT record is created properly:
$ dig _acme-challenge.server.example.com TXT
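The curl and dig checks above only pass if the challenge response carries the exact value the ACME server expects. As an added example (not part of the original page and not Dogtag PKI code), the following derives both values from the account key and the challenge token as RFC 8555 specifies: the http-01 body is the key authorization <token>.<JWK thumbprint>, and the dns-01 TXT record is the base64url SHA-256 of that string. The JWK parameters and the token are constructed sample values.

```python
import base64
import hashlib
import json
import re

# Constructed sample values (not a real key, not the page's own): the public
# parameters of an ACME account JWK. A real client uses its registered key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "e": "AQAB",
    "kid": "acct-1",  # extra members are ignored by the thumbprint
}

# RFC 8555 section 8.3: tokens are base64url, no padding, >= 128 bits (22 chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, keys in lexicographic
    order, no whitespace. Extra members such as kid or alg must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))

def key_authorization(token: str, jwk: dict) -> str:
    """http-01 response body (and dns-01 input): <token>.<thumbprint>."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url or is too short")
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt(token: str, jwk: dict) -> str:
    """Value the _acme-challenge.<domain> TXT record must carry."""
    return sha256_b64url(key_authorization(token, jwk).encode("ascii"))

if __name__ == "__main__":
    token = "DGyRejmCefe7v4NfDGDKfA"  # constructed token, as a CA would issue
    print("http-01 body:", key_authorization(token, ACCOUNT_JWK))
    print("dns-01 TXT  :", dns01_txt(token, ACCOUNT_JWK))
```

Compare the printed values with what curl returns for the token URL and what dig shows for the TXT record before asking the server to validate.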
The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.
To inspect the certificate:
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
Certificate Revocation
To revoke with the ACME account:
$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory
To revoke with the certificate's private key:
$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory
See also:
Undeploying ACME Web Application
To undeploy the ACME web application:
$ pki-server acme-undeploy
Removing ACME Subsystem
To remove the ACME subsystem:
$ pki-server acme-remove