Installing Standalone ACME Responder

From Dogtag

Overview

This document describes how to install a standalone ACME responder. The responder must be connected to external services, such as a database and a CA backend.

Create a Basic PKI Server

To create a basic PKI server:

$ pki-server create tomcat@pki

This command creates a Tomcat instance in the /var/lib/tomcats/pki directory.

See also Installing Basic PKI Server.

Configuring NSS Database

To enable NSS/JSS on a basic PKI server:

$ pki-server nss-create -i tomcat@pki --no-password
$ pki-server jss-enable -i tomcat@pki

The above commands create an NSS database in the /var/lib/tomcats/pki/alias directory and configure Tomcat to use it.

By default the NSS database does not trust any root CA certificates. To access external services, the root CA certificates for those services may need to be imported into the NSS database.

Some common root CA certificates are ISRG Root X1, DST Root CA X3 and DigiCert Global Root CA. To import them into the NSS database:

$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A -d /var/lib/tomcats/pki/alias -i isrgrootx1.pem.txt -n "ISRG Root X1" -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A -d /var/lib/tomcats/pki/alias -i trustid-x3-root.pem.txt -n "DST Root CA X3" -t CT,C,C
$ wget https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
$ certutil -A -d /var/lib/tomcats/pki/alias -i DigiCertGlobalRootCA.crt -n "DigiCert Global Root CA" -t CT,C,C
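As an added example, not part of the Dogtag page, the POSIX shell functions below check the result of the import step: a fingerprint helper for comparing a downloaded root against the value its publisher lists before it is trusted, and a parser for certutil -L output that confirms each root is present with the CT,C,C trust flags. The database path and nicknames are the ones used above; the certutil listing is a constructed sample, and openssl and certutil are assumed to be installed for the helpers that run against a real file or database.

```shell
#!/bin/sh
# Added example, not from the Dogtag page: checks around importing root CA
# certificates into the NSS database at /var/lib/tomcats/pki/alias.

# Print the SHA-256 fingerprint of a downloaded certificate (PEM first, then
# DER) so it can be compared with the publisher's listed value before import.
# Assumes openssl is installed.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256
}

# Parse `certutil -L` output ($1) and print the trust attributes of the
# certificate with nickname $2. Returns 1 when the nickname is absent.
nss_trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Data rows end in a three-part flag column such as CT,C,C or ,,
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # strip the flags column
            if (line == want) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Return 0 when nickname $2 in listing $1 carries exactly the flags $3.
nss_check_trust() {
    flags=$(nss_trust_flags "$1" "$2") || return 1
    [ "$flags" = "$3" ]
}

# Against a live database: list its certificates and confirm each nickname
# given after the path is trusted as a CA (CT,C,C). Assumes certutil exists.
nss_db_check_roots() {
    db=${1:-/var/lib/tomcats/pki/alias}
    if [ $# -gt 0 ]; then shift; fi
    listing=$(certutil -L -d "$db") || return 1
    rc=0
    for nick in "$@"; do
        if nss_check_trust "$listing" "$nick" "CT,C,C"; then
            echo "ok:      $nick"
        else
            echo "MISSING: $nick (flags: $(nss_trust_flags "$listing" "$nick" || echo none))"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing in the shape certutil -L prints; the DigiCert
# root here was imported without trust flags, which the check should reject.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ISRG Root X1                                                 CT,C,C
DST Root CA X3                                               CT,C,C
DigiCert Global Root CA                                      ,,
sslserver                                                    u,u,u
'
```

Run nss_db_check_roots /var/lib/tomcats/pki/alias "ISRG Root X1" "DST Root CA X3" "DigiCert Global Root CA" after the imports; any root reported as MISSING was either not imported or imported without the CT,C,C flags and will not be used to validate the external services' certificates.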

Configuring TLS

To configure TLS on a basic PKI server:

$ pki-server http-connector-add -i tomcat@pki \
  --port 8443 \
  --scheme https \
  --secure true \
  --sslEnabled true \
  --sslProtocol SSL \
  --sslImpl org.dogtagpki.tomcat.JSSImplementation \
  Secure
$ pki-server http-connector-cert-add -i tomcat@pki \
  --keyAlias sslserver \
  --keystoreType pkcs11 \
  --keystoreProvider Mozilla-JSS

Creating ACME Responder

To create the ACME responder:

$ pki-server acme-create -i tomcat@pki

This stores the initial configuration files in the /var/lib/tomcats/pki/conf/acme directory.

To customize the configuration, see Configuring PKI ACME Responder.

Deploying ACME Responder

To deploy the ACME responder:

$ pki-server acme-deploy -i tomcat@pki

This creates a deployment descriptor at /var/lib/tomcats/pki/conf/Catalina/localhost/acme.xml.

To verify, open the ACME responder in a browser, for example:
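To check the deployment from the command line instead, as an added example that is not part of the page: the shell functions below fetch the responder's ACME directory and confirm it lists every resource RFC 8555 requires, each as an https URL. The directory path /acme/directory on the port 8443 connector configured above and the optional CA certificate argument are assumptions; the sample document is constructed and its URLs are placeholders.

```shell
#!/bin/sh
# Added example, not from the Dogtag page: validate an ACME directory document
# (RFC 8555 section 7.1.1) as returned by a deployed responder.

# Resources every ACME directory must provide; newAuthz and meta are optional.
ACME_REQUIRED_FIELDS="newNonce newAccount newOrder revokeCert keyChange"

# Check the JSON text in $1 for each required field and require that each one
# points at an https URL. Prints the missing fields; returns 0 when complete.
acme_directory_check() {
    missing=""
    for field in $ACME_REQUIRED_FIELDS; do
        # Match the field as a JSON key with an https value, e.g. "newNonce": "https://..."
        if ! printf '%s' "$1" | grep -q "\"$field\"[[:space:]]*:[[:space:]]*\"https://"; then
            missing="$missing $field"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing or not https:$missing"
        return 1
    fi
    return 0
}

# Fetch the directory from a live responder and validate it. The default URL
# (assumed path /acme/directory on the 8443 connector) and the CA certificate
# used to verify the responder's TLS certificate are both assumptions.
acme_directory_fetch_check() {
    url=${1:-https://localhost:8443/acme/directory}
    cacert=${2:-}
    if [ -n "$cacert" ]; then
        body=$(curl -sS --fail --cacert "$cacert" "$url") || return 1
    else
        body=$(curl -sS --fail "$url") || return 1
    fi
    acme_directory_check "$body"
}

# Constructed sample document; hostnames and paths are placeholders.
SAMPLE_DIRECTORY='{
  "newNonce": "https://pki.example.com:8443/acme/new-nonce",
  "newAccount": "https://pki.example.com:8443/acme/new-account",
  "newOrder": "https://pki.example.com:8443/acme/new-order",
  "revokeCert": "https://pki.example.com:8443/acme/revoke-cert",
  "keyChange": "https://pki.example.com:8443/acme/key-change",
  "meta": { "termsOfService": "https://pki.example.com:8443/acme/tos" }
}'

# Same document with one resource downgraded to plain http; must be rejected.
SAMPLE_DIRECTORY_HTTP=$(printf '%s' "$SAMPLE_DIRECTORY" \
    | sed 's#"https://pki.example.com:8443/acme/new-nonce"#"http://pki.example.com:8080/acme/new-nonce"#')
```

Passing the CA certificate with acme_directory_fetch_check "$url" /path/to/ca.pem makes curl verify the responder's TLS certificate rather than skipping verification, which is the same trust decision an ACME client will have to make against this responder.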

Undeploying ACME Responder

To undeploy the ACME responder:

$ pki-server acme-undeploy -i tomcat@pki

Removing ACME Responder

To remove the ACME responder:

$ pki-server acme-remove -i tomcat@pki

See Also