Overview

PKI provides an ACME responder which implements ACME v2 protocol as defined in RFC 8555.

Availability:

• PKI 10.9 (tech preview)
• PKI 10.10 or later (fully supported)

Installation

• Installing Standalone ACME Responder
• Installing ACME Responder in PKI CA
• Configuring PKI ACME Responder
• Deploying PKI ACME Responder on Podman
• Deploying PKI ACME Responder on OpenShift

Usage

• Using PKI ACME Responder
• Using PKI ACME Responder with Certbot
• Managing PKI ACME Responder
• PKI ACME CLI
• PKI ACME REST API

Demo

A demo ACME responder is available at https://pki.demo.dogtagpki.org/acme.

PKI CLI

To access the demo with PKI CLI, install the p11-kit-trust module in the NSS database:

$ pki client-init
$ modutil -dbdir ~/.dogtag/nssdb -add p11-kit-trust -libfile /usr/lib64/pkcs11/p11-kit-trust.so
$ pki -U https://pki.demo.dogtagpki.org acme-info
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-disable
$ pki -U https://pki.demo.dogtagpki.org -u admin -w Secret.123 acme-enable

Web UI

To access the demo with a Web browser, open https://pki.demo.dogtagpki.org/acme.

Log in with the following credentials:

• Username: admin
• Password: Secret.123

ACME Client

To access the demo with an ACME client, use the following endpoint: https://pki.demo.dogtagpki.org/acme/directory. For example:

$ certbot certonly \
    --server https://pki.demo.dogtagpki.org/acme/directory \
    --standalone \
    --preferred-challenges http \
    -d server.example.com

See Also

• ACME
• PKI ACME Container
• PKI ACME OpenShift
• PKI Server ACME CLI
• IPA ACME Responder
• certbot
• Generate Wildcard SSL certificate using Let’s Encrypt/Certbot
• Boulder's nonce implementation