PKI ACME Responder with OpenSSL Issuer

From Dogtag

Creating PKI Server

$ pki-server create tomcat@acme

Creating ACME Responder

$ pki-server acme-create -i tomcat@acme --backend openssl openssl

Creating OpenSSL CA

Create OpenSSL CA certificate and key:

$ cd /var/lib/tomcats/acme/conf/openssl
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -key ca.key -out ca.crt -subj "/O=EXAMPLE/CN=Certificate Authority"

Store the OpenSSL CA configuration in /var/lib/tomcats/acme/conf/openssl/ca.conf:

default_ca      = acme_ca

[acme_ca]
serial          = /var/lib/tomcats/acme/conf/openssl/
database        = /var/lib/tomcats/acme/conf/openssl/ca.db
new_certs_dir   = /var/lib/tomcats/acme/conf/openssl/certs
certificate     = /var/lib/tomcats/acme/conf/openssl/ca.crt
private_key     = /var/lib/tomcats/acme/conf/openssl/ca.key

default_md      = sha256
default_days    = 90

policy          = acme_dn_policy
copy_extensions = copy

[acme_dn_policy]
# DN policy section referenced by "policy" above; openssl ca fails if it is absent.
# Its entries (which subject fields are match/supplied/optional) are not shown on this page.

Store the certificate extension configuration in /var/lib/tomcats/acme/conf/openssl/ext.conf:

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:, caIssuers;URI:
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    =, @acme_policy

[acme_policy]
policyIdentifier       =
CPS.1                  =

Create the certificate database:

$ mkdir -p certs
$ touch ca.db
$ echo 01 >
$ chown tomcat:tomcat *

Configuring ACME Responder

To configure the ACME responder with an OpenSSL issuer, edit /var/lib/tomcats/acme/conf/issuer.conf as follows:

class    = org.dogtagpki.acme.issuer.OpenSSLIssuer
ca_conf  = ca.conf
ext_conf = ext.conf
ca_cert  = ca.crt
ca_key   = ca.key
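Before restarting Tomcat it is worth proving that the ca.conf/ext.conf pair actually issues a usable certificate. The following dry run is an added example, not code from the Dogtag page or project: it rebuilds the same layout in a temporary directory, signs a constructed CSR with openssl ca exactly as the OpenSSLIssuer does, and checks the chain, the CA:FALSE constraint and the copied SAN. The serial file name ca.srl, the contents of the acme_dn_policy section and the [req]/[dn]/[ca_ext] sections used to mint the CA certificate are assumptions for the test, not values from this page.

```shell
# Added dry run of the OpenSSL issuer setup; not code from the Dogtag page or project.
# Assumed placeholders, not values from the page: the serial file name ca.srl, a DN
# policy allowing only an optional commonName, and the [req]/[dn]/[ca_ext] sections.
acme_openssl_dryrun() {
    w=$(mktemp -d) && mkdir -p "$w/certs" && touch "$w/ca.db" && echo 01 > "$w/ca.srl" || return 1
    cat > "$w/ca.conf" <<EOF
default_ca      = acme_ca
[acme_ca]
serial          = $w/ca.srl
database        = $w/ca.db
new_certs_dir   = $w/certs
certificate     = $w/ca.crt
private_key     = $w/ca.key
default_md      = sha256
default_days    = 90
policy          = acme_dn_policy
copy_extensions = copy
[acme_dn_policy]
commonName      = optional
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
EOF
    cat > "$w/ext.conf" <<EOF
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
EOF
    # Self-signed CA with explicit CA extensions, independent of the system openssl.cnf.
    openssl req -new -x509 -config "$w/ca.conf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$w/ca.key" -out "$w/ca.crt" -subj "/O=EXAMPLE/CN=Certificate Authority" 2>/dev/null || return 1
    # Constructed request shaped like an ACME finalize CSR: the hostname lives in the SAN.
    openssl req -new -config "$w/ca.conf" -newkey rsa:2048 -nodes -keyout "$w/test.key" \
        -out "$w/test.csr" -subj "/CN=test.example.com" \
        -addext "subjectAltName=DNS:test.example.com" 2>/dev/null || return 1
    openssl ca -batch -notext -config "$w/ca.conf" -extfile "$w/ext.conf" \
        -in "$w/test.csr" -out "$w/test.crt" 2>/dev/null || return 1
    # Checks: chains to the CA, is a leaf, SAN copied from the CSR, issuance recorded.
    openssl verify -CAfile "$w/ca.crt" "$w/test.crt" >/dev/null 2>&1 || return 1
    t=$(openssl x509 -in "$w/test.crt" -noout -text) || return 1
    printf '%s\n' "$t" | grep -q 'CA:FALSE' && printf '%s\n' "$t" | grep -q 'DNS:test.example.com' || return 1
    grep -q '^V' "$w/ca.db" && rm -rf "$w"
}
```

Drop the `2>/dev/null` redirections to see why a step fails; the function returns non-zero at the first check that does not hold.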

See Also