PKI ACME Responder

From Dogtag

Overview

This page describes the procedure to install the ACME responder being developed for PKI 10.8.

The development branch is available at:

Current Issues

  • certbot generates a CSR with an empty subject, but the caServerCert profile requires a subject that starts with CN=.

Installation

Certificate Enrollment

HTTP-01 Challenge

To request a certificate with automatic http-01 challenge:

$ certbot certonly --standalone \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

To request a certificate with manual http-01 validation:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges http \
    --register-unsafely-without-email

Make sure the web server is set up properly:

$ curl http://server.example.com/.well-known/acme-challenge/<token>

DNS-01 Challenge

To request a certificate with manual dns-01 challenge:

$ certbot certonly --manual \
    -d server.example.com \
    --server https://acme.demo.dogtagpki.org/acme/directory \
    --preferred-challenges dns \
    --register-unsafely-without-email

Make sure the TXT record is created properly:

$ dig _acme-challenge.server.example.com TXT
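
The two manual checks above (the curl against /.well-known/acme-challenge/<token> and the dig for the _acme-challenge TXT record) only tell you that something is being served; the following added example, which is not part of the Dogtag project, computes what the ACME responder will actually look for (RFC 8555 key authorization built from the RFC 7638 thumbprint of the account key) and compares the served body or the dig output against it. The JWK coordinates and the token are constructed sample values, not real key material.

```python
import base64
import hashlib
import json
import re

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """What the http-01 URL must serve: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """What the _acme-challenge TXT record must hold: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def check_http01(served_body: str, token: str, jwk: dict) -> bool:
    """Compare the body fetched with curl from /.well-known/acme-challenge/<token> to the expectation."""
    return served_body.strip() == key_authorization(token, jwk)

def txt_values_from_dig(dig_output: str) -> list:
    """Pull the quoted TXT data out of dig's answer-section lines (tabs or spaces)."""
    return re.findall(r'\bIN\s+TXT\s+"([^"]*)"', dig_output)

def check_dns01(dig_output: str, token: str, jwk: dict) -> bool:
    """True when any TXT record in the dig output carries the expected dns-01 value."""
    return dns01_txt_value(token, jwk) in txt_values_from_dig(dig_output)

# Constructed sample data (not a real key, not a real token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))),
              "y": b64url(bytes(range(32, 64))),
              "alg": "ES256"}  # "alg" is not a required member and must not affect the thumbprint
SAMPLE_TOKEN = "constructed-token-gYhG9mXTz4pC8uLq3kWv1R"

if __name__ == "__main__":
    print("expected http-01 body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("expected dns-01 TXT  :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Feed the real account key (certbot stores it as a JWK under /etc/letsencrypt/accounts/) and the token from the challenge into these functions, then pass the curl body or the dig output to the check functions.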

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem

Certificate Revocation

To revoke with ACME account:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory

To revoke with private key:

$ certbot revoke \
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem \
    --server https://acme.demo.dogtagpki.org/acme/directory
