PKI ACME Responder with OpenSSL Backend

From Dogtag

Creating PKI Server

$ pki-server create tomcat@acme

Creating ACME Responder

$ pki-server acme-create -i tomcat@acme --backend openssl openssl

Creating OpenSSL CA

Create the OpenSSL CA key and self-signed CA certificate:

$ cd /var/lib/tomcats/acme/conf/openssl
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -key ca.key -out ca.crt -subj "/O=EXAMPLE/CN=Certificate Authority"

Store the OpenSSL CA configuration in /var/lib/tomcats/acme/conf/openssl/ca.conf:

[ca]
default_ca = acme_ca

[acme_ca]
serial = /var/lib/tomcats/acme/conf/openssl/ca.srl
database = /var/lib/tomcats/acme/conf/openssl/ca.db
new_certs_dir = /var/lib/tomcats/acme/conf/openssl/certs
certificate = /var/lib/tomcats/acme/conf/openssl/ca.crt
private_key = /var/lib/tomcats/acme/conf/openssl/ca.key

default_md = sha256
default_days = 90

policy = acme_dn_policy
copy_extensions = copy

[acme_dn_policy]

Store the certificate extension configuration in /var/lib/tomcats/acme/conf/openssl/ext.conf:

basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = critical, serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @acme_cps_policy

[acme_cps_policy]

policyIdentifier       = 1.3.6.1.4.1.44947.1.1.1
CPS.1                  = http://cps.example.com

Create the certificate database:

$ mkdir -p certs
$ touch ca.db
$ echo 01 > ca.srl
$ chown tomcat:tomcat *
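The OpenSSL CA can be exercised before the responder touches it. The script below is an added example, not part of this page or of Dogtag: it recreates ca.conf, ext.conf, the database, the serial file and the certs directory in a scratch directory (so the chown step does not apply), creates the CA key and certificate, and then signs one constructed request with openssl ca using those two files, which is assumed here to be how the OpenSSL backend issues certificates. It verifies the chain and checks the issued certificate for the extensions ext.conf sets. Assumptions beyond the page: OpenSSL 1.1.1 or later; the names www.example.test and example.test are made up; the CA certificate gets basicConstraints, keyUsage and a subject key identifier through -addext instead of relying on the defaults in the system openssl.cnf; and the empty [acme_dn_policy] section is filled with commonName = supplied so that the CN from the request survives (with an empty policy section, openssl ca deletes every subject attribute).

```shell
#!/bin/sh
# Added example (not from the Dogtag page or its tooling): rebuild the OpenSSL
# CA layout from this page in a scratch directory, drive it with openssl ca the
# way a backend using ca.conf/ext.conf would, and check the issued certificate.
# Assumes OpenSSL 1.1.1 or later; host names, keys and the CSR are constructed.
set -eu

cert_has() { printf '%s\n' "$1" | grep -q -- "$2"; }

# Recreate ca.conf and ext.conf (paths rewritten to $1), the empty database, the
# serial file, certs/ and the CA key pair. The page leaves [acme_dn_policy]
# empty, which makes openssl ca strip every subject attribute; 'commonName =
# supplied' (an assumption) keeps the CN from the request instead.
build_openssl_ca() {
    dir=$(cd "$1" && pwd) || return 1
    mkdir -p "$dir/certs" || return 1
    # Minimal req config: extensions come only from -addext, not from the
    # system openssl.cnf, so the CA cert has exactly the extensions below.
    printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\nCN = placeholder\n' \
        > "$dir/req.conf"
    cat > "$dir/ca.conf" <<EOF
[ca]
default_ca = acme_ca

[acme_ca]
serial = $dir/ca.srl
database = $dir/ca.db
new_certs_dir = $dir/certs
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 90
policy = acme_dn_policy
copy_extensions = copy

[acme_dn_policy]
commonName = supplied
EOF
    cat > "$dir/ext.conf" <<'EOF'
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = critical, serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @acme_cps_policy

[acme_cps_policy]
policyIdentifier       = 1.3.6.1.4.1.44947.1.1.1
CPS.1                  = http://cps.example.com
EOF
    : > "$dir/ca.db"
    echo 01 > "$dir/ca.srl"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    # Explicit CA extensions; keyid:always in ext.conf needs the CA's SKID.
    openssl req -config "$dir/req.conf" -new -x509 -days 3650 \
        -key "$dir/ca.key" -subj "/O=EXAMPLE/CN=Certificate Authority" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" -out "$dir/ca.crt" || return 1
}

# Sign one constructed CSR as the backend would; return 0 only if the result
# carries what ext.conf is meant to enforce. The CSR has the SAN an ACME order
# needs and also asks for basicConstraints=CA:TRUE: with copy_extensions = copy
# the value fixed in ext.conf must win over the request.
issue_and_check() {
    dir=$(cd "$1" && pwd) || return 1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -config "$dir/req.conf" -new -key "$dir/server.key" \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        -addext "basicConstraints=CA:TRUE" -out "$dir/server.csr" || return 1
    openssl ca -batch -notext -config "$dir/ca.conf" -extfile "$dir/ext.conf" \
        -in "$dir/server.csr" -out "$dir/server.crt" || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text) || return 1
    cert_has "$text" 'CA:FALSE' || return 1                # ext.conf value kept
    cert_has "$text" 'CA:TRUE' && return 1                 # CSR value rejected
    cert_has "$text" 'DNS:www.example.test' || return 1    # SAN copied from CSR
    cert_has "$text" 'TLS Web Server Authentication' || return 1
    cert_has "$text" 'OCSP - URI:http://ocsp.example.com' || return 1
    cert_has "$text" 'CPS: http://cps.example.com' || return 1
    return 0
}

# Stand-alone run; the scratch directory is left in place for inspection.
run_demo() {
    tmp=$(mktemp -d) || return 1
    build_openssl_ca "$tmp" && issue_and_check "$tmp" || { echo "FAILED in $tmp"; return 1; }
    echo "OpenSSL CA dry run OK in $tmp"
}

run_demo
```

Run it with sh; it prints the scratch directory on success, and the issued certificate and the CA's copy under certs/ can then be inspected with openssl x509 -text. The request deliberately asks for basicConstraints=CA:TRUE: with copy_extensions = copy an extension already set in ext.conf is never replaced by the request, whereas copyall would let the request override it, so keep the setting at copy. Three things the page does not mention that matter once real clients use the responder: ca.key should be readable by the tomcat user only (chmod 600 after the chown); openssl ca with its default unique_subject = yes refuses a second certificate for a subject that still has a valid entry in ca.db, so an ACME renewal for the same name before the previous certificate expires or is revoked fails unless unique_subject = no is set in [acme_ca]; and serial numbers counted up from 01 are predictable, which rand_serial = yes in the same section avoids by drawing random ones.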

Configuring ACME Responder

To configure the ACME responder with OpenSSL as a backend, edit /var/lib/tomcats/acme/conf/backend.json:

{
    "class": "org.dogtagpki.acme.backend.OpenSSLBackend",
    "parameters": {
        "ca_conf": "/var/lib/tomcats/acme/conf/openssl/ca.conf",
        "ext_conf": "/var/lib/tomcats/acme/conf/openssl/ext.conf",
        "ca_cert": "/var/lib/tomcats/acme/conf/openssl/ca.crt",
        "ca_key": "/var/lib/tomcats/acme/conf/openssl/ca.key"
    }
}

See Also