PKI ACME Responder with PKI Backend

From Dogtag

Installing SANToCNDefault Policy

ACME clients normally submit a CSR with an empty subject and put the requested host names in the SAN extension. The SANToCNDefault policy fills the subject CN from the first DNS name in the SAN, and the ACME profile installed below depends on it, so register it first. Edit /etc/pki/pki-tomcat/ca/registry.cfg and add the SANToCNDefault policy to the following properties (keep the existing entries in defaultPolicy.ids and append the new one):

defaultPolicy.ids=...,sanToCNDefaultImpl
defaultPolicy.sanToCNDefaultImpl.class=com.netscape.cms.profile.def.SANToCNDefault
defaultPolicy.sanToCNDefaultImpl.desc=SAN to CN Default
defaultPolicy.sanToCNDefaultImpl.name=SAN to CN Default

Then restart the server so the CA reloads the registry.

Installing ACME Profile

To install the ACME profile on the PKI CA (the profile ships with the ACME package under /usr/share/pki/ca/profiles):

$ pki -u caadmin -w Secret.123 ca-profile-add /usr/share/pki/ca/profiles/acmeServerCert.cfg --raw

To enable the profile (a newly added profile is disabled until enabled):

$ pki -u caadmin -w Secret.123 ca-profile-enable acmeServerCert

Passing the password with -w puts it into the shell history and the process list, where any local user can read it; on a shared host, prefer a password file or the client certificate (-n) of the CA agent instead of a literal password.

Configuring CA Backend for ACME Responder

To configure the ACME responder to use the Dogtag PKI CA, start from the sample backend configuration shipped with the ACME package:

$ cp /usr/share/pki/acme/conf/backend/pki/backend.json /etc/pki/pki-tomcat/acme/backend.json

The configuration is stored in /etc/pki/pki-tomcat/acme/backend.json. Set url to the CA, profile to the profile enabled above, and username/password to the CA user the responder will authenticate as when it enrolls certificates. The file holds these credentials in cleartext, so keep it readable only by the account the server runs as, and prefer a dedicated CA user that is limited to enrolling with this profile over the caadmin account:

{
    "class": "org.dogtagpki.acme.backend.PKIBackend",
    "parameters": {
        "url": "https://localhost:8443",
        "profile": "acmeServerCert",
        "username": "caadmin",
        "password": "Secret.123"
    }
}
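The steps above (registry edit, restart, profile install, backend file) are easy to apply twice or half-way by hand. The following POSIX shell script is an added example, not Dogtag's own tooling: it makes the registry edit idempotent, writes backend.json with the values from this page while keeping the file private, and only touches the live system when invoked with the `apply` argument. The environment variable CA_ADMIN_PASSWORD, the `apply` argument and the check functions are assumptions of this example; the file paths, the systemd unit name and the pki commands are the ones used on this page.

```shell
#!/bin/sh
# Added example: idempotent setup of the SANToCNDefault policy and the ACME
# PKI backend. Not part of Dogtag; paths match the page, everything else is
# an assumption of this example.

REGISTRY=${REGISTRY:-/etc/pki/pki-tomcat/ca/registry.cfg}
BACKEND=${BACKEND:-/etc/pki/pki-tomcat/acme/backend.json}

# has_san_to_cn_default FILE: succeed if FILE lists the policy id in
# defaultPolicy.ids and declares its class.
has_san_to_cn_default() {
    grep -qE '^defaultPolicy\.ids=(.*,)?sanToCNDefaultImpl(,|$)' "$1" &&
    grep -q '^defaultPolicy.sanToCNDefaultImpl.class=com.netscape.cms.profile.def.SANToCNDefault$' "$1"
}

# add_san_to_cn_default FILE: append sanToCNDefaultImpl to the existing
# defaultPolicy.ids list and add the class/desc/name properties. Safe to run
# repeatedly: each part is added only if it is missing.
add_san_to_cn_default() {
    f=$1
    if ! grep -qE '^defaultPolicy\.ids=(.*,)?sanToCNDefaultImpl(,|$)' "$f"; then
        if grep -q '^defaultPolicy\.ids=' "$f"; then
            tmp=$(mktemp)
            # Keep the other ids; rewrite in place via cat so file mode/owner survive.
            sed 's/^\(defaultPolicy\.ids=.*\)$/\1,sanToCNDefaultImpl/' "$f" > "$tmp" &&
            cat "$tmp" > "$f"
            rm -f "$tmp"
        else
            printf 'defaultPolicy.ids=sanToCNDefaultImpl\n' >> "$f"
        fi
    fi
    if ! grep -q '^defaultPolicy\.sanToCNDefaultImpl\.class=' "$f"; then
        cat >> "$f" <<'EOF'
defaultPolicy.sanToCNDefaultImpl.class=com.netscape.cms.profile.def.SANToCNDefault
defaultPolicy.sanToCNDefaultImpl.desc=SAN to CN Default
defaultPolicy.sanToCNDefaultImpl.name=SAN to CN Default
EOF
    fi
}

# write_backend FILE URL PROFILE USER PASSWORD: write the PKIBackend config.
# The file carries a cleartext CA password, so it is created mode 0600.
# Values are not JSON-escaped; this assumes they contain no quotes or backslashes.
write_backend() {
    f=$1
    ( umask 077
      printf '{\n    "class": "org.dogtagpki.acme.backend.PKIBackend",\n    "parameters": {\n        "url": "%s",\n        "profile": "%s",\n        "username": "%s",\n        "password": "%s"\n    }\n}\n' \
          "$2" "$3" "$4" "$5" > "$f" )
    chmod 600 "$f"
}

# backend_is_private FILE: succeed only if neither group nor others can read it.
backend_is_private() {
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Apply to the live server only when explicitly asked.
if [ "${1:-}" = apply ]; then
    : "${CA_ADMIN_PASSWORD:?set CA_ADMIN_PASSWORD instead of typing it on the command line}"
    add_san_to_cn_default "$REGISTRY"
    systemctl restart pki-tomcatd@pki-tomcat.service
    # The password still appears in the process list while pki runs; -w is what
    # the page uses, so this keeps it, but on a shared host prefer -n <nickname>.
    pki -u caadmin -w "$CA_ADMIN_PASSWORD" ca-profile-add /usr/share/pki/ca/profiles/acmeServerCert.cfg --raw
    pki -u caadmin -w "$CA_ADMIN_PASSWORD" ca-profile-enable acmeServerCert
    write_backend "$BACKEND" https://localhost:8443 acmeServerCert caadmin "$CA_ADMIN_PASSWORD"
    backend_is_private "$BACKEND" || echo "warning: $BACKEND is readable by other users" >&2
fi
```

Run it as `CA_ADMIN_PASSWORD=... sh setup-acme-backend.sh apply` on the CA host. If the profile was already added, the ca-profile-add call fails and, with `set -e`, stops the script before the enable step; remove it on a rerun, or check `pki ca-profile-show acmeServerCert` first.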

See Also