11.3. Configuring ACME Issuer
This section describes how to configure an issuer for PKI ACME Responder. The configuration for ACME Issuer is located at /etc/pki/pki-tomcat/acme/issuer.conf.
You can configure the issuer from the command line using the pki-server acme-issuer-mod command.
- Invoking this command without any parameters launches an interactive mode, for example:

    $ pki-server acme-issuer-mod
    The current value is displayed in the square brackets.
    To keep the current value, simply press Enter.
    To change the current value, enter the new value.
    To remove the current value, enter a blank space.

    Enter the type of the certificate issuer.
    Available types: nss, pki.
    Issuer Type: pki

    Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
    Server URL [https://localhost.localdomain:8443]:

    Enter the certificate nickname for client authentication.
    This might be the CA agent certificate.
    Enter blank to use basic authentication.
    Client Certificate:

    Enter the username of the CA agent for basic authentication.
    Enter blank if a CA agent certificate is used for client authentication.
    Agent Username [caadmin]:

    Enter the CA agent password for basic authentication.
    Enter blank if the password is already stored in a separate property file
    or if a CA agent certificate is used for client authentication.
    Agent Password [********]:

    Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
    Certificate Profile [acmeServerCert]:
- Invoking the command with the --type parameter creates a new configuration based on the specified type.
- Invoking the command with other parameters updates the specified parameters.
11.3.1. Configuring PKI Issuer
You can configure PKI ACME Responder to issue certificates using PKI Issuer. A sample configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.
- To configure a PKI issuer, copy this sample issuer.conf into the /etc/pki/pki-tomcat/acme directory, or execute the following command to customize some of the parameters:

    $ pki-server acme-issuer-mod --type pki \
        -Dusername=caadmin \
        -Dpassword=Secret.123

- Customize the configuration as needed. The issuer.conf file should look like the following:

    class=org.example.acme.issuer.PKIIssuer
    url=https://localhost.localdomain:8443
    profile=acmeServerCert
    username=caadmin
    password=Secret.123
- The url parameter specifies the PKI issuer location.
- The profile parameter specifies the certificate profile to use.
- To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
- To use basic authentication, specify the username in the username parameter as well as the password in the password parameter.
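As an added example (not part of the PKI project or of this documentation), the following Python checker parses an issuer.conf in the key=value format shown above and reports the settings a reviewer would want flagged: a non-https url, a missing profile, an ambiguous choice between the nickname and username parameters, and an agent password kept in clear text in the file. The sample contents are constructed from the values on this page; the nickname ca_agent is an assumed value.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of the issuer.conf shown above (values as on this page).
SAMPLE_BASIC_AUTH = """\
class=org.example.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
username=caadmin
password=Secret.123
"""

# Constructed variant using the agent's client certificate; the nickname "ca_agent" is assumed.
SAMPLE_CLIENT_CERT = """\
class=org.example.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
nickname=ca_agent
"""

def parse_issuer_conf(text):
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def check_issuer_conf(conf):
    """Return findings for the parsed config; an empty list means every check passed."""
    findings = []
    if conf.get("class") != "org.example.acme.issuer.PKIIssuer":
        findings.append("class: not the PKI issuer class shown in the sample")
    url = urlparse(conf.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("url: must be an https:// URL with a hostname")
    if not conf.get("profile"):
        findings.append("profile: no certificate profile configured")
    has_cert, has_user = bool(conf.get("nickname")), bool(conf.get("username"))
    if has_cert == has_user:
        findings.append("auth: set exactly one of nickname (client cert) or username (basic auth)")
    if has_user and not conf.get("password"):
        findings.append("password: none in issuer.conf; confirm it is in the separate property file")
    if conf.get("password"):
        findings.append("password: agent password stored in clear text; prefer client certificate auth")
    return findings
```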