11.3. Configuring ACME Issuer


This section describes how to configure an issuer for PKI ACME Responder. The configuration for ACME Issuer is located at /etc/pki/pki-tomcat/acme/issuer.conf.
You can configure the issuer from the command line using the pki-server acme-issuer-mod command.
  • Invoking this command without any parameters launches an interactive mode, for example:
    $ pki-server acme-issuer-mod
    The current value is displayed in the square brackets.
    To keep the current value, simply press Enter.
    To change the current value, enter the new value.
    To remove the current value, enter a blank space.
    
    Enter the type of the certificate issuer. Available types: nss, pki.
    Issuer Type: pki
    
    Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
    Server URL [https://localhost.localdomain:8443]:
    
    Enter the certificate nickname for client authentication.
    This might be the CA agent certificate.
    Enter blank to use basic authentication.
    Client Certificate:
    
    Enter the username of the CA agent for basic authentication.
    Enter blank if a CA agent certificate is used for client authentication.
    Agent Username [caadmin]:
    
    Enter the CA agent password for basic authentication.
    Enter blank if the password is already stored in a separate property file
    or if a CA agent certificate is used for client authentication.
    Agent Password [********]:
    
    Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
    Certificate Profile [acmeServerCert]:
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

11.3.1. Configuring PKI Issuer

You can configure PKI ACME Responder to issue certificates using PKI Issuer. A sample configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.
  • To configure a PKI issuer, copy the sample issuer.conf into the /etc/pki/pki-tomcat/acme directory, or run the following command to customize some of the parameters:
    $ pki-server acme-issuer-mod --type pki \
                -Dusername=caadmin \
                -Dpassword=Secret.123
    Customize the configuration as needed. The issuer.conf file should look like the following:
    class=org.example.acme.issuer.PKIIssuer
    url=https://localhost.localdomain:8443
    profile=acmeServerCert
    username=caadmin
    password=Secret.123
  • The url parameter specifies the PKI issuer location.
  • The profile parameter specifies the certificate profile to use.
  • To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
  • To use basic authentication, specify the username in the username parameter and the password in the password parameter.
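
With basic authentication, the CA agent password sits in issuer.conf in clear text, so the file mode and the url scheme decide who can read that credential. The following shell check is an added example, not part of the original documentation or of the PKI tooling; it reads only the keys shown on this page, and the function names get_prop and audit_issuer_conf are hypothetical:

```shell
#!/bin/sh
# Added example: audit issuer.conf using only the keys shown on this page
# (url, nickname, username, password). Function names are hypothetical.

# get_prop FILE KEY: print the value of KEY (last occurrence wins).
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_issuer_conf FILE: print one line per finding, return the count.
audit_issuer_conf() {
    conf=$1; findings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 255; }
    url=$(get_prop "$conf" url)
    nickname=$(get_prop "$conf" nickname)
    username=$(get_prop "$conf" username)
    password=$(get_prop "$conf" password)

    # Agent credentials should only travel to the CA over TLS.
    case $url in
        https://*) ;;
        *) echo "FINDING: url is not https: '$url'"; findings=$((findings + 1)) ;;
    esac
    # A clear-text password in the file is only as safe as the file mode.
    if [ -n "$password" ]; then
        perms=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
        case $perms in
            *00) ;;
            *) echo "FINDING: password present and mode is $perms (group/other access)"
               findings=$((findings + 1)) ;;
        esac
    fi
    # The page describes nickname and username/password as alternatives.
    if [ -n "$nickname" ] && [ -n "$username" ]; then
        echo "FINDING: both nickname and username are set"
        findings=$((findings + 1))
    elif [ -z "$nickname" ] && [ -z "$username" ]; then
        echo "FINDING: neither nickname nor username is set"
        findings=$((findings + 1))
    fi
    # Basic authentication needs a password here or in the separate file.
    if [ -n "$username" ] && [ -z "$password" ]; then
        echo "NOTE: username set without password; expecting the separate property file"
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit_issuer_conf "$1"; fi
```

Run it with the path to issuer.conf as the only argument; the exit status is the number of findings.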

© 2024 Red Hat, Inc.