Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 10. Setting up PKI ACME responder

This chapter describes the installation and initial configuration on an ACME responder on a PKI server that already has a CA subsystem.

Note

The following assumes you installed the CA with the default instance name (i.e. pki-tomcat).

For information on how to manage PKI ACME Responder, see the Managing PKI ACME Responder chapter in the Red Hat Certificate System Administration Guide.

10.1. Installing PKI ACME Responder
Copier lien

To install PKI ACME Responder on your PKI server,

  1. First download and install the pki-acme RPM package: 

    $ dnf install pki-acme
    Copy to Clipboard Toggle word wrap

  2. Create an ACME responder in a PKI server instance using the following command: 

    $ pki-server acme-create
    Copy to Clipboard Toggle word wrap

This creates the initial configuration files in the /etc/pki/pki-tomcat/acme directory.

For more information, see the pki-server-acme manpage.

10.2. Configuring an ACME database
Copier lien

This section describes how to configure a database for the ACME responder. The database configuration is located at /etc/pki/pki-tomcat/acme/database.conf.

  • You can configure the database via command-line using the pki-server acme-database-mod command. Invoking this command without any parameters launches an interactive mode, for example: 

    $ pki-server acme-database-mod

The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql.
Database Type: ds

Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
Server URL [ldap://localhost.localdomain:389]:

Enter the authentication type. Available types: BasicAuth, SslClientAuth.
Authentication Type [BasicAuth]:

Enter the bind DN.
Bind DN [cn=Directory Manager]:

Enter the bind password.
Bind Password [ ****** ]:

Enter the base DN for the ACME subtree.
Base DN [dc=acme,dc=pki,dc=example,dc=com]:
    Copy to Clipboard Toggle word wrap
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

Certain ACME configuration properties are stored in the database, enabling you to configure all ACME responders in the cluster consistently. By default, the ACME responder directly accesses the database when retrieving or updating the ACME configuration properties, which may increase the load on the database. Some databases might provide an ACME configuration monitor to reduce this load.

10.2.1. Configuring a DS database
Copier lien

You can configure the ACME responder to use a DS database. A sample DS database configuration is available at /usr/share/pki/acme/database/ds/database.conf.

To configure a DS database:

  1. First add the ACME DS schema by importing the /usr/share/pki/acme/database/ds/schema.ldif file with the following command: 

    $ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
            -f /usr/share/pki/acme/database/ds/schema.ldif
    Copy to Clipboard Toggle word wrap
  2. Next, prepare an LDIF file to create the ACME subtree. A sample LDIF file is available at usr/share/pki/acme/database/ds/create.ldif. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN.

  3. Import the LDIF file using the ldapadd command: 

    $ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
            -f /usr/share/pki/acme/database/ds/create.ldif
    Copy to Clipboard Toggle word wrap

  4. Copy the sample database configuration file from /usr/share/pki/acme/database/ds/database.conf into the /etc/pki/pki-tomcat/acme directory, or execute the following command to customize some of the parameters: 

    $ pki-server acme-database-mod --type ds \
            -DbindPassword=Secret.123
    Copy to Clipboard Toggle word wrap

  5. Customize the configuration as needed:

    • In a standalone ACME deployment, the database.conf should look like the following: 

      class=org.example.acme.database.DSDatabase
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
baseDN=dc=acme,dc=pki,dc=example,dc=com
      Copy to Clipboard Toggle word wrap

    • In a shared CA and ACME deployment, the database.conf should look like the following: 

      class=org.example.acme.database.DSDatabase
                configFile=conf/ca/CS.cfg
                baseDN=dc=acme,dc=pki,dc=example,dc=com
      Copy to Clipboard Toggle word wrap

The DS database provides an ACME configuration monitor using search persistence. You can enable it by enabling setting the following parameter: monitor.enabled=true

10.3. Configuring ACME Issuer
Copier lien

This section describes how to configure an issuer for PKI ACME Responder. The configuration for ACME Issuer is located at /etc/pki/pki-tomcat/acme/issuer.conf.

You can configure the issuer via command-line using the pki-server acme-issuer-mod command.

  • Invoking this command without any parameters launches an interactive mode, for example: 

    $ pki-server acme-issuer-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the certificate issuer. Available types: nss, pki.
Issuer Type: pki

Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
Server URL [https://localhost.localdomain:8443]:

Enter the certificate nickname for client authentication.
This might be the CA agent certificate.
Enter blank to use basic authentication.
Client Certificate:

Enter the username of the CA agent for basic authentication.
Enter blank if a CA agent certificate is used for client authentication.
Agent Username [caadmin]:

Enter the CA agent password for basic authentication.
Enter blank if the password is already stored in a separate property file
or if a CA agent certificate is used for client authentication.
Agent Password [ ****** ]:

Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
Certificate Profile [acmeServerCert]:
    Copy to Clipboard Toggle word wrap
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

10.3.1. Configuring PKI Issuer
Copier lien

You can configure PKI ACME Responder to issue certificates using PKI Issuer. A sample configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.

  • To configure a PKI issuer, copy this sample issuer.conf into the /etc/pki/pki-tomcat/acme directory or execute the following command to customize some of the parameters: 

    $ pki-server acme-issuer-mod --type pki \
            -Dusername=caadmin \
            -Dpassword=Secret.123
    Copy to Clipboard Toggle word wrap

    Customize the configuration as needed. The issuer.conf file should look like the following: 

    class=org.example.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
username=caadmin
password=Secret.123
    Copy to Clipboard Toggle word wrap
  • The url parameter specifies the PKI issuer location.
  • The profile parameter specifies the certificate profile to use.
  • To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
  • To use basic authentication, specify the username in the username parameter as well as the password in the password parameter.

10.4. Configuring ACME Realm
Copier lien

This section describes how to configure a realm for PKI ACME responder. The realm configuration is located at /etc/pki/pki-tomcat/acme/realm.conf.

You can configure ACME Realm via command line using the pki-server acme-realm-mod command.

  • Invoking this command without any parameters launches an interactive mode, for example: 

    $ pki-server acme-realm-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the realm. Available types: ds.
Database Type: ds

Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
Server URL [ldap://localhost.localdomain:389]:

Enter the authentication type. Available types: BasicAuth, SslClientAuth.
Authentication Type [BasicAuth]:

Enter the bind DN.
Bind DN [cn=Directory Manager]:

Enter the bind password.
Bind Password [ ****** ]:

Enter the base DN for the ACME users subtree.
Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]:

Enter the base DN for the ACME groups subtree.
Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]:
    Copy to Clipboard Toggle word wrap
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

10.4.1. Configuring DS Realm
Copier lien

You can configure PKI ACME Responder to use a Directory Server realm. A sample configuration for DS Realm is available at /usr/share/pki/acme/realm/ds/realm.conf.

To configure a Directory Server realm:

  1. Prepare subtrees for ACME users and groups in DS. A sample LDIF file is available at /usr/share/pki/acme/realm/ds/create.ldif]. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN.

  2. Import the LDIF file using the ldapadd command: 

    $ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
            -f /usr/share/pki/acme/realm/ds/create.ldif
    Copy to Clipboard Toggle word wrap

  3. Copy the sample configuration file from /usr/share/pki/acme/realm/ds/realm.conf into the /etc/pki/pki-tomcat/acme directory, or run the following command to customize some of the parameters: 

    $ pki-server acme-realm-mod --type ds \
            -DbindPassword=Secret.123
    Copy to Clipboard Toggle word wrap

  4. Customize the configuration as needed:

    • In a standalone ACME deployment, the realm.conf file should look like the following: 

      class=org.example.acme.realm.DSRealm
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
      Copy to Clipboard Toggle word wrap

    • In a shared CA and ACME deployment, the realm.conf file should look like the following: 

      class=org.example.acme.realm.DSRealm
configFile=conf/ca/CS.cfg
usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
      Copy to Clipboard Toggle word wrap

10.5. Deploying ACME Responder
Copier lien

  1. Once you have configured the ACME responder, deploy it using the following command: 

    $ pki-server acme-deploy
    Copy to Clipboard Toggle word wrap

    This creates a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml.

    The PKI server starts ACME Responder automatically after a few seconds, you do not need to restart the server.

  2. To verify that ACME Responder is running, use the following command: 

    $ curl -s -k https://$HOSTNAME:8443/acme/directory | python -m json.tool
{
"meta": {
"caaIdentities": [
"example.com"
],
"externalAccountRequired": false,
"termsOfService": "https://example.com/acme/tos.pdf",
"website": "https://www.example.com"
},
"newAccount": "https://<hostname>:8443/acme/new-account",
"newNonce": "https://<hostname>:8443/acme/new-nonce",
"newOrder": "https://<hostname>:8443/acme/new-order",
"revokeCert": "https://<hostname>:8443/acme/revoke-cert"
}
    Copy to Clipboard Toggle word wrap

For more information, see the pki-server-acme manpage.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat