Chapter 10. Setting up PKI ACME responder
This chapter describes the installation and initial configuration of an ACME responder on a PKI server that already has a CA subsystem.
The following assumes you installed the CA with the default instance name (i.e. pki-tomcat).
For information on how to manage PKI ACME Responder, see the Managing PKI ACME Responder chapter in the Red Hat Certificate System Administration Guide.
10.1. Installing PKI ACME Responder
To install PKI ACME Responder on your PKI server:

First, download and install the pki-acme RPM package:

$ dnf install pki-acme

Next, create an ACME responder in a PKI server instance using the following command:

$ pki-server acme-create

This creates the initial configuration files in the /etc/pki/pki-tomcat/acme directory.

For more information, see the pki-server-acme manpage.
10.2. Configuring an ACME database
This section describes how to configure a database for the ACME responder. The database configuration is located at /etc/pki/pki-tomcat/acme/database.conf.
You can configure the database via the command line using the pki-server acme-database-mod command. Invoking this command without any parameters launches an interactive mode, for example:

$ pki-server acme-database-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the database.
Available types: ds, in-memory, ldap, openldap, postgresql.
Database Type: ds

Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
Server URL [ldap://localhost.localdomain:389]:

Enter the authentication type.
Available types: BasicAuth, SslClientAuth.
Authentication Type [BasicAuth]:

Enter the bind DN.
Bind DN [cn=Directory Manager]:

Enter the bind password.
Bind Password [ ****** ]:

Enter the base DN for the ACME subtree.
Base DN [dc=acme,dc=pki,dc=example,dc=com]:

- Invoking the command with the --type parameter creates a new configuration based on the specified type.
- Invoking the command with other parameters updates the specified parameters.
Certain ACME configuration properties are stored in the database, enabling you to configure all ACME responders in the cluster consistently. By default, the ACME responder directly accesses the database when retrieving or updating the ACME configuration properties, which may increase the load on the database. Some databases might provide an ACME configuration monitor to reduce this load.
10.2.1. Configuring a DS database
You can configure the ACME responder to use a DS database. A sample DS database configuration is available at /usr/share/pki/acme/database/ds/database.conf.
To configure a DS database:
First, add the ACME DS schema by importing the /usr/share/pki/acme/database/ds/schema.ldif file with the following command:

$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
    -f /usr/share/pki/acme/database/ds/schema.ldif

Next, prepare an LDIF file to create the ACME subtree. A sample LDIF file is available at /usr/share/pki/acme/database/ds/create.ldif. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN. Import the LDIF file using the ldapadd command:

$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
    -f /usr/share/pki/acme/database/ds/create.ldif

Copy the sample database configuration file from /usr/share/pki/acme/database/ds/database.conf into the /etc/pki/pki-tomcat/acme directory, or execute the following command to customize some of the parameters:

$ pki-server acme-database-mod --type ds \
    -DbindPassword=Secret.123

Customize the configuration as needed. In a standalone ACME deployment, the database.conf file should look like the following:

class=org.example.acme.database.DSDatabase
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
baseDN=dc=acme,dc=pki,dc=example,dc=com

In a shared CA and ACME deployment, the database.conf file should look like the following:

class=org.example.acme.database.DSDatabase
configFile=conf/ca/CS.cfg
baseDN=dc=acme,dc=pki,dc=example,dc=com

The DS database provides an ACME configuration monitor using search persistence. You can enable it by setting the following parameter:

monitor.enabled=true
10.3. Configuring ACME Issuer
This section describes how to configure an issuer for PKI ACME Responder. The configuration for ACME Issuer is located at /etc/pki/pki-tomcat/acme/issuer.conf.
You can configure the issuer via command-line using the pki-server acme-issuer-mod command.
Invoking this command without any parameters launches an interactive mode, for example:

$ pki-server acme-issuer-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the certificate issuer.
Available types: nss, pki.
Issuer Type: pki

Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
Server URL [https://localhost.localdomain:8443]:

Enter the certificate nickname for client authentication.
This might be the CA agent certificate.
Enter blank to use basic authentication.
Client Certificate:

Enter the username of the CA agent for basic authentication.
Enter blank if a CA agent certificate is used for client authentication.
Agent Username [caadmin]:

Enter the CA agent password for basic authentication.
Enter blank if the password is already stored in a separate property file
or if a CA agent certificate is used for client authentication.
Agent Password [ ****** ]:

Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
Certificate Profile [acmeServerCert]:

- Invoking the command with the --type parameter creates a new configuration based on the specified type.
- Invoking the command with other parameters updates the specified parameters.
10.3.1. Configuring PKI Issuer
You can configure PKI ACME Responder to issue certificates using PKI Issuer. A sample configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.
To configure a PKI issuer, copy this sample issuer.conf into the /etc/pki/pki-tomcat/acme directory, or execute the following command to customize some of the parameters:

$ pki-server acme-issuer-mod --type pki \
    -Dusername=caadmin \
    -Dpassword=Secret.123

Customize the configuration as needed. The issuer.conf file should look like the following:

class=org.example.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
username=caadmin
password=Secret.123

- The url parameter specifies the PKI issuer location.
- The profile parameter specifies the certificate profile to use.
- To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
- To use basic authentication, specify the username in the username parameter as well as the password in the password parameter.
10.4. Configuring ACME Realm
This section describes how to configure a realm for PKI ACME responder. The realm configuration is located at /etc/pki/pki-tomcat/acme/realm.conf.
You can configure ACME Realm via command line using the pki-server acme-realm-mod command.
Invoking this command without any parameters launches an interactive mode, for example:

$ pki-server acme-realm-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the realm.
Available types: ds.
Database Type: ds

Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
Server URL [ldap://localhost.localdomain:389]:

Enter the authentication type.
Available types: BasicAuth, SslClientAuth.
Authentication Type [BasicAuth]:

Enter the bind DN.
Bind DN [cn=Directory Manager]:

Enter the bind password.
Bind Password [ ****** ]:

Enter the base DN for the ACME users subtree.
Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]:

Enter the base DN for the ACME groups subtree.
Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]:

- Invoking the command with the --type parameter creates a new configuration based on the specified type.
- Invoking the command with other parameters updates the specified parameters.
10.4.1. Configuring DS Realm
You can configure PKI ACME Responder to use a Directory Server realm. A sample configuration for DS Realm is available at /usr/share/pki/acme/realm/ds/realm.conf.
To configure a Directory Server realm:
First, prepare subtrees for ACME users and groups in DS. A sample LDIF file is available at /usr/share/pki/acme/realm/ds/create.ldif. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN. Import the LDIF file using the ldapadd command:

$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
    -f /usr/share/pki/acme/realm/ds/create.ldif

Copy the sample configuration file from /usr/share/pki/acme/realm/ds/realm.conf into the /etc/pki/pki-tomcat/acme directory, or run the following command to customize some of the parameters:

$ pki-server acme-realm-mod --type ds \
    -DbindPassword=Secret.123

Customize the configuration as needed. In a standalone ACME deployment, the realm.conf file should look like the following:

class=org.example.acme.realm.DSRealm
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com

In a shared CA and ACME deployment, the realm.conf file should look like the following:

class=org.example.acme.realm.DSRealm
configFile=conf/ca/CS.cfg
usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
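The database.conf, issuer.conf and realm.conf files in 10.2.1, 10.3.1 and 10.4.1 share one key=value format, and a missing key or a leftover <hostname> placeholder only shows up once the responder is deployed. The following added example (not part of the chapter or of the PKI project) parses such a file and reports what is missing before deployment; the required-key lists are taken from the chapter's samples, and the class names and sample file are assumptions.

```python
from typing import Dict, List

# Keys each config class needs in a standalone deployment, taken from the samples
# in 10.2.1, 10.3.1 and 10.4.1. In a shared CA and ACME deployment the DS classes
# take configFile=conf/ca/CS.cfg in place of the connection keys.
STANDALONE_KEYS = {
    "DSDatabase": ["url", "authType", "bindDN", "bindPassword", "baseDN"],
    "PKIIssuer": ["url", "profile"],
    "DSRealm": ["url", "authType", "bindDN", "bindPassword", "usersDN", "groupsDN"],
}
SHARED_KEYS = {
    "DSDatabase": ["configFile", "baseDN"],
    "DSRealm": ["configFile", "usersDN", "groupsDN"],
}

# Constructed sample: the standalone database.conf from 10.2.1, placeholder left in.
SAMPLE_DATABASE_CONF = """\
class=org.example.acme.database.DSDatabase
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
baseDN=dc=acme,dc=pki,dc=example,dc=com
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank and '#' lines are skipped, values may contain '='."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_conf(conf: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means every key the chapter shows is set."""
    cls = conf.get("class", "").rsplit(".", 1)[-1]
    if cls not in STANDALONE_KEYS:
        return [f"unknown or missing class: {conf.get('class', '<none>')!r}"]
    shared = "configFile" in conf and cls in SHARED_KEYS
    required = SHARED_KEYS[cls] if shared else STANDALONE_KEYS[cls]
    problems = [f"missing {key}" for key in required if not conf.get(key)]
    if cls == "PKIIssuer" and "nickname" not in conf and not (conf.get("username") and conf.get("password")):
        problems.append("PKIIssuer needs nickname (client cert) or username and password (basic auth)")
    if "<hostname>" in conf.get("url", ""):
        problems.append("url still contains the <hostname> placeholder")
    return problems

if __name__ == "__main__":
    for problem in check_conf(parse_conf(SAMPLE_DATABASE_CONF)) or ["ok"]:
        print(problem)
```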
10.5. Deploying ACME Responder
Once you have configured the ACME responder, deploy it using the following command:
$ pki-server acme-deploy

This creates a deployment descriptor at /etc/pki/pki-tomcat/Catalina/localhost/acme.xml. The PKI server starts ACME Responder automatically after a few seconds; you do not need to restart the server.
To verify that ACME Responder is running, use the following command:
$ curl -s -k https://$HOSTNAME:8443/acme/directory | python -m json.tool
{
    "meta": {
        "caaIdentities": [
            "example.com"
        ],
        "externalAccountRequired": false,
        "termsOfService": "https://example.com/acme/tos.pdf",
        "website": "https://www.example.com"
    },
    "newAccount": "https://<hostname>:8443/acme/new-account",
    "newNonce": "https://<hostname>:8443/acme/new-nonce",
    "newOrder": "https://<hostname>:8443/acme/new-order",
    "revokeCert": "https://<hostname>:8443/acme/revoke-cert"
}
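Eyeballing the directory output above only confirms that something answered. The following added example (not part of the chapter or of the PKI project) checks the document the way an ACME client will use it: every advertised endpoint must be present, use https, and name the host clients actually connect to, and meta settings such as externalAccountRequired are reported for review. The sample directory is constructed from the chapter's output, and pki.example.com is an assumed hostname.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample shaped like the chapter's output of
#   curl -s -k https://$HOSTNAME:8443/acme/directory
# with the <hostname> placeholder filled in (pki.example.com is an assumed name).
SAMPLE_DIRECTORY = """{
  "meta": {
    "caaIdentities": ["example.com"],
    "externalAccountRequired": false,
    "termsOfService": "https://example.com/acme/tos.pdf",
    "website": "https://www.example.com"
  },
  "newAccount": "https://pki.example.com:8443/acme/new-account",
  "newNonce": "https://pki.example.com:8443/acme/new-nonce",
  "newOrder": "https://pki.example.com:8443/acme/new-order",
  "revokeCert": "https://pki.example.com:8443/acme/revoke-cert"
}"""

# The endpoints the chapter's sample directory advertises; clients look them up by name.
ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert")

def check_directory(body: str, expected_host: str) -> Dict[str, List[str]]:
    """Split what the directory says into hard errors and meta settings worth reviewing."""
    errors: List[str] = []
    notes: List[str] = []
    try:
        directory = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"errors": [f"not JSON (is the responder deployed?): {exc}"], "notes": notes}
    for name in ENDPOINTS:
        url = directory.get(name)
        if not isinstance(url, str):
            errors.append(f"missing {name}")
            continue
        parsed = urlparse(url)
        # Clients contact exactly what is advertised, so scheme and host must be usable.
        if parsed.scheme != "https":
            errors.append(f"{name} is not https: {url}")
        if parsed.hostname != expected_host:
            errors.append(f"{name} advertises {parsed.hostname!r}, expected {expected_host!r}")
    meta = directory.get("meta", {})
    if meta.get("externalAccountRequired") is False:
        notes.append("externalAccountRequired is false: account registration is open to "
                     "any client that can reach the responder")
    if not meta.get("caaIdentities"):
        notes.append("caaIdentities is empty: domain owners cannot pin issuance to this CA via CAA")
    return {"errors": errors, "notes": notes}

if __name__ == "__main__":
    print(json.dumps(check_directory(SAMPLE_DIRECTORY, "pki.example.com"), indent=2))
```

To check a live responder, pass the body returned by the curl command above as the first argument and the hostname clients will use as the second.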
For more information, see the pki-server-acme manpage.