
Chapter 26. Deploying and managing the ACME service in IdM


Automated Certificate Management Environment (ACME) is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes in certificate lifecycle management.

Using RHEL Identity Management (IdM), the administrator can easily deploy and manage the ACME service topology-wide from a single system.

26.1. The ACME service in IdM

Note

IdM only supports ACME with Random Certificate Serial Numbers (RSNv3) enabled.

ACME uses a challenge and response mechanism to prove that a client controls an identifier. In ACME, an identifier is the name a certificate is requested for, such as a DNS host name; the client proves control of it by solving a challenge before the certificate is issued. In Identity Management (IdM), ACME currently supports the following challenges:

  • dns-01, where the client creates DNS records to prove it controls the identifier
  • http-01, where the client provisions an HTTP resource to prove it controls the identifier
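The following is an added worked example, not code from IdM or from the PKI ACME responder. It shows what each challenge actually commits the client to: both http-01 and dns-01 derive from one value, the key authorization, which binds the server-issued token to the RFC 7638 thumbprint of the client's ACME account key. The account key, the token and the host names are constructed placeholders (the JWK coordinates are not a real key; the thumbprint is only a hash over the canonical JWK), and the server-side comparison at the end is illustrative of what the CA checks, not the responder's own code.

```python
"""ACME http-01 and dns-01 challenge responses (RFC 8555), worked through."""
import base64
import hashlib
import hmac
import json

# Members that enter the RFC 7638 thumbprint, per key type. Any other member
# of the JWK (for example "use" or "kid") is ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for all binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialized
    with lexicographically sorted keys and no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key): the value every challenge is built on."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(identifier: str, token: str, jwk: dict) -> dict:
    """What the client must serve over plain HTTP on port 80.
    http-01 cannot validate wildcard names; only dns-01 can."""
    if identifier.startswith("*."):
        raise ValueError("http-01 is not permitted for wildcard identifiers")
    return {
        "url": f"http://{identifier}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_response(identifier: str, token: str, jwk: dict) -> dict:
    """What the client must publish: a TXT record at _acme-challenge.<name>
    holding base64url(SHA-256(key authorization)). For *.example.com the
    record is placed at _acme-challenge.example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{host}", "type": "TXT", "value": b64url(digest)}


def server_validates(expected: str, observed: str) -> bool:
    """CA side: compare the fetched resource body (or TXT record) against the
    value the CA computed itself, in constant time."""
    return hmac.compare_digest(expected.encode("ascii"), observed.encode("ascii"))


# Constructed account key: the shape of a P-256 JWK, with placeholder coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "use": "sig",   # present in the JWK but excluded from the thumbprint
}
# Constructed token, in the shape the responder would send in a challenge object.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(http01_response("www.example.com", TOKEN, ACCOUNT_JWK))
    print(dns01_response("*.example.com", TOKEN, ACCOUNT_JWK))
```

The practical consequence is that the account key is the credential: anyone who holds it can answer challenges for any identifier the CA will validate, so it deserves the same protection as the private key of the certificates it obtains.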

In IdM, the ACME service uses the PKI ACME responder. The ACME subsystem is automatically deployed on every CA server in the IdM deployment, but it does not service requests until the administrator enables it. Clients discover the service through the DNS name ipa-ca.DOMAIN. All IdM CA servers are registered under that name, so client requests are distributed among them by DNS round-robin.

ACME is also deployed, but disabled, when the administrator upgrades a server using the ipa-server-upgrade command.

ACME runs as a separate service within Apache Tomcat. The ACME configuration files are stored in /etc/pki/pki-tomcat/acme and PKI logs ACME information to /var/log/pki/pki-tomcat/acme/.

IdM uses the acmeIPAServerCert profile when issuing ACME certificates. Certificates issued with it are valid for 90 days. Because clients renew frequently, expired certificates accumulate in the CA and can degrade its performance, so it is strongly recommended to configure ACME to remove expired certificates automatically.

Many ACME clients are available. For use with RHEL, the chosen client must support at least one of the dns-01 and http-01 challenges. Currently, the following clients have been tested and are known to work with ACME in RHEL:

  • certbot with both the http-01 and dns-01 challenges
  • mod_md, which supports only the http-01 challenge

26.2. Enabling the ACME service in IdM

By default, the ACME service is deployed, but disabled. Enabling the ACME service enables it on all IdM CA servers across the entire IdM deployment. This is handled via replication.

In this example, you enable ACME and set it to automatically remove expired certificates on the first day of every month at midnight.

Prerequisites

  • Servers in the IdM deployment have Random Certificate Serial Numbers (RSNv3) enabled.
  • You have root privileges on the IdM server on which you are running the procedure.

Procedure

  1. Enable ACME across the whole IdM deployment:

    # ipa-acme-manage enable
    The ipa-acme-manage command was successful
  2. Set ACME to automatically remove expired certificates from the CA:

    # ipa-acme-manage pruning --enable --cron "0 0 1 * *"
    Note

    Expired certificates are removed after their retention period. By default, this is 30 days after expiry.

Verification

  • To check if the ACME service is installed and enabled, use the ipa-acme-manage status command:

    # ipa-acme-manage status
    ACME is enabled
    The ipa-acme-manage command was successful

26.3. Disabling the ACME service in IdM

Disabling the ACME service disables it across the entire IdM deployment. This is handled via replication.

Prerequisites

  • Servers in the IdM deployment have Random Certificate Serial Numbers (RSNv3) enabled.
  • You have root privileges on the IdM server on which you are running the procedure.

Procedure

  1. Disable ACME across the whole IdM deployment:

    # ipa-acme-manage disable
    The ipa-acme-manage command was successful
  2. Optional: Disable automatic removal of expired certificates:

    # ipa-acme-manage pruning --disable

Verification

  • To check if the ACME service is installed but disabled, use the ipa-acme-manage status command:

    # ipa-acme-manage status
    ACME is disabled
    The ipa-acme-manage command was successful