ACME Server
ACME, or Automated Certificate Management Environment, streamlines certificate management by enabling clients to interact directly with the Certificate Authority (CA) at every stage of the certificate lifecycle, including issuance, revocation, and renewal.
The ACME protocol defines an external account binding (EAB), allowing clients to securely interact with the ACME Server for certificate management.
Akeyless supports creating a PKI Cert Issuer that deploys an ACME Server on the Gateway, with EAB support for secure registration. This setup allows external ACME clients (like CertBot) to automate the management of TLS certificates within the organization’s security framework.
Before proceeding, ensure you have permission to manage ACME on your Gateway.
Enable ACME Server
In this guide, we will create a PKI Cert Issuer with ACME Server where we will register CertBot as an ACME Client using External Account Binding.
Create a Signer Key
Let's create DFC Key for our PKI Cert Issuer with a self-signed certificate, first let's create the CSR conf file:
cat <<EOF > csr.conf
countryName= US
stateOrProvinceName= NY
localityName= NY
organizationName= Akeyless
organizationalUnitName= Security
commonName= acme.com
[ v3_req ]
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
Where:
-
basicConstraints
: Basic Constraints that indicate the certificate requested in the CSR can be used as a Certificate Authority (CA) to sign other certificates -
keyUsage
: Key Usage for CA certificate withdigitalSignature
,KeyCertSign
,cRLSign
Run the following command to create the Signer Key:
akeyless create-dfc-key \
--name /ACME/Server/SignerKey \
--alg RSA2048 \
--generate-self-signed-certificate true \
--certificate-ttl 365 \
--certificate-format pem \
--conf-file-path csr.conf
Upon successful creation, we will have a Private Key with a Self-Signed Certificate valid for a year, that we will use as a Signer Key for our PKI Cert Issuer.
Create a PKI Cert Issuer
Run the following command to create a PKI Cert Issuer with ACME Server:
akeyless create-pki-cert-issuer \
--name /ACME/Server/ACMEIssuer \
--signer-key-name /ACME/Server/SignerKey \
--gw-cluster-url 'https://<Your-Akeyless-GW-URL:8000>' \
--destination-path /ACME/Server/Certificates \
--ttl 90d \
--allowed-domains acme.com \
--enable-acme true
Where:
-
name
: A unique name for the PKI issuer. The name can include a path to the virtual folder where you want to create a new PKI cert issuer using the slash / separators. If the folder does not exist, it will be created together with the item. -
signer-key-name
: The Signer Key that was created earlier which will sign the certificates -
gw-cluster-url
: Akeyless Gateway Configuration Manager URL (port8000
) -
destination-path
: A path in Akeyless to save generated certificates -
ttl
: The requested TTL for the issued certificate, Maximum 90 days -
allowed-domains
: Allowed domains that clients can request to be included in the certificate -
enable-acme
: Enable ACME Server.
Upon successful creation, the generated ACME Server URL will use the following format:
https://<Your-Akeyless-GW-URL:8000/acme/<issuer-display-id>/directory
To extract the issuer-display-id
from the CLI, run the following command:
akeyless describe-item --name /ACME/Server/ACMEIssuer | jq -r '.display_id'
Alternatively, you can extract the full ACME Server URL from the console.
External Account Binding
External Account Binding, defined in the ACME Protocol RFC 8555, is a feature that improves the security of certificate issuance by connecting certificate requests to specific accounts. This ensures that only authorized clients can request and receive certificates for those accounts, making the process much safer.
Run the following command to generate an external account binding token which will be restricted for one-time use and valid only for 1 Hour for the registration of a new client:
akeyless generate-acme-eab --cert-issuer-name /ACME/Server/ACMEIssuer
Upon successful generation of an external account binding token, the following will be presented:
{
"kid": "...",
"mac_key": "...",
"expires_at": "..."
}
Where:
-
kid
: The Key Identifier for the external account will be used by the ACME client -
mac_key
: The HMAC key for the external account will be used by the ACME client
This external account binding token will be used to register an ACME client to request a certificate from the ACME server.
Request a Certificate
In the following example, we will request a certificate from the ACME server, using Certbot:
certbot certonly --standalone --server https://<Your-Akeyless-GW-URL:8000/acme/<issuer-display-id>/directory --domain acme.com --eab-kid <kid> --eab-hmac-key <mac key> --config-dir C:\Users\<username>\certbot\conf --work-dir C:\Users\<username>\certbot\work --logs-dir C:\Users\<username>\certbot\logs
certbot certonly --standalone --server https://<Your-Akeyless-GW-URL:8000/acme/<issuer-display-id>/directory --domain acme.com --eab-kid <kid> --eab-hmac-key <mac key> --config-dir /home/ubuntu/certbot/conf --work-dir /home/ubuntu/certbot/work --logs-dir /home/ubuntu/certbot/logs
Where:
-
server
: The ACME Server URL, can be found under ACME Server tab on the PKI Cert Issuer in the console -
domain
: The domain name for which you want to issue the certificate, must be listed in the PKI Cert Issuer under theAllowed domains list
field. -
eab-kid
: The external accounts binding Key Identifier -
eab-hmac-key
: The external account binding HMAC key
Upon successful certificate request, the certificate will be issued.
Manage External Accounts
Multiple external accounts can be created under the same PKI Cert Issuer, therefore, it's possible to monitor the status of each external account. These external accounts can be used to request certificates using external clients. Keeping track of external accounts' status helps ensure that only authorized users can create certificates and reduces potential security risks.
The following endpoints show how to list and deactivate external accounts when necessary.
List External Accounts
To list the external accounts, both in the status of valid
or deactivated
run the following command:
akeyless list-acme-accounts --cert-issuer-name /ACME/Server/ACMEIssuer
The output of this command:
{
"accounts": [
{
"account_id": "...",
"key_digest": "...",
"status": "valid"
}
]
}
Deactivate an External Account
To deactivate an external Account, run the following command:
akeyless deactivate-acme-account \
--cert-issuer-name /ACME/Server/ACMEIssuer \
--acme-account-id <account-id> \
--delete-account true / flase
Where:
-
cert-issuer-name
: The full path of the PKI Cert Issuer of the ACME Server -
acme-account-id
: The Account ID of the external account -
delete-account
: Set totrue
to delete the account
You can find the complete list of parameters for these commands in the CLI Reference - ACME section.
Updated 2 months ago