Configuring ACME with PKI Issuer - dogtagpki/pki GitHub Wiki
This document describes the process to configure ACME responder to issue certificates using a PKI issuer (i.e. CA). It assumes that the CA has been installed as described in Installing CA.
A sample PKI issuer configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.
To configure a PKI issuer, copy the sample issuer.conf into the /var/lib/pki/pki-tomcat/conf/acme folder,
or execute the following command to customize some of the parameters:
$ pki-server acme-issuer-mod --type pki \
-Dusername=caadmin \
-Dpassword=Secret.123
Customize the configuration as needed. The issuer.conf should look like the following:
class=org.dogtagpki.acme.issuer.PKIIssuer url=https://<hostname>:8443 profile=acmeServerCert username=caadmin password=Secret.123
The url parameter is used to specify the PKI issuer location.
The profile parameter is used to specify the certificate profile to use.
To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
To use basic authentication, specify the username in the username parameter and the password in the password parameter.
PKI issuer can direct ACME enrollment requests to the specific CA authority.
The authority can be specified either by using its ID or LDAP DN as part of the
issuer.conf with authority-id or authority-dn parameters. These
parameters can also be added with the following command:
$ pki-server acme-issuer-mod --type pki \
-Dauthority-id=some-ID
By default PKI issuer does not pass any authority ID or LDAP DN, meaning the request would be handled by the main CA.