Installing Standalone ACME Responder - dogtagpki/pki GitHub Wiki
This document describes the process to install an ACME responder on a standalone PKI server (without a CA).
To create a basic PKI server:
$ pki-server create
This command will create a basic PKI server instance in the /var/lib/pki/pki-tomcat directory.
See also Installing Basic PKI Server.
To enable NSS/JSS on a basic PKI server:
$ pki-server nss-create --no-password
$ pki-server jss-enable -i tomcat@pki
The above commands create an NSS database in the /var/lib/pki/pki-tomcat/alias directory and configure a JSSListener in /var/lib/pki/pki-tomcat/conf/server.xml.
By default the NSS database does not trust any root CA certificates. To access external services, the root CA certificates for those services may need to be imported into the NSS database.
Here are some common root CA certificates:
To import the above root CA certificates:
$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i isrgrootx1.pem.txt \
    -n "ISRG Root X1" \
    -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i trustid-x3-root.pem.txt \
    -n "DST Root CA X3" \
    -t CT,C,C
$ wget https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i DigiCertGlobalRootCA.crt \
    -n "DigiCert Global Root CA" \
    -t CT,C,C
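The certutil commands above mark each downloaded certificate as a trusted CA for TLS, e-mail and object signing (-t CT,C,C) in the NSS database the ACME responder will use for outbound connections, so it is worth confirming that the file you fetched is the root you expect before importing it. The script below is an added example, not part of the dogtagpki/pki wiki or the project's tooling: it computes the SHA-256 fingerprint of the first PEM certificate in a file (the digest of its DER bytes, which is what certutil -L and browsers display), compares it with a fingerprint you obtained out of band, and only then runs the certutil -A import. It assumes a POSIX sh with awk, base64 and sha256sum from coreutils; certutil from nss-tools is needed only for the import step, and the fingerprint argument is a placeholder you must supply yourself.

```shell
#!/bin/sh
# Added example for the dogtagpki/pki wiki page, not project code: verify a
# downloaded root CA against a known SHA-256 fingerprint before trusting it
# in the NSS database with "certutil -A ... -t CT,C,C".
# Assumptions: POSIX sh, awk, base64 -d and sha256sum (coreutils); certutil
# (nss-tools) only for import_root_ca. Expected fingerprints are placeholders
# that must come from an out-of-band source, not from the download itself.

set -eu

# Print the SHA-256 fingerprint of the first PEM certificate in file $1 as
# lowercase hex without colons. Only the base64 payload between the BEGIN and
# END markers is hashed, so any leading text in files such as
# isrgrootx1.pem.txt is ignored. Exits non-zero if there is no certificate.
pem_sha256_fingerprint() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
         /^-----END CERTIFICATE-----/   { exit }
         inblk                          { print }' "$1" |
        tr -d '\r' |
        base64 -d |
        sha256sum |
        cut -d' ' -f1
}

# Return 0 if the certificate in $1 has fingerprint $2. The expected value may
# be given in either form, "2C:F2:4D:..." or "2cf24d...", as it is normalised
# before comparison.
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-Z' 'a-z')
    actual=$(pem_sha256_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# import_root_ca DBDIR PEMFILE NICKNAME EXPECTED_SHA256
# Import PEMFILE into the NSS database DBDIR as a trusted CA, but only after
# its fingerprint has been checked against EXPECTED_SHA256.
import_root_ca() {
    dbdir=$1; pemfile=$2; nickname=$3; expected=$4
    if ! fingerprint_matches "$pemfile" "$expected"; then
        echo "refusing to import $pemfile: fingerprint mismatch" >&2
        echo "  got:      $(pem_sha256_fingerprint "$pemfile")" >&2
        echo "  expected: $expected" >&2
        return 1
    fi
    # Same trust flags as the wiki's certutil commands: trusted CA for TLS
    # (C, with T allowing it to issue client certs), e-mail and object signing.
    certutil -A -d "$dbdir" -i "$pemfile" -n "$nickname" -t CT,C,C
    echo "imported $nickname into $dbdir"
}

# Command-line entry point, e.g. after the wget from the wiki:
#   sh import-root-ca.sh import /var/lib/pki/pki-tomcat/alias \
#       isrgrootx1.pem.txt "ISRG Root X1" "<SHA-256 fingerprint placeholder>"
case "${1:-}" in
    import) import_root_ca "$2" "$3" "$4" "$5" ;;
esac
```

Run the same check for each of the three roots in the wiki's commands, each with its own expected fingerprint; if the download was tampered with or you fetched the wrong file, the import is refused and the NSS database is left unchanged.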
To configure TLS on a basic PKI server:
$ pki-server http-connector-add \
    --port 8443 \
    --scheme https \
    --secure true \
    --sslEnabled true \
    --sslProtocol SSL \
    --sslImpl org.dogtagpki.tomcat.JSSImplementation \
    Secure
$ pki-server http-connector-cert-add \
    --keyAlias sslserver \
    --keystoreType pkcs11 \
    --keystoreProvider Mozilla-JSS
To create the ACME responder:
$ pki-server acme-create
It will store the initial configuration files in the /var/lib/pki/pki-tomcat/conf/acme folder.
To configure the ACME responder, see the following documents:
To deploy the ACME responder:
$ pki-server acme-deploy
It will create a deployment descriptor at /var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml.
Then start the server:
$ pki-server start
To verify, open the ACME responder in a browser, for example:
To undeploy the ACME responder:
$ pki-server acme-undeploy
To remove the ACME responder:
$ pki-server acme-remove