
Installing Standalone ACME Responder

Endi S. Dewata edited this page Jan 20, 2022 · 5 revisions

Overview

This document describes the process to install an ACME responder on a standalone PKI server (i.e., a PKI server without a CA subsystem).

Create a Basic PKI Server

To create a basic PKI server:

$ pki-server create

This command creates a basic PKI server instance in the /var/lib/pki/pki-tomcat directory.

Configuring NSS Database

To enable NSS/JSS on a basic PKI server:

$ pki-server nss-create --no-password
$ pki-server jss-enable -i tomcat@pki

The above commands create an NSS database in the /var/lib/pki/pki-tomcat/alias directory and configure a JSSListener in /var/lib/pki/pki-tomcat/conf/server.xml.

By default the NSS database does not trust any root CA certificates. To access external services over TLS, the root CA certificates for those services may need to be imported into the NSS database.

Two cautions apply. A downloaded root certificate is only as trustworthy as the connection that fetched it, so compare its fingerprint (shown by certutil -L -d /var/lib/pki/pki-tomcat/alias -n "<nickname>") with the value the CA publishes before relying on it. Also grant only the trust that is needed: the -t CT,C,C flags used below mark the certificate as a trusted CA for TLS server and client authentication, email and object signing, whereas -t C,, is sufficient when the certificate only has to validate TLS servers.

For example, to import some common root CA certificates (ISRG Root X1; DST Root CA X3, which expired on September 30, 2021 and is no longer needed for current Let's Encrypt chains; and DigiCert Global Root CA):

$ wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i isrgrootx1.pem.txt \
    -n "ISRG Root X1" \
    -t CT,C,C
$ wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i trustid-x3-root.pem.txt \
    -n "DST Root CA X3" \
    -t CT,C,C
$ wget https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
$ certutil -A \
    -d /var/lib/pki/pki-tomcat/alias \
    -i DigiCertGlobalRootCA.crt \
    -n "DigiCert Global Root CA" \
    -t CT,C,C

Configuring TLS

To configure TLS on a basic PKI server:

$ pki-server http-connector-add \
    --port 8443 \
    --scheme https \
    --secure true \
    --sslEnabled true \
    --sslProtocol SSL \
    --sslImpl org.dogtagpki.tomcat.JSSImplementation \
    Secure
$ pki-server http-connector-cert-add \
    --keyAlias sslserver \
    --keystoreType pkcs11 \
    --keystoreProvider Mozilla-JSS

The second command refers to a server certificate and key stored in the NSS database under the nickname given by --keyAlias (sslserver); that certificate must exist in /var/lib/pki/pki-tomcat/alias before the Secure connector can serve TLS on port 8443.

Creating ACME Responder

To create the ACME responder:

$ pki-server acme-create

This stores the initial configuration files in the /var/lib/pki/pki-tomcat/conf/acme directory.

Configuring ACME Responder

To configure the ACME responder, see the following documents:

Deploying ACME Responder

To deploy the ACME responder:

$ pki-server acme-deploy

This creates a deployment descriptor at /var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml.

Then start the server:

$ pki-server start

To verify, open the ACME responder in a browser, for example:
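The following script is an added example and not part of this wiki page or of the Dogtag project. It verifies a deployed responder from the command line rather than a browser by fetching the ACME directory over TLS and checking that the members RFC 8555 requires (newNonce, newAccount, newOrder) are present and point at https:// URLs. It assumes the port 8443 configured above, that the directory is served at /acme/directory under the acme context, and that the CA certificate which signed the server's sslserver certificate is available in a file (ca.pem by default); the hostname pki.example.com and the sample directory body are constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): verify a deployed ACME responder by
# fetching its directory resource and checking the endpoints RFC 8555 requires.
# Assumptions (not stated on the page): the responder listens on port 8443, the
# directory is served at /acme/directory, and the CA certificate that issued
# the server's sslserver certificate is in ca.pem.

# Directory members that RFC 8555 section 7.1.1 requires
ACME_REQUIRED_FIELDS="newNonce newAccount newOrder"

# check_acme_directory JSON
# Returns 0 if every required member is present with an https:// URL,
# otherwise prints the missing members and returns 1.
check_acme_directory() {
    json="$1"
    missing=""
    for field in $ACME_REQUIRED_FIELDS; do
        # match   "field": "https://..."   with optional whitespace
        if ! printf '%s' "$json" | grep -Eq "\"$field\"[[:space:]]*:[[:space:]]*\"https://"; then
            missing="$missing $field"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing or non-https directory entries:$missing" >&2
        return 1
    fi
    return 0
}

# fetch_acme_directory HOST [CA_CERT]
# Fetch the directory over TLS, validating the server certificate against
# CA_CERT. Never add -k/--insecure here: anything able to answer on port 8443
# could otherwise impersonate the responder. Prints the response body.
fetch_acme_directory() {
    host="$1"
    cacert="${2:-ca.pem}"
    curl --silent --show-error --fail \
         --cacert "$cacert" \
         "https://$host:8443/acme/directory"
}

# verify_acme_responder HOST [CA_CERT]
# Returns 0 only if the fetch succeeds and the directory passes the check.
verify_acme_responder() {
    body=$(fetch_acme_directory "$1" "$2") || return 1
    check_acme_directory "$body"
}

# Constructed sample directory for a dry run (not a real server response)
SAMPLE_DIRECTORY='{
  "newNonce": "https://pki.example.com:8443/acme/new-nonce",
  "newAccount": "https://pki.example.com:8443/acme/new-account",
  "newOrder": "https://pki.example.com:8443/acme/new-order",
  "revokeCert": "https://pki.example.com:8443/acme/revoke-cert",
  "keyChange": "https://pki.example.com:8443/acme/key-change"
}'

# Run directly as:  sh acme-verify.sh pki.example.com /path/to/ca.pem
if [ $# -ge 1 ]; then
    verify_acme_responder "$1" "${2:-ca.pem}"
fi
```

The check deliberately rejects http:// directory entries: ACME clients follow the URLs the directory hands them, so a responder that advertises plain-HTTP endpoints (for example because the Secure connector was not used) would push every subsequent account and order request onto an unauthenticated channel.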

Undeploying ACME Responder

To undeploy the ACME responder:

$ pki-server acme-undeploy

Removing ACME Responder

To remove the ACME responder:

$ pki-server acme-remove