For the latest version, please use Certificate Lifecycle Manager 5.0.2!
MTG ACME Server
MTG Certificate Lifecycle Manager Server includes an implementation of the ACME protocol according to RFC 8555.
Compatibility
An ACME Client compatibility list can be found here.
Usage
ACME can be used by all clients that are compliant with RFC 8555. To use the ACME service, an ACME client needs the URL of the ACME directory endpoint, from which it obtains all ACME endpoints specified by the RFC. The URL follows this pattern:
https://[ACME_URL_PREFIX]/[API_VERSION]/directory
- ACME_URL_PREFIX: This part specifies the location of the application. It consists of the domain on which the ACME server is hosted and a URL prefix that offsets the root of the server application. For example, the URL prefix could be "example.com/acme".
- API_VERSION: The API version the ACME endpoint has to use. Since currently only the latest version 2 is supported, the value of API_VERSION has to be "v2".
Listing 1 shows a certificate request using the certbot ACME client. The first command creates an ACME account, which authenticates all subsequent communication with the ACME server. The second command performs the actual certificate request for the example domain mydomain.example.com.
certbot --server https://example.com/acme/v2/directory register \
--no-eff-email -m test@example.com --agree-tos
certbot --server https://example.com/acme/v2/directory certonly \
-d mydomain.example.com --standalone
cert-manager
If you use Kubernetes or OpenShift and do not want to experience expired certificates, the cert-manager tool is the solution, since it is compatible with MTG ERS and in particular with the MTG ACME Server.
cert-manager has built-in mechanisms to use and deploy X.509 certificates, with management functions such as requesting and renewing certificates. Certificates are renewed automatically in the background before they expire, so outages of services caused by expired certificates are avoided. This allows you to provision your resources in Kubernetes with TLS without worrying about certificate management. Setting up cert-manager with MTG ERS provides an easy and seamless certificate management experience.
Endpoints for other policies
By default, the ACME server provides the following endpoint:
https://[ACME_URL_PREFIX]/[API_VERSION]/directory
Client requests to this endpoint use the default policy.
The ACME server provides additional endpoints for requests that require a different policy. Requests to these endpoints are processed under the policy named in the URL instead of the default policy of the associated API client. The policy-specific endpoints follow this pattern:
https://[ACME_URL_PREFIX]/[API_VERSION]/[POLICY_ID]/directory
POLICY_ID must be replaced with a valid policy ID. For example, to create a certificate under the policy 2ef92632-aaff-4d13-b3cb-6b27f2dac399, use the following URL:
https://[ACME_URL_PREFIX]/[API_VERSION]/2ef92632-aaff-4d13-b3cb-6b27f2dac399/directory
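As an added example (not part of the MTG documentation), the following Python code builds the default and policy-specific directory URLs from the pattern above and checks a directory document against the resources RFC 8555 requires, so a client operator can verify the endpoint before pointing certbot, win-acme or cert-manager at it. It assumes example.com/acme as the URL prefix and uses a constructed sample response.

```python
import json
import re
from urllib.parse import urlsplit

# RFC 8555 section 7.1.1: resources every ACME directory object must list.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def directory_url(url_prefix, policy_id="", api_version="v2"):
    """Build https://[ACME_URL_PREFIX]/[API_VERSION]/[POLICY_ID]/directory.
    An empty policy_id selects the server's default policy."""
    if api_version != "v2":
        raise ValueError("only API version v2 is supported")
    if policy_id and not UUID_RE.match(policy_id):
        raise ValueError("policy ID must be a UUID: %r" % policy_id)
    parts = ["https://" + url_prefix.strip("/"), api_version]
    if policy_id:
        parts.append(policy_id)
    parts.append("directory")
    return "/".join(parts)


def check_directory(dir_url, body):
    """Return problems found in the directory document served at dir_url.
    Every required resource must exist, use https and stay on the directory's
    own host, so a misconfigured or tampered directory cannot send the
    client's account-key operations to another server."""
    doc = json.loads(body)
    host = urlsplit(dir_url).netloc
    problems = []
    for name in REQUIRED_RESOURCES:
        url = doc.get(name)
        if not isinstance(url, str):
            problems.append("missing resource: " + name)
            continue
        target = urlsplit(url)
        if target.scheme != "https":
            problems.append("%s is not https: %s" % (name, url))
        elif target.netloc != host:
            problems.append("%s is on another host: %s" % (name, target.netloc))
    return problems


# Constructed sample response for the policy-specific directory (not real
# data); it carries two defects that check_directory should report.
POLICY_ID = "2ef92632-aaff-4d13-b3cb-6b27f2dac399"
POLICY_DIR = directory_url("example.com/acme", POLICY_ID)
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": POLICY_DIR.replace("directory", "new-nonce"),
    "newAccount": POLICY_DIR.replace("directory", "new-account"),
    "newOrder": POLICY_DIR.replace("directory", "new-order"),
    "revokeCert": "http://example.com/acme/v2/revoke-cert",  # plain http
})  # keyChange deliberately missing
```

Running check_directory(POLICY_DIR, SAMPLE_DIRECTORY) on the sample reports the plain-http revokeCert URL and the missing keyChange resource; an empty list means the directory is fit to hand to a client.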
Using win-acme with ERS ACME
Get the latest version from the official website of win-acme.
Create the directory c:\ers and place the zip file in this directory.
Open a PowerShell window with administrator rights and run the commands in Listing 2:
cd c:\ers
# Give the downloaded release archive a fixed name, then unpack it.
Copy-Item -Path "win-acme.v*.x64.trimmed.zip" -Destination "winacme.zip"
Expand-Archive .\winacme.zip -DestinationPath win-acme
cd .\win-acme\
# Create the ACME account that authenticates all later requests.
.\wacs.exe --register --accepttos --emailaddress acme@ers.example.com --baseuri "https://acme.example.com/acme/v2/directory"
# Request a certificate for demo.example.com from the same directory.
.\wacs.exe --target manual --host demo.example.com --accepttos --baseuri "https://acme.example.com/acme/v2/directory"
In Listing 2, replace the domain acme.example.com in the URL acme.example.com/acme/v2/directory with the domain where your ERS ACME runs.
win-acme stores its data under C:\ProgramData\win-acme.
win-acme offers many configuration options, for example the use of an HTTP proxy. See www.win-acme.com/reference/settings and www.win-acme.com/reference/cli for more information.