MTG ACME Server

MTG Certificate Lifecycle Manager Server includes an implementation of the ACME protocol according to [RFC8555].

Compatibility

An ACME Client compatibility list can be found here.

Usage

ACME can be used by all clients that are compliant to the [RFC8555] protocol. For the ACME service to be used, an ACME client needs the URL of the ACME directory endpoint, where it can obtain all ACME endpoints specified by the RFC. The URL follows the following pattern:

https://[ACME_URL_PREFIX]/[API_VERSION]/directory

ACME_URL_PREFIX: This part specifies the location of the application. It consists of the domain the ACME server is hosted and a URL prefix which offsets the root of the server application. For example, the URL prefix could be "example.com/acme".
API_VERSION: The API version the ACME endpoint has to use. Since currently only the latest version 2 is supported, the value of API_VERSION has to be "v2".

Listing 1 shows a certificate application using the certbot ACME client. The first command shows the creation of an ACME account which authenticates the subsequent communication with the ACME server. The second command executes the actual certificate application for the example domain mydomain.example.com.

Listing 1. Request certificate via certbot

certbot --server https://example.com/acme/v2/directory register \
        --no-eff-email -m test@example.com --agree-tos

certbot --server https://example.com/acme/v2/directory certonly \
        -d mydomain.example.com --standalone

cert-manager

If you use Kubernetes and OpenShift and do not want to experience expired certificates, the cert-manager tool makes up for the solution since it is compatible with MTG ERS and particularly the MTG ACME Server.

cert-manager has built-in mechanisms to use and deploy X.509 certificates, with management functions like requesting and renewing certificates. Certificates can be covertly renewed before they expire, which means that outages of services are avoided. This allows you to provision your resources in Kubernetes using TLS, while not worrying about certificate management. Setting up cert-manager with MTG ERS provides an easy and seamless certificate management experience.

Endpoints for other policies

By default, the ACME server provides the following endpoint:

https://[ACME_URL_PREFIX]/[API_VERSION]/directory

Client requests to this endpoint use the default policy.

The ACME server provides additional endpoints to support requests that require a different policy. Requests to these endpoints specify a different policy, instead of the default policy of the associated API client. These are the endpoints for the different policy endpoints:

https://[ACME_URL_PREFIX]/[API_VERSION]/[POLICY_ID]/directory

The POLICY_ID must be replaced with a valid policy ID.

For example, to create a certificate under the policy 2ef92632-aaff-4d13-b3cb-6b27f2dac399, use the following URL:

https://[ACME_URL_PREFIX]/[API_VERSION]/2ef92632-aaff-4d13-b3cb-6b27f2dac399/directory.

References

[RFC8555] R. Barnes, J. Hoffman-Andrews, D. McCarney & J. Kasten. Automatic Certificate Management Environment (ACME). RFC 8555.