Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated for CM 8.4.1

The file contains the configuration parameters used by the ACME servlet. 

Code Block
titleRequest URL

Relative paths specified below are relative the <configroot>

titleAbout <configroot>
Excerpt Include
Configuration files in Protocol Gateway
Configuration files in Protocol Gateway



Controls if the ACME servlet should start or not.

Code Block
start = false


The token procedure name that will be used to issue certificates from CF.

orderExpiryDurationThe amount of time that an ACME order is valid until it expires.
externalAccountRequiredIf true, will require that ACME clients include a value for externalAccountBinding when creating new ACME accounts. When using certbot as ACME client, this is done with the --eab-kid and --eab-hmac-key parameters. This also requires that the keyid and HMAC key is pre-registered in CF before the ACME account can be created.
baseUrlBy default, the ACME directory url will give paths to the caller by examining the URL of the incoming request. If the URL of the incoming requests is not the same as the externally accessible URLs for this installation, such as if the incoming requests have been re-written by a load-balancer, then it is possible to configure a base url here, that will be used in all URL responses.
nonceSizeThe size, in bytes, of the random nonce that is requested from CF for use in ACME protocol messages. Minimum value 16, max value 21.
nonceExpiryDurationThe amount of time that a nonce that is created by CF is valid until it expires and is allowed to be removed from the CF DB by cleaning process.
addAccountContactEmailIf true, adds the contact email address from the requesting account to the Rfc822 name field to the SAN extension in the certificate request.

Define handlers

The parameter values in the default section are used by all handlers unless overridden in the handler section.

Code Block
titleExample: default values for handlers
#default.orderExpiryDuration = PT10M
#default.externalAccountRequired = false
#default.baseUrl = https://example.localdomain:8443/pgwy/acme
#default.nonceSize = 16
#default.nonceExpiryDuration = P1D
#default.addAccountContactEmail = false

Each handler defines a mapping between the filter (from the URL) and the ACME directory that should process each filter.

Code Block
titleExample: handlers
handler.0.filter = directory
handler.0.format = acme/directory
handler.0.tokenProcedure = ACME TLS Web Server Token

Multiple CAs

It is possible to support multiple token procedures and thereby multiple CAs.

To configure Protocol Gateway to use ACME with different CAs, more than one ACME directory handler can be configured in with different token procedures:

Code Block
titleExample: Multiple CAs
#handler.1.filter = directory-for-other-ca
#handler.1.format = acme/directory
#handler.1.tokenProcedure = Token Procedure from other CA

Identity Manager tenant

To issue certificates using an Identity Manager tenant, configure like this:

Code Block
titleExample: IDM tenant
#handler.1.filter = idm/directory
#handler.1.format = acme/directory
#handler.1.tokenProcedure = ACME Order Registration
#handler.1.idm.tls.token = client-tls.p12
#handler.1.idm.tls.password = abcd1234
#handler.1.idm.certTemplate = ScmCtServerCertificateP10
#handler.1.idm.requestUrl = https://example.idm:18444/prime_explorer/ws/processes/{{\
process }}/start?tenantId={{ tenant }}&task={{ taskId }}

This article is valid for Certificate Manager 8.4.1 and later.

Related information

Children Display
pageAbout configuration in Protocol Gateway