The acme.properties file contains the configuration parameters used by the ACME servlet. The servlet is reached through URLs of the form:

```
http://<pgwy-host>[:<port>]/pgwy/acme/<handler>
```
Relative paths specified below are relative to the <configroot>.
Parameters

Parameter | Description
---|---
start | Controls whether the ACME servlet is started.
tokenProcedure | Name of the token procedure used to issue certificates from CF.
orderExpiryDuration | How long an ACME order stays valid before it expires.
externalAccountRequired | If true, ACME clients must include an externalAccountBinding when creating a new ACME account. With certbot as ACME client this is done with the --eab-kid and --eab-hmac-key parameters. The key ID and HMAC key must be pre-registered in CF before the ACME account can be created.
baseUrl | By default the ACME directory builds the URLs it returns from the URL of the incoming request. If that URL is not the externally accessible URL of the installation, for example because a load balancer rewrites incoming requests, configure the external base URL here; it is then used in all URL responses.
nonceSize | Size, in bytes, of the random nonce requested from CF for use in ACME protocol messages. Minimum 16, maximum 21.
nonceExpiryDuration | How long a nonce created by CF stays valid before it expires and may be removed from the CF database by the cleaning process.
addAccountContactEmail | If true, adds the contact email address of the requesting account as an rfc822Name in the SAN extension of the certificate request.
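To show what an ACME client actually sends when externalAccountRequired is true, here is an added example (not Protocol Gateway or certbot code) that builds and verifies the externalAccountBinding JWS defined in RFC 8555 section 7.3.4; this is what certbot derives from its --eab-kid and --eab-hmac-key parameters. The key ID, MAC key, account key and newAccount URL below are constructed sample values, not credentials registered in CF, and the URL layout under /pgwy/acme/directory is an assumption.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: produce the externalAccountBinding for the newAccount payload.

    Per RFC 8555 7.3.4 the JWS has a protected header {alg: HS256, kid, url},
    the account public key (JWK) as payload and no nonce; the signature is
    HMAC-SHA256 over "<protected>.<payload>" keyed with the pre-registered MAC key.
    """
    protected = b64url(json.dumps(
        {"alg": "HS256", "kid": kid, "url": new_account_url},
        separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(
        account_jwk, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode("ascii"),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def protected_header(eab: dict) -> dict:
    """Decode the protected header so the server can look up the kid."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key: str, new_account_url: str, account_jwk: dict) -> bool:
    """Server side: recompute the MAC with the key registered for the header's kid.

    Besides the MAC, the server checks that the header's url is its own newAccount
    URL and that the payload is exactly the account key that signed the outer
    newAccount request; otherwise a binding could be replayed for another account.
    """
    header = protected_header(eab)
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    expected = hmac.new(b64url_decode(hmac_key),
                        f'{eab["protected"]}.{eab["payload"]}'.encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed sample values (not real CF credentials or a real key pair).
SAMPLE_KID = "eab-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"constructed-mac-key-32-bytes!!!!")  # handed out base64url-encoded
NEW_ACCOUNT_URL = "https://example.localdomain:8443/pgwy/acme/directory/new-account"  # assumed layout
SAMPLE_ACCOUNT_JWK = {  # placeholder P-256 coordinates; only their bytes matter for the MAC
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK)
    print(json.dumps({"externalAccountBinding": eab}, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK))
```

The verification side is the part that matters for the externalAccountRequired setting: the MAC alone only proves possession of the pre-registered key, so the server must also bind the JWS to its own newAccount URL and to the account key in the outer request, which the example does before comparing digests in constant time.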
Define handlers
The parameter values in the default section are used by all handlers unless overridden in the handler section.
```
#default.orderExpiryDuration = PT10M
#default.externalAccountRequired = false
#default.baseUrl = https://example.localdomain:8443/pgwy/acme
#default.nonceSize = 16
#default.nonceExpiryDuration = P1D
#default.addAccountContactEmail = false
```
Each handler maps a filter (the <handler> part of the URL) to the ACME directory that processes requests matching that filter.
```
handler.0.filter = directory
handler.0.format = acme/directory
handler.0.tokenProcedure = ACME TLS Web Server Token
```
Multiple CAs
It is possible to support multiple token procedures and thereby multiple CAs.
To configure Protocol Gateway to use ACME with different CAs, more than one ACME directory handler can be configured in acme.properties with different token procedures:
```
#handler.1.filter = directory-for-other-ca
#handler.1.format = acme/directory
#handler.1.tokenProcedure = Token Procedure from other CA
```
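The default-then-override rule from "Define handlers" and the filter-to-handler mapping used for multiple CAs can be tried out with the following added example. It is not Protocol Gateway's own configuration parser; the sample acme.properties is constructed from the snippets on this page, the exact key names for per-handler overrides (handler.N.<parameter>), the set of required keys and exact matching of the filter against the URL are this example's assumptions, and the nonceSize range check is taken from the parameter table.

```python
import re
from urllib.parse import urlsplit

# Constructed sample acme.properties, modelled on the page's handler examples.
SAMPLE_PROPERTIES = """\
# default section: applies to every handler unless the handler overrides it
default.orderExpiryDuration = PT10M
default.externalAccountRequired = false
default.nonceSize = 16
default.nonceExpiryDuration = P1D
default.addAccountContactEmail = false

# handler 0: the primary CA
handler.0.filter = directory
handler.0.format = acme/directory
handler.0.tokenProcedure = ACME TLS Web Server Token

# handler 1: another CA, with stricter account creation and a larger nonce
handler.1.filter = directory-for-other-ca
handler.1.format = acme/directory
handler.1.tokenProcedure = Token Procedure from other CA
handler.1.externalAccountRequired = true
handler.1.nonceSize = 21
"""

# Keys every handler must end up with after merging (assumption of this example).
REQUIRED = ("filter", "format", "tokenProcedure")


def parse_properties(text: str) -> dict:
    """Minimal key = value parser; '#' lines and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_handlers(props: dict) -> dict:
    """Merge default.* into each handler.N.* section and validate it. Returns {filter: config}."""
    defaults = {k[len("default."):]: v for k, v in props.items() if k.startswith("default.")}
    sections = {}
    for key, value in props.items():
        m = re.fullmatch(r"handler\.(\d+)\.(.+)", key)
        if m:
            sections.setdefault(int(m.group(1)), {})[m.group(2)] = value

    handlers = {}
    for idx in sorted(sections):
        cfg = dict(defaults)
        cfg.update(sections[idx])          # the handler section overrides the defaults
        missing = [k for k in REQUIRED if k not in cfg]
        if missing:
            raise ValueError(f"handler.{idx}: missing {', '.join(missing)}")
        size = int(cfg.get("nonceSize", 16))
        if not 16 <= size <= 21:             # range given in the parameter table
            raise ValueError(f"handler.{idx}: nonceSize {size} is outside 16..21")
        cfg["nonceSize"] = size
        cfg["externalAccountRequired"] = cfg.get("externalAccountRequired", "false").lower() == "true"
        if cfg["filter"] in handlers:
            raise ValueError(f"handler.{idx}: filter {cfg['filter']!r} already used")
        handlers[cfg["filter"]] = cfg
    return handlers


def handler_for_url(url: str, handlers: dict):
    """Map http://<pgwy-host>[:<port>]/pgwy/acme/<handler> to the handler whose
    filter equals the <handler> part (exact match is this example's assumption)."""
    m = re.fullmatch(r"/pgwy/acme/(.+)", urlsplit(url).path)
    return handlers.get(m.group(1)) if m else None


def validation_error(text: str):
    """Return the validation message for a properties text, or None if it is valid."""
    try:
        resolve_handlers(parse_properties(text))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for flt, cfg in resolve_handlers(parse_properties(SAMPLE_PROPERTIES)).items():
        print(flt, "->", cfg["tokenProcedure"], "| EAB required:", cfg["externalAccountRequired"],
              "| nonceSize:", cfg["nonceSize"])
```

Running it shows that handler 1 inherits orderExpiryDuration and nonceExpiryDuration from the default section while its own externalAccountRequired and nonceSize win, and that a request to /pgwy/acme/directory-for-other-ca is routed to the token procedure of the other CA.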
Identity Manager tenant
To issue certificates using an Identity Manager tenant, configure like this:
```
#handler.1.filter = idm/directory
#handler.1.format = acme/directory
#handler.1.tokenProcedure = ACME Order Registration
#handler.1.idm.tls.token = client-tls.p12
#handler.1.idm.tls.password = abcd1234
#handler.1.idm.certTemplate = ScmCtServerCertificateP10
#handler.1.idm.requestUrl = https://example.idm:18444/prime_explorer/ws/processes/{{ process }}/start?tenantId={{ tenant }}&task={{ taskId }}
```
This article is valid for Certificate Manager 8.4.1 and later.