Configuring ACME with OpenSSL Issuer
Endi S. Dewata edited this page Apr 21, 2021
Create the Tomcat instance and the ACME responder with the OpenSSL backend:
$ pki-server create tomcat@acme
$ pki-server acme-create -i tomcat@acme --backend openssl openssl
Create the OpenSSL CA key and self-signed CA certificate:
$ cd /var/lib/tomcats/acme/conf/openssl
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -key ca.key -out ca.crt -subj "/O=EXAMPLE/CN=Certificate Authority"
Note that openssl req -x509 makes the certificate valid for only 30 days unless -days is given; a CA that must outlive the 90-day certificates it issues needs a longer validity, for example -days 3650.
Store the OpenSSL CA configuration in /var/lib/tomcats/acme/conf/openssl/ca.conf:
[ca]
default_ca = acme_ca
[acme_ca]
serial = /var/lib/tomcats/acme/conf/openssl/ca.srl
database = /var/lib/tomcats/acme/conf/openssl/ca.db
new_certs_dir = /var/lib/tomcats/acme/conf/openssl/certs
certificate = /var/lib/tomcats/acme/conf/openssl/ca.crt
private_key = /var/lib/tomcats/acme/conf/openssl/ca.key
default_md = sha256
default_days = 90
policy = acme_dn_policy
copy_extensions = copy
[acme_dn_policy]
copy_extensions = copy is what carries the subjectAltName from the ACME client's CSR into the issued certificate. With copy (as opposed to copyall), extensions that are already defined in the extension configuration take precedence over anything in the CSR, so the basicConstraints and keyUsage values set in ext.conf cannot be overridden by a client-supplied request.
Store the certificate extension configuration in /var/lib/tomcats/acme/conf/openssl/ext.conf:
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
certificatePolicies = 2.23.140.1.2.1, @acme_policy
[acme_policy]
policyIdentifier = 1.3.6.1.4.1.44947.1.1.1
CPS.1 = http://cps.example.com
Create the certificate database, the serial number file and the output directory (still in /var/lib/tomcats/acme/conf/openssl), then hand the files to the tomcat user:
$ mkdir -p certs
$ touch ca.db
$ echo 01 > ca.srl
$ chown tomcat:tomcat *
Make sure ca.key is readable only by the tomcat user (mode 0600): anyone who can read it can issue certificates from this CA.
To configure the ACME responder with an OpenSSL issuer, edit /var/lib/tomcats/acme/conf/issuer.conf as follows:
class = org.dogtagpki.acme.issuer.OpenSSLIssuer
ca_conf = ca.conf
ext_conf = ext.conf
ca_cert = ca.crt
ca_key = ca.key
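The following script is an added example, not code from the Dogtag PKI project or from this page. It exercises the ca.conf and ext.conf above end to end before the responder is started: it rebuilds both files in a scratch directory, signs a constructed CSR for www.example.com with openssl ca the way the OpenSSL issuer does, and checks the issued certificate. Its assumptions: it works in an unprivileged temporary directory rather than /var/lib/tomcats/acme/conf/openssl, it gives the CA certificate its extensions through an explicit request config instead of the bare openssl req -x509 command above so that it does not depend on the system openssl.cnf, and it fills [acme_dn_policy] with commonName = optional, which the page leaves empty.

```shell
#!/bin/sh
# Added self-test for the OpenSSL issuer configuration (example code, not Dogtag PKI).
# Rebuilds ca.conf/ext.conf in a scratch directory (assumption: not the live instance
# path, so no root or tomcat user is needed), signs a constructed CSR, checks the cert.

acme_openssl_selftest() (
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    mkdir -p certs && : > ca.db && echo 01 > ca.srl || return 1

    # CA key and self-signed certificate; CA extensions stated explicitly (assumption).
    openssl genrsa -out ca.key 2048 2>/dev/null || return 1
    cat > ca-req.conf <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = EXAMPLE
CN = Certificate Authority
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -config ca-req.conf -key ca.key -out ca.crt || return 1

    # ca.conf as on the page, with absolute paths into the scratch directory.
    # [acme_dn_policy] gets commonName = optional (assumption; the page shows only the header).
    cat > ca.conf <<EOF
[ca]
default_ca = acme_ca
[acme_ca]
serial = $work/ca.srl
database = $work/ca.db
new_certs_dir = $work/certs
certificate = $work/ca.crt
private_key = $work/ca.key
default_md = sha256
default_days = 90
policy = acme_dn_policy
copy_extensions = copy
[acme_dn_policy]
commonName = optional
EOF

    # ext.conf exactly as on the page.
    cat > ext.conf <<EOF
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
certificatePolicies = 2.23.140.1.2.1, @acme_policy
[acme_policy]
policyIdentifier = 1.3.6.1.4.1.44947.1.1.1
CPS.1 = http://cps.example.com
EOF

    # Constructed CSR standing in for an ACME client's request: the identifier travels
    # in subjectAltName, which copy_extensions = copy carries into the certificate.
    cat > csr.conf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = www.example.com
[san]
subjectAltName = DNS:www.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config csr.conf \
        -keyout www.key -out www.csr 2>/dev/null || return 1

    # Sign the way OpenSSLIssuer does: openssl ca with ca.conf and ext.conf.
    openssl ca -batch -notext -config ca.conf -extfile ext.conf \
        -in www.csr -out www.crt >ca.log 2>&1 || { cat ca.log >&2; return 1; }

    # Checks: chains to the CA, SAN copied, ext.conf applied, 90-day lifetime.
    openssl verify -CAfile ca.crt www.crt >/dev/null || return 1
    openssl x509 -in www.crt -noout -text > www.txt || return 1
    for needle in 'DNS:www.example.com' 'CA:FALSE' 'TLS Web Server Authentication' \
                  'OCSP - URI:http://ocsp.example.com' 'CPS: http://cps.example.com'; do
        grep -q "$needle" www.txt || { echo "missing: $needle" >&2; return 1; }
    done
    openssl x509 -in www.crt -noout -checkend $((89 * 86400)) >/dev/null || return 1  # still valid at day 89
    openssl x509 -in www.crt -noout -checkend $((91 * 86400)) >/dev/null && return 1  # but gone by day 91
    echo "OK: $work/www.crt"
)

acme_openssl_selftest
```

The script prints OK and the path of the issued certificate on success; a failing signature prints the openssl ca log, and a missing field names the extension that did not make it into the certificate. The 89/91-day -checkend pair confirms that default_days = 90 took effect without parsing dates. To exercise the live instance instead, point the paths at /var/lib/tomcats/acme/conf/openssl and run it as the tomcat user, remembering that each successful run consumes a serial number and adds a row to ca.db.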