Managing Automatic Certificate Management Environment (ACME) in Identity Management (IdM)

Red Hat Performance and Scale Engineering


The Automatic Certificate Management Environment (ACME) protocol allows automated interactions between certificate authorities and your servers. This means you can automate the deployment of your public key infrastructure at a low cost, with relatively little effort. ACME provides automated identifier validation and certificate issuance, and its goal is to improve security by offering certificates with a short lifespan (3 months by default, according to the Let's Encrypt specification), and by removing manual (and error-prone) processes from certificate lifecycle management.

The Let's Encrypt public Certificate Authority (CA) is by far the most used ACME server. It is a free, publicly trusted CA, and supports a majority of client implementations (they recommend certbot). There are other CAs that implement ACME, including the Dogtag CA provided by Red Hat Identity Management (IdM). This has been a Technology Preview in IdM since RHEL 8.4, but the upstream project FreeIPA has several articles on the subject. Because the current support level is Technology Preview, we recommend against relying on this feature in production environments. The goal of this article is to introduce the management of ACME with IdM and Red Hat Enterprise Linux (RHEL) clients using mod_md for Apache httpd (the only ACME client implementation fully supported by Red Hat). I also cover new aspects of this feature coming in mod_md in RHEL 9.5 and, in the meantime, on the IdM CA.

ACME components

As a starting point, I have an IdM server on RHEL 9.4, and a client also on 9.4 joined with the default options:

As an introduction to the protocol, the ACME service provided by the IdM CA uses a challenge and response authentication mechanism to prove that a client has control of an identifier. This challenge is a proof of ownership used to obtain a certificate. Specifically, I discuss the http-01 and the dns-01 challenges. The client implementation mod_md implements the http-01, tls-alpn-01 and dns-01 challenges, and IdM understands http-01 and dns-01, so those are the only options I have for the client to prove control of the identifier. The http-01 challenge requires the client to provision an HTTP resource. The identifier is authorized when sufficient challenges (usually one for a single identifier) have been validated. Then the client finalizes the order, causing the CA to issue a new key and certificate pair. Finally, the client configures the issued certificate to be used by the application automatically. In this article, I discuss mod_md, the ACME client module for Apache httpd.

In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. Additionally, enabling or disabling the ACME service affects the entire IdM deployment. Turning the ACME service on or off is a deployment-wide operation because the configuration is stored in the replicated LDAP database. The ipa-acme-manage command controls the feature for the whole deployment.

Also, it is only possible to enable ACME on fresh installations of IdM (specifically, IdM on RHEL 9.2 or later, with Random Serial Numbers v3 (RSNv3) enabled). This is documented in the prerequisites, and is due to the pruning mechanism for expired certificates in the Dogtag CA database. ACME runs as a separate service inside Apache Tomcat. ACME configuration files are stored in /etc/pki/pki-tomcat/acme, and PKI logs ACME information to /var/log/pki/pki-tomcat/acme/.

Managing ACME in IdM

By default, the service is disabled. When you enable it, the service runs on any and all IdM CA servers in your deployment. First, check the status of the service:

[root@idm ~]# ipa-acme-manage status
ACME is disabled
The ipa-acme-manage command was successful

Enable it:

[root@idm ~]# ipa-acme-manage enable
The ipa-acme-manage command was successful
[root@idm ~]# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful

It is important to configure a schedule for removing expired certificates. You can do this with a cron job (for example, on the first day of every month at midnight). The command to do that, and also a common error, can be the following:

[root@idm ~]# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
Certificate pruning requires random serial numbers
The ipa-acme-manage command failed.

This means that you did not enable random serial numbers when installing your IdM on RHEL 9.2 or later. To perform the installation with RSNv3:

[root@idm ~]# ipa-server-install --random-serial-numbers --setup-dns

On RHEL 9.2 and later, you can only enable pruning if you installed IdM with this option. If it is not enabled, certificates accumulate on the server and performance degrades. The feature can still be used without automatic pruning and RSNv3, but keep in mind that if you issue a lot of certificates, you will have to manually prune expired certificates from the database to maintain performance.

Here is an example of a fresh installation of an IdM server without random serial numbers:

Instead, if you enable random serial numbers, this is the result:

And with the installation using RSN, the pruning command works fine:

[root@idmserver ~]# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
Status: enabled
Certificate Retention Time: 30
Certificate Retention Unit: day
Certificate Search Size Limit: 1000
Certificate Search Time Limit: 0
Request Retention Time: day
Request Retention Unit: 30
Request Search Size Limit: 1000
Request Search Time Limit: 0
cron Schedule: 0 0 1 * *
The CA service must be restarted for changes to take effect
The ipa-acme-manage command was successful

The Certificate Retention Time: 30 property is the retention period before an expired certificate is pruned. After enabling pruning, you must restart the CA service:

[root@idmserver ~]# systemctl restart pki-tomcatd@pki-tomcat.service

For illustrative purposes, I am using sequential ascending serial numbers, so that the certificate serial number is predictable and I can easily follow the lifecycle of certificates.

Managing certificates

Our IdM server is now set up and ready to issue certificates through the ACME protocol. In a future post, I will look at how to configure mod_md on a client to automatically generate a key and obtain a certificate, how to modify the certificate profile in IdM to change the validity period of a certificate issued with ACME, and how revoking a certificate automatically causes a new certificate to be reissued.

Because IdM is included in your standard RHEL subscription, you can try to replicate this content in your lab environment without any additional subscription to set up your own ACME environment. If you are not already a RHEL subscriber, get a no-cost trial from Red Hat.

roosho, Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 