Obtain certificates with acme.sh
Simply Certified
Obtaining a Certificate with acme.sh
The Certbot client [4] is well documented on the Internet, so I will instead look at the easiest way to get a certificate from an ACME server by introducing the acme.sh shell script tool [5]. Unlike Certbot, it has only a few dependencies on other software packages; in terms of functionality, however, it is almost identical.
Instead of using the tool with the Let's Encrypt certification authority, you can of course use any other ACME-compliant server. For example, Dogtag [6] or the FreeIPA [6] identity management framework supports the ACME protocol. In these cases, however, you must make sure that you explicitly designate the ACME server with the --server option.
To begin, either download the ACME client from the official GitHub site [5], or simply install it with:
curl https://get.acme.sh | sh -s email=user@example.com
The configuration is already set up in ~/.acme.sh/. To start a registration for your account on the ACME server, call the tool and then create the certificate request:
acme.sh --register-account
acme.sh --issue --standalone -d www.example.com
The socat tool starts a simple web server on port 80, through which the ACME server can communicate with the client. If everything works, you will be able to view the details of the certificate you just issued with openssl (Listing 1).
Listing 1
Viewing Certificate
openssl x509 -in /home/tscherf/.acme.sh/www.example.com/www.example.com.cer -noout -issuer -subject -dates -serial
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=www.example.com
notBefore=Feb 21 13:00:28 2021 GMT
notAfter=May 22 13:00:28 2021 GMT
serial=03B46ADF0F26B94C19443669ABD0C5100356
In the next step, you only have to include the complete certificate chain in the desired service. To use the tool with other challenge types or in more complex setups, as always, I recommend taking a look at the software documentation [5].
Conclusion
The ACME protocol is becoming increasingly popular. A whole range of products now use it, helping to spread the use of X.509 even further. The acme.sh shell script is a very lightweight ACME client that compares well with better known clients such as Certbot.
Infos
- [1] Let's Encrypt project: https://letsencrypt.org
- [2] ACME RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555
- [3] ACME extension RFC 8737: https://datatracker.ietf.org/doc/html/rfc8737
- [4] ACME Certbot client: https://certbot.eff.org
- [5] ACME shell script: https://github.com/acmesh-official/acme.sh
- [6] Dogtag ACME Responder: https://github.com/dogtagpki/pki/wiki/ACME-Responde