The following is a quick guide on how to issue certificates via acme.sh. (Thanks to Jochen Becker from TUDa-CERT for the instructions).
Step 1 – Install
The general installation instructions describe the process, but they are written for ZeroSSL (the default CA) or Let's Encrypt, hence the following deviation: DO NOT enter an email address at this point (the account is registered with the proper contact address in Step 3) and ignore the installer's note about it.
Run as the root user (the clear recommendation):
curl https://get.acme.sh | sh -s
or
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install
The documentation describes four further installation methods. In every case the installer places acme.sh in ~/.acme.sh and adds an alias to your shell profile, so open a new shell (or source the profile) before continuing with the next steps.
Step 2 – Set the GÉANT server as default CA
acme.sh --set-default-ca --server https://acme.sectigo.com/v2/OV
Step 3 – Register account once
acme.sh --register-account --email '<contact-mail>' --eab-kid '<key-id>' --eab-hmac-key '<hmac-key>' --server https://acme.sectigo.com/v2/OV
You will receive the values for <key-id> and <hmac-key> from us by email. They are the External Account Binding (EAB) credentials that tie the ACME account to your organisation; treat them like a password (the single quotes around them are needed if the values contain shell metacharacters).
The value <contact-mail> is the contact address for the account. Expiry notifications are also sent to this address, so enter a functional, monitored address (preferably a role mailbox) if at all possible.
The command prints a line ACCOUNT_THUMBPRINT='...' at the end. Note this value: the stateless mode used in Step 4 needs it in the web server configuration.
Step 4 – Issuing a certificate
The following step is repeated for every certificate you need. Each pair of commands offers two alternatives, pick one: the first creates an RSA 4096-bit key, the second an ECDSA P-384 key. --days 350 is the interval after which acme.sh's cron job renews the certificate (the validity period itself is set by the CA). --stateless means no challenge files are written to the web root: the web server must itself answer GET /.well-known/acme-challenge/<token> on port 80 with "<token>.<ACCOUNT_THUMBPRINT>" for every name in the request, using the thumbprint printed in Step 3; without that configuration the HTTP-01 validation fails.
Issuing and retrieving a certificate for a single domain (<domain>) without subject alternative names:
acme.sh --issue -d <domain> --keylength 4096 --days 350 --stateless
acme.sh --issue -d <domain> --keylength ec-384 --days 350 --stateless
Issuing and retrieving a certificate for a domain (<domain>) with additional subject alternative names (<SAN1>, <SAN2>, ...):
acme.sh --issue -d <domain> -d <SAN1> -d <SAN2> --keylength 4096 --days 350 --stateless
acme.sh --issue -d <domain> -d <SAN1> -d <SAN2> --keylength ec-384 --days 350 --stateless
Step 5 – Renew
If the cron job (set up by default during installation, see crontab -l) is active, the certificate is renewed and stored automatically once the --days interval has elapsed. Only the certificate changes on renewal: by default acme.sh reuses the existing private key (pass --always-force-new-domain-key to --issue if you want a fresh key every time), and the chain normally stays the same.
Services that have loaded the old certificate file must be reloaded or restarted after the new one has been written. Rather than doing this by hand, register the target paths and a reload command once with acme.sh --install-cert ... --reloadcmd "..."; acme.sh stores the command and runs it after every automatic renewal. For ECDSA certificates add --ecc to --install-cert and --renew, because acme.sh keeps them separately from RSA certificates for the same domain.
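An end-to-end wrapper for Steps 2 to 5, added here as an example; it is not part of the original guide or of acme.sh. It assumes nginx as the web server, a certificate directory /etc/ssl/tcs, "systemctl reload nginx" as the reload hook, and acme.sh installed at ~/.acme.sh/acme.sh (the Step 1 location); the domain names and the thumbprint used in main() are constructed placeholders, not real data. By default it only prints the acme.sh commands and the nginx snippet; set DRY_RUN=0 to execute them.

```sh
#!/bin/sh
# Added example for this guide, not part of the original page or of acme.sh.
# Wraps Steps 2-5 for the GEANT/Sectigo OV endpoint: builds the issue command,
# the --install-cert hook that reloads the service on every renewal, and the
# nginx location block that stateless HTTP-01 needs.
# Assumptions not taken from the guide: nginx as web server, certificate files
# under /etc/ssl/tcs, "systemctl reload nginx" as reload hook, acme.sh under
# ~/.acme.sh. Domains and the thumbprint in main() are constructed placeholders.
# DRY_RUN=1 (default) only prints the acme.sh commands; DRY_RUN=0 executes them.

set -u

SERVER="https://acme.sectigo.com/v2/OV"
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"     # install path from Step 1 (assumption)
CERT_DIR="${CERT_DIR:-/etc/ssl/tcs}"       # where the service reads its files (assumption)
DRY_RUN="${DRY_RUN:-1}"

# Turn "cn san1 san2 ..." into "-d cn -d san1 -d san2"; the first name becomes the CN.
domain_args() {
    out=""
    for d in "$@"; do
        out="${out:+$out }-d $d"
    done
    printf '%s' "$out"
}

# Map the two key types the guide offers to acme.sh --keylength values.
keylength_for() {
    case "$1" in
        rsa) printf '4096' ;;
        ec)  printf 'ec-384' ;;
        *)   echo "unknown key type: $1 (use rsa or ec)" >&2; return 1 ;;
    esac
}

# Step 4: the issue command as the guide shows it. --server is passed explicitly
# so that a skipped Step 2 cannot silently issue from acme.sh's default CA.
issue_cmd() {
    keytype="$1"; shift
    printf '%s --issue %s --keylength %s --days 350 --stateless --server %s' \
        "$ACME" "$(domain_args "$@")" "$(keylength_for "$keytype")" "$SERVER"
}

# Step 5: copy key and full chain to the service's paths and reload it.
# acme.sh remembers the reloadcmd and re-runs it after every cron renewal.
# ECDSA certificates must be addressed with --ecc.
install_cmd() {
    dom="$1"; keytype="$2"
    ecc=""
    [ "$keytype" = ec ] && ecc=" --ecc"
    printf '%s --install-cert -d %s%s --key-file %s/%s.key --fullchain-file %s/%s.fullchain.pem --reloadcmd "systemctl reload nginx"' \
        "$ACME" "$dom" "$ecc" "$CERT_DIR" "$dom" "$CERT_DIR" "$dom"
}

# Stateless HTTP-01: nginx answers /.well-known/acme-challenge/<token> with
# "<token>.<account thumbprint>" (the ACCOUNT_THUMBPRINT printed in Step 3),
# so no challenge files are ever written to the web root.
stateless_location() {
    thumb="$1"
    cat <<EOF
location ~ ^/\\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$ {
    default_type text/plain;
    return 200 "\$1.$thumb";
}
EOF
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$1"
    else
        sh -c "$1"
    fi
}

main() {
    # Constructed placeholder values, not real data.
    echo "# nginx snippet for the port-80 server block of every requested name:"
    stateless_location "ACCOUNT_THUMBPRINT_FROM_STEP_3"
    run "$(issue_cmd ec www.example.org api.example.org mail.example.org)"
    run "$(install_cmd www.example.org ec)"
}

main
```

Paste the printed location block into the port-80 server block of each requested name, reload nginx, then rerun the script with DRY_RUN=0. Because --install-cert records the --reloadcmd in the domain's acme.sh configuration, every cron renewal afterwards rewrites the files and reloads nginx without further action.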