Server certificates via DFN-PKI
ACME configuration

If you have received access data from us via the ACME form, you can have certificates issued via various ACME clients.

You will receive a key-id and a hmac-key from us for each account.

Details on the ACME protocol can be found in the protocol specification.

General information on the use of ACME in TCS can also be found in the DFN Wiki on the subject (German only).

It is important that the ACME client used supports the External Account Binding feature. This links your ACME client to the account we have created in TCS and authorises it to issue certificates for the approved hostnames.
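To make clear what the client actually does with the key-id and hmac-key, here is an added Python example (not code from this page, from certbot or from acme.sh) that builds and verifies the External Account Binding JWS from RFC 8555 section 7.3.4: an HMAC-SHA256 over the new account's public JWK, with the key-id in the protected header. The key-id, HMAC key, account JWK and newAccount URL below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as required for JWS components."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url, restoring the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(key_id: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding JWS (alg HS256, kid = key-id, url = newAccount).
    The HMAC key is delivered base64url-encoded, so it is decoded before use."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str, expected_url: str) -> bool:
    """Server side: header fields must match and the MAC must verify (constant-time compare)."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
        given = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid or header.get("url") != expected_url:
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


# Constructed sample values (placeholders, not real credentials).
KEY_ID = "example-key-id"
HMAC_KEY = b64url(bytes(range(32)))
# Assumed newAccount URL; a real client reads it from the ACME directory document.
NEW_ACCOUNT_URL = "https://acme.sectigo.com/v2/OV/newAccount"
# Constructed P-256 JWK; only its encoding matters for the MAC here.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}

if __name__ == "__main__":
    eab = build_eab(KEY_ID, HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("valid:", verify_eab(eab, HMAC_KEY, KEY_ID, NEW_ACCOUNT_URL))
```

The server accepts the binding only if the key-id, HMAC key and the JWK inside the JWS all agree, which is why a client without EAB support cannot register against the TCS account.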

Below you will find instructions for specific ACME clients. If you have successfully configured a different client, please let us know.

The following is a quick guide on how to issue certificates via certbot using ACME. Details are described in the certbot documentation.

Depending on the setup, the commands must all be executed via sudo. However, you can also specify user directories with the parameters --config-dir, --work-dir and --logs-dir and then execute the commands with an unprivileged user.

Step 1 – Register

Firstly, you need to create the ACME account and link it to the access data we have created. To do this, execute the following command:

certbot register --agree-tos --no-eff-email --email <contact-mail> --server https://acme.sectigo.com/v2/OV --eab-kid <key-id> --eab-hmac-key <hmac-key>

You will receive the values for <key-id> and <hmac-key> from us by email.

The value <contact-mail> is a contact address for the account. This address will also be notified about certificate expiry. You should therefore enter a functional address here if possible.

Step 2 – Issue

You can then issue certificates for any of the hostnames (<domain>) we have approved. To do this, use the following command for the first issuance:

certbot certonly --standalone --non-interactive --server https://acme.sectigo.com/v2/OV --domain <domain> --cert-name <certname>

<certname> is a freely selectable identifier for this certificate. It determines, for example, where the private keys and certificates are created or stored by the command. These can usually be found under /etc/letsencrypt/live/<certname> after executing the command.

It can also be used to renew or revoke an individual certificate.

Step 3 – Renew

Certbot implements automatic renewal by executing the certbot renew -q command at regular intervals, e.g. via cron. This checks whether a certificate is due for renewal and renews it accordingly. The '*-hook' options, which can be viewed under certbot -h renew, are also useful for further automation, for example to reload a service after renewal.

The following is a quick guide on how to issue certificates via acme.sh. (Thanks to Jochen Becker from TUDa-CERT for the instructions).

Step 1 – Install

The general installation instructions describe the process, but they are written for ZeroSSL (the default) or Let's Encrypt. Therefore the following deviation applies: DO NOT enter an email address at this point, and ignore the corresponding note.

As root user (clear recommendation)

curl https://get.acme.sh | sh -s

or

git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
acme.sh --install

The documentation describes four further installation methods.

Step 2 – Set GÉANT server as default

acme.sh --set-default-ca --server https://acme.sectigo.com/v2/OV

Step 3 – Register account once

acme.sh --register-account --email '<kontakt-mail>' --eab-kid '<key-id>' --eab-hmac-key '<hmac-key>' --server https://acme.sectigo.com/v2/OV

You will receive the values for <key-id> and <hmac-key> from us by email.

The value <kontakt-mail> is a contact address for the account. This address will also be notified about certificate expiry. You should therefore enter a functional address here if possible.

Step 4 – Issuing a certificate

The following steps are repeated for every certificate you need:

Issuing and retrieving a certificate for a single domain (<domain>) without subject alternative names, either with an RSA 4096-bit key:

acme.sh --issue -d <domain> --keylength 4096 --days 350 --stateless

or with an ECDSA P-384 key:

acme.sh --issue -d <domain> --keylength ec-384 --days 350 --stateless

Issuing and retrieving a certificate for a domain (<domain>) with additional subject alternative names (<SAN1>, <SAN2>), again with an RSA 4096-bit key:

acme.sh --issue -d <domain> -d <SAN1> -d <SAN2> --keylength 4096 --days 350 --stateless

or with an ECDSA P-384 key:

acme.sh --issue -d <domain> -d <SAN1> -d <SAN2> --keylength ec-384 --days 350 --stateless

Step 5 – Renew

If the cron option (default) is activated, the certificate is automatically renewed and stored.

Services may have to be reloaded or restarted after the certificate file has been replaced by a renewal. Note that only the certificate is updated on renewal, not the key or the chain.