ACME Server Implementation (Private Network)

This section describes the system's capability to act as an ACME (Automated Certificate Management Environment) server, allowing external ACME clients (such as Certbot) to request and obtain TLS certificates from this PKI system automatically. This is particularly useful for internal services in a private network, whose names a public CA cannot validate or issue for: the certificates chain to the PKI's internal CA, so they are valid for every client that trusts that CA's root.

Key Functionalities

ACME Directory

  • Endpoint: GET /api/v1/acme/directory
  • Description: Serves as the ACME directory endpoint, which ACME clients use for discovery. It provides the URLs of the other ACME endpoints (new account, new order, new nonce, revoke certificate, key change). It is the only URL a client needs to be configured with (for Certbot, via --server); everything else is discovered from it.
  • Inferred Specification: Complies with the ACME protocol (RFC 8555 §7.1.1) for directory discovery.

New Account Registration

  • Endpoint: POST /api/v1/acme/new-account
  • Description: Allows ACME clients to register a new account with this ACME server. The client generates an ACME account key pair and submits the public key to the server; that key is what authenticates every later request from the account.
  • Inferred Specification: Handles JSON Web Signature (JWS) for account creation requests, where the public key travels in the protected header as jwk, and stores the ACME account details. Later requests reference the account by its URL in the kid header field instead.

New Order Creation

  • Endpoint: POST /api/v1/acme/new-order
  • Description: Enables ACME clients to initiate a new certificate order for one or more domain names.
  • Inferred Specification: Processes JWS-signed order requests, creates AcmeOrder records, and generates AcmeChallenges for each domain: in ACME terms, one authorization per requested identifier, each carrying the challenge(s) the client may satisfy.

Challenge Response

  • Endpoint: POST /api/v1/acme/chall/{challengeId}
  • Description: Allows ACME clients to tell the server that a specific challenge (e.g., http-01, dns-01) is in place and ready to be checked.
  • Inferred Specification: Validates the challenge response, verifies the client's proof of domain control, and updates the challenge status. For http-01 the server fetches http://<domain>/.well-known/acme-challenge/<token> on port 80 and expects the key authorization (the token plus a hash of the account key); for dns-01 it looks up the _acme-challenge.<domain> TXT record. Because these checks are performed from the ACME server, it must be able to resolve internal names and reach the internal hosts from wherever it runs.
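To make the domain-control check concrete, here is an added Go example (written for this page, not the project's own code) of the server-side arithmetic behind both challenge types: the RFC 7638 thumbprint of the account key, the key authorization an http-01 responder must serve, the dns-01 TXT value, and the constant-time comparison against what the validator actually fetched. The sample JWK is constructed for the demo and all function names are assumptions for illustration, not the system's.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// base64url without padding, as both JOSE and ACME require.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newToken is the server-generated token stored in a challenge object:
// CSPRNG output of at least 128 bits, base64url-encoded (RFC 8555 §8.3).
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return b64url(b), nil
}

// canonicalJWK is the RFC 7638 thumbprint input: required members only, sorted,
// no whitespace. encoding/json sorts map keys and adds none, so this is exact.
func canonicalJWK(jwk map[string]string) ([]byte, error) {
	var required []string
	switch jwk["kty"] {
	case "EC":
		required = []string{"crv", "kty", "x", "y"}
	case "RSA":
		required = []string{"e", "kty", "n"}
	default:
		return nil, fmt.Errorf("unsupported kty %q", jwk["kty"])
	}
	canon := make(map[string]string, len(required))
	for _, m := range required {
		if jwk[m] == "" {
			return nil, fmt.Errorf("jwk is missing %q", m)
		}
		canon[m] = jwk[m] // optional members such as "alg" are deliberately dropped
	}
	return json.Marshal(canon)
}

// keyAuthorization = token || "." || base64url(SHA-256(canonical JWK)), the http-01 body (RFC 8555 §8.1).
func keyAuthorization(token string, jwk map[string]string) (string, error) {
	canon, err := canonicalJWK(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return token + "." + b64url(sum[:]), nil
}

// dns01Value is the TXT value for _acme-challenge.<domain> (RFC 8555 §8.4).
func dns01Value(keyAuthz string) string {
	sum := sha256.Sum256([]byte(keyAuthz))
	return b64url(sum[:])
}

func ctEqual(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// validateHTTP01 judges the body fetched from http://<domain>/.well-known/acme-challenge/<token>;
// trailing whitespace is tolerated (RFC 8555 §8.3), nothing else is.
func validateHTTP01(token string, jwk map[string]string, body string) (bool, error) {
	want, err := keyAuthorization(token, jwk)
	if err != nil {
		return false, err
	}
	return ctEqual(strings.TrimRight(body, " \t\r\n"), want), nil
}

// validateDNS01 judges the TXT records looked up for _acme-challenge.<domain>.
// Any one record may match; all are compared so the loop has no early exit.
func validateDNS01(token string, jwk map[string]string, txt []string) (bool, error) {
	want, err := keyAuthorization(token, jwk)
	if err != nil {
		return false, err
	}
	expect, ok := dns01Value(want), false
	for _, r := range txt {
		ok = ctEqual(r, expect) || ok
	}
	return ok, nil
}

// sampleJWK is a constructed account key; the extra "alg" member must not change the result.
var sampleJWK = map[string]string{"kty": "EC", "crv": "P-256", "alg": "ES256",
	"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

func main() {
	token, _ := newToken()
	ka, _ := keyAuthorization(token, sampleJWK)
	ok, _ := validateHTTP01(token, sampleJWK, ka+"\n")
	fmt.Printf("http-01 body: %s\ndns-01 TXT:   %s\nhttp-01 valid: %v\n", ka, dns01Value(ka), ok)
}
```

The thumbprint is the part most often got wrong: it hashes the canonical JSON of the required JWK members only, so a stray "alg", "use" or "kid" in the stored account key silently produces a different key authorization and every challenge fails. The validator also refuses anything but trailing whitespace around the http-01 body and never short-circuits across TXT records.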

Finalize Order and Certificate Issuance

  • Endpoint: POST /api/v1/acme/finalize/{orderId}
  • Description: Once all challenges for an order have been validated, the ACME client asks the server to finalize the order and issue the certificate. The finalization request carries the CSR (base64url DER) inside the JWS-signed payload.
  • Inferred Specification: Processes the finalization request, checks that the CSR's names are exactly the identifiers validated for the order (RFC 8555 §7.4), signs a certificate for the CSR's public key using the internal CA, and makes the certificate available for the client to download.
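The finalization step, as an added Go example that is not the project's code: a throwaway in-memory CA stands in for the PKI's internal CA, clientCSR produces what a client puts in the finalize payload, and finalize performs the checks a server should make before signing (CSR self-signature, SAN set equal to the order's identifiers, no other identifier types, certificate key distinct from the account key) and then issues from the order rather than from the CSR's subject. The CA name, the example hostnames and all function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// internalCA stands in for the PKI's issuing CA: a throwaway self-signed P-256 CA in memory.
type internalCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newInternalCA() (*internalCA, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal ACME CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &internalCA{key, cert}, err
}

// clientCSR is what an ACME client puts in the finalize payload's "csr" member:
// base64url DER of a CSR over a fresh certificate key (RFC 8555 §7.4).
func clientCSR(names []string) (string, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: names}, key)
	return base64.RawURLEncoding.EncodeToString(der), key, err
}

// normalize lower-cases, strips a trailing dot and sorts, so name lists compare as sets.
func normalize(names []string) []string {
	out := append([]string(nil), names...)
	for i := range out {
		out[i] = strings.ToLower(strings.TrimSuffix(out[i], "."))
	}
	sort.Strings(out)
	return out
}

// finalize is the server side of POST /finalize/{orderId}. The CSR only carries
// the public key: it must verify, its SANs must be exactly the order's validated
// dns identifiers (nothing extra, no other identifier types) and its key must not
// be the account key. Everything else in the certificate comes from the order and CA policy.
func (ca *internalCA) finalize(orderNames []string, csrB64 string, accountKey *ecdsa.PublicKey) ([]byte, error) {
	der, err := base64.RawURLEncoding.DecodeString(csrB64)
	csr, perr := x509.ParseCertificateRequest(der)
	if err != nil || perr != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("csr is not base64url DER with a valid self-signature")
	}
	names := normalize(orderNames)
	if len(names) == 0 || fmt.Sprint(normalize(csr.DNSNames)) != fmt.Sprint(names) ||
		len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return nil, fmt.Errorf("csr SANs %v do not match order identifiers %v", csr.DNSNames, orderNames)
	}
	if accountKey.Equal(csr.PublicKey) {
		return nil, fmt.Errorf("certificate key must differ from the ACME account key")
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: names[0]}, DNSNames: names,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	// What the order's certificate URL then serves: the leaf first, then the issuer.
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.cert.Raw})...), nil
}

func main() {
	ca, _ := newInternalCA()
	order := []string{"svc.example.internal"}
	csr, _, _ := clientCSR(order)
	_, acct, _ := clientCSR(nil) // any unrelated key plays the ACME account key here
	chain, err := ca.finalize(order, csr, &acct.PublicKey)
	fmt.Printf("%s%v\n", chain, err)
}
```

The design choice worth copying is that the CSR is treated as a key container, not as a request: subject, names, validity and usages are taken from the validated order and CA policy, so a client cannot smuggle an extra SAN, an IP or e-mail identifier, or a CA flag past validation through the CSR.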

Revoke Certificate

  • Endpoint: POST /api/v1/acme/revoke-cert
  • Description: Allows ACME clients to request the revocation of an issued certificate.
  • Inferred Specification: Processes JWS-signed revocation requests and marks the specified certificate as revoked within the PKI system. ACME (RFC 8555 §7.6) only permits revocation by the account that obtained the certificate (or holds valid authorizations for all of its names) or by a request signed with the certificate's own private key, so the server has to establish one of these before revoking, and the revocation only reaches relying parties once the PKI publishes it through its CRL or OCSP responder.

Inferred Specifications

  • ACME Protocol Compliance: The system implements the ACME v2 protocol (RFC 8555), making it compatible with standard ACME clients like Certbot.
  • Private Network PKI: Designed to provide valid HTTPS certificates for internal services that might not be publicly accessible, by acting as a trusted ACME server within a private network. These certificates are only trusted by clients that have the internal CA's root installed, so distributing that root to browsers and hosts is part of the deployment.
  • JWS (JSON Web Signature) Support: Every POST request is JWS-signed with the account key; only the directory and nonce endpoints are unauthenticated. JWS provides authentication and integrity, with single-use nonces against replay and the protected header's url field binding each request to its endpoint; confidentiality comes from serving the ACME endpoints over TLS.
  • Challenge Handling: Supports standard ACME challenge types (e.g., http-01, dns-01) for domain validation.
  • Internal CA Integration: Certificates issued by this ACME server are signed by an internal Certificate Authority managed by the PKI system.
  • Automated Certificate Lifecycle: Enables full automation of certificate issuance and renewal for internal services. ACME has no separate renewal call: renewal is the client placing a new order on a schedule before expiry (Certbot's renew timer does this), so the server keeps no renewal state.
  • Audit Logging: All ACME server operations (account registration, order creation, challenge responses, certificate issuance, revocation) are logged for security and compliance (implied by LogsPkiEvents trait and overall system design).

Would you rather not manage it yourself?

Discover our PKI As A Service offering