
11.3. Configuring ACME Issuer

This section describes how to configure an issuer for PKI ACME Responder. The configuration for ACME Issuer is located at /etc/pki/pki-tomcat/acme/issuer.conf.
You can configure the issuer from the command line using the pki-server acme-issuer-mod command.
  • Invoking this command without any parameters launches an interactive mode, for example:
    $ pki-server acme-issuer-mod
    The current value is displayed in the square brackets.
    To keep the current value, simply press Enter.
    To change the current value, enter the new value.
    To remove the current value, enter a blank space.
    
    Enter the type of the certificate issuer. Available types: nss, pki.
    Issuer Type: pki
    
    Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
    Server URL [https://localhost.localdomain:8443]:
    
    Enter the certificate nickname for client authentication.
    This might be the CA agent certificate.
    Enter blank to use basic authentication.
    Client Certificate:
    
    Enter the username of the CA agent for basic authentication.
    Enter blank if a CA agent certificate is used for client authentication.
    Agent Username [caadmin]:
    
    Enter the CA agent password for basic authentication.
    Enter blank if the password is already stored in a separate property file
    or if a CA agent certificate is used for client authentication.
    Agent Password [********]:
    
    Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
    Certificate Profile [acmeServerCert]:
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

11.3.1. Configuring PKI Issuer

You can configure PKI ACME Responder to issue certificates using PKI Issuer. A sample configuration is available at /usr/share/pki/acme/issuer/pki/issuer.conf.
  • To configure a PKI issuer, copy this sample issuer.conf into the /etc/pki/pki-tomcat/acme directory or execute the following command to customize some of the parameters:
    $ pki-server acme-issuer-mod --type pki \
                -Dusername=caadmin \
                -Dpassword=Secret.123
    Customize the configuration as needed. The issuer.conf file should look like the following:
    class=org.example.acme.issuer.PKIIssuer
    url=https://localhost.localdomain:8443
    profile=acmeServerCert
    username=caadmin
    password=Secret.123
  • The url parameter specifies the PKI issuer location.
  • The profile parameter specifies the certificate profile to use.
  • To use client certificate authentication, specify the client certificate nickname in the nickname parameter.
  • To use basic authentication, specify the username in the username parameter as well as the password in the password parameter.
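
The following check is an added example, not part of the PKI tooling or the original documentation. It audits an issuer.conf for the parameters described above: the required settings, an https url, exactly one authentication method, and a clear-text password in a file readable by group or other. The function names and finding texts are assumptions, and the sample input is constructed from the configuration shown in this section.

```python
import stat
from urllib.parse import urlparse


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_issuer(props, mode=None):
    """Return findings for a PKI issuer config; mode is os.stat(path).st_mode."""
    findings = []
    for key in ("class", "url", "profile"):
        if not props.get(key):
            findings.append(f"missing required parameter: {key}")
    if props.get("url") and urlparse(props["url"]).scheme != "https":
        findings.append("url does not use https")
    has_cert = bool(props.get("nickname"))
    has_user = bool(props.get("username"))
    if has_cert and has_user:
        findings.append("ambiguous authentication: both nickname and username set")
    elif not has_cert and not has_user:
        findings.append("no authentication configured: set nickname or username")
    if props.get("password"):
        findings.append("agent password stored in clear text in issuer.conf")
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"file mode {stat.S_IMODE(mode):o} exposes the password to group/other")
    return findings


# Constructed sample matching the configuration shown in this section.
SAMPLE = """class=org.example.acme.issuer.PKIIssuer
url=https://localhost.localdomain:8443
profile=acmeServerCert
username=caadmin
password=Secret.123
"""

if __name__ == "__main__":
    for finding in audit_issuer(parse_conf(SAMPLE), 0o100644):
        print("FINDING:", finding)
```

A username without a password is not flagged, because the interactive prompt allows the password to be kept in a separate property file.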