Chapter 20. Deploying and managing the ACME service in IdM

Important

This feature is a technology preview.

Automated Certificate Management Environment (ACME) is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes in certificate lifecycle management.

Using RHEL Identity Management (IdM), the administrator can easily deploy and manage the ACME service topology-wide from a single system.

20.1. The ACME service in IdM

Important

This feature is a technology preview.

Note

IdM currently supports ACME only in RHEL 9.2 or newer with Random Certificate Serial Numbers (RSNv3) enabled.

ACME uses a challenge and response authentication mechanism to prove that a client has control of an identifier. In ACME, an identifier is a proof of ownership used to obtain a certificate by solving a challenge. In Identity Management (IdM), ACME currently supports the following challenges:

  • dns-01 where the client creates DNS records to prove it has control of the identifier
  • http-01 where the client provisions an HTTP resource to prove it has control of the identifier

In IdM, the ACME service uses the PKI ACME responder. The ACME subsystem is automatically deployed on every CA server in the IdM deployment, but it will not service requests until the administrator enables it. The servers are discovered using the name ipa-ca.DOMAIN. All IdM CA servers are registered with this DNS name so requests are load balanced via round-robin to them.

ACME is also deployed, but disabled, when the administrator upgrades a server using the ipa-server-upgrade command.

ACME runs as a separate service within Apache Tomcat. The ACME configuration files are stored in /etc/pki/pki-tomcat/acme and PKI logs ACME information to /var/log/pki/pki-tomcat/acme/.

IdM uses the acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is 90 days. For this reason, it is strongly recommended to set ACME to automatically remove expired certificates so that they do not accumulate in the CA, as this could negatively affect performance.

There are different ACME clients available. For use with RHEL, the chosen client must support either of the dns-01 and http-01 challenges. Currently, the following clients have been tested and are known to work with ACME in RHEL:

  • certbot with both the http-01 and dns-01 challenges
  • mod_md, which supports only the http-01 challenge

20.2. Enabling the ACME service in IdM

Important

This feature is a technology preview.

By default, the ACME service is deployed, but disabled. Enabling the ACME service enables it on all IdM CA servers across the entire IdM deployment. This is handled via replication.

In this example, you enable ACME and set it to automatically remove expired certificates on the first day of every month at midnight.

Prerequisites

  • Servers in the IdM deployment are running RHEL 9.2 or newer with Random Certificate Serial Numbers (RSNv3) enabled.
  • You have root privileges on the IdM server on which you are running the procedure.

Procedure

  1. Enable ACME across the whole IdM deployment:

    # ipa-acme-manage enable
    The ipa-acme-manage command was successful
  2. Set ACME to automatically remove expired certificates from the CA:

    # ipa-acme-manage pruning --enable --cron "0 0 1 * *"
    Note

    Expired certificates are removed after their retention period. By default, this is 30 days after expiry.

Verification steps

  • To check if the ACME service is installed and enabled, use the ipa-acme-manage status command:
# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful

20.3. Disabling the ACME service in IdM

Important

This feature is a technology preview.

Disabling the ACME service disables it across the entire IdM deployment. This is handled via replication.

Prerequisites

  • Servers in the IdM deployment are running RHEL 9.2 or newer with Random Certificate Serial Numbers (RSNv3) enabled.
  • You have root privileges on the IdM server on which you are running the procedure.

Procedure

  1. Disable ACME across the whole IdM deployment:

    # ipa-acme-manage disable
    The ipa-acme-manage command was successful
  2. (Optional) Disable automatic removal of expired certificates:

    ipa-acme-manage pruning --disable

Verification steps

  • To check if the ACME service is installed, but disabled, use the ipa-acme-manage status command:
# ipa-acme-manage status
ACME is disabled
The ipa-acme-manage command was successful