Chapter 18. Deploying and managing the ACME service in IdM
Automated Certificate Management Environment (ACME) is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes in certificate lifecycle management.
Using RHEL Identity Management (IdM), the administrator can easily deploy and manage the ACME service topology-wide from a single system.
18.1. The ACME service in IdM
ACME uses a challenge and response authentication mechanism to prove that a client has control of an identifier. In ACME, an identifier is a proof of ownership used to obtain a certificate by solving a challenge. In Identity Management (IdM), ACME currently supports the following challenges:
-
dns-01where the client creates DNS records to prove it has control of the identifier -
http-01where the client provisions an HTTP resource to prove it has control of the identifier
In IdM, the ACME service uses the the PKI ACME responder. The ACME subsystem is automatically deployed on every CA server in the IdM deployment, but it will not service requests until the administrator enables it. The servers are discovered using the name ipa-ca.DOMAIN. All IdM CA servers are registered with this DNS name so requests are load balanced via round-robin to them.
ACME is also deployed, but disabled, when the administrator upgrades a server using the ipa-server-upgrade command.
ACME runs as a separate service within Apache Tomcat. The ACME configuration files are stored in /etc/pki/pki-tomcat/acme and PKI logs ACME information to /var/log/pki/pki-tomcat/acme/.
IdM uses the acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is 90 days. For this reason, it is strongly recommended to set ACME to automatically remove expired certificates so that they do not accumulate in the CA, as this could negatively affect performance.
There are different ACME clients available. For use with RHEL, the chosen client must support either of the dns-01 and http-01 challenges. Currently, the following clients have been tested and are known to work with ACME in RHEL:
-
certbotwith both thehttp-01anddns-01challenges -
mod_md, which supports only thehttp-01challenge
18.2. Enabling the ACME service in IdM
By default, the ACME service is deployed, but disabled. Enabling the ACME service enables it on all IdM CA servers across the entire IdM deployment. This is handled via replication.
In this example, you enable ACME and set it to automatically remove expired certificates on the first day of every month at midnight.
Prerequisites
- Servers in the IdM deployment are running RHEL 9.2 or newer with Random Certificate Serial Numbers (RSNv3) enabled.
- You have root privileges on the IdM server on which you are running the procedure.
Procedure
Enable ACME across the whole IdM deployment:
# ipa-acme-manage enable The ipa-acme-manage command was successful
Set ACME to automatically remove expired certificates from the CA:
# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
NoteExpired certificates are removed after their retention period. By default, this is 30 days after expiry.
Verification steps
-
To check if the ACME service is installed and enabled, use the
ipa-acme-manage statuscommand:
# ipa-acme-manage status ACME is enabled The ipa-acme-manage command was successful
18.3. Disabling the ACME service in IdM
Disabling the ACME service disables it across the entire IdM deployment. This is handled via replication.
Prerequisites
- Servers in the IdM deployment are running RHEL 9.2 or newer with Random Certificate Serial Numbers (RSNv3) enabled.
- You have root privileges on the IdM server on which you are running the procedure.
Procedure
Disable ACME across the whole IdM deployment:
# ipa-acme-manage disable The ipa-acme-manage command was successful
(Optional) Disable automatic removal of expired certificates:
ipa-acme-manage pruning --disable
Verification steps
-
To check if the ACME service is installed, but disabled, use the
ipa-acme-manage statuscommand:
# ipa-acme-manage status ACME is disabled The ipa-acme-manage command was successful