The Automatic Certificate Management Environment (ACME) protocol allows automated interactions between certificate authorities and your servers. This means you can automate the deployment of your public key infrastructure at a low cost, with relatively little effort. ACME provides automated identifier validation and certificate issuance, and its goal is to improve security by providing certificates with a short lifespan (3 months by default, in line with the Let’s Encrypt specification), and by avoiding manual (and error-prone) processes from certificate lifecycle management.
The Let’s Encrypt public Certificate Authority (CA) is by far the most used ACME server. It's a free publicly-trusted CA, and supports a majority of client implementations (they recommend certbot). There are other CAs that implement ACME, including the Dogtag CA, provided by Red Hat Identity Management (IdM). This is a Technology Preview since RHEL 8.4 in IdM, but the upstream project FreeIPA has several articles on the topic. Because the current support level is Technology Preview, we recommend against relying on this feature in production environments. The objective of this article is to introduce the management of ACME with IdM and Red Hat Enterprise Linux (RHEL) clients with mod_md for Apache httpd (the only ACME client implementation completely supported by Red Hat). I also cover new aspects of this feature coming in mod_md in RHEL 9.5 and in the meantime on IdM CA.
ACME components
As a starting point, I have an IdM server in RHEL 9.4, and a client also in 9.4 joined with the default options:
As an introduction to the protocol, the ACME service provided by IdM CA uses a challenge and response authentication mechanism to prove that a client has control of an identifier. This challenge is a proof of ownership used to obtain a certificate. Specifically, I discuss the http-01
and the dns-01
challenge. The client implementation mod_md
implements the http-01, tls-alpn-01
and dns-01
challenge, and IdM understands http-01
and dns-01
, so these are the only options I have for the client to prove control of the identifier. This challenge requires the client to provision an HTTP resource. The identifier is authorized when sufficient challenges (usually one for a single identifier) have been validated. Then the client finalizes the order, causing the CA to issue a new key and certificate pair. Finally, the client configures the issued certificate to be used by the application automatically. In this article, I discuss mod_md
, the ACME client module for Apache httpd
.
In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. Additionally, enabling or disabling the ACME service affects the entire IdM deployment. Turning the ACME service on or off is a deployment-wide operation because the configuration is in the replicated LDAP database. The ipa-acme-manage
command controls the feature for the whole deployment.
Also, it is only possible to enable ACME on fresh installations of IdM (specifically in IdM RHEL greater than or equal to 9.2, with Random Serial Numbers v3 (RSNv3) enabled. This is documented in the prerequisites, and is due to the pruning mechanism for expired certificates in the Dogtag CA database. ACME runs as a separate service within Apache Tomcat. ACME configuration files are stored in /etc/pki/pki-tomcat/acme
, and PKI logs ACME information to /var/log/pki/pki-tomcat/acme/
.
Managing ACME in IdM
By default, the service is disabled. When you enable it, the service runs on any and all IdM CA server in your deployment. First, verify the status of the service:
[root@idm ~]# ipa-acme-manage status
ACME is disabled
The ipa-acme-manage command was successful
Enable it:
[root@idm ~]# ipa-acme-manage enable
The ipa-acme-manage command was successful
[root@idm ~]# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful
It's important to configure a timespan for removal of expired certificates. You can do this with a cron job (for example, on the first day of every month at midnight). The command to do that, and also a typical error, can be the following:
[root@idm ~]# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
Certificate pruning requires random serial numbers
The ipa-acme-manage command failed.
This means that you have not enabled the random serial numbers when installing your IdM on RHEL 9.2 or later. To perform the installation with RSNv3:
[root@idm ~]# ipa-server-install --random-serial-numbers --setup-dns
Or RHEL 9.2 and later, you can only enable the pruning if you installed the IdM with this option. If this is not enabled, the certificates accumulate on the server and the performance is degraded. The feature can still be used without automatic pruning and RSNv3, but be aware that if you issue a large number of certificates, you can manually prune expired certificates from the database to maintain performance.
Here's an example of a fresh installation of an IdM server without random serial numbers:
Instead, if you enable random serial numbers, this is the result:
And with the installation according to RSN, the pruning command works fine:
[root@idmserver ~]# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
Status: enabled
Certificate Retention Time: 30
Certificate Retention Unit: day
Certificate Search Size Limit: 1000
Certificate Search Time Limit: 0
Request Retention Time: day
Request Retention Unit: 30
Request Search Size Limit: 1000
Request Search Time Limit: 0
cron Schedule: 0 0 1 * *
The CA service must be restarted for changes to take effect
The ipa-acme-manage command was successful
The Certificate Retention Time: 30
property is the retention period before pruning an expired certificate. After enabling pruning, you must restart the CA service:
[root@idmserver ~]# systemctl restart pki-tomcatd@pki-tomcat.service
For illustrative purposes, I'm using sequential ascending serial numbers, so that the certificate serial number is easily identified, and I can easily track the lifecycle of certificates.
Managing certificates
Our IdM server is now set up and ready to issue certificates through the ACME protocol. In a future post, I will look at how to configure mod_md
in a client to automatically generate a key and acquire a certificate, how to alter the certificate profile in IdM to modify the expiration lifetime of a certificate issued with ACME, and how revoking a certificate automatically causes a reissue of a new certificate.
Because IdM is included in your standard RHEL subscription, you can try to replicate this content in your lab environment without any additional subscription to set up your own ACME environment. If you are not already a RHEL subscriber, get a no-cost trial from Red Hat.
저자 소개
Technical Account Manager Platform in EMEA. Proud RHCA Level XIII, CKA, CKAD, CKS. Multiple interests in Philosophy, Literature, Humanities, etc. Joined Red Hat at February 2022.
유사한 검색 결과
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.