The ACME protocol (Automatic Certificate Management Environment) automates the interactions between Certification Authorities and web server operators, allowing digital certificates to be generated and deployed simply and economically.
ACME is maintained by the IETF and promoted by the Internet Security Research Group, which offers a free Certification Authority service for the issuance of Domain Validation (DV) certificates.
This service, called Let’s Encrypt, is generally associated with the ACME protocol.
The ACME protocol provides several mechanisms for issuing a DV certificate. The one normally used is the HTTP challenge, in which:
- A private key is created and a CSR (certificate signing request) containing a valid domain name is generated.
- The CSR is sent to the Let’s Encrypt CA service.
- The CA asks for a file containing a key to be published on the domain specified in the CSR. This key must be reachable at a URL indicated by the service.
- Once the file is published, the CA service verifies the presence of the key.
- If the outcome is positive, the CA issues the certificate, which can then be deployed.
Figure 2 HTTP Challenge (source: https://letsencrypt.org/how-it-works)
LBL®Global Distributed Gateway, as an ADC that terminates SSL and performs SSL offload, is ideally positioned to apply the ACME protocol and the HTTP challenge.
Figure 3 HTTP Challenge with LBL ADC
To take advantage of this feature, a rewrite rule must be enabled.
The rule intercepts the CA’s verification requests and responds with the correct key for the domain being validated.
To use certificate generation through the ACME protocol, enable the LBLHttpAcmeChallengeCsr rewrite rule in the ADC module; this is the rule through which the domain to be validated is served.
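The following Python script is an added example, not code from the original page or from LBL; it models the HTTP challenge steps above and the job of a rewrite rule that answers the CA’s verification requests. The account key coordinates and the token are sample values, the request handler is an in-memory stand-in for the gateway, and `fetch` is a constructed stand-in for the CA’s HTTP client; none of these are LBL identifiers.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Dict, Optional, Tuple

# Path prefix used by every ACME HTTP-01 validation request (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens consist of base64url characters only; anything else is refused,
# which also keeps path tricks such as "../" out of the lookup.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample ACME account key in JWK form (public part of an EC P-256 key).
# The coordinates are sample values for the thumbprint arithmetic, not an operational key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> bytes:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """The 'key' the CA expects to find: token '.' base64url(thumbprint of the account key)."""
    return f"{token}.{b64url(jwk_thumbprint(jwk))}"


def make_challenge_responder(pending: Dict[str, str]) -> Callable[[str], Optional[Tuple[int, str]]]:
    """Model of the gateway rewrite rule (hypothetical, not LBL's implementation):
    answer validation requests for tokens the ACME client registered in `pending`,
    and return None for any other path so the request is passed to the backend."""
    def handle(path: str) -> Optional[Tuple[int, str]]:
        if not path.startswith(CHALLENGE_PREFIX):
            return None
        token = path[len(CHALLENGE_PREFIX):]
        if not TOKEN_RE.fullmatch(token) or token not in pending:
            return (404, "")
        return (200, pending[token])
    return handle


def ca_validate(fetch: Callable[[str], Tuple[int, str]], domain: str, token: str, jwk: Dict[str, str]) -> bool:
    """CA side of the check: fetch the token URL over plain HTTP and compare the body
    (trailing whitespace ignored) with the key authorization it computed itself."""
    status, body = fetch(f"http://{domain}{CHALLENGE_PREFIX}{token}")
    return status == 200 and body.rstrip() == key_authorization(token, jwk)


def run_demo(domain: str = "www.example.com",
             token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA") -> Dict[str, object]:
    """Wire the pieces together: the client registers the expected response with the
    gateway, the CA fetches it, and mismatches (wrong account key, unknown token) fail."""
    pending = {token: key_authorization(token, ACCOUNT_JWK)}
    responder = make_challenge_responder(pending)

    def fetch(url: str) -> Tuple[int, str]:
        # Constructed stand-in for the CA's HTTP client: hand the path to the gateway model.
        path = url.split(domain, 1)[1]
        answer = responder(path)
        return answer if answer is not None else (200, "<html>backend page</html>")

    # A different account key (constructed) yields a different key authorization.
    other_key = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
    return {
        "valid": ca_validate(fetch, domain, token, ACCOUNT_JWK),
        "wrong_account_key": ca_validate(fetch, domain, token, other_key),
        "unknown_token": ca_validate(fetch, domain, "notregistered", ACCOUNT_JWK),
        "passthrough": responder("/index.html"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the model is the division of labour: the gateway only needs to know token and key authorization for the domains it fronts, the backend servers never see the challenge traffic, and the CA accepts the answer only when it matches the thumbprint of the account key that requested the certificate.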
From the ADC Settings menu, select Rewrite management and then Rewrite Header Rules.
Figure 4 ADC Settings -> Rewrite management -> Rewrite Header Rules
Use the search field to find the rule LBLHttpAcmeChallengeCsr; entering “acme” as a filter is sufficient.
Figure 5 Searching for LBLHttpAcmeChallengeCsr, using “acme” as a filter.
Select the LBLHttpAcmeChallengeCsr rule from the form templates and copy it into the balancing form that serves the domain to be validated.
At this point the rule must be applied to the balancing module.
From the ADC Settings menu, select ADCs.
Figure 6 ADC Settings -> ADCs
Open the edit form (mask) of the ADC module.
Open the Default rewrite rules panel and add the rule LBLHttpAcmeChallengeCsr to the rewriteHeaderRules parameter.
Figure 7 Inserting the rule LBLHttpAcmeChallengeCsr into the default rewrite rules of an ADC
Save the changes and reinitialize the ADC module using the link at the top right.
Figure 8 Save and reset notification link
From the menu select Files and then Keystores.
Figure 9 Menu Files -> Keystores, showing the list of the keystores present
The view lists all keystores, the containers of digital certificates.
Select the correct keystore and press the edit button.
To edit the keystore you must enter its password.
Figure 10 Enter the password for the keystore.
To generate a new certificate, press the New button.
For domain validation it is sufficient to enter the domain name in the CN (common name) field.
In the Alias password field, enter the same password you typed for the keystore.
Figure 11 Creating a new certificate. CN and Alias password are mandatory
The new certificate is inserted in the keystore.
The issuer name is the same as the domain name entered: the certificate is not yet signed by the CA.
Figure 12 Subject and Issuer coincide in certificates not yet signed by the CA.
To generate and send the CSR, select the certificate you created and press CSR Generation.
Figure 13 Generating and sending the CSR to Let’s Encrypt for signing of the certificate
You must enter the alias password to send it.
Figure 14 Inserting alias password
The certificate is now signed.
Figure 15 CSR completed correctly.
Figure 16 The name of the issuer corresponds to the name of the CA
Save the keystore with the Save button to confirm the changes.