ACME SSL Certificate


The ACME protocol (Automatic Certificate Management Environment) automates the interaction between a Certification Authority and the operator of a web server, so that digital certificates can be issued and deployed simply and at low cost.

ACME is maintained by the IETF (RFC 8555) and promoted by the Internet Security Research Group (ISRG), which operates a free Certification Authority service for the issuance of Domain Validation (DV) certificates.

This service, called Let's Encrypt[1], is the one generally associated with the ACME protocol.

The ACME protocol provides several mechanisms (challenges) by which the CA verifies control of a domain before issuing a DV certificate. The mechanism normally used is the HTTP challenge (http-01), which works as follows:

  • A private key is generated and, from it, a CSR (certificate signing request) containing the domain name to validate.
  • The request for the domain is sent to the Let's Encrypt CA service.
  • The CA asks the client to publish, on the domain named in the CSR, a file containing a key (the key authorization, derived from a token chosen by the CA and from the client's ACME account key). The file must be reachable at the URL indicated by the CA, under the path /.well-known/acme-challenge/, over plain HTTP on port 80 from the Internet.
  • Once the file is published, the CA fetches that URL and verifies that the key is present and correct.
  • If the outcome is positive, the CA signs the CSR and returns the certificate, which can then be deployed.

Figure 1 HTTP Challenge: requesting challenges to validate example.com (source: https://letsencrypt.org/how-it-works)

Figure 2 HTTP Challenge: requesting authorization to act for example.com (source: https://letsencrypt.org/how-it-works)

LBL GDG and ACME

LBL® Global Distributed Gateway, as an ADC that terminates SSL (SSL offload), sits in the ideal position to apply the ACME protocol and the HTTP challenge.

Figure 3 HTTP Challenge with LBL ADC

To take advantage of this feature you must enable a rewrite rule.

The rule intercepts the CA's verification requests for /.well-known/acme-challenge/ and responds directly with the correct key for the domain being validated, so the request does not have to be served by the backend web servers.
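The following is an added example (not LBL code and not part of this page's original text) that models, offline, the HTTP challenge exchange described in the list above and the interception role that the rewrite rule plays here: the client computes the key authorization for a token, a responder answers GET /.well-known/acme-challenge/<token> with it, and the CA-side check fetches that path and compares the body with the value it computed itself. The account key and token are constructed sample values, and the class and function names (ChallengeResponder, ca_validate, key_authorization) are hypothetical.

```python
"""ACME http-01 challenge walk-through (added example, not LBL product code).

  * key_authorization(): what the client must publish (RFC 8555 section 8.1)
  * ChallengeResponder: the component in front of the web server that answers
    the CA (the role the rewrite rule plays on the ADC)
  * ca_validate(): what the CA does when it checks the challenge (8.3)
The account key and the token below are constructed sample values.
"""
import base64
import hashlib
import json
import re

WELL_KNOWN_PREFIX = "/.well-known/acme-challenge/"
# A token is base64url without padding; anything else (slash, dot, query
# string) must not reach the lookup.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace). Extra members such as
    'kid' do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the exact body the CA expects in the challenge file.
    It binds the token to the account key, so an attacker who sees the token
    cannot complete the challenge with a different account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeResponder:
    """Answers the CA for pending tokens only; every other request falls
    through (here: 404) so the site behind it is not shadowed."""

    def __init__(self):
        self.pending = {}  # token -> key authorization

    def publish(self, token: str, keyauth: str) -> None:
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("token is not base64url")
        self.pending[token] = keyauth

    def handle(self, method: str, path: str):
        """Returns (status, content_type, body) for one request."""
        if method != "GET" or not path.startswith(WELL_KNOWN_PREFIX):
            return 404, "text/plain", ""
        token = path[len(WELL_KNOWN_PREFIX):]
        # Reject traversal ('..'), nested paths and unknown tokens alike.
        if not TOKEN_RE.fullmatch(token) or token not in self.pending:
            return 404, "text/plain", ""
        return 200, "application/octet-stream", self.pending[token]


def ca_validate(responder: ChallengeResponder, token: str,
                account_jwk: dict) -> bool:
    """CA side: fetch the challenge URL (simulated here by calling the
    responder directly instead of over HTTP) and compare the body with the
    key authorization computed from the token and the account key that
    opened the order. Trailing whitespace in the body is ignored (8.3)."""
    status, _, body = responder.handle("GET", WELL_KNOWN_PREFIX + token)
    if status != 200:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# Constructed sample account key (not a real key) and sample token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    responder = ChallengeResponder()
    responder.publish(SAMPLE_TOKEN, key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("correct token:", ca_validate(responder, SAMPLE_TOKEN, SAMPLE_JWK))
    print("unknown token:", ca_validate(responder, "AAAA", SAMPLE_JWK))
```

Two points worth noting when configuring a real responder in front of the web servers: the CA contacts port 80 over plain HTTP (redirects to HTTPS are followed, but the path must be answered by something), and the answer must be produced only for tokens that are actually pending, otherwise the endpoint becomes a generic way to make the edge respond with attacker-chosen content.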

LBL CSR ACME Setup.

To use the generation of digital certificates through the ACME protocol, you must enable the rewrite rule LBLHttpAcmeChallengeCsr in the ADC module; it is through this rule that the challenge for the domain to validate is served.

Through the ADC menu Settings, select Rewrite management and then Rewrite Header Rules.

Figure 4 ADC Settings -> Rewrite management -> Rewrite Header Rules


Through the search field, search for the rule LBLHttpAcmeChallengeCsr.

It is sufficient to use "acme" as the filter.

Figure 5 Search for LBLHttpAcmeChallengeCsr, using acme as a filter.

Select the rule LBLHttpAcmeChallengeCsr from any template and copy it into the balancing module that serves the domain to validate.

At this point you must apply the rule to the balancing module.

Through the ADC menu Settings, select ADCs.

Figure 6 ADC Settings -> ADCs

Open the edit form of the ADC module.

Open the Default rewrite rules panel and add the rule LBLHttpAcmeChallengeCsr to the rewriteHeaderRules parameter.

Figure 7 Inserting the rule LBLHttpAcmeChallengeCsr in the default rewrite rules of an ADC

Save the changes and reinitialize the ADC module using the link at the top right.

Figure 8 Link signalling that a save and reinitialize is pending

SSL certificate generation

Through the Files menu, select Keystores.

Figure 9 Menu Files -> Keystores to obtain the list of the keystores present

The view lists all keystores, the containers of digital certificates.

Select the correct keystore and press the edit button.

To edit, you must enter the keystore password.

Figure 10 Entering the keystore password

To generate a new certificate, press the New button.

For domain validation it is sufficient to insert the domain name in the CN (common name) field. Note that the HTTP challenge cannot validate wildcard names (*.example.com); those require the DNS challenge, which this rule does not cover.

In the Alias password field, insert the same password you typed for the keystore.

Figure 11 Creating a new certificate. CN and Alias password are mandatory

The new certificate is inserted in the keystore.

At this stage the issuer name of the certificate is the same as the domain name entered: the certificate is self-signed and not yet signed by the CA.

Figure 12 Subject and Issuer coincide in certificates not yet signed by the CA

To generate and send the CSR, it is sufficient to select the certificate you created and press CSR Generation.

Figure 13 Generating and sending the CSR to Let's Encrypt for the signature of the certificate

You must enter the alias password to send it.

Figure 14 Entering the alias password

If the HTTP challenge succeeds, the certificate returned by the CA replaces the self-signed one in the keystore.

Figure 15 CSR completed successfully

Figure 16 The issuer name now corresponds to the name of the CA

Save the keystore through the save button to confirm the changes.