The ACME protocol (Automatic Certificate Management Environment) is a protocol that automates the interaction between Certification Authorities and web server operators, allowing digital certificates to be generated and deployed in a simple and economical manner.
ACME is maintained by the IETF and promoted by the Internet Security Research Group, which offers a free Certification Authority service for issuing Domain Validation (DV) certificates.
This service, called Let’s Encrypt, is generally associated with the ACME protocol.
The ACME protocol provides several mechanisms for issuing a DV certificate. The one usually used is called the HTTP challenge, in which:
- A private key is created and a CSR (certificate signing request) containing a valid domain name is generated from it.
- The CSR is sent to the Let’s Encrypt CA service.
- The CA asks for a file containing a key to be published on the domain specified in the CSR. This key must be reachable at a URL indicated by the service.
- Once it is published, the CA service verifies the existence of the key.
- If the outcome is positive, the CA issues the certificate, which can then be deployed.
Figure 2 HTTP Challenge, source: https://letsencrypt.org/how-it-works
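As an added example (not code from LBL or from Let’s Encrypt), the check the CA performs in the HTTP challenge above, in Python. It goes one step beyond the page: in ACME (RFC 8555, HTTP-01) the published "key" is the token the CA hands out joined to the RFC 7638 thumbprint of the ACME account key, and `make_challenge_responder` models the responder role that the rewrite rule plays on the ADC. The account key and token values are constructed.

```python
import base64
import hashlib
import json
import re

# Path prefix at which the CA expects the challenge response (RFC 8555 section 8.3).
ACME_PATH_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # tokens are base64url without padding


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required JWK members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The 'key' the CA asks to be published: token + '.' + thumbprint of the account key."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def make_challenge_responder(served: dict):
    """Models the rewrite rule on the ADC: answer challenge URLs from a token -> key
    authorization map and leave every other path alone (here: 404)."""
    def respond(path: str):
        if not path.startswith(ACME_PATH_PREFIX):
            return 404, ""
        token = path[len(ACME_PATH_PREFIX):]
        return (200, served[token]) if token in served else (404, "")
    return respond


def ca_verifies(respond, token: str, account_jwk: dict) -> bool:
    """CA-side check: fetch the challenge URL and compare the body (trailing
    whitespace ignored) with the key authorization expected for this token and account."""
    status, body = respond(ACME_PATH_PREFIX + token)
    return status == 200 and body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample values (not a real account key or CA-issued token).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "kid": "ignored"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    responder = make_challenge_responder({TOKEN: key_authorization(TOKEN, ACCOUNT_JWK)})
    print("challenge valid:", ca_verifies(responder, TOKEN, ACCOUNT_JWK))
```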
LBL® Global Distributed Gateway, as an ADC that terminates SSL (SSL offload), is in an ideal position to apply the ACME protocol and the HTTP challenge.
Figure 3 HTTP Challenge with LBL ADC
To take advantage of this feature, you must enable a rewrite rule.
The rule intercepts the CA's verification requests and responds with the correct key for the domain being validated.
To use certificate generation through the ACME protocol, you must enable the rewrite rule LBLHttpAcmeChallengeCsr in the ADC module through which the domain to be validated is served.
From the ADC Settings menu, select Rewrite management and then Rewrite Header Rules.
Figure 4 ADC Settings -> Rewrite management -> Rewrite Header Rules
In the search field, search for the rule LBLHttpAcmeChallengeCsr.
It is sufficient to use “acme” as the filter.
Figure 5 Searching for LBLHttpAcmeChallengeCsr, using acme as a filter.
Select the rule LBLHttpAcmeChallengeCsr in the template form and copy it into the form of the balancer that serves the domain to be validated.
At this point, apply the rule to the balancing module.
From the ADC Settings menu, select ADCs.
Open the editing mask of the ADC module.
Open the Default rewrite rules panel and add the rule LBLHttpAcmeChallengeCsr to the rewriteHeaderRules parameter.
Figure 7 Inserting the rule LBLHttpAcmeChallengeCsr in the default rewrite rules of an ADC
Save the changes and reinitialize the ADC module using the link at the top right.
Figure 8 Link signalling that a save and reinitialization are pending
From the menu, select Files and then Keystores.
Figure 9 Menu Files -> Keystores to obtain the list of the keystores present
The view lists all the keystores, the containers of digital certificates.
Select the correct keystore and press the edit button.
To edit it you must enter the keystore password.
Figure 10 Enter the keystore password.
To generate a new certificate, press the New button.
For domain validation it is sufficient to enter the domain name in the CN (common name) field.
In the alias password field, enter the same password you typed for the keystore.
Figure 11 Creating a new certificate. CN and alias password are mandatory
The new certificate is inserted in the keystore.
The issuer name of the certificate is the same as the domain name entered: the certificate is not yet signed by the CA.
Figure 12 Subject and Issuer coincide in certificates not yet signed by the CA.
To generate and send the CSR, it is sufficient to select the certificate you created and press CSR Generation.
Figure 13 Generating and sending the CSR to Let’s Encrypt for signing of the certificate
You must enter the alias password to send it.
Figure 14 Entering the alias password
Figure 15 CSR completed correctly.
Figure 16 The issuer name now corresponds to the name of the CA
Save the keystore with the Save button to confirm the changes.