diff --git a/.github/workflows/ca-container-system-service-test.yml b/.github/workflows/ca-container-system-service-test.yml index cc895d8ed05..0d562a6d8e1 100644 --- a/.github/workflows/ca-container-system-service-test.yml +++ b/.github/workflows/ca-container-system-service-test.yml @@ -79,6 +79,7 @@ jobs: - name: Create shared folders in PKI user's home directory run: | # create folders with default owner and permissions + docker exec pki ls -lR /home docker exec -u pkiuser pki mkdir /home/pkiuser/certs docker exec -u pkiuser pki mkdir /home/pkiuser/conf docker exec -u pkiuser pki mkdir /home/pkiuser/logs diff --git a/.github/workflows/ca-container-user-service-test.yml b/.github/workflows/ca-container-user-service-test.yml index fa5d0e80fe7..42707d2322e 100644 --- a/.github/workflows/ca-container-user-service-test.yml +++ b/.github/workflows/ca-container-user-service-test.yml @@ -81,6 +81,7 @@ jobs: # use fuse-overlayfs # https://github.com/containers/podman/issues/8705#issuecomment-744357805 + docker exec pki ls -lR /home docker exec -u pkiuser pki mkdir -p /home/pkiuser/.config/containers docker exec -i -u pkiuser pki tee /home/pkiuser/.config/containers/storage.conf << EOF [storage] diff --git a/Dockerfile b/Dockerfile index 88da0a058ed..01e1a16e7f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -100,6 +100,9 @@ RUN dnf install -y /tmp/RPMS/* \ && rm -rf /var/cache/dnf \ && rm -rf /tmp/RPMS +# Update home directory owner +RUN chown -R pkiuser.pkiuser /home/pkiuser + ################################################################################ FROM pki-runner AS pki-server diff --git a/docs/admin/acme/Configuring-ACME-Database.adoc b/docs/admin/acme/Configuring-ACME-Database.adoc new file mode 100644 index 00000000000..f5051bfbba4 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-Database.adoc 
@@ -0,0 +1,65 @@ += Configuring ACME Database = + +== Overview == + +This document describes the process to configure a database for ACME responder. +The database configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/database.conf`. + +The `pki-server acme-database-mod` can be used to configure the database via command-line. +If the command is invoked without any parameters, it will enter an interactive mode, for example: + +``` +$ pki-server acme-database-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql. + Database Type: ds + +Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). + Server URL [ldap://localhost.localdomain:389]: + +Enter the authentication type. Available types: BasicAuth, SslClientAuth. + Authentication Type [BasicAuth]: + +Enter the bind DN. + Bind DN [cn=Directory Manager]: + +Enter the bind password. + Bind Password [********]: + +Enter the base DN for the ACME subtree. + Base DN [dc=acme,dc=pki,dc=example,dc=com]: +``` + +If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. +If the command is invoked with other parameters, it will update the specified parameters. + +Some ACME configuration properties are stored in the database such that +all ACME responders in the cluster can be configured consistently. +By default the ACME responder will access the database directly +when retrieving or updating the ACME configuration properties, +which may increase the load on the database. +Some databases might provide an ACME configuration monitor to reduce the load on the database. + +== Configuring ACME with In-Memory Database == + +The ACME responder can be configured with an in-memory database. 
+See link:Configuring-ACME-with-InMemory-Database.adoc[Configuring ACME with In-Memory Database]. + +== Configuring ACME with DS Database == + +The ACME responder can be configured with a DS database. +See link:Configuring-ACME-with-DS-Database.adoc[Configuring ACME with DS Database]. + +== Configuring ACME with OpenLDAP Database == + +The ACME responder can be configured with an OpenLDAP database. +See link:Configuring-ACME-with-OpenLDAP-Database.adoc[Configuring ACME with OpenLDAP Database]. + +== Configuring ACME with PostgreSQL Database == + +The ACME responder can be configured with a PostgreSQL database. +See link:Configuring-ACME-with-PostgreSQL-Database.adoc[Configuring ACME with PostgreSQL Database]. diff --git a/docs/admin/acme/Configuring-ACME-Issuer.adoc b/docs/admin/acme/Configuring-ACME-Issuer.adoc new file mode 100644 index 00000000000..1be5ba66659 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-Issuer.adoc 
@@ -0,0 +1,53 @@ += Configuring ACME Issuer = + +== Overview == + +This document describes the process to configure an issuer for ACME responder. +The issuer configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/issuer.conf`. + +The `pki-server acme-issuer-mod` can be used to configure the issuer via command-line. +If the command is invoked without any parameters, it will enter an interactive mode, for example: + +``` +$ pki-server acme-issuer-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the certificate issuer. Available types: nss, pki. + Issuer Type: pki + +Enter the location of the PKI server (e.g. https://localhost.localdomain:8443). + Server URL [https://localhost.localdomain:8443]: + +Enter the certificate nickname for client authentication. +This might be the CA agent certificate. +Enter blank to use basic authentication. + Client Certificate: + +Enter the username of the CA agent for basic authentication. +Enter blank if a CA agent certificate is used for client authentication. + Agent Username [caadmin]: + +Enter the CA agent password for basic authentication. +Enter blank if the password is already stored in a separate property file +or if a CA agent certificate is used for client authentication. + Agent Password [********]: + +Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert). + Certificate Profile [acmeServerCert]: +``` + +If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. +If the command is invoked with other parameters, it will update the specified parameters. + +== Configuring PKI Issuer == + +The ACME responder can be configured to issue certificates using a PKI issuer. +See link:Configuring-ACME-with-PKI-Issuer.adoc[Configuring ACME with PKI Issuer]. 
+ +== Configuring NSS Issuer == + +The ACME responder can be configured to issue certificates using a local NSS database. +See link:Configuring-ACME-with-NSS-Issuer.adoc[Configuring ACME with NSS Issuer]. diff --git a/docs/admin/acme/Configuring-ACME-Metadata.adoc b/docs/admin/acme/Configuring-ACME-Metadata.adoc new file mode 100644 index 00000000000..bd301740f8e --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-Metadata.adoc @@ -0,0 +1,33 @@ += Configuring ACME Metadata = + +== Overview == + +This document describes the process to configure ACME metadata. + +The metadata configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/metadata.conf`. +If the file does not exist, the server will use the default metadata configuration at +link:../../../base/acme/conf/metadata.conf[/usr/share/pki/acme/conf/metadata.conf]. + +== Configuring ACME Metadata == + +The `pki-server acme-metadata-mod` can be used to configure the metadata interactively. + +---- +$ pki-server acme-metadata-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the location of the terms of service. + Terms of Service [https://www.example.com/acme/tos.pdf]: + +Enter the location of the website. + Website [https://www.example.com]: + +Enter the CAA identities. + CAA Identities [example.com]: + +Enter true/false whether an external account is required. + External Account Required [false]: +---- diff --git a/docs/admin/acme/Configuring-ACME-Realm.adoc b/docs/admin/acme/Configuring-ACME-Realm.adoc new file mode 100644 index 00000000000..3f5785c0801 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-Realm.adoc 
@@ -0,0 +1,56 @@ += Configuring ACME Realm = + +== Overview == + +This document describes the process to configure a realm for ACME responder. +The realm configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/realm.conf`. + +The `pki-server acme-realm-mod` can be used to configure the realm via command-line. +If the command is invoked without any parameters, it will enter an interactive mode, for example: + +``` +$ pki-server acme-realm-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the realm. Available types: ds. + Database Type: ds + +Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). + Server URL [ldap://localhost.localdomain:389]: + +Enter the authentication type. Available types: BasicAuth, SslClientAuth. + Authentication Type [BasicAuth]: + +Enter the bind DN. + Bind DN [cn=Directory Manager]: + +Enter the bind password. + Bind Password [********]: + +Enter the base DN for the ACME users subtree. + Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]: + +Enter the base DN for the ACME groups subtree. + Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]: +``` + +If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. +If the command is invoked with other parameters, it will update the specified parameters. + +== Configuring ACME with In-Memory Realm == + +The ACME responder can be configured with an in-memory realm. +See link:Configuring-ACME-with-InMemory-Realm.adoc[Configuring ACME with In-Memory Realm]. + +== Configuring ACME with DS Realm == + +The ACME responder can be configured with a DS realm. +See link:Configuring-ACME-with-DS-Realm.adoc[Configuring ACME with DS Realm]. 
+ +== Configuring ACME with PostgreSQL Realm == + +The ACME responder can be configured with a PostgreSQL realm. +See link:Configuring-ACME-with-PostgreSQL-Realm.adoc[Configuring ACME with PostgreSQL Realm]. diff --git a/docs/admin/acme/Configuring-ACME-Responder.adoc b/docs/admin/acme/Configuring-ACME-Responder.adoc new file mode 100644 index 00000000000..8009a8214b0 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-Responder.adoc @@ -0,0 +1,6 @@ += Configuring ACME Responder = + +* link:Configuring-ACME-Metadata.adoc[Configuring ACME Metadata] +* link:Configuring-ACME-Database.adoc[Configuring ACME Database] +* link:Configuring-ACME-Issuer.adoc[Configuring ACME Issuer] +* link:Configuring-ACME-Realm.adoc[Configuring ACME Realm] diff --git a/docs/admin/acme/Configuring-ACME-with-DS-Database.adoc b/docs/admin/acme/Configuring-ACME-with-DS-Database.adoc new file mode 100644 index 00000000000..f676ee7cdd4 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-DS-Database.adoc 
@@ -0,0 +1,91 @@ +# Configuring ACME with DS Database + +## Overview + +This document describes the process to configure ACME responder to use a DS database. +It assumes that the DS database has been installed as described in +link:../others/Creating_DS_instance.adoc[Creating DS instance]. + +## Initializing DS Database + +First, add the ACME DS schema by importing +link:../../../base/acme/database/ds/schema.ldif[/usr/share/pki/acme/database/ds/schema.ldif] with the following command: + +---- +$ ldapmodify -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/schema.ldif +---- + +Next, create the ACME DS indexes by importing +link:../../../base/acme/database/ds/index.ldif[/usr/share/pki/acme/database/ds/index.ldif] with the following command: + +---- +$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/index.ldif +---- + +**Note:** By default the `index.ldif` will use `userroot` as the DS backend. 
+ +If necessary, the database can be reindexed by importing +link:../../../base/acme/database/ds/indextask.ldif[/usr/share/pki/acme/database/ds/indextask.ldif] with the following command: + +---- +$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/indextask.ldif +---- + +The progress of the reindex task can be monitored with the following command: + +---- +$ ldapsearch -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -b "cn=acme,cn=index,cn=tasks,cn=config" +---- + +Once the indexes are ready, create the ACME subtree by importing +link:../../../base/acme/database/ds/create.ldif[/usr/share/pki/acme/database/ds/create.ldif] with the following command: + +---- +$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/create.ldif +---- + +**Note:** By default the `create.ldif` will create the subtree under `dc=pki,dc=example,dc=com` which is mapped to `userroot` DS backend. + +## Configuring ACME Database + +A sample database configuration is available at +link:../../../base/acme/database/ds/database.conf[/usr/share/pki/acme/database/ds/database.conf]. + +To use the DS database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-database-mod --type ds \ + -DbindPassword=Secret.123 +---- + +Customize the database configuration as needed. 
In a standalone ACME deployment, the `database.conf` should look like the following: + +---- +class=org.dogtagpki.acme.database.DSDatabase +url=ldap://:389 +authType=BasicAuth +bindDN=cn=Directory Manager +bindPassword=Secret.123 +baseDN=dc=acme,dc=pki,dc=example,dc=com +---- + +In a shared CA and ACME deployment, the `database.conf` should look like the following: + +---- +class=org.dogtagpki.acme.database.DSDatabase +configFile=conf/ca/CS.cfg +baseDN=dc=acme,dc=pki,dc=example,dc=com +---- + +The DS database provides an ACME configuration monitor using search persistence. +It can be enabled with the following parameter: + +---- +monitor.enabled=true +---- diff --git a/docs/admin/acme/Configuring-ACME-with-DS-Realm.adoc b/docs/admin/acme/Configuring-ACME-with-DS-Realm.adoc new file mode 100644 index 00000000000..746cce3f921 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-DS-Realm.adoc 
@@ -0,0 +1,55 @@ +# Configuring ACME with DS Realm + +## Overview + +This document describes the process to configure ACME responder to use a DS database for authentication realm. +It assumes that the DS database has been installed as described in +link:../others/Creating_DS_instance.adoc[Creating DS instance]. + +## Initializing DS Realm + +Prepare subtrees for ACME users and groups in DS. +A sample LDIF file is available at link:../../../base/acme/realm/ds/create.ldif[/usr/share/pki/acme/realm/ds/create.ldif]. +This example uses `dc=acme,dc=pki,dc=example,dc=com` as the base DN. +Import the file with the following command: + +---- +$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ + -f /usr/share/pki/acme/realm/ds/create.ldif +---- + +A sample realm configuration is available at +link:../../../base/acme/realm/ds/realm.conf[/usr/share/pki/acme/realm/ds/realm.conf]. + +To use the DS realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-realm-mod --type ds \ + -DbindPassword=Secret.123 +---- + +Customize the realm configuration as needed. In a standalone ACME deployment, the `realm.conf` should look like the following: + +---- +class=org.dogtagpki.acme.realm.DSRealm +url=ldap://:389 +authType=BasicAuth +bindDN=cn=Directory Manager +bindPassword=Secret.123 +usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com +groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com +---- + +In a shared CA and ACME deployment, the `realm.conf` should look like the following: + +---- +class=org.dogtagpki.acme.realm.DSRealm +configFile=conf/ca/CS.cfg +usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com +groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com +---- + +## See Also + +* link:../../admin/acme/Managing_DS_Realm.adoc[Managing DS Realm] 
diff --git a/docs/admin/acme/Configuring-ACME-with-InMemory-Database.adoc b/docs/admin/acme/Configuring-ACME-with-InMemory-Database.adoc new file mode 100644 index 00000000000..e1c3c028866 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-InMemory-Database.adoc @@ -0,0 +1,25 @@ +# Configuring ACME with In-Memory Database + +## Overview + +This document describes the process to configure ACME responder to use an in-memory database. + +## Configuring ACME Database + +A sample in-memory database configuration is available at +link:../../../base/acme/database/in-memory/database.conf[/usr/share/pki/acme/database/in-memory/database.conf]. + +To use an in-memory database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command: + +---- +$ pki-server acme-database-mod --type in-memory +---- + +The `database.conf` should look like the following: + +``` +class=org.dogtagpki.acme.database.InMemoryDatabase +``` + +There are no parameters to configure for in-memory database. diff --git a/docs/admin/acme/Configuring-ACME-with-InMemory-Realm.adoc b/docs/admin/acme/Configuring-ACME-with-InMemory-Realm.adoc new file mode 100644 index 00000000000..bd533fe14b1 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-InMemory-Realm.adoc 
@@ -0,0 +1,25 @@ +# Configuring ACME with In-Memory Realm + +## Overview + +This document describes the process to configure ACME responder to use an in-memory realm. + +## Configuring ACME Realm + +A sample in-memory realm configuration is available at +link:../../../base/acme/realm/in-memory/realm.conf[/usr/share/pki/acme/realm/in-memory/realm.conf]. + +To use an in-memory realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command: + +---- +$ pki-server acme-realm-mod --type in-memory +---- + +The `realm.conf` should look like the following: + +``` +class=org.dogtagpki.acme.realm.InMemoryRealm +username=admin +password=Secret.123 +``` diff --git a/docs/admin/acme/Configuring-ACME-with-NSS-Issuer.adoc b/docs/admin/acme/Configuring-ACME-with-NSS-Issuer.adoc new file mode 100644 index 00000000000..223b43534bd --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-NSS-Issuer.adoc 
@@ -0,0 +1,39 @@ +# Configuring ACME with NSS Issuer + +## Overview + +This document describes the process to configure ACME responder +to issue certificates using a local NSS database. + +## Configuring ACME Issuer + +A sample NSS issuer configuration is available at +link:../../../base/acme/issuer/nss/issuer.conf[/usr/share/pki/acme/issuer/nss/issuer.conf]. + +To configure an NSS issuer, copy the sample `issuer.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-issuer-mod --type nss \ + -Dnickname=ca_signing +---- + +Customize the configuration as needed. The `issuer.conf` should look like the following: + +---- +class=org.dogtagpki.acme.issuer.NSSIssuer +nickname=ca_signing +---- + +The *nickname* parameter can be used to specify the nickname of the CA signing certificate. +The default value is *ca_signing*. + +The *extensions* parameter can be used to configure the certificate extensions for the issued certificates. +The default value is `/usr/share/pki/acme/issuer/nss/sslserver.conf`. +Sample extension configuration files are available at: + +* link:../../../base/acme/issuer/nss/sslserver.conf[/usr/share/pki/acme/issuer/nss/sslserver.conf] +* link:../../../base/acme/issuer/nss/ca_signing.conf[/usr/share/pki/acme/issuer/nss/ca_signing.conf] + +Customize the configuration as needed. +The format is based on link:https://www.openssl.org/docs/manmaster/man5/x509v3_config.html[OpenSSL x509v3_config]. diff --git a/docs/admin/acme/Configuring-ACME-with-OpenLDAP-Database.adoc b/docs/admin/acme/Configuring-ACME-with-OpenLDAP-Database.adoc new file mode 100644 index 00000000000..6adc7b174f6 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-OpenLDAP-Database.adoc 
@@ -0,0 +1,50 @@ +# Configuring ACME with OpenLDAP Database + +## Overview + +This document describes the process to configure ACME responder to use an OpenLDAP database. + +## Initializing OpenLDAP Database + +First, add the ACME OpenLDAP schema by importing +link:../../../base/acme/database/openldap/schema.ldif[/usr/share/pki/acme/database/openldap/schema.ldif] with the following command: + +---- +$ ldapadd -H ldapi:/// -Y EXTERNAL \ + -f /usr/share/pki/acme/database/openldap/schema.ldif +---- + +Next, prepare an LDIF file to create the ACME subtree. +A sample LDIF file is available at +link:../../../base/acme/database/openldap/create.ldif[/usr/share/pki/acme/database/openldap/create.ldif]. +This example uses `dc=acme,dc=pki,dc=example,dc=com` as the base DN. +Import the file with the following command: + +---- +$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Manager,dc=example,dc=com" -w Secret.123 \ + -f /usr/share/pki/acme/database/openldap/create.ldif +---- + +## Configuring ACME Database + +A sample database configuration is available at +link:../../../base/acme/database/openldap/database.conf[/usr/share/pki/acme/database/openldap/database.conf]. + +To use the OpenLDAP database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-database-mod --type openldap \ + -DbindPassword=Secret.123 +---- + +Customize the configuration as needed. The `database.conf` should look like the following: + +---- +class=org.dogtagpki.acme.database.OpenLDAPDatabase +url=ldap://:389 +authType=BasicAuth +bindDN=cn=Manager,dc=example,dc=com +bindPassword=Secret.123 +baseDN=dc=acme,dc=pki,dc=example,dc=com +---- diff --git a/docs/admin/acme/Configuring-ACME-with-PKI-Issuer.adoc b/docs/admin/acme/Configuring-ACME-with-PKI-Issuer.adoc new file mode 100644 index 00000000000..a2a488e2190 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-PKI-Issuer.adoc 
@@ -0,0 +1,56 @@ +# Configuring ACME with PKI Issuer + +## Overview + +This document describes the process to configure ACME responder +to issue certificates using a PKI issuer (i.e. CA). +It assumes that the CA has been installed as described in +link:../ca/Installing_CA.md[Installing CA]. + +## Configuring ACME Issuer + +A sample PKI issuer configuration is available at +link:../../../base/acme/issuer/pki/issuer.conf[/usr/share/pki/acme/issuer/pki/issuer.conf]. + +To configure a PKI issuer, copy the sample `issuer.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-issuer-mod --type pki \ + -Dusername=caadmin \ + -Dpassword=Secret.123 +---- + +Customize the configuration as needed. The `issuer.conf` should look like the following: + +---- +class=org.dogtagpki.acme.issuer.PKIIssuer +url=https://:8443 +profile=acmeServerCert +username=caadmin +password=Secret.123 +---- + +The *url* parameter is used to specify the PKI issuer location. + +The *profile* parameter is used to specify the certificate profile to use. + +To use client certificate authentication, specify the client certificate nickname in the *nickname* parameter. + +To use basic authentication, specify the username in the *username* parameter +and the password in the *password* parameter. + +## Configuring CA authority + +PKI issuer can direct ACME enrollment requests to the specific CA authority. +The authority can be specified either by using its ID or LDAP DN as part of the +`issuer.conf` with `authority-id` or `authority-dn` parameters. These +parameters can also be added with the following command: + +---- +$ pki-server acme-issuer-mod --type pki \ + -Dauthority-id=some-ID +---- + +By default PKI issuer does not pass any authority ID or LDAP DN, meaning the +request would be handled by the main CA. 
diff --git a/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Database.adoc b/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Database.adoc new file mode 100644 index 00000000000..36c3cc61199 --- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Database.adoc @@ -0,0 +1,51 @@ +# Configuring ACME with PostgreSQL Database + +## Overview + +This document describes the process to configure ACME responder to use a PostgreSQL database. + +## Initializing PostgreSQL Database + +First, prepare a database (e.g. `acme`) and a user (e.g. `acme`) to access the database. +Verify the database connection with the following command: + +---- +$ psql -h $HOSTNAME -d acme -U acme +---- + +Next, install PostgreSQL JDBC driver in `/usr/share/pki/server/common/lib`, for example: + +---- +$ dnf install postgresql-jdbc +$ ln -s /usr/share/java/postgresql-jdbc/postgresql.jar /usr/share/pki/server/common/lib +---- + +## Configuring ACME Database + +A sample PostgreSQL database configuration is available at +link:../../../base/acme/database/postgresql/database.conf[/usr/share/pki/acme/database/postgresql/database.conf]. + +To use the PostgreSQL database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-database-mod --type postgresql \ + -Dpassword=Secret.123 +---- + +The `database.conf` should look like the following: + +---- +class=org.dogtagpki.acme.database.PostgreSQLDatabase +url=jdbc:postgresql://:5432/acme +user=acme +password=Secret.123 +---- + +The PostgreSQL database provides a mechanism to monitor ACME configuration periodically. +It can be enabled with the following parameters: + +---- +monitor.enabled=true +monitor.interval=5 # minutes +---- diff --git a/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc b/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc new file mode 100644 index 00000000000..36374488403 
--- /dev/null +++ b/docs/admin/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc @@ -0,0 +1,47 @@ +# Configuring ACME with PostgreSQL Realm + +## Overview + +This document describes the process to configure ACME responder to use a PostgreSQL realm. + +## Initializing PostgreSQL Realm + +First, prepare a database (e.g. `acme`) and a user (e.g. `acme`) to access the database. +Verify the database connection with the following command: + +---- +$ psql -h $HOSTNAME -d acme -U acme +---- + +Next, install PostgreSQL JDBC driver in `/usr/share/pki/server/common/lib`, for example: + +---- +$ dnf install postgresql-jdbc +$ ln -s /usr/share/java/postgresql-jdbc/postgresql.jar /usr/share/pki/server/common/lib +---- + +## Configuring ACME Realm + +A sample PostgreSQL realm configuration is available at +link:../../../base/acme/realm/postgresql/realm.conf[/usr/share/pki/acme/realm/postgresql/realm.conf]. + +To use the PostgreSQL realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, +or execute the following command to customize some of the parameters: + +---- +$ pki-server acme-realm-mod --type postgresql \ + -Dpassword=Secret.123 +---- + +The `realm.conf` should look like the following: + +---- +class=org.dogtagpki.acme.realm.PostgreSQLRealm +url=jdbc:postgresql://:5432/acme +user=acme +password=Secret.123 +---- + +## See Also + +* link:../../admin/acme/Managing_PostgreSQL_Realm.adoc[Managing PostgreSQL Realm] diff --git a/docs/installation/acme/Configuring-ACME-Metadata.adoc b/docs/installation/acme/Configuring-ACME-Metadata.adoc index 2341b42c074..9cf05650e39 100644 --- a/docs/installation/acme/Configuring-ACME-Metadata.adoc +++ b/docs/installation/acme/Configuring-ACME-Metadata.adoc 
@@ -1,37 +1 @@ -# Configuring ACME Metadata - -## Overview - -This document describes the process to configure ACME metadata. - -The metadata configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/metadata.conf`. -If the file does not exist, the server will use the default metadata configuration at -link:../../../base/acme/conf/metadata.conf[/usr/share/pki/acme/conf/metadata.conf]. - -## Configuring ACME Metadata - -The `pki-server acme-metadata-mod` can be used to configure the metadata interactively. - ----- -$ pki-server acme-metadata-mod -The current value is displayed in the square brackets. -To keep the current value, simply press Enter. -To change the current value, enter the new value. -To remove the current value, enter a blank space. - -Enter the location of the terms of service. - Terms of Service [https://www.example.com/acme/tos.pdf]: - -Enter the location of the website. - Website [https://www.example.com]: - -Enter the CAA identities. - CAA Identities [example.com]: - -Enter true/false whether an external account is required. - External Account Required [false]: ----- - -## See Also - -* link:Installing_PKI_ACME_Responder.md[Installing PKI ACME Responder] +This page has been moved to link:../../admin/acme/Configuring-ACME-Metadata.adoc[Configuring-ACME-Metadata.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-DS-Database.adoc b/docs/installation/acme/Configuring-ACME-with-DS-Database.adoc index 50fde7a63be..cb0dd3ad102 100644 --- a/docs/installation/acme/Configuring-ACME-with-DS-Database.adoc +++ b/docs/installation/acme/Configuring-ACME-with-DS-Database.adoc 
@@ -1,95 +1 @@ -# Configuring ACME with DS Database - -## Overview - -This document describes the process to configure ACME responder to use a DS database. -It assumes that the DS database has been installed as described in -link:../others/Creating_DS_instance.adoc[Creating a directory server instance and adding base entries] - -## Initializing DS Database - -First, add the ACME DS schema by importing -link:../../../base/acme/database/ds/schema.ldif[/usr/share/pki/acme/database/ds/schema.ldif] with the following command: - ----- -$ ldapmodify -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -f /usr/share/pki/acme/database/ds/schema.ldif ----- - -Next, create the ACME DS indexes by importing -link:../../../base/acme/database/ds/index.ldif[/usr/share/pki/acme/database/ds/index.ldif] with the following command: - ----- -$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -f /usr/share/pki/acme/database/ds/index.ldif ----- - -**Note:** By default the `index.ldif` will use `userroot` as the DS backend. 
- -If necessary, the database can be reindexed by importing -link:../../../base/acme/database/ds/indextask.ldif[/usr/share/pki/acme/database/ds/indextask.ldif] with the following command: - ----- -$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -f /usr/share/pki/acme/database/ds/indextask.ldif ----- - -The progress of the reindex task can be monitored with the following command: - ----- -$ ldapsearch -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -b "cn=acme,cn=index,cn=tasks,cn=config" ----- - -Once the indexes are ready, create the ACME subtree by importing -link:../../../base/acme/database/ds/create.ldif[/usr/share/pki/acme/database/ds/create.ldif] with the following command: - ----- -$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -f /usr/share/pki/acme/database/ds/create.ldif ----- - -**Note:** By default the `create.ldif` will create the subtree under `dc=pki,dc=example,dc=com` which is mapped to `userroot` DS backend. - -## Configuring ACME Database - -A sample database configuration is available at -link:../../../base/acme/database/ds/database.conf[/usr/share/pki/acme/database/ds/database.conf]. - -To use the DS database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-database-mod --type ds \ - -DbindPassword=Secret.123 ----- - -Customize the database configuration as needed. 
In a standalone ACME deployment, the `database.conf` should look like the following: - ----- -class=org.dogtagpki.acme.database.DSDatabase -url=ldap://:389 -authType=BasicAuth -bindDN=cn=Directory Manager -bindPassword=Secret.123 -baseDN=dc=acme,dc=pki,dc=example,dc=com ----- - -In a shared CA and ACME deployment, the `database.conf` should look like the following: - ----- -class=org.dogtagpki.acme.database.DSDatabase -configFile=conf/ca/CS.cfg -baseDN=dc=acme,dc=pki,dc=example,dc=com ----- - -The DS database provides an ACME configuration monitor using search persistence. -It can be enabled with the following parameter: - ----- -monitor.enabled=true ----- - -## See Also - -* link:Configuring_ACME_Database.md[Configuring ACME Database] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-DS-Database.adoc[Configuring-ACME-with-DS-Database.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc b/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc index 973bf374c24..7a0aa917975 100644 --- a/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc +++ b/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc 
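Review bot: the replacement line links to `../../admin/acme/Configuring-ACME-with-DS-Database.adoc`, but no hunk for that file appears in the visible part of this patch; confirm the destination is added in the same change so the redirect does not dangle, and that the details removed here (the `ldapmodify` schema import, the `userroot` backend note on `index.ldif` and `create.ldif`, the `indextask.ldif` reindex procedure and the `monitor.enabled=true` search-persistence monitor) survive there. As a style point, the link text repeats the filename; the document's other cross-references use the page title, e.g. `link:../../admin/acme/Configuring-ACME-with-DS-Database.adoc[Configuring ACME with DS Database]`.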
@@ -1,56 +1 @@ -# Configuring ACME with DS Realm - -## Overview - -This document describes the process to configure ACME responder to use a DS database for authentication realm. -It assumes that the DS database has been installed as described in -link:../others/Creating_DS_instance.adoc[Creating a directory server instance and adding base entries] - -## Initializing DS Realm - -Prepare subtrees for ACME users and groups in DS. -A sample LDIF file is available at link:../../../base/acme/realm/ds/create.ldif[/usr/share/pki/acme/realm/ds/create.ldif]. -This example uses `dc=acme,dc=pki,dc=example,dc=com` as the base DN. -Import the file with the following command: - ----- -$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \ - -f /usr/share/pki/acme/realm/ds/create.ldif ----- - -A sample realm configuration is available at -link:../../../base/acme/realm/ds/realm.conf[/usr/share/pki/acme/realm/ds/realm.conf]. - -To use the DS realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-realm-mod --type ds \ - -DbindPassword=Secret.123 ----- - -Customize the realm configuration as needed. 
In a standalone ACME deployment, the `realm.conf` should look like the following: - ----- -class=org.dogtagpki.acme.realm.DSRealm -url=ldap://:389 -authType=BasicAuth -bindDN=cn=Directory Manager -bindPassword=Secret.123 -usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com -groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com ----- - -In a shared CA and ACME deployment, the `realm.conf` should look like the following: - ----- -class=org.dogtagpki.acme.realm.DSRealm -configFile=conf/ca/CS.cfg -usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com -groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com ----- - -## See Also - -* link:Configuring_ACME_Realm.md[Configuring ACME Realm] -* link:../../admin/acme/Managing_DS_Realm.adoc[Managing DS Realm] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-DS-Realm.adoc[Configuring-ACME-with-DS-Realm.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-InMemory-Database.adoc b/docs/installation/acme/Configuring-ACME-with-InMemory-Database.adoc index cf1ac595e8d..7b66429745f 100644 --- a/docs/installation/acme/Configuring-ACME-with-InMemory-Database.adoc +++ b/docs/installation/acme/Configuring-ACME-with-InMemory-Database.adoc 
@@ -1,29 +1 @@ -# Configuring ACME with In-Memory Database - -## Overview - -This document describes the process to configure ACME responder to use an in-memory database. - -## Configuring ACME Database - -A sample in-memory database configuration is available at -link:../../../base/acme/database/in-memory/database.conf[/usr/share/pki/acme/database/in-memory/database.conf]. - -To use an in-memory database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command: - ----- -$ pki-server acme-database-mod --type in-memory ----- - -The `database.conf` should look like the following: - -``` -class=org.dogtagpki.acme.database.InMemoryDatabase -``` - -There are no parameters to configure for in-memory database. - -## See Also - -* link:Configuring_ACME_Database.md[Configuring ACME Database] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-InMemory-Database.adoc[Configuring-ACME-with-InMemory-Database.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-InMemory-Realm.adoc b/docs/installation/acme/Configuring-ACME-with-InMemory-Realm.adoc index 410cfcc21bd..ae25032e79c 100644 --- a/docs/installation/acme/Configuring-ACME-with-InMemory-Realm.adoc +++ b/docs/installation/acme/Configuring-ACME-with-InMemory-Realm.adoc 
@@ -1,29 +1 @@ -# Configuring ACME with In-Memory Realm - -## Overview - -This document describes the process to configure ACME responder to use an in-memory realm. - -## Configuring ACME Realm - -A sample in-memory realm configuration is available at -link:../../../base/acme/realm/in-memory/realm.conf[/usr/share/pki/acme/realm/in-memory/realm.conf]. - -To use an in-memory realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command: - ----- -$ pki-server acme-realm-mod --type in-memory ----- - -The `realm.conf` should look like the following: - -``` -class=org.dogtagpki.acme.realm.InMemoryRealm -username=admin -password=Secret.123 -``` - -## See Also - -* link:Configuring_ACME_Realm.md[Configuring ACME Realm] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-InMemory-Realm.adoc[Configuring-ACME-with-InMemory-Realm.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-NSS-Issuer.adoc b/docs/installation/acme/Configuring-ACME-with-NSS-Issuer.adoc index dba12c5dd18..888fea692ea 100644 --- a/docs/installation/acme/Configuring-ACME-with-NSS-Issuer.adoc +++ b/docs/installation/acme/Configuring-ACME-with-NSS-Issuer.adoc 
@@ -1,43 +1 @@ -# Configuring ACME with NSS Issuer - -## Overview - -This document describes the process to configure ACME responder -to issue certificates using a local NSS database. - -## Configuring ACME Issuer - -A sample NSS issuer configuration is available at -link:../../../base/acme/issuer/nss/issuer.conf[/usr/share/pki/acme/issuer/nss/issuer.conf]. - -To configure an NSS issuer, copy the sample `issuer.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-issuer-mod --type nss \ - -Dnickname=ca_signing ----- - -Customize the configuration as needed. The `issuer.conf` should look like the following: - ----- -class=org.dogtagpki.acme.issuer.NSSIssuer -nickname=ca_signing ----- - -The *nickname* parameter can be used to specify the nickname of the CA signing certificate. -The default value is *ca_signing*. - -The *extensions* parameter can be used to configure the certificate extensions for the issued certificates. -The default value is `/usr/share/pki/acme/issuer/nss/sslserver.conf`. -Sample extension configuration files are available at: - -* link:../../../base/acme/issuer/nss/sslserver.conf[/usr/share/pki/acme/issuer/nss/sslserver.conf] -* link:../../../base/acme/issuer/nss/ca_signing.conf[/usr/share/pki/acme/issuer/nss/ca_signing.conf] - -Customize the configuration as needed. -The format is based on link:https://www.openssl.org/docs/manmaster/man5/x509v3_config.html[OpenSSL x509v3_config]. - -## See Also - -* link:Configuring_ACME_Issuer.md[Configuring ACME Issuer] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-NSS-Issuer.adoc[Configuring-ACME-with-NSS-Issuer.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-OpenLDAP-Database.adoc b/docs/installation/acme/Configuring-ACME-with-OpenLDAP-Database.adoc index d313d274460..e46825a2875 100644 --- a/docs/installation/acme/Configuring-ACME-with-OpenLDAP-Database.adoc 
+++ b/docs/installation/acme/Configuring-ACME-with-OpenLDAP-Database.adoc 
@@ -1,54 +1 @@ -# Configuring ACME with OpenLDAP Database - -## Overview - -This document describes the process to configure ACME responder to use an OpenLDAP database. - -## Initializing OpenLDAP Database - -First, add the ACME OpenLDAP schema by importing -link:../../../base/acme/database/openldap/schema.ldif[/usr/share/pki/acme/database/openldap/schema.ldif] with the following command: - ----- -$ ldapadd -H ldapi:/// -Y EXTERNAL \ - -f /usr/share/pki/acme/database/openldap/schema.ldif ----- - -Next, prepare an LDIF file to create the ACME subtree. -A sample LDIF file is available at -link:../../../base/acme/database/openldap/create.ldif[/usr/share/pki/acme/database/openldap/create.ldif]. -This example uses `dc=acme,dc=pki,dc=example,dc=com` as the base DN. -Import the file with the following command: - ----- -$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Manager,dc=example,dc=com" -w Secret.123 \ - -f /usr/share/pki/acme/database/openldap/create.ldif ----- - -## Configuring ACME Database - -A sample database configuration is available at -link:../../../base/acme/database/openldap/database.conf[/usr/share/pki/acme/database/openldap/database.conf]. - -To use the OpenLDAP database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-database-mod --type openldap \ - -DbindPassword=Secret.123 ----- - -Customize the configuration as needed. The `database.conf` should look like the following: - ----- -class=org.dogtagpki.acme.database.OpenLDAPDatabase -url=ldap://:389 -authType=BasicAuth -bindDN=cn=Manager,dc=example,dc=com -bindPassword=Secret.123 -baseDN=dc=acme,dc=pki,dc=example,dc=com ----- - -## See Also - -* link:Configuring_ACME_Database.md[Configuring ACME Database] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-OpenLDAP-Database.adoc[Configuring-ACME-with-OpenLDAP-Database.adoc]. 
diff --git a/docs/installation/acme/Configuring-ACME-with-PKI-Issuer.adoc b/docs/installation/acme/Configuring-ACME-with-PKI-Issuer.adoc index f90c55f7196..e3cf12fa099 100644 --- a/docs/installation/acme/Configuring-ACME-with-PKI-Issuer.adoc +++ b/docs/installation/acme/Configuring-ACME-with-PKI-Issuer.adoc 
@@ -1,60 +1 @@ -# Configuring ACME with PKI Issuer - -## Overview - -This document describes the process to configure ACME responder -to issue certificates using a PKI issuer (i.e. CA). -It assumes that the CA has been installed as described in -link:../ca/Installing_CA.md[Installing CA]. - -## Configuring ACME Issuer - -A sample PKI issuer configuration is available at -link:../../../base/acme/issuer/pki/issuer.conf[/usr/share/pki/acme/issuer/pki/issuer.conf]. - -To configure a PKI issuer, copy the sample `issuer.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-issuer-mod --type pki \ - -Dusername=caadmin \ - -Dpassword=Secret.123 ----- - -Customize the configuration as needed. The `issuer.conf` should look like the following: - ----- -class=org.dogtagpki.acme.issuer.PKIIssuer -url=https://:8443 -profile=acmeServerCert -username=caadmin -password=Secret.123 ----- - -The *url* parameter is used to specify the PKI issuer location. - -The *profile* parameter is used to specify the certificate profile to use. - -To use client certificate authentication, specify the client certificate nickname in the *nickname* parameter. - -To use basic authentication, specify the username in the *username* parameter -and the password in the *password* parameter. - -## Configuring CA authority - -PKI issuer can direct ACME enrollment requests to the specific CA authority. -The authority can be specified either by using its ID or LDAP DN as part of the -`issuer.conf` with `authority-id` or `authority-dn` parameters. These -parameters can also be added with the following command: - ----- -$ pki-server acme-issuer-mod --type pki \ - -Dauthority-id=some-ID ----- - -By default PKI issuer does not pass any authority ID or LDAP DN, meaning the -request would be handled by the main CA. 
- -## See Also - -* link:Configuring_ACME_Issuer.md[Configuring ACME Issuer] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-PKI-Issuer.adoc[Configuring-ACME-with-PKI-Issuer.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Database.adoc b/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Database.adoc index c53c3ad44ee..cd7b99f03c0 100644 --- a/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Database.adoc +++ b/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Database.adoc 
@@ -1,55 +1 @@ -# Configuring ACME with PostgreSQL Database - -## Overview - -This document describes the process to configure ACME responder to use a PostgreSQL database. - -## Initializing PostgreSQL Database - -First, prepare a database (e.g. `acme`) and a user (e.g. `acme`) to access the database. -Verify the database connection with the following command: - ----- -$ psql -h $HOSTNAME -d acme -U acme ----- - -Next, install PostgreSQL JDBC driver in `/usr/share/pki/server/common/lib`, for example: - ----- -$ dnf install postgresql-jdbc -$ ln -s /usr/share/java/postgresql-jdbc/postgresql.jar /usr/share/pki/server/common/lib ----- - -## Configuring ACME Database - -A sample PostgreSQL database configuration is available at -link:../../../base/acme/database/postgresql/database.conf[/usr/share/pki/acme/database/postgresql/database.conf]. - -To use the PostgreSQL database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-database-mod --type postgresql \ - -Dpassword=Secret.123 ----- - -The `database.conf` should look like the following: - ----- -class=org.dogtagpki.acme.database.PostgreSQLDatabase -url=jdbc:postgresql://:5432/acme -user=acme -password=Secret.123 ----- - -The PostgreSQL database provides a mechanism to monitor ACME configuration periodically. -It can be enabled with the following parameters: - ----- -monitor.enabled=true -monitor.interval=5 # minutes ----- - -## See Also - -* link:Configuring_ACME_Database.md[Configuring ACME Database] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-PostgreSQL-Database.adoc[Configuring-ACME-with-PostgreSQL-Database.adoc]. diff --git a/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc b/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc index b239d6e5cff..5b896829c62 100644 
--- a/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc +++ b/docs/installation/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc @@ -1,48 +1 @@ -# Configuring ACME with PostgreSQL Realm - -## Overview - -This document describes the process to configure ACME responder to use a PostgreSQL realm. - -## Initializing PostgreSQL Realm - -First, prepare a database (e.g. `acme`) and a user (e.g. `acme`) to access the database. -Verify the database connection with the following command: - ----- -$ psql -h $HOSTNAME -d acme -U acme ----- - -Next, install PostgreSQL JDBC driver in `/usr/share/pki/server/common/lib`, for example: - ----- -$ dnf install postgresql-jdbc -$ ln -s /usr/share/java/postgresql-jdbc/postgresql.jar /usr/share/pki/server/common/lib ----- - -## Configuring ACME Realm - -A sample PostgreSQL realm configuration is available at -link:../../../base/acme/realm/postgresql/realm.conf[/usr/share/pki/acme/realm/postgresql/realm.conf]. - -To use the PostgreSQL realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder, -or execute the following command to customize some of the parameters: - ----- -$ pki-server acme-realm-mod --type postgresql \ - -Dpassword=Secret.123 ----- - -The `realm.conf` should look like the following: - ----- -class=org.dogtagpki.acme.realm.PostgreSQLRealm -url=jdbc:postgresql://:5432/acme -user=acme -password=Secret.123 ----- - -## See Also - -* link:Configuring_ACME_Realm.md[Configuring ACME Realm] -* link:../../admin/acme/Managing_PostgreSQL_Realm.adoc[Managing PostgreSQL Realm] +This page has been moved to link:../../admin/acme/Configuring-ACME-with-PostgreSQL-Realm.adoc[Configuring-ACME-with-PostgreSQL-Realm.adoc]. diff --git a/docs/installation/acme/Configuring_ACME_Database.md b/docs/installation/acme/Configuring_ACME_Database.md index afebf05fb3a..d2b64236b37 100644 --- a/docs/installation/acme/Configuring_ACME_Database.md +++ b/docs/installation/acme/Configuring_ACME_Database.md 
@@ -1,70 +1 @@ -Configuring ACME Database -========================= - -## Overview - -This document describes the process to configure a database for ACME responder. -The database configuration is located at /var/lib/pki/pki-tomcat/conf/acme/database.conf. - -The `pki-server acme-database-mod` can be used to configure the database via command-line. -If the command is invoked without any parameters, it will enter an interactive mode, for example: - -``` -$ pki-server acme-database-mod -The current value is displayed in the square brackets. -To keep the current value, simply press Enter. -To change the current value, enter the new value. -To remove the current value, enter a blank space. - -Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql. - Database Type: ds - -Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). - Server URL [ldap://localhost.localdomain:389]: - -Enter the authentication type. Available types: BasicAuth, SslClientAuth. - Authentication Type [BasicAuth]: - -Enter the bind DN. - Bind DN [cn=Directory Manager]: - -Enter the bind password. - Bind Password [********]: - -Enter the base DN for the ACME subtree. - Base DN [dc=acme,dc=pki,dc=example,dc=com]: -``` - -If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. -If the command is invoked with other parameters, it will update the specified parameters. - -Some ACME configuration properties are stored in the database such that -all ACME responders in the cluster can be configured consistently. -By default the ACME responder will access the database directly -when retrieving or updating the ACME configuration properties, -which may increase the load on the database. -Some databases might provide an ACME configuration monitor to reduce the load on the database. - -## Configuring ACME with In-Memory Database - -The ACME responder can be configured with an in-memory database. 
-See [Configuring ACME with In-Memory Database](Configuring-ACME-with-InMemory-Database.adoc). - -## Configuring ACME with DS Database - -The ACME responder can be configured with a DS database. -See [Configuring ACME with DS Database](Configuring-ACME-with-DS-Database.adoc). - -## Configuring ACME with OpenLDAP Database - -The ACME responder can be configured with an OpenLDAP database. -See [Configuring ACME with OpenLDAP Database](Configuring-ACME-with-OpenLDAP-Database.adoc). - -## Configuring ACME with PostgreSQL Database - -The ACME responder can be configured with a PostgreSQL database. -See [Configuring ACME with PostgreSQL Database](Configuring-ACME-with-PostgreSQL-Database.adoc). - -## See Also - -* [Installing PKI ACME Responder](Installing_PKI_ACME_Responder.md) +This page has been moved to [Configuring-ACME-Database.adoc](Configuring-ACME-Database.adoc). diff --git a/docs/installation/acme/Configuring_ACME_Issuer.md b/docs/installation/acme/Configuring_ACME_Issuer.md index 6d898f1d99b..1b178230d90 100644 --- a/docs/installation/acme/Configuring_ACME_Issuer.md +++ b/docs/installation/acme/Configuring_ACME_Issuer.md 
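Review bot: the new line `+This page has been moved to [Configuring-ACME-Database.adoc](Configuring-ACME-Database.adoc).` uses a bare relative link, which resolves inside `docs/installation/acme/`, whereas the `.adoc` stubs in this patch all redirect to `../../admin/acme/...`; unless a copy of `Configuring-ACME-Database.adoc` is also being added under `docs/installation/acme/`, the path should be `../../admin/acme/Configuring-ACME-Database.adoc` for consistency. The same check applies to the `Configuring_ACME_Issuer.md` and `Configuring_ACME_Realm.md` stubs further down, which use the same bare form.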
@@ -1,58 +1 @@ -Configuring ACME Issuer -======================= - -## Overview - -This document describes the process to configure an issuer for ACME responder. -The issuer configuration is located at /var/lib/pki/pki-tomcat/conf/acme/issuer.conf. - -The `pki-server acme-issuer-mod` can be used to configure the issuer via command-line. -If the command is invoked without any parameters, it will enter an interactive mode, for example: - -``` -$ pki-server acme-issuer-mod -The current value is displayed in the square brackets. -To keep the current value, simply press Enter. -To change the current value, enter the new value. -To remove the current value, enter a blank space. - -Enter the type of the certificate issuer. Available types: nss, pki. - Issuer Type: pki - -Enter the location of the PKI server (e.g. https://localhost.localdomain:8443). - Server URL [https://localhost.localdomain:8443]: - -Enter the certificate nickname for client authentication. -This might be the CA agent certificate. -Enter blank to use basic authentication. - Client Certificate: - -Enter the username of the CA agent for basic authentication. -Enter blank if a CA agent certificate is used for client authentication. - Agent Username [caadmin]: - -Enter the CA agent password for basic authentication. -Enter blank if the password is already stored in a separate property file -or if a CA agent certificate is used for client authentication. - Agent Password [********]: - -Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert). - Certificate Profile [acmeServerCert]: -``` - -If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. -If the command is invoked with other parameters, it will update the specified parameters. - -## Configuring PKI Issuer - -The ACME responder can be configured to issue certificates using a PKI issuer. -See [Configuring ACME with PKI Issuer](Configuring-ACME-with-PKI-Issuer.adoc). 
- -## Configuring NSS Issuer - -The ACME responder can be configured to issue certificates using a local NSS database. -See [Configuring ACME with NSS Issuer](Configuring-ACME-with-NSS-Issuer.adoc). - -## See Also - -* [Installing PKI ACME Responder](Installing_PKI_ACME_Responder.md) +This page has been moved to [Configuring-ACME-Issuer.adoc](Configuring-ACME-Issuer.adoc). diff --git a/docs/installation/acme/Configuring_ACME_Realm.md b/docs/installation/acme/Configuring_ACME_Realm.md index 3260c69d3d1..f2b58dc03f7 100644 --- a/docs/installation/acme/Configuring_ACME_Realm.md +++ b/docs/installation/acme/Configuring_ACME_Realm.md 
@@ -1,61 +1 @@ -Configuring ACME Realm -====================== - -## Overview - -This document describes the process to configure a realm for ACME responder. -The realm configuration is located at /var/lib/pki/pki-tomcat/conf/acme/realm.conf. - -The `pki-server acme-realm-mod` can be used to configure the realm via command-line. -If the command is invoked without any parameters, it will enter an interactive mode, for example: - -``` -$ pki-server acme-realm-mod -The current value is displayed in the square brackets. -To keep the current value, simply press Enter. -To change the current value, enter the new value. -To remove the current value, enter a blank space. - -Enter the type of the realm. Available types: ds. - Database Type: ds - -Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). - Server URL [ldap://localhost.localdomain:389]: - -Enter the authentication type. Available types: BasicAuth, SslClientAuth. - Authentication Type [BasicAuth]: - -Enter the bind DN. - Bind DN [cn=Directory Manager]: - -Enter the bind password. - Bind Password [********]: - -Enter the base DN for the ACME users subtree. - Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]: - -Enter the base DN for the ACME groups subtree. - Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]: -``` - -If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type. -If the command is invoked with other parameters, it will update the specified parameters. - -## Configuring ACME with In-Memory Realm - -The ACME responder can be configured with an in-memory realm. -See [Configuring ACME with In-Memory Realm](Configuring-ACME-with-InMemory-Realm.adoc). - -## Configuring ACME with DS Realm - -The ACME responder can be configured with a DS realm. -See [Configuring ACME with DS Realm](Configuring-ACME-with-DS-Realm.adoc). 
- -## Configuring ACME with PostgreSQL Realm - -The ACME responder can be configured with a PostgreSQL realm. -See [Configuring ACME with PostgreSQL Realm](Configuring-ACME-with-PostgreSQL-Realm.adoc). - -## See Also - -* [Installing PKI ACME Responder](Installing_PKI_ACME_Responder.md) +This page has been moved to [Configuring-ACME-Realm.adoc](Configuring-ACME-Realm.adoc). diff --git a/docs/installation/acme/Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc b/docs/installation/acme/Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc new file mode 100644 index 00000000000..ebed4a9eb9e --- /dev/null +++ b/docs/installation/acme/Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc 
@@ -0,0 +1,264 @@ += Installing ACME Responder using PKI Server ACME CLI = + +== Overview == + +This document describes the process to install an ACME responder on a PKI server that already has a CA subsystem using `pki-server acme` commands. + +In general `pki-server acme` commands provide a more flexible way compared to link:Installing-ACME-Responder-using-pkispawn.adoc[`pkispawn`] for installing ACME responder. +If there is a problem during installation, usually only the failing step needs to be fixed, then the installation can be resumed. + +== Prerequisites == + +This document assumes that the following DS service is available to use as ACME database and ACME realm: + +* URL: `ldap://ds.example.com:3389` +* Bind DN: `cn=Directory Manager` +* Bind password: `Secret.123` + +It also assumes that the following CA service is available to use as ACME issuer: + +* URL: `https://pki.example.com:8443` +* Username: `caadmin` +* Password: `Secret.123` + +== Creating ACME Responder == + +To create ACME responder in PKI server execute the following command: + +---- +$ pki-server acme-create +---- + +The command will create the initial configuration files in `/var/lib/pki/pki-tomcat/conf/acme` folder. + +== Setting Up ACME Metadata == + +To configure ACME metadata: + +---- +$ pki-server acme-metadata-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the location of the terms of service. + Terms of Service [https://www.example.com/acme/tos.pdf]: + +Enter the location of the website. + Website [https://www.example.com]: + +Enter the CAA identities. + CAA Identities [example.com]: + +Enter true/false whether an external account is required. + External Account Required [false]: +---- + +See also link:../../admin/acme/Configuring-ACME-Metadata.adoc[Configuring ACME Metadata]. 
+ +== Setting Up ACME Database == + +To configure ACME database: + +---- +$ pki-server acme-database-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql. + Database Type: ds + +Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). + Server URL [ldap://localhost.localdomain:389]: ldap://ds.example.com:3389 + +Enter the authentication type. Available types: BasicAuth, SslClientAuth. + Authentication Type [BasicAuth]: + +Enter the bind DN. + Bind DN [cn=Directory Manager]: + +Enter the bind password. + Bind Password [********]: Secret.123 + +Enter the base DN for the ACME subtree. + Base DN [dc=acme,dc=pki,dc=example,dc=com]: +---- + +To import the DS schema for ACME database: + +---- +$ ldapmodify \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/schema.ldif +---- + +To create the DS indexes for ACME database: + +---- +$ ldapadd \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/index.ldif +---- + +To create the DS subtrees for ACME database: + +---- +$ ldapadd \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/create.ldif +---- + +See also link:../../admin/acme/Configuring-ACME-Database.adoc[Configuring ACME Database]. + +== Setting up ACME Issuer == + +To configure ACME issuer: + +---- +$ pki-server acme-issuer-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the certificate issuer. 
Available types: nss, pki. + Issuer Type: pki + +Enter the location of the PKI server (e.g. https://localhost.localdomain:8443). + Server URL [https://localhost.localdomain:8443]: https://pki.example.com:8443 + +Enter the certificate nickname for client authentication. +This might be the CA agent certificate. +Enter blank to use basic authentication. + Client Certificate: + +Enter the username of the CA agent for basic authentication. +Enter blank if a CA agent certificate is used for client authentication. + Agent Username [caadmin]: + +Enter the CA agent password for basic authentication. +Enter blank if the password is already stored in a separate property file +or if a CA agent certificate is used for client authentication. + Agent Password [********]: Secret.123 + +Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert). + Certificate Profile [acmeServerCert]: +---- + +See also link:../../admin/acme/Configuring-ACME-Issuer.adoc[Configuring ACME Issuer]. + +== Setting Up ACME Realm == + +To configure the ACME realm: + +---- +$ pki-server acme-realm-mod +The current value is displayed in the square brackets. +To keep the current value, simply press Enter. +To change the current value, enter the new value. +To remove the current value, enter a blank space. + +Enter the type of the realm. Available types: ds. + Database Type: ds + +Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389). + Server URL [ldap://localhost.localdomain:389]: ldap://ds.example.com:3389 + +Enter the authentication type. Available types: BasicAuth, SslClientAuth. + Authentication Type [BasicAuth]: + +Enter the bind DN. + Bind DN [cn=Directory Manager]: + +Enter the bind password. + Bind Password [********]: Secret.123 + +Enter the base DN for the ACME users subtree. + Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]: + +Enter the base DN for the ACME groups subtree. 
+ Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]: +---- + +To create DS subtrees for ACME realm: + +---- +$ ldapadd \ + -H ldap://$HOSTNAME \ + -x -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/realm/ds/create.ldif +---- + +See also link:../../admin/acme/Configuring-ACME-Realm.adoc[Configuring ACME Realm]. + +== Deploying ACME Responder == + +Once everything is ready, deploy the ACME responder with the following command: + +---- +$ pki-server acme-deploy +---- + +The command will create a deployment descriptor at `/var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml`. + +The server will start the ACME responder automatically in a few seconds. +It is not necessary to restart PKI server. + +== Verifying ACME Responder == + +To verify that the ACME responder is running, execute the following command: + +---- +$ curl -s -k https://pki.example.com:8443/acme/directory | python -m json.tool +{ + "meta": { + "caaIdentities": [ + "example.com" + ], + "externalAccountRequired": false, + "termsOfService": "https://www.example.com/acme/tos.pdf", + "website": "https://www.example.com" + }, + "newAccount": "https://pki.example.com:8443/acme/new-account", + "newNonce": "https://pki.example.com:8443/acme/new-nonce", + "newOrder": "https://pki.example.com:8443/acme/new-order", + "revokeCert": "https://pki.example.com:8443/acme/revoke-cert" +} +---- + +== Undeploying ACME Responder == + +To undeploy the ACME responder execute the following command: + +---- +$ pki-server acme-undeploy +---- + +The command will remove the deployment descriptor at `/var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml`. + +The server will stop the ACME responder automatically in a few seconds. +It is not necessary to restart PKI server. + +To restart the ACME responder, execute `pki-server acme-deploy` again. 
+ +== Removing ACME Responder == + +To remove the ACME responder execute the following command: + +---- +$ pki-server acme-remove +---- + +== See Also == + +* link:../../manuals/man8/pki-server-acme.8.md[pki-server-acme(8)] diff --git a/docs/installation/acme/Installing-ACME-Responder-using-pkispawn.adoc b/docs/installation/acme/Installing-ACME-Responder-using-pkispawn.adoc new file mode 100644 index 00000000000..e22000eb6af --- /dev/null +++ b/docs/installation/acme/Installing-ACME-Responder-using-pkispawn.adoc 
@@ -0,0 +1,117 @@ += Installing ACME Responder using pkispawn = + +== Overview == + +This document describes the process to install an ACME responder on a PKI server that already has a CA subsystem using `pkispawn` command. + +In general `pkispawn` provides a simpler way compared to link:Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc[`pki-server acme`] for installing ACME responder. +If there is a problem during installation, the entire process might need to be restarted. + +== Prerequisites == + +This document assumes that the following DS service is available to use as ACME database and ACME realm: + +* URL: `ldap://ds.example.com:3389` +* Bind DN: `cn=Directory Manager` +* Bind password: `Secret.123` + +It also assumes that the following CA service is available to use as ACME issuer: + +* URL: `https://pki.example.com:8443` +* Username: `caadmin` +* Password: `Secret.123` + +== Setting Up ACME Database == + +To import the DS schema for ACME database: + +---- +$ ldapmodify \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/schema.ldif +---- + +To create the DS indexes for ACME database: + +---- +$ ldapadd \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/index.ldif +---- + +To create the DS subtrees for ACME database: + +---- +$ ldapadd \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/database/ds/create.ldif +---- + +== Setting Up ACME Realm == + +To create the DS subtrees for ACME realm: + +---- +$ ldapadd \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -f /usr/share/pki/acme/realm/ds/create.ldif +---- + +== Installing ACME Responder == + +To create and deploy ACME responder in PKI server execute the following command: + +---- +$ pkispawn \ + -f /usr/share/pki/server/examples/installation/acme.cfg \ + -s ACME \ + -D 
acme_database_url=ldap://ds.example.com:3389 \ + -D acme_issuer_url=https://pki.example.com:8443 \ + -D acme_realm_url=ldap://ds.example.com:3389 +---- + +The configuration files will be available in `/var/lib/pki/pki-tomcat/conf/acme` folder. + +See also link:../../admin/acme/Configuring-ACME-Responder.adoc[Configuring ACME Responder]. + +== Verifying ACME Responder == + +To verify that the ACME responder is running, execute the following command: + +---- +$ curl -s -k https://pki.example.com:8443/acme/directory | python -m json.tool +{ + "meta": { + "caaIdentities": [ + "example.com" + ], + "externalAccountRequired": false, + "termsOfService": "https://www.example.com/acme/tos.pdf", + "website": "https://www.example.com" + }, + "newAccount": "https://pki.example.com:8443/acme/new-account", + "newNonce": "https://pki.example.com:8443/acme/new-nonce", + "newOrder": "https://pki.example.com:8443/acme/new-order", + "revokeCert": "https://pki.example.com:8443/acme/revoke-cert" +} +---- + +== Removing ACME Responder == + +To undeploy and remove the ACME responder execute the following command: + +---- +$ pkidestroy -s ACME +---- + +== See Also == + +* link:../../manuals/man8/pkispawn.8.md[pkispawn(8)] diff --git a/docs/installation/acme/Installing-ACME-Responder.adoc b/docs/installation/acme/Installing-ACME-Responder.adoc new file mode 100644 index 00000000000..885454617b8 --- /dev/null +++ b/docs/installation/acme/Installing-ACME-Responder.adoc 
@@ -0,0 +1,20 @@ += Installing ACME Responder = + +== Overview == + +This document describes the process to install an ACME responder on a PKI server that already has a CA subsystem. +It assumes that the CA was installed with the default instance name (i.e. `pki-tomcat`). + +== Installation Procedure == + +There are two ways to install the ACME responder: + +* link:Installing-ACME-Responder-using-pkispawn.adoc[Installing ACME Responder using pkispawn] +* link:Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc[Installing ACME Responder using pki-server acme CLI] + + +== See Also == + +* link:../ca/Installing_CA.md[Installing CA] +* link:../../admin/acme/Managing_PKI_ACME_Responder.md[Managing ACME Responder] +* link:../../user/acme/Using_PKI_ACME_Responder.md[Using ACME Responder] diff --git a/docs/installation/acme/Installing_ACME_Responder.md b/docs/installation/acme/Installing_ACME_Responder.md index 68856ea09fb..2263c21e922 100644 --- a/docs/installation/acme/Installing_ACME_Responder.md +++ b/docs/installation/acme/Installing_ACME_Responder.md @@ -1 +1 @@ -This page has been moved to [Installing_PKI_ACME_Responder.md](Installing_PKI_ACME_Responder.md). +This page has been moved to [Installing-ACME-Responder.adoc](Installing-ACME-Responder.adoc). diff --git a/docs/installation/acme/Installing_PKI_ACME_Responder.md b/docs/installation/acme/Installing_PKI_ACME_Responder.md index 90efab6cabe..2263c21e922 100644 --- a/docs/installation/acme/Installing_PKI_ACME_Responder.md +++ b/docs/installation/acme/Installing_PKI_ACME_Responder.md 
@@ -1,95 +1 @@ -Installing PKI ACME Responder -============================= - -## Overview - -This document describes the process to install an ACME responder on a PKI server that already has a CA subsystem. -It assumes that the CA was [installed](../ca/Installing_CA.md) with the default instance name (i.e. pki-tomcat). - -## Installing PKI ACME Responder - -To install PKI ACME responder RPM package, execute the following command: - -``` -$ dnf install pki-acme -``` - -To create PKI ACME responder in a PKI server instance, execute the following command: - -``` -$ pki-server acme-create -``` - -The command will create the initial configuration files in `/var/lib/pki/pki-tomcat/conf/acme` folder. - -## Configuring ACME Responder - -To configure the ACME responder, see the following documents: - -* [Configuring ACME Metadata](Configuring-ACME-Metadata.adoc) -* [Configuring ACME Database](Configuring_ACME_Database.md) -* [Configuring ACME Issuer](Configuring_ACME_Issuer.md) -* [Configuring ACME Realm](Configuring_ACME_Realm.md) - -## Deploying ACME Responder - -Once everything is ready, deploy the ACME responder with the following command: - -``` -$ pki-server acme-deploy -``` - -The command will create a deployment descriptor at `/var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml`. - -The server will start the ACME responder automatically in a few seconds. -It is not necessary to restart PKI server. 
- -To verify that the ACME responder is running, execute the following command: - -``` -$ curl -s -k https://$HOSTNAME:8443/acme/directory | python -m json.tool -{ - "meta": { - "caaIdentities": [ - "example.com" - ], - "externalAccountRequired": false, - "termsOfService": "https://www.example.com/acme/tos.pdf", - "website": "https://www.example.com" - }, - "newAccount": "https://:8443/acme/new-account", - "newNonce": "https://:8443/acme/new-nonce", - "newOrder": "https://:8443/acme/new-order", - "revokeCert": "https://:8443/acme/revoke-cert" -} -``` - -## Undeploying ACME Responder - -To undeploy the ACME responder, execute the following command: - -``` -$ pki-server acme-undeploy -``` - -The command will remove the deployment descriptor at `/var/lib/pki/pki-tomcat/conf/Catalina/localhost/acme.xml`. - -The server will stop the ACME responder automatically in a few seconds. -It is not necessary to restart PKI server. - -To restart the ACME responder, execute `pki-server acme-deploy` again. - -## Removing ACME Responder - -To remove the ACME responder completely from the server, execute the following command: - -``` -$ pki-server acme-remove -``` - -## See Also - -* [Installing CA](../ca/Installing_CA.md) -* [Managing PKI ACME Responder](../../admin/acme/Managing_PKI_ACME_Responder.md) -* [Using PKI ACME Responder](../../user/acme/Using_PKI_ACME_Responder.md) -* [pki-server-acme(8)](../../manuals/man8/pki-server-acme.8.md) +This page has been moved to [Installing-ACME-Responder.adoc](Installing-ACME-Responder.adoc).
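Review bot: In Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc, the "Setting Up ACME Realm" command `ldapadd -H ldap://$HOSTNAME ...` targets a different server than the realm configuration entered just above it (`Server URL [ldap://localhost.localdomain:389]: ldap://ds.example.com:3389`), so a reader following the page would create the realm subtrees on the local default-port LDAP server rather than on the DS the responder is configured to use; change it to `-H ldap://ds.example.com:3389` to match. Two smaller points in the same hunk: the `acme-realm-mod` session prompts "Enter the type of the realm" but labels the answer `Database Type: ds`, which reads like a copy-paste from the database section unless the CLI really prints that label; and the verification step in both new documents uses `curl -s -k`, which teaches readers to skip certificate verification against the CA they have just installed, so `--cacert` pointing at the CA chain would be the better example to ship.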
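Review bot: In Installing-ACME-Responder-using-pkispawn.adoc, the three `ldapmodify`/`ldapadd` commands pass `-D "cn=Directory Manager" -w Secret.123` without `-x`, whereas the equivalent realm command in the CLI document includes `-x`; without `-x` the OpenLDAP client tools attempt a SASL bind rather than the simple bind these credentials are meant for, so add `-x` to all three for consistency. Separately, the `pkispawn` invocation overrides only `acme_database_url`, `acme_issuer_url` and `acme_realm_url`, while the prerequisites list a bind DN, a bind password and CA agent credentials; state where those values come from (presumably the defaults in `/usr/share/pki/server/examples/installation/acme.cfg`) or show the corresponding `-D` overrides, since a reader whose credentials differ from the assumed ones has no indication of which parameters to set.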
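Review bot: In Installing-ACME-Responder.adoc, the "See Also" entries `../../admin/acme/Managing_PKI_ACME_Responder.md` and `../../user/acme/Using_PKI_ACME_Responder.md` still point at Markdown pages while this change moves the ACME installation pages to `.adoc` and reduces `Installing_PKI_ACME_Responder.md` to a redirect stub; confirm those two targets are still real pages rather than stubs, or update them to their `.adoc` equivalents. Style nit in the same hunk: there are two blank lines before `== See Also ==` where the rest of the file uses one.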
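Review bot: Replacing Installing_PKI_ACME_Responder.md with a redirect drops two steps that the new pages do not visibly pick up: `$ dnf install pki-acme` (installing the responder package) and `$ pki-server acme-create`, as well as the `pki-server-acme(8)` entry in "See Also". The pkispawn document's prerequisites cover only the DS and CA services, and the new index page's "See Also" lists only Installing CA, Managing ACME Responder and Using ACME Responder; either add the package installation step to the prerequisites of both new installation documents, or confirm the CLI document's overview covers it, and restore the man page link on the index page.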