
Examples - Use ACME clients with Certificate Manager

This article describes how to use Certbot and Kubernetes cert-manager as ACME clients with Smart ID Certificate Manager (CM). 

Examples using Certbot

Values used in this example that you need to replace with values from your own setup:

Parameter: --server
  Example value: https://host.example.com/pgwy/acme/directory
  Description: The ACME directory URL of the Protocol Gateway installation that acts as ACME server.

Parameter: --email
  Example value: ca-admin@example.com
  Description: Change to a valid email address for your organisation.

Parameter: --eab-kid
  Example value: certbot-kid-1
  Description: The pre-registration key ID described in Example: ACME configuration in Protocol Gateway. Pass the bare key ID; it must match a pre-registration configured in Protocol Gateway.

Parameter: --eab-hmac-key
  Example value: lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk
  Description: The pre-registration HMAC key (base64url encoded) described in Example: ACME configuration in Protocol Gateway. Treat it as a secret: anyone holding it can create ACME accounts bound to that pre-registration.

This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM without external account binding (EAB). Note that certbot certonly prompts for an authenticator unless one is given on the command line (for example --standalone or --webroot), and that certbot must trust the TLS certificate of the Protocol Gateway; if it is issued by a private CA, point certbot at that CA bundle (certbot honours the REQUESTS_CA_BUNDLE environment variable).

Example using certbot

  certbot certonly \
    --agree-tos \
    --email ca-admin@example.com \
    --domain example.com \
    --server https://host.example.com/pgwy/acme/directory

This is the same example with EAB: the pre-registration key ID and HMAC key from the Protocol Gateway ACME configuration bind the newly created ACME account to that pre-registration, so only clients holding the key can register. Keep in mind that arguments given on the command line are visible in shell history and process listings.

Example using certbot with external account binding

  certbot certonly \
    --agree-tos \
    --email ca-admin@example.com \
    --domain example.com \
    --server https://host.example.com/pgwy/acme/directory \
    --eab-kid certbot-kid-1 \
    --eab-hmac-key lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk



Example using Kubernetes.io and Cert-manager.io

This example is based on the documentation here: https://cert-manager.io/docs/configuration/acme/

The CM installation and the Kubernetes cluster need network connectivity with each other, and an Ingress controller must be installed on the Kubernetes cluster; this example uses traefik. Both requirements come from the ACME HTTP01 solver: the Protocol Gateway acting as ACME server must be able to reach the cluster's Ingress over HTTP (port 80) on the DNS name being validated. If no such connection is possible but the Protocol Gateway and CM side can resolve the public DNS records of the zone, use the DNS01 solver instead; see https://cert-manager.io/docs/configuration/acme/dns01/ for more information.

The following prerequisites apply for this example:

  Example: ACME configuration in Protocol Gateway

Values used in this example that you need to replace with values from your own setup:

Parameter: server
  Example value: https://host.example.com/pgwy/acme/directory
  Description: The ACME directory URL of the Protocol Gateway installation that acts as ACME server.

Parameter: email
  Example value: ca-admin@example.com
  Description: Change to a valid email address for your organisation.

Parameter: name
  Example value: test-demo-cm.example.com
  Description: Example DNS name that a certificate shall be issued to.

Parameter: keyID
  Example value: "1"
  Description: The pre-registration key ID described in Example: ACME configuration in Protocol Gateway.

Parameter: secret
  Example value: lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk
  Description: The pre-registration HMAC key described in Example: ACME configuration in Protocol Gateway. cert-manager reads it from a Kubernetes Secret and expects the base64url-encoded form shown here.
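The manifests below are an added example and are not taken from the original page or from Nexus; they place the values from the table into the cert-manager objects defined in the cert-manager ACME documentation linked above (a Secret holding the EAB HMAC key, a ClusterIssuer with externalAccountBinding and an HTTP01 solver for traefik, and a Certificate). The namespaces and the object names pgwy-eab-hmac, pgwy-acme, pgwy-acme-account-key, test-demo-cm and test-demo-cm-tls are assumptions chosen for this example.

```yaml
# Added example (not from the original page): cert-manager using Protocol
# Gateway / CM as ACME server with external account binding (EAB).
# Object names and namespaces are assumptions made for this example.
---
# The pre-registration HMAC key. cert-manager expects the base64url-encoded key
# string itself, so it is given via stringData (Kubernetes base64-encodes it
# once more on storage; do not base64-encode it yourself under data:).
apiVersion: v1
kind: Secret
metadata:
  name: pgwy-eab-hmac
  namespace: cert-manager   # Secrets referenced by a ClusterIssuer live in cert-manager's namespace
type: Opaque
stringData:
  secret: lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk   # replace with your pre-registration hmac-key
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: pgwy-acme
spec:
  acme:
    # Protocol Gateway ACME directory URL (the "server" value from the table)
    server: https://host.example.com/pgwy/acme/directory
    email: ca-admin@example.com
    # cert-manager stores the generated ACME account key in this Secret
    privateKeySecretRef:
      name: pgwy-acme-account-key
    # Bind the new ACME account to the pre-registration in Protocol Gateway
    externalAccountBinding:
      keyID: "1"
      keySecretRef:
        name: pgwy-eab-hmac
        key: secret
    solvers:
      # HTTP01: Protocol Gateway must reach this cluster's Ingress on port 80
      - http01:
          ingress:
            ingressClassName: traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-demo-cm
  namespace: default
spec:
  secretName: test-demo-cm-tls      # TLS Secret that receives the issued certificate and key
  dnsNames:
    - test-demo-cm.example.com      # the "name" value from the table
  issuerRef:
    name: pgwy-acme
    kind: ClusterIssuer
```

Apply the manifests with kubectl apply -f and follow the issuance with kubectl describe certificate test-demo-cm and kubectl get order,challenge -A; a challenge stuck in pending usually means the Protocol Gateway cannot reach the Ingress on port 80 for the name. On cert-manager releases older than 1.12 the solver field is class: traefik instead of ingressClassName. If the Protocol Gateway's TLS certificate is issued by a private CA, give cert-manager that CA via spec.acme.caBundle (cert-manager 1.11 and later) rather than disabling verification with skipTLSVerify.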







CI/CD tool integration based on ACME clients

For integrating continuous integration and continuous delivery (CI/CD) tools with CM through ACME clients, see the links below:

Related information



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.