This section describes the information required to configure ACMEv2 clients to enroll for a certificate using Certificate Enrollment Gateway. For information about using your ACMEv2 client, see the documentation for your ACMEv2 client.
Enrollment URL for ACMEv2 clients
ACMEv2 clients must use one of the following URLs to communicate with Certificate Enrollment Gateway.
Default ACMEv2 enrollment URL
When External Account Binding is disabled, all ACMEv2 clients must use the following URL:
https://<CEG-server>/acme/<tenant-ID>/<CA-ID>/<profile-ID>/directory
Where:
<CEG-server>
is the hostname or IP address of the Certificate Enrollment Gateway server.
<tenant-ID>
is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
<CA-ID>
is the CA ID of the Certification Authority (CA) defined in CA Gateway that will issue certificates to the ACMEv2 endpoint.
<profile-ID>
is the profile ID defined in CA Gateway that defines the certificate type issued to the ACMEv2 client. For Entrust PKI as a Service, the profile ID is one of the following:
- privatessl-tls-client-server
- privatessl-tls-server
- privatessl-tls-client
For example:
https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory
ACMEv2 Request URL for an External Account Binding credential
When External Account Binding is enabled, each External Account Binding credential will have its own URL. For example:
https://<hostname>/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/directory
Where:
<hostname>
is the hostname or IP address of the Certificate Enrollment Gateway server.
For example:
https://cegserver.example.com/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/directory
For details about managing External Account Binding credentials, see Managing External Account Binding credentials.
Supported algorithms for CSRs
When an ACMEv2 client requests a certificate, the certificate signing request (CSR) must use an algorithm supported by Certificate Enrollment Gateway.
The ACMEv2 service of the Certificate Enrollment Gateway supports the following algorithms for CSRs (certificate signing requests):
- RSA-2048, RSA-3072, RSA-4096
- EC P-256, EC P-384, EC P-521
Adding the CA certificate chain to the ACMEv2 client
ACMEv2 clients must trust the CA certificate chain for the Cryptographic Security Platform cluster’s TLS certificate. The cluster’s TLS certificate secures Certificate Enrollment Gateway’s TLS traffic. If ACMEv2 clients do not trust the CA certificate chain, the clients will fail to establish a secure TLS connection to Certificate Enrollment Gateway.
While some ACMEv2 clients may allow insecure TLS connections, you should avoid these connections for security reasons.
See your ACMEv2 client documentation for instructions about adding certificates to the ACMEv2 client.
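The trust requirement above, as an added Go example (not code from this page or from Entrust): it constructs a throwaway issuing CA and a server certificate that stand in for the cluster's TLS certificate, loads the CA chain PEM into a client trust store the way a Go ACMEv2 client using crypto/tls would, and runs the same chain and hostname validation the TLS client performs during the handshake, once with the chain loaded and once with a trust store that lacks it. The hostname cegserver.example.com comes from the page's example URL; the CA name and all key material are constructed for the demonstration, and the client configuration deliberately leaves verification on rather than setting InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeChain constructs a throwaway issuing CA and a TLS server certificate signed by it. Both are
// constructed for this demonstration only; they stand in for the cluster's real TLS certificate and
// the CA chain an operator would export from the platform and hand to the ACMEv2 client.
func makeChain(serverName string) (caChainPEM, serverDER []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Cluster CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // DER produced just above; parsing cannot fail
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	serverDER, err = x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), serverDER, nil
}

// trustStore loads the exported CA chain (PEM, one or more CERTIFICATE blocks) into a trust pool.
func trustStore(caChainPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caChainPEM) {
		return nil, errors.New("no CA certificates found in chain")
	}
	return pool, nil
}

// clientTLSConfig is the client-side setting the page calls for: the gateway's CA chain as the
// trusted roots, with hostname verification left on (no InsecureSkipVerify).
func clientTLSConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// verifyServerCert runs the check a TLS client applies to the gateway's certificate during the
// handshake: build a chain to a root in cfg.RootCAs and match cfg.ServerName.
func verifyServerCert(serverDER []byte, cfg *tls.Config) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// checkTrust reports whether a client configured with the chain accepts the server certificate and
// whether a client whose trust store lacks the chain rejects it as signed by an unknown authority.
func checkTrust() (trustedOK, untrustedRejected bool, err error) {
	const server = "cegserver.example.com" // hostname taken from the page's example URL
	caChainPEM, serverDER, err := makeChain(server)
	if err != nil {
		return false, false, err
	}
	roots, err := trustStore(caChainPEM)
	if err != nil {
		return false, false, err
	}
	trustedOK = verifyServerCert(serverDER, clientTLSConfig(roots, server)) == nil

	// An empty (non-nil) pool trusts nothing: the failure mode the page describes.
	var unknown x509.UnknownAuthorityError
	err = verifyServerCert(serverDER, clientTLSConfig(x509.NewCertPool(), server))
	untrustedRejected = errors.As(err, &unknown)
	return trustedOK, untrustedRejected, nil
}

func main() {
	ok, rejected, err := checkTrust()
	fmt.Printf("accepted with chain loaded: %v; rejected without chain: %v; error: %v\n", ok, rejected, err)
}
```

In a real deployment the PEM passed to trustStore is the exported cluster CA chain rather than the constructed one, and the resulting tls.Config goes into the client's HTTP transport; the unknown-authority error is what an ACMEv2 client reports when the chain is missing, and the fix is to load the chain, not to disable verification.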
Supported validation methods
During enrollment, ACMEv2 clients must pass one of the following validation methods:
| Method | Required configuration |
|---|---|
| DNS-01 | Certificate Enrollment Gateway and the ACMEv2 client must point to the same DNS server. Certificate Enrollment Gateway must be able to query for DNS TXT records generated by the ACMEv2 client. |
| HTTP-01 | Certificate Enrollment Gateway must resolve the hostname of the FQDN in the CSR. The hostname must resolve to the IP address of the ACMEv2 client. The ACMEv2 client must listen on port 80 to use HTTP-01 validation. |
About CSRs with an empty Subject DN
Some ACMEv2 clients may send a CSR with an empty Subject DN. However, certificates issued by Entrust Certificate Authority instances will have a non-empty Subject DN. If an ACMEv2 client sends a CSR with an empty Subject DN, Certificate Enrollment Gateway will use the first Subject Alternative Name value in the CSR as the Subject DN.
Certificate Enrollment Gateway will not modify the Subject DN in the CSR. Certificate Enrollment Gateway will send the CSR unaltered to CA Gateway for processing, and send the Subject DN separately as a CA Gateway request parameter.
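The two CSR rules on this page, the supported-algorithm list and the empty-Subject-DN handling, as one added Go example (not code from this page or from Entrust): a preflight check an ACMEv2 client could run on its CSR before submitting it. It classifies the CSR's key against RSA-2048/3072/4096 and EC P-256/P-384/P-521, and computes the Subject DN the gateway would forward when the CSR's own Subject is empty, leaving the CSR bytes untouched. The sample CSRs and names (host1.example.com, svc.example.com) are constructed; two details the page does not state are assumptions and labelled as such in the code: that the SAN value is carried as a CN attribute, and that DNS names are considered before IP addresses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// checkCSRAlgorithm labels the CSR's key when it is one the ACMEv2 service accepts, else errors.
func checkCSRAlgorithm(csr *x509.CertificateRequest) (string, error) {
	switch k := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		switch bits := k.N.BitLen(); bits {
		case 2048, 3072, 4096:
			return fmt.Sprintf("RSA-%d", bits), nil
		default:
			return "", fmt.Errorf("unsupported RSA key size %d", bits)
		}
	case *ecdsa.PublicKey:
		switch k.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
			return "EC " + k.Curve.Params().Name, nil
		default:
			return "", fmt.Errorf("unsupported curve %s", k.Curve.Params().Name)
		}
	default:
		return "", fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
}

func dnString(n pkix.Name) string { return n.ToRDNSequence().String() } // "" for an empty DN

// effectiveSubject mirrors the gateway's rule: a non-empty Subject DN is used as-is; an empty one
// is replaced, for the CA Gateway request parameter only, by the first Subject Alternative Name.
// Assumed (not stated on the page): the SAN becomes a CN attribute, and DNS names come before IPs.
func effectiveSubject(csr *x509.CertificateRequest) (pkix.Name, error) {
	if dnString(csr.Subject) != "" {
		return csr.Subject, nil
	}
	switch {
	case len(csr.DNSNames) > 0:
		return pkix.Name{CommonName: csr.DNSNames[0]}, nil
	case len(csr.IPAddresses) > 0:
		return pkix.Name{CommonName: csr.IPAddresses[0].String()}, nil
	}
	return pkix.Name{}, errors.New("CSR has an empty Subject DN and no Subject Alternative Name")
}

// preflight parses a DER CSR, checks its self-signature, and returns the algorithm label and the
// Subject DN string that would reach the CA. The CSR bytes themselves are never modified.
func preflight(der []byte) (alg, subject string, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", "", fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if alg, err = checkCSRAlgorithm(csr); err != nil {
		return "", "", err
	}
	subj, err := effectiveSubject(csr)
	if err != nil {
		return "", "", err
	}
	return alg, dnString(subj), nil
}

// buildSamples returns constructed CSRs: supported RSA with a Subject, supported EC with an empty
// Subject plus a SAN, an unsupported curve (P-224), and an empty Subject with no SAN at all.
func buildSamples() (map[string][]byte, error) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed keys; generation only fails if rand.Reader does
	p256Key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p224Key, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	cases := []struct {
		name    string
		key     any // *rsa.PrivateKey or *ecdsa.PrivateKey
		subject pkix.Name
		dns     []string
	}{
		{"rsa2048-with-subject", rsaKey, pkix.Name{CommonName: "host1.example.com"}, []string{"host1.example.com"}},
		{"p256-empty-subject", p256Key, pkix.Name{}, []string{"svc.example.com"}},
		{"p224-empty-subject", p224Key, pkix.Name{}, []string{"svc.example.com"}},
		{"p256-no-san", p256Key, pkix.Name{}, nil},
	}
	samples := map[string][]byte{}
	for _, c := range cases {
		der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: c.subject, DNSNames: c.dns}, c.key)
		if err != nil {
			return nil, err
		}
		samples[c.name] = der
	}
	return samples, nil
}
```

Running preflight over the four constructed CSRs gives RSA-2048 with CN=host1.example.com, EC P-256 with CN=svc.example.com derived from the SAN, a rejection for the P-224 key, and a rejection for the CSR that has neither a Subject nor a SAN; a client that fails this check locally avoids a round trip that the gateway would refuse.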