...

Finally, Enterprise Admins can assign the Client Authentication Approver role to members. While no approvals are required for IGTF client authentication certificates, since they are issued automatically, these approvers will still have visibility into all certificate requests submitted within their Enterprise.

How do I use ACME? 

There are two options for using ACME with HARICA:

Enterprise Admin
  Availability: available in all accounts
  Certificate type: TLS OV
  Domain validation: instead of ACME challenges, the validations in CertManager (in the list of domains) are used
  Domains: (sub)domains, with both include and exclude configurable in CertManager

Enterprise User (End Users)
  Availability: can be switched on manually (see below)
  Certificate type: TLS DV
  Domain validation: the user must always do an ACME challenge (http or dns) for domain validation
  Domains: all domains within the Enterprise

A domain MUST have been added to the Enterprise before ACME can be used for that domain. 

ACME for Enterprise Admins

Enterprise Admins can create EAB (External Account Binding) credentials that can be used for specific domains. It is then possible to skip domain validation in your ACME client.

  • Go to “Enterprise” → “Admin” and then select the “ACME” tab at the top:

  • Accounts can be created with "Create+". The friendly name is intended to help you identify the account more easily in the list:

  • Once the account is created, you need to define the scope of domains. To do this, select the account and go to the "Domains" tab:

  • After this, use the EAB credentials under "Details" in your favorite ACME client or communicate them via a secure channel to the administrator who will be working with them. 

ACME for End Users

This is an additional implementation of ACME, which is functionally similar to Let's Encrypt: end users are given access (with a personal HMAC key) to an ACME server on which they can request certificates, as long as they can perform DCV (domain control validation) during the ACME transaction.

  • Enabling is done once by an Enterprise Admin via Enterprise → Admin → select Enterprise → Click on the organization under "Legal Name" → press the "tags" button at the top right (picture of a label). There the switch for #ACME-Personal can be turned on:

(Screenshot: Harica_CertManager_-_Enterprises.jpeg)

  • This will make a new ACME button available to all users in the left menu to manage ACME accounts. When using Personal ACME, a DNS-01 or HTTP-01 challenge must be performed for each certificate and the HMAC key must be specified.
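Both variants above hand the user a key identifier and an HMAC key (the EAB credentials under "Details" for Enterprise Admin accounts, the personal HMAC key for Personal ACME). The example below, which is added here and is not HARICA's or any ACME client's own code, shows what a client does with those two values: it builds the External Account Binding JWS from RFC 8555 section 7.3.4 that is embedded in the newAccount request, and includes the check a server performs to verify it. The newAccount URL, the key identifier, the HMAC key and the account JWK are all constructed placeholders, not real HARICA values.

```python
"""Construct and verify an ACME External Account Binding (EAB) JWS.

Illustrative code following RFC 8555 section 7.3.4; not HARICA's own
implementation. All sample values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key_b64url: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: sign the account's public JWK with the HMAC key from the CA.

    The protected header carries alg HS256, the CA-issued kid and the
    newAccount URL; there is no nonce in an EAB JWS.
    """
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":"), sort_keys=True).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    key = b64url_decode(hmac_key_b64url)  # the HMAC key is delivered base64url-encoded
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(signature)}


def new_account_payload(contact_email: str, eab: dict) -> dict:
    """The newAccount body that wraps the EAB JWS (client side)."""
    return {
        "contact": [f"mailto:{contact_email}"],
        "termsOfServiceAgreed": True,
        "externalAccountBinding": eab,
    }


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str, expected_url: str) -> bool:
    """Server side: confirm header fields and recompute the MAC in constant time."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if protected.get("alg") != "HS256":
        return False
    if protected.get("kid") != expected_kid or protected.get("url") != expected_url:
        return False
    key = b64url_decode(hmac_key_b64url)
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed placeholders: not real HARICA endpoints or credentials.
NEW_ACCOUNT_URL = "https://acme.example.invalid/acme/new-account"
SAMPLE_KID = "example-eab-kid-0001"
SAMPLE_HMAC_KEY = b64url(bytes(range(32)))  # 32-byte key, base64url-encoded as a CA would hand it out
SAMPLE_ACCOUNT_JWK = {  # placeholder P-256 public key; coordinates are dummy values
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x11" * 32),
    "y": b64url(b"\x22" * 32),
}

SAMPLE_EAB = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK)

if __name__ == "__main__":
    print(json.dumps(new_account_payload("admin@example.invalid", SAMPLE_EAB), indent=2))
    print("verifies:", verify_eab(SAMPLE_EAB, SAMPLE_HMAC_KEY, SAMPLE_KID, NEW_ACCOUNT_URL))
```

In practice an ACME client does this for you: certbot takes the two values as `--eab-kid` and `--eab-hmac-key` when registering against a CA's directory URL, and acme.sh uses the same option names with `--register-account`. The HMAC key is a bearer secret for the account scope configured in CertManager, which is why the page asks that it be passed to other administrators only over a secure channel.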