ACME with acme4j
This is an EJBCA Enterprise feature.
The following covers how to install and use the ACME client acme4j.
For general information on ACME (Automatic Certificate Management Environment), see ACME.
acme4j is a Java client for ACME that helps to connect to an ACME server and perform all necessary steps to manage certificates. For more information, refer to acme4j on GitHub.
Installation and Operation
Supported Versions
EJBCA Enterprise supports acme4j version 2.1.11 or higher.
The latest version tested with EJBCA Enterprise is acme4j 2.1.12.
Download
Download or install from the GitHub repository: acme4j on GitHub.
Supported Features
The following highlights supported features:
acme4j supports EJBCA approvals for ACME account management.
acme4j supports certificate enrollment for IP identifiers.
acme4j supports EAB (External Account Binding) as specified in RFC 8555 section 7.3.4, as well as EAB with a public key or certificate.
Prerequisites
acme4j requires JRE8 or higher.
Installation
After you have downloaded the acme4j JAR files and their dependencies into a single directory, you can invoke the test client with the classpath pointing to this directory (-cp './*'):
java -cp './*' [...] org.shredzone.acme4j.example.ClientTestEjbca https://localhost:8442/ejbca/acme/directory <domain>
The following shows a sample explicit classpath listing the required dependencies:
java -cp ./acme4j-client-2.11.jar:./acme4j-example-2.11-SNAPSHOT.jar:./acme4j-it-2.11.jar:./acme4j-utils-2.11.jar:./bcprov-jdk15on-168.jar:./bcpkix-jdk15on-168.jar:./slf4j-api-2.0.0-alpha1.jar:./slf4j-simple-2.0.0-alpha1.jar
EJBCA ACME with acme4j 2.1.1 or Higher
acme4j is a Java-based ACME client library requiring JDK8+. It can manage ACME accounts as well as certificates for multiple identifiers, supporting IPv4 and IPv6 identifiers.
acme4j comes with an example project implementing a test client. A small update to accept the ACME server URL and, optionally, to enroll certificates for IP identifiers enables integration with EJBCA (see org.shredzone.acme4j.example.ClientTestEjbca - Usage: ClientTest URL <domain/Ip>...). All identifiers are written into the SAN of the resulting certificate, and the first identifier is written into the CN as well. If no account exists, a new account is created.
Example to enroll a certificate with CN=localhost and SAN=dnsName=localhost (the classpath is set as described under Installation):
acme4j EJBCA Test Client
java -cp './*' -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit org.shredzone.acme4j.example.ClientTestEjbca https://localhost:8442/ejbca/acme/directory localhost
Example to enroll a certificate with CN=localhost and SAN=dnsName=localhost,ipAddress=127.0.0.1:
acme4j EJBCA Test Client
java -cp './*' -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit org.shredzone.acme4j.example.ClientTestEjbca https://localhost:8442/ejbca/acme/directory localhost 127.0.0.1
Example to enroll a certificate with CN=2002:c0a8:0164::c0a8:0164 (=192.168.1.100) and SAN=dnsName=domain.host,ipAddress=2002:c0a8:0164::c0a8:0164:
acme4j EJBCA Test Client
java -cp './*' -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit org.shredzone.acme4j.example.ClientTestEjbca https://[0:0:0:0:0:0:0:1]:8442/ejbca/acme/directory 2002:c0a8:0164::c0a8:0164 domain.host
Keep in mind that you need to run your application server with IPv6 for the IPv6 example. WildFly 14 can be operated with either IPv4 or IPv6, but not both at the same time.
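The enrollment flow the test client performs, written against the acme4j library API as an added example (this is not the ClientTestEjbca code shipped with acme4j or EJBCA). It assumes the EJBCA ACME alias requires EAB, that the EAB key ID and HMAC key are supplied as placeholders, that the http-01 challenge token is published by a publishToken hook you implement, and that the EJBCA trust store is passed with the same -Djavax.net.ssl.trustStore properties as in the commands above.

```java
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import org.shredzone.acme4j.*;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.KeyPairUtils;

public class EjbcaAcmeEnroll {
    static final String DIRECTORY = "https://localhost:8442/ejbca/acme/directory";
    static final String EAB_KID = "<eab-key-id>";       // placeholder, issued by the EJBCA ACME alias
    static final String EAB_HMAC = "<base64url-hmac>";  // placeholder, never hard-code in production

    // Hypothetical hook: make keyAuth reachable at http://<identifier>/.well-known/acme-challenge/<token>
    static void publishToken(String token, String keyAuth) { /* deploy to the web server here */ }

    interface Poll { Status check() throws AcmeException; }

    // Poll a resource until it is VALID; fail fast on INVALID or after a bounded number of rounds
    static void waitUntilValid(Poll p) throws Exception {
        for (int i = 0; i < 10; i++) {
            Status s = p.check();
            if (s == Status.VALID) return;
            if (s == Status.INVALID) throw new AcmeException("ACME server rejected the request");
            Thread.sleep(3000L);
        }
        throw new AcmeException("timed out waiting for ACME server");
    }

    public static X509Certificate enroll(List<Identifier> ids) throws Exception {
        Session session = new Session(DIRECTORY);
        // EAB (RFC 8555 7.3.4) ties the fresh ACME account key to a pre-registered EJBCA identity
        Account account = new AccountBuilder().agreeToTermsOfService()
                .useKeyPair(KeyPairUtils.createKeyPair(2048))
                .withKeyIdentifier(EAB_KID, EAB_HMAC).create(session);
        Order order = account.newOrder().identifiers(ids).create();
        for (Authorization auth : order.getAuthorizations()) {
            if (auth.getStatus() == Status.VALID) continue;      // already proven for this account
            Http01Challenge ch = auth.findChallenge(Http01Challenge.TYPE);
            publishToken(ch.getToken(), ch.getAuthorization());  // must be live before trigger()
            ch.trigger();
            waitUntilValid(() -> { ch.update(); return ch.getStatus(); });
        }
        CSRBuilder csr = new CSRBuilder();                       // all identifiers land in the SAN
        for (Identifier id : ids) csr.addIdentifier(id);
        csr.sign(KeyPairUtils.createKeyPair(2048));              // separate key from the account key
        order.execute(csr.getEncoded());
        waitUntilValid(() -> { order.update(); return order.getStatus(); });
        return order.getCertificate().getCertificate();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = enroll(Arrays.asList(
                Identifier.dns("localhost"), Identifier.ip(InetAddress.getByName("127.0.0.1"))));
        System.out.println(leaf.getSubjectX500Principal() + " SAN=" + leaf.getSubjectAlternativeNames());
    }
}
```

The account key and the certificate key are deliberately distinct, and the bounded poll loop stops on an INVALID status instead of retrying indefinitely against the CA.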