ACME with acme4j

This is an EJBCA Enterprise feature.

The following covers how to install and use the ACME client acme4j.

For general information on ACME (Automatic Certificate Management Environment), see ACME.

acme4j is a Java client for ACME that helps to connect to an ACME server and perform all necessary steps to manage certificates. For more information, refer to acme4j on GitHub.

acme4j comes with an example project implementing a test client. A small update to the original acme4j code, so that it accepts the ACME server URL and, optionally, enrolls certificates for IP identifiers, is enough to integrate it with EJBCA for testing purposes (see org.shredzone.acme4j.example.ClientTest; usage: ClientTest <URL> <domain/Ip> [<domain/Ip>] ...). See the attached acme4j-example-2.14-jar-with-dependencies.jar and ClientTest.java.

The following instructions refer to acme4j-example-2.14-jar-with-dependencies.jar for convenience. Take a look at the acme4j client implementation or get more information at acme4j on GitHub.

Installation and Operation

Supported Versions

EJBCA Enterprise supports acme4j version 2.11 or higher.

The latest version tested with EJBCA Enterprise is acme4j 2.14.

Download

Download or install from the GitHub repository: acme4j on GitHub.

Supported Features

The following highlights supported features:

  • acme4j supports EJBCA approvals for ACME account management.

  • acme4j supports certificate enrollment for IP identifiers.

  • acme4j supports pre-authorization.

  • acme4j supports EAB (External Account Binding) as specified in RFC 8555 section 7.3.4, as well as EAB with a public key or certificate.

Prerequisites

acme4j requires JRE8 or higher.

Installation

See acme4j on GitHub.

Testing EJBCA ACME with acme4j 2.14 example client

acme4j is a Java-based ACME client library requiring JDK8+. It can manage ACME accounts as well as certificates for multiple identifiers, supporting IPv4 and IPv6 identifiers and more.

For usage information, see the output of java -jar acme4j-example-2.14-jar-with-dependencies.jar.

If no account exists, a new account is created. The acme4j sample client generates the account key (user.key), the domain key (domain.key) and the CSR (domain.csr) in the directory from which it was launched.

Example to enroll a certificate with CN=localhost and SAN=dnsName=localhost.

acme4j EJBCA Test Client

java -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -jar acme4j-example-2.14-jar-with-dependencies.jar https://localhost:8442/ejbca/acme/directory localhost

Example to enroll a certificate with CN=localhost and SAN=dnsName=localhost,ipAddress=127.0.0.1.

acme4j EJBCA Test Client

java -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -jar acme4j-example-2.14-jar-with-dependencies.jar https://localhost:8442/ejbca/acme/directory localhost 127.0.0.1

Example to enroll a certificate with CN=2002:c0a8:0164::c0a8:0164 (=192.168.1.100) and SAN=dnsName=domain.host,ipAddress=2002:c0a8:0164::c0a8:0164.

acme4j EJBCA Test Client

java -Djavax.net.ssl.trustStore=$EJBCA_HOME/p12/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -jar acme4j-example-2.14-jar-with-dependencies.jar https://[0:0:0:0:0:0:0:1]:8442/ejbca/acme/directory 2002:c0a8:0164::c0a8:0164 domain.host

Keep in mind that you need to run your application server with IPv6 for the last example. WildFly 14 can be operated with either IPv4 only or IPv6 only.
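As an added example, not taken from the acme4j example project or from EJBCA, the following shows the second enrollment above (localhost plus 127.0.0.1) written directly against the acme4j 2.x API instead of through ClientTest. It assumes that the TLS trust store is supplied via the same -Djavax.net.ssl.trustStore system properties as in the commands above, that http-01 is the challenge type offered, and that a web server publishes the assumed directory /var/www/html on port 80 of the host being validated.

```java
import org.shredzone.acme4j.*;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.KeyPairUtils;
import java.io.FileWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyPair;

public class EjbcaAcmeEnroll {
    static final String DIRECTORY = "https://localhost:8442/ejbca/acme/directory"; // as in the commands above
    static final Path WEBROOT = Paths.get("/var/www/html"); // assumed webroot served on port 80 for http-01

    public static void main(String[] args) throws Exception {
        // Separate keys: the account key signs ACME requests, the domain key only ends up in the CSR.
        KeyPair accountKey = KeyPairUtils.createKeyPair(2048);
        KeyPair domainKey = KeyPairUtils.createKeyPair(2048);
        try (FileWriter w = new FileWriter("user.key")) { KeyPairUtils.writeKeyPair(accountKey, w); }
        try (FileWriter w = new FileWriter("domain.key")) { KeyPairUtils.writeKeyPair(domainKey, w); }
        Session session = new Session(DIRECTORY); // server trust comes from -Djavax.net.ssl.trustStore
        // create() returns the account already bound to this key, or registers a new one if none exists.
        Account account = new AccountBuilder().agreeToTermsOfService().useKeyPair(accountKey).create(session);
        Order order = account.newOrder()
                .identifier(Identifier.dns("localhost")).identifier(Identifier.ip("127.0.0.1")).create();
        for (Authorization auth : order.getAuthorizations()) {
            if (auth.getStatus() == Status.VALID) continue; // already valid, e.g. after pre-authorization
            Http01Challenge ch = auth.findChallenge(Http01Challenge.TYPE);
            if (ch == null) throw new AcmeException("no http-01 challenge for " + auth.getIdentifier());
            // Publish the key authorization where the EJBCA validator fetches it, then ask EJBCA to check it.
            Path file = WEBROOT.resolve(".well-known/acme-challenge").resolve(ch.getToken());
            Files.createDirectories(file.getParent());
            Files.write(file, ch.getAuthorization().getBytes(StandardCharsets.UTF_8));
            ch.trigger();
            for (int i = 0; i < 10 && ch.getStatus() == Status.PENDING; i++) { Thread.sleep(3000L); ch.update(); }
            Files.deleteIfExists(file); // the token is single-use; do not leave it published
            if (ch.getStatus() != Status.VALID) throw new AcmeException("challenge failed: " + ch.getError());
        }
        // RFC 8555 section 7.4: the CSR must request exactly the identifiers of the order.
        CSRBuilder csr = new CSRBuilder();
        csr.addIdentifier(Identifier.dns("localhost"));
        csr.addIdentifier(Identifier.ip("127.0.0.1"));
        csr.sign(domainKey);
        try (FileWriter w = new FileWriter("domain.csr")) { csr.write(w); }
        order.execute(csr.getEncoded());
        for (int i = 0; i < 10 && order.getStatus() != Status.VALID && order.getStatus() != Status.INVALID; i++) {
            Thread.sleep(3000L); order.update();
        }
        if (order.getStatus() != Status.VALID) throw new AcmeException("order failed: " + order.getError());
        try (FileWriter w = new FileWriter("domain-chain.crt")) { order.getCertificate().writeCertificate(w); }
    }
}
```

For the IPv6 variant, use the bracketed directory URL from the third command and Identifier.ip with the IPv6 address.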