Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Domino V12 ACME for company CAs using smallstep

Daniel Nashed  17 October 2020 08:46:26

The Let's Encrypt CA only works for web servers exposed to the internet (or at least for public domains in combination with your provider's DNS).
But the smallstep CA now supports the ACME protocol (RFC 8555), which is the underlying standard used by Let's Encrypt.
I was looking for a way to deploy internal web server test certificates for my lab and ran into this.
The whole setup took me like 10 minutes and it just works!

https://github.com/smallstep/certificates

Here is the main entry point for their documentation on ACME support --> https://github.com/smallstep/certificates/blob/master/docs/acme.md
The project is pretty interesting and well done! Besides web server certificates, it also supports client certificates for SSH etc.
You can run it inside your company as a CA or sub-CA, and it works with the Domino V12 Let's Encrypt integration.

I just took the Domino V12 October Early Access Docker image and configured it to use smallstep over ACME.
[You find the full documentation for Domino V12 certmgr here --> https://help.hcltechsw.com/domino/earlyaccess/secu_le_using_certificate_manager.html]

The smallstep CA is also available as a Docker image and is very easy to deploy --> https://github.com/smallstep/certificates/blob/master/docs/docker.md
You just need to add a provisioner for the ACME protocol --> https://github.com/smallstep/certificates/blob/master/docs/provisioners.md#acme

I just took one of my existing Domino servers and moved it to Docker on the same machine by pointing the local volumes to a new Docker container running the current Domino V12 code drop.

It just works!! The only small limitation I found so far is the missing certificate revocation for the ACME protocol, which the Domino certmgr has supported since the October code drop.

On the Domino side you just create a new ACME account document pointing to your smallstep ACME directory URL.
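Before pointing the Domino account document at the CA, it is worth confirming that the smallstep ACME directory is reachable over TLS with only the CA's own root trusted, and that it advertises the RFC 8555 endpoints (including revokeCert, given the revocation limitation mentioned above). The following Python script is an added example, not code from this post or from the smallstep or Domino projects; the host ca.lab.example, port 9000 and the provisioner name "acme" in the constructed sample directory are assumptions.

```python
"""Sanity-check an internal ACME CA's directory (RFC 8555 section 7.1.1).

Fetches https://<ca>/acme/<provisioner>/directory with the CA's root certificate
pinned, then reports which directory endpoints are present or missing.
"""
import json
import ssl
import urllib.request

# Endpoints an RFC 8555 directory is expected to advertise (newAuthz is optional).
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def fetch_directory(url: str, cafile: str) -> dict:
    """Fetch the ACME directory, trusting only the internal CA's root in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # no fallback to the system store
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_directory(directory: dict) -> dict:
    """Return present/missing required endpoints (HTTPS URLs only) and meta flags."""
    present = [k for k in REQUIRED
               if isinstance(directory.get(k), str) and directory[k].startswith("https://")]
    missing = [k for k in REQUIRED if k not in present]
    meta = directory.get("meta", {})
    return {
        "present": present,
        "missing": missing,
        "terms_of_service": meta.get("termsOfService"),
        "external_account_required": bool(meta.get("externalAccountRequired", False)),
    }


# Constructed sample in the shape of a smallstep directory (hypothetical host/provisioner).
SAMPLE_DIRECTORY = json.loads("""{
  "newNonce":   "https://ca.lab.example:9000/acme/acme/new-nonce",
  "newAccount": "https://ca.lab.example:9000/acme/acme/new-account",
  "newOrder":   "https://ca.lab.example:9000/acme/acme/new-order",
  "revokeCert": "https://ca.lab.example:9000/acme/acme/revoke-cert",
  "keyChange":  "https://ca.lab.example:9000/acme/acme/key-change"
}""")

if __name__ == "__main__":
    # Against a live CA: fetch_directory("https://ca.lab.example:9000/acme/acme/directory", "root_ca.crt")
    print(json.dumps(check_directory(SAMPLE_DIRECTORY), indent=2))
```

A non-empty "missing" list (or any endpoint served over plain http://) is the signal to fix the CA configuration before Domino certmgr is pointed at it.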


[Image: Domino V12 ACME for company CAs using smallstep]

With that you are ready to issue your first certificates by selecting your local smallstep CA...


[Image: Domino V12 ACME for company CAs using smallstep]

