Custom ACME server

Hi, the Certify FAQ says:
“Certify The Web is a GUI to manage, request and renew certificates from Let’s Encrypt and other popular (or custom) certificate authorities who support the ACME (Automated Certificate Management Environment) standard.”

I am interested in the “custom certificate authorities” part, as we are running our own ACME server on the internal network.

However, I cannot find any explanation of how to define a custom CA in the program…

So, some help is appreciated …

Hi, thanks. It’s not yet documented as it’s a test feature, but you can enable the CA editor in Settings > UI Settings > Certificate Authority Editor. Then, in Settings > Certificate Authorities, you can click Edit Certificate Authorities and use that to add a new certificate authority.

The URL you enter is the full URL to the /directory endpoint of the ACME CA. If the CA doesn’t have a staging API you can use the production API endpoint as the staging value (you may also be able to leave that blank, I forget whether that’s required currently).

You can then create a new account with the certificate authority (New Account). Then, when you create a new managed certificate, you can choose Certificate > Advanced > Certificate Authority to change the default certificate authority.

p.s. which CA software are you trying to use? It’s interesting to know which products people have tried so we know it’s compatible.

We are running smallstep’s step-ca (Run Your Own Private Certificate Authority & ACME Server | Smallstep Blog)

Using Windows Acmev2 client (WACS) on the client side. This is perfect for our IIS infrastructure, but it lacks some post-install functionality (e.g. I want to use our own ACME certs on our PRTG monitoring infrastructure…)

Cool, yes, I’ve tested the app with smallstep in the past, so that should be OK. Note that as well as using the CA editor UI you can also manually edit C:\ProgramData\Certify\ca.json and then restart the Certify Service (and UI). Here is my test config for a smallstep CA; most of the fields don’t really apply, and the important bit is pointing to the CA directory URL:

  {
    "Id": "smallstep-01",
    "APIType": "ACME_V2",
    "SupportedFeatures": [
      "DOMAIN_SINGLE",
      "DOMAIN_MULTIPLE_SAN",
      "DOMAIN_WILDCARD"
    ],
    "Title": "SmallStep.AcmeServer",
    "Description": "Smallstep CA ACME Server",
    "WebsiteUrl": "https://certifytheweb.com/",
    "PrivacyPolicyUrl": "https://www.certifytheweb.com/",
    "TermsAndConditionsUrl": "https://www.certifytheweb.com/",
    "ProductionAPIEndpoint": "https://localhost:8443/acme/acme/directory",
    "StagingAPIEndpoint": "https://localhost:8443/acme/acme/directory",
    "IsEnabled": true,
    "IsCustom": true,
    "SANLimit": 100,
    "RequiresEmailAddress": false,
    "RequiresExternalAccountBinding": false,
    "AllowUntrustedTls": false,
    "EabInstructions": null
  },

… and let me know if you have any other questions :slight_smile:

There was no ca.json in folder C:\ProgramData\Certify, so I created the file manually. Unfortunately, after restarting the service and the GUI, there was no option to select the added CA…

Sorry, I was just assuming you’d use the editor UI. I should have said that file was just an example of the settings and only gets created after you have used the CA editor. That example was not a complete file; it’s a JSON array, and you’d at least need the square brackets:

[
{
    "Id": "smallstep-01",
    "APIType": "ACME_V2",
    "SupportedFeatures": [
      "DOMAIN_SINGLE",
      "DOMAIN_MULTIPLE_SAN",
      "DOMAIN_WILDCARD"
    ],
    "Title": "SmallStep.AcmeServer",
    "Description": "Smallstep CA ACME Server",
    "WebsiteUrl": "https://certifytheweb.com/",
    "PrivacyPolicyUrl": "https://www.certifytheweb.com/",
    "TermsAndConditionsUrl": "https://www.certifytheweb.com/",
    "ProductionAPIEndpoint": "https://localhost:8443/acme/acme/directory",
    "StagingAPIEndpoint": "https://localhost:8443/acme/acme/directory",
    "IsEnabled": true,
    "IsCustom": true,
    "SANLimit": 100,
    "RequiresEmailAddress": false,
    "RequiresExternalAccountBinding": false,
    "AllowUntrustedTls": false,
    "EabInstructions": null
  }
]

Or just use the editor UI. The only settings that really matter are the Endpoint URLs, and you will need to allow untrusted TLS if the endpoint is https and is not using an actual trusted cert.
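The procedure from the replies above (point an entry at the step-ca directory URL, write ca.json as a JSON array, decide whether AllowUntrustedTls is needed, restart the service), as an added PowerShell example. This is not Certify The Web’s own code and not something the posters supplied. The directory hostname, the CA id, the service display-name pattern and the placeholder website/policy URLs are assumptions; the other field values mirror the sample entry in the thread. It probes the directory first so the entry only claims AllowUntrustedTls when the host really does not trust the CA’s TLS chain, and it keeps the outer square brackets even for a single entry.

```powershell
# Added example, not code from Certify The Web or from the posters above.
# Registers a step-ca ACME directory in Certify's ca.json (a JSON array of CA
# entries), probing the endpoint first so AllowUntrustedTls is set honestly.
# Assumptions: the directory URL, the CA id, the placeholder URLs and the
# service display-name pattern; change them to match your environment.
#Requires -Version 5.1
param(
    [string]$DirectoryUrl = 'https://ca.internal.example:8443/acme/acme/directory',  # assumption
    [string]$CaId         = 'smallstep-01',
    [string]$CaJsonPath   = 'C:\ProgramData\Certify\ca.json',
    [switch]$RestartService
)
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-AcmeDirectory {
    # Fetches the ACME directory and reports whether the server's TLS chain
    # validated against this host's trust store.
    param([string]$Url)
    $probe = [ordered]@{ TrustedTls = $true; Directory = $null }
    try {
        $probe.Directory = Invoke-RestMethod -Uri $Url -Method Get
        return $probe
    } catch {
        # Anything other than a chain/trust failure (DNS, refused, 404) is fatal.
        if ($_.Exception.Message -notmatch 'trust|SSL|TLS|certificate') { throw }
        $probe.TrustedTls = $false
    }
    # Retry with chain validation disabled, for the probe only.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $probe.Directory = Invoke-RestMethod -Uri $Url -Method Get -SkipCertificateCheck
    } else {
        $saved = [Net.ServicePointManager]::ServerCertificateValidationCallback
        [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        try     { $probe.Directory = Invoke-RestMethod -Uri $Url -Method Get }
        finally { [Net.ServicePointManager]::ServerCertificateValidationCallback = $saved }
    }
    return $probe
}

$probe = Test-AcmeDirectory -Url $DirectoryUrl
# RFC 8555 section 7.1.1: an ACME v2 directory must advertise these resources.
$required = 'newNonce', 'newAccount', 'newOrder'
$missing  = $required | Where-Object { -not $probe.Directory.PSObject.Properties[$_] }
if ($missing) { throw "Not an ACME v2 directory, missing: $($missing -join ', ')" }
if (-not $probe.TrustedTls) {
    Write-Warning "TLS chain for $DirectoryUrl is not trusted by this host; setting AllowUntrustedTls. Installing the CA root in the machine store is the better fix."
}

$entry = [pscustomobject][ordered]@{
    Id                             = $CaId
    APIType                        = 'ACME_V2'
    SupportedFeatures              = @('DOMAIN_SINGLE', 'DOMAIN_MULTIPLE_SAN', 'DOMAIN_WILDCARD')
    Title                          = 'SmallStep.AcmeServer'
    Description                    = 'Smallstep CA ACME Server'
    WebsiteUrl                     = 'https://smallstep.com/'   # placeholder (assumption)
    PrivacyPolicyUrl               = 'https://smallstep.com/'   # placeholder (assumption)
    TermsAndConditionsUrl          = 'https://smallstep.com/'   # placeholder (assumption)
    ProductionAPIEndpoint          = $DirectoryUrl
    StagingAPIEndpoint             = $DirectoryUrl   # no staging API, so reuse production as the thread does
    IsEnabled                      = $true
    IsCustom                       = $true
    SANLimit                       = 100
    RequiresEmailAddress           = $false
    RequiresExternalAccountBinding = $false
    AllowUntrustedTls              = (-not $probe.TrustedTls)
    EabInstructions                = $null
}

# Merge with any entries already in ca.json, replacing one with the same Id.
$existing = @()
if (Test-Path -Path $CaJsonPath) {
    $parsed   = Get-Content -Raw -Path $CaJsonPath | ConvertFrom-Json
    $existing = @($parsed)   # @() keeps an array as-is and wraps a bare object
}
$updated = @($existing | Where-Object { $_.Id -ne $CaId }) + $entry

# -InputObject (rather than piping) keeps the outer [ ] even for one entry,
# which is exactly what the first sample in the thread was missing.
$json = ConvertTo-Json -InputObject $updated -Depth 5
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Path $CaJsonPath)
Set-Content -Path $CaJsonPath -Value $json -Encoding UTF8
Write-Host "Wrote $($updated.Count) CA entry/entries to $CaJsonPath"

if ($RestartService) {
    # The display-name pattern is an assumption; confirm with Get-Service on your host.
    Get-Service | Where-Object { $_.DisplayName -like 'Certify*' } | Restart-Service
}
```

Run it from an elevated prompt on the Certify host with `-RestartService` to apply the change, then open the UI and check Settings > Certificate Authorities. If the probe reports an untrusted chain, prefer importing the step-ca root into the machine’s Trusted Root store and re-running, so the entry can be written with AllowUntrustedTls false.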

OK, this may sound like a very stupid question to you, but where can I find the “editor UI”? I clicked all possible tabs in the front-end application, but cannot find an option to add CAs…

OK, forget above… Adding the square brackets did the trick :slight_smile:


For info though, the CA editor is under Settings > Certificate Authorities, where you can click Edit Certificate Authorities (because it’s experimental you have to enable it first using Settings > UI Settings > Certificate Authority Editor).

Found it! (stupid me :slight_smile: )

Got it working fine on IIS machines
