ACME HTTP and DNS Validation Guide

Introduction

SecureW2 uses the Automated Certificate Management Environment (ACME) protocol to issue certificates for server authentication. This allows organizations to automatically issue and renew server certificates for hosts that run an ACME client, so that internal applications can be reached over TLS with certificates from the organization's own PKI.

To streamline the issuance of server certificates, the ACME (Domain Validation) Server Certificate Enrollment Token has been introduced. As part of this implementation, a component called the ACME Proxy (referred to as the ACME Forwarder in the installer and CLI) has been developed. The ACME Proxy is installed in the customer's network between the ACME client and the ACME server. It receives client requests and forwards them to the appropriate API so that control of the requested domain can be validated either with the http-01 challenge (an HTTP lookup of the challenge response on the requesting host) or with the dns-01 challenge (a DNS lookup of a TXT record for the requested name).
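The following is an added illustration, not SecureW2 code and not a description of how the ACME Proxy is implemented internally: it shows, in Python, the two checks that any ACME validator performs for the challenge types named above, as specified in RFC 8555 (sections 8.1, 8.3 and 8.4) and RFC 7638. It goes slightly beyond the page by spelling out the key-authorization construction that ties each challenge to the requesting ACME account key. The account JWK, the second "other account" JWK and the token are constructed sample values, not real keys.

```python
# Added example (not SecureW2/JoinNow code): what an ACME validator checks for
# http-01 and dns-01, per RFC 8555 s8.1/8.3/8.4 and RFC 7638.
# The JWK and token values at the bottom are constructed samples, not real keys.
import base64
import hashlib
import hmac
import json
import re

# RFC 8555 s8.3: the token is base64url text carrying at least 128 bits of
# entropy (22 base64url characters). This is a syntax check only, but it is
# what keeps a token from ever being turned into a path such as "../..".
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def is_valid_token(token: str) -> bool:
    return TOKEN_RE.fullmatch(token) is not None


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* public members only,
    serialized with lexicographically sorted keys and no whitespace.
    Optional members such as "kid" or "alg" must not be included."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token "." thumbprint(account key). This binds the challenge
    response to one ACME account, so a response published by account A cannot
    satisfy an order placed by account B for the same name."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url or is too short")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(domain: str, token: str) -> str:
    """URL the validator fetches for http-01 (plain HTTP on port 80)."""
    if not is_valid_token(token):
        raise ValueError("refusing to build a path from an invalid token")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Name and expected TXT value for dns-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(token: str, account_jwk: dict, fetched_body: bytes) -> bool:
    """RFC 8555 s8.3: the response body, with trailing whitespace removed,
    must equal the key authorization exactly (constant-time compare)."""
    try:
        got = fetched_body.rstrip(b" \t\r\n").decode("ascii")
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(got, key_authorization(token, account_jwk))


def validate_dns01(domain: str, token: str, account_jwk: dict, txt_records: list) -> bool:
    """RFC 8555 s8.4: at least one TXT record at _acme-challenge.<domain> must
    match; unrelated TXT records (SPF and the like) are simply ignored."""
    _, expected = dns01_record(domain, token, account_jwk)
    return any(
        isinstance(rr, str) and rr.isascii() and hmac.compare_digest(rr, expected)
        for rr in txt_records
    )


# Constructed sample inputs: not real keys, the moduli are placeholder strings.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus", "kid": "ignored"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-other-account-modulus"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token

if __name__ == "__main__":
    host = "www.example.com"
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("http-01: GET", http01_url(host, SAMPLE_TOKEN), "must return", ka)
    name, txt = dns01_record(host, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"dns-01: TXT {name} must contain {txt}")
    print("http-01 valid:", validate_http01(SAMPLE_TOKEN, SAMPLE_JWK, (ka + "\n").encode()))
    print("http-01 other account:", validate_http01(SAMPLE_TOKEN, OTHER_JWK, ka.encode()))
```

Two points in this block matter for anything that sits in the validation path, including a proxy: the token is checked for base64url syntax before it is turned into a URL path, and comparisons use `hmac.compare_digest` rather than `==`. The "other account" case shows why the thumbprint is part of the response: the same token served for a different account key does not validate.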

This document provides instructions for configuring the ACME (Domain Validation) Server Certificate Enrollment in the JoinNow Management Portal.

Prerequisites

The following prerequisites are required to set up the ACME (Domain Validation) Server Certificate Enrollment with JoinNow.

  1. An active JoinNow PKI Ultimate subscription, or an APEX, Guardian or Campus subscription.
  2. An ACME client (for example, win-acme on Windows) on each host that enrolls and renews server certificates.

Configuring SecureW2

The following are the high-level configuration steps for ACME (Domain Validation) Server Certificate Enrollment in the JoinNow Management Portal.

  1. Creating a Device Management Platform.
  2. Creating a Certificate Template.
  3. Policy Management.

Creating a Device Management Platform

To create an ACME (Domain Validation) Server Certificate Enrollment Token, perform the following steps.

  1. Navigate to Integration Hub > Device Management Platforms.
  2. Click Add.
  3. In the Name and Description fields, enter the name and a suitable description for the device management platform.
  4. From the Type drop-down list, select ACME (Domain Validation) Server Certificate Enrollment Token. This token type validates ownership of the requested domain so that server certificates cannot be enrolled for names the requester does not control. The Authorization Type is then displayed as Forwarder.
  5. Click Save. A .csv file containing the API secret is downloaded. Keep this file secure: the API secret is entered later on the ACME Forwarder host (see JoinNow ACME Forwarder Setup).

Creating a Certificate Template

A certificate template defines a predefined set of parameters and rules that determine how digital certificates are generated and what information they contain. In automated certificate issuance systems, such as those using the ACME protocol, templates can include variables (for example, ${/auth/san/dnsname}) that are dynamically replaced with values obtained during the certificate request or enrollment process.

To create a certificate template, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Scroll to the Certificate Templates section and click Add Certificate Template.
  4. In the Basic section, enter the name of the certificate template in the Name field.
  5. In the Subject and DNS fields, enter ${/auth/san/dnsname}. This variable is replaced with the DNS name from the ACME authorization, so the issued certificate only carries the name that was validated.
  6. In the Extended Key Usage section, under the Use Certificate For list, select Server Authentication.
  7. Retain the default values in the template.
  8. Click Save.

Policy Management

This section describes the policies that must be configured in JoinNow for the ACME (Domain Validation) Server Certificate Enrollment Token.

  1. Policy Workflows
  2. Device Role Policy
  3. Enrollment Policy

Policy Workflow

To configure a Policy Workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. From the Core Provider drop-down list, select the ACME (Domain Validation) Server Certificate Enrollment Token created in the Creating a Device Management Platform section.
  9. Click Update.

Device Role Policy

The Device Role Policy maps the device management platform in JoinNow to facilitate device attestation. To create a device role policy, follow these steps:

  1. Navigate to Policy Management > Device Role.
  2. Click Add Device Role Policy.
  3. In the Basic tab, enter a name and a suitable description for the Device Role Policy in the Name and Description fields.
  4. Click Save. The page refreshes, and the Conditions tab opens.
  5. Click the Conditions tab.
  6. From the Identity drop-down, select the ACME (Domain Validation) Server Certificate Enrollment Token created in the Creating a Device Management Platform section.
  7. Click Update.

Enrollment Policy

An Enrollment Policy defines the certificate template and Certificate Issuer to be used for each Policy Workflow. It leverages the segmentation established in the Policy Workflow to ensure that the appropriate certificate template is used for each workflow. For example, an administrator can create a separate Enrollment Policy for each department, such as Finance, Marketing, or Sales, based on the Policy Workflows, and assign a specific certificate type to each department based on business requirements.

To create an Enrollment policy, follow these steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
  7. From the Role list, select the policy workflow you created earlier.
  8. From the Device Role drop-down list, select the device role created in the Device Role Policy section.
  9. Select the Settings tab.
  10. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA created for ACME.
  11. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating a Certificate Template section).
  12. From the Revoke Certificate drop-down list, select Automatically. In the adjacent Using field, enter ${/template/san/dns}.
  13. Click Update.

JoinNow ACME Forwarder Setup

The ACME Proxy is available for download from the JoinNow Management Portal. It can be accessed by navigating to General > Downloads > Enrollment Gateway > ACME Proxy.zip.

Configuring JoinNow ACME Forwarder on Windows

To set up JoinNow ACME Forwarder on Windows, follow these steps:

  1. Run the acme_forwarder-1.0.0-x86_64 Windows installer and wait for the installation to complete.
  2. In Windows, search for ACME Forwarder CLI and open it.
  3. To open and modify the configuration file for the ACME Forwarder tool, run the following command: acme_forwarder_cli edit-config
  4. The config.toml file opens, allowing you to configure the parameters according to your business requirements.
  5. For environments that use a local DNS server, set the DNS mode to custom. For example:
  6. To store a secure API secret, run the following command: acme_forwarder_cli set-secret
  7. To apply configuration changes, restart the ACME Forwarder service: run acme_forwarder_cli stop followed by acme_forwarder_cli start. Run acme_forwarder_cli status to confirm that the service is running.

Install JoinNow ACME Forwarder on a Linux DEB-based system (Ubuntu/Debian)

To configure the JoinNow ACME Forwarder on a Linux DEB-based system, perform the following steps:

  1. Copy the acme-forwarder_1.0.0_amd64.deb package to your Linux system.
  2. In the Linux terminal, enter the following command to install the package and wait for the installation to complete: sudo dpkg -i acme-forwarder_1.0.0_amd64.deb
  3. To open and modify the configuration file for the ACME Forwarder tool, run the following command: sudo acme_forwarder_cli edit-config. This command launches the GNU Nano text editor with the /etc/sw2/acme_forwarder/config.toml file, allowing you to configure the parameters as per your business requirements.
  4. To store a secure API secret, run the following command: sudo acme_forwarder_cli set-secret
  5. To apply configuration changes, restart the ACME Forwarder service by running the following command: sudo acme_forwarder_cli stop && sudo acme_forwarder_cli start
  6. Logs are stored in the /var/log/sw2/acme_forwarder directory.

Install JoinNow ACME Forwarder on a Linux RPM-Based System

To set up JoinNow ACME Forwarder on a Linux RPM-Based System, follow these steps:

  1. Copy the acme-forwarder-1.0.0-1.amd64.rpm package to your Linux system.
  2. In the Linux terminal, enter the following command to install the package and wait for the installation to complete: sudo dnf install acme-forwarder-1.0.0-1.amd64.rpm
  3. To open and modify the configuration file for the ACME Forwarder tool, run the following command: sudo acme_forwarder_cli edit-config. This command launches the GNU Nano text editor with the /etc/sw2/acme_forwarder/config.toml file, allowing you to configure the parameters as per your business requirements.
  4. To store a secure API secret, run the following command: sudo acme_forwarder_cli set-secret
  5. To apply configuration changes, restart the ACME Forwarder service by running the following command: sudo acme_forwarder_cli stop && sudo acme_forwarder_cli start
  6. Logs are stored in the /var/log/sw2/acme_forwarder directory.

Enrollment Using ACME Forwarder

Windows IIS Server (Using Win-ACME Client)

This section explains how to perform enrollment with the win-acme ACME client, with the client pointed at the ACME Forwarder rather than at a public CA.

The example below demonstrates this configuration using Win-ACME with the http-01 challenge on a Windows IIS server.

Enhanced Event:

To view the events generated by the enrollment, navigate to Data Monitoring > Enhanced Events.

The example below demonstrates the configuration using Win-ACME with the dns-01 challenge on a Windows IIS server.

Enhanced Event: