Comments (4)
Hi Daniel! I'm sorry, but I don't know other CAs supporting it yet. This is why the support for RFC 8823 is still experimental in acme4j. It's mainly tested against the RFC via unit tests, but not field tested yet.
I will leave this issue open for a while. Maybe someone knows other CAs offering S/MIME certs via the ACME protocol?
from acme4j.
Thanks for your quick feedback!
You could test against -> https://acme.castle.cloud/
If you have DKIM set up for your domain, this should be easy to test against.
They have a staging and production environment.
Their implementation only supports e-mail challenges, from what it looks like.
Registering an account worked with an ECDSA key.
The interesting part is how you would use this in production.
The ACME account should be handled by the server including the communication with the CA.
But the request flow should start on the e-mail client.
- User requests a certificate
- Client creates private key and CSR
- Client sends CSR to server
- Server starts an ACME request with CA for user's e-mail address
- CA provides challenge
- Server waits for the challenge to arrive for the user and replies with the token
- Server waits until the challenge is valid...
- Server sends the CSR on behalf of the user
- Retrieves certificate and returns it to client
- Client merges private key and certificate chain
Server needs to make sure the client provides its identity in a reliable way.
Usually this isn't a problem, because clients have to authenticate against their mail server anyhow.
For a small environment without a corporate e-mail server, the client could do all the operations and hold the ACME account. But for a corporate environment, this would be the flow I would want to implement.
But this would require CAs supporting it.
from acme4j.
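The "server waits for the challenge to arrive and replies with the token" step of the flow described above, written out as an added example (this is not acme4j code and not the commenter's; it is a stand-alone illustration of the RFC 8823 email-reply-00 response as computed by a server holding the ACME account key). The CA address, the tokens, the challenge mail and the JWK coordinates are constructed sample values. It assumes the full token is token-part1 and token-part2 joined as the base64url strings they appear as; confirm that reading against the CA you target before relying on it. The point worth noticing for the corporate flow: the key authorization is bound to the server's ACME account key, so the user's S/MIME private key never has to leave the client, and the server must verify that the challenge mail really comes from the CA (From address here; DKIM verification in production) before answering it.

```python
"""email-reply-00 (RFC 8823) response computation for the server-side flow.
Added example, not acme4j code; standard library only."""
import base64
import hashlib
import json
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Constructed sample data, not output of any real CA.
CHALLENGE = {                                   # challenge object from the authorization
    "type": "email-reply-00",
    "from": "acme-challenge@ca.example",        # address the CA sends the challenge from
    "token": "zo6D4EnGI5ozJMe_JEJmyg",          # token-part2
}
CHALLENGE_MAIL = """\
From: ACME Challenge <acme-challenge@ca.example>
To: alice@mail.example
Subject: ACME: yE3MrPqhTABvUYxstFr7jQ
Message-ID: <challenge-1@ca.example>

Reply to this message to prove control of alice@mail.example.
"""
# The ACME account key belongs to the server, not the user; the user's S/MIME
# private key never leaves the client. Constructed JWK, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "ignored-by-thumbprint",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def extract_token_part1(mail, expected_from: str) -> str:
    """Return token-part1 from the Subject 'ACME: <token-part1>' of the CA's mail.

    Rejects mail whose From address is not the one announced in the challenge
    object. A production server would additionally verify the CA's DKIM
    signature before trusting the message; that is omitted here. Folded
    Subject headers can introduce whitespace, so all whitespace is removed.
    """
    if parseaddr(str(mail["From"]))[1].lower() != expected_from.lower():
        raise ValueError("challenge mail does not come from the address in the challenge")
    m = re.match(r"\s*ACME:\s*(.+)$", str(mail["Subject"]), re.DOTALL)
    if not m:
        raise ValueError("Subject is not an ACME challenge")
    return re.sub(r"\s+", "", m.group(1))


def build_response(token_part1: str, token_part2: str, account_jwk: dict) -> tuple:
    """Return (keyAuthorization, response body) for email-reply-00.

    Assumption: the full token is token-part1 followed by token-part2 as the
    base64url strings they appear as. keyAuthorization = token '.' thumbprint
    (RFC 8555 section 8.1); the body carries base64url(SHA-256(keyAuthorization))
    between the ACME RESPONSE markers.
    """
    key_authorization = f"{token_part1}{token_part2}.{jwk_thumbprint(account_jwk)}"
    digest = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    body = f"-----BEGIN ACME RESPONSE-----\n{digest}\n-----END ACME RESPONSE-----\n"
    return key_authorization, body


def respond_to_challenge(raw_mail: str, challenge: dict, account_jwk: dict, sender: str) -> EmailMessage:
    """Parse the CA's challenge mail and build the reply the server sends back."""
    mail = message_from_string(raw_mail, policy=default)
    token_part1 = extract_token_part1(mail, challenge["from"])
    _, body = build_response(token_part1, challenge["token"], account_jwk)
    reply = EmailMessage()
    reply["From"] = sender
    reply["To"] = challenge["from"]
    reply["Subject"] = f"Re: ACME: {token_part1}"
    if mail["Message-ID"]:
        reply["In-Reply-To"] = str(mail["Message-ID"])
    reply.set_content(body)
    return reply


if __name__ == "__main__":
    print(respond_to_challenge(CHALLENGE_MAIL, CHALLENGE, ACCOUNT_JWK, "alice@mail.example"))
```

After the reply is sent, the server polls the challenge until it is valid and then finalizes the order with the CSR it received from the client, exactly as in the list above; the certificate chain goes back to the client, which holds the matching private key.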
@Daniel-Nashed For small environments, you could run your own ACME CA (server-side and client-side (older binaries)). Run the software using node.js. There is a docker container (https://hub.docker.com/r/platynum/certification-authority) providing this service, too. The documentation is a little bit hidden, but please find it here: Setup ACME S/MIME CA.
from acme4j.
Thanks for the tip! I am mainly interested in production use.
And I am working on another ACME client product --> HCL Domino CertMgr
But as long as there is no widely trusted official CA (free or commercial), I can't implement it.
We have all the components in place, like our own DKIM implementation and a full ACME client implementation.
The only missing component would be adding the challenge and intercepting the incoming messages.
Nice to meet another ACME developer virtually!
I should test our ACME client against your ACME server!
Also it would be a good test bed for S/MIME in future!
from acme4j.