Public Key Infrastructure User Guide

ACME Protocol

09-Dec-24

Learn about the ACME protocol and how to enroll a certificate with it.

What is ACME Protocol

The Automated Certificate Management Environment (ACME) protocol is a PKI enrollment standard used by several PKI servers, such as Let's Encrypt. Let's Encrypt certificates allow free use of Web server certificates on SRX Series Firewalls, and these certificates can be used by Juniper Secure Connect and J-Web. Junos OS automatically re-enrolls Let's Encrypt certificates every 25 days.

The ACME protocol allows certificates to be enrolled from the Let's Encrypt server or from other ACME-enabled servers. The SRX Series Firewall enrolls the certificates from the Let's Encrypt server, and Juniper Secure Connect validates the certificates without copying or downloading any CA certificates.

When using Let's Encrypt, ensure that the Let's Encrypt server can resolve the domain name to the IP address of the SRX Series Firewall interface, as shown in Figure 1. It must also be able to reach the SRX Series Firewall interface on TCP port 80. During certificate enrollment, the SRX Series Firewall temporarily allows this incoming request automatically. If your SRX Series Firewall, an intermediate firewall, or a router blocks TCP port 80, certificate enrollment fails.

Figure 1: Name Resolution for Let's Encrypt

Limitations

  • ACME specification: the dns-01 challenge and external account binding are not supported.

  • ACME cannot be used when J-Web listens on port 80.

  • Wildcard certificates such as *.mydomain.com are not supported; instead, you can enroll multiple DNS names in one certificate.
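The conditions above (every requested name must resolve to the SRX interface address, TCP port 80 must be reachable, and wildcard names are rejected) are the usual reasons an ACME enrollment on the firewall fails. The following pre-flight script is an added example, not part of this guide or of Junos OS; it checks those conditions from a host outside the firewall before you run the enroll command. The resolver and TCP connector are injectable, so the checks can be exercised offline with constructed data; the interface address 198.51.100.10 and the host names are constructed sample values.

```python
"""Pre-flight checks for ACME enrollment on an SRX Series Firewall.

Added example (not Juniper code). Before running
`request security pki local-certificate enroll acme ...`, confirm that each
requested DNS name resolves to the IP address of the SRX interface, that no
wildcard name is requested, and that TCP port 80 on that interface is
reachable from outside. Run it from a host outside the firewall while the
enrollment window is open, because the SRX only permits port 80 while enrolling.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List

Resolver = Callable[[str], List[str]]           # hostname -> list of IP strings
Connector = Callable[[str, int, float], bool]   # host, port, timeout -> reachable?


def parse_domain_names(domain_name_arg: str) -> List[str]:
    """Split the comma-separated `domain-name` CLI argument into individual names.

    Rejects empty entries, duplicates and wildcard names (*.example.com); the
    SRX ACME client does not support wildcards, so each name must be listed.
    """
    names: List[str] = []
    for raw in domain_name_arg.split(","):
        name = raw.strip().lower().rstrip(".")
        if not name:
            raise ValueError("empty entry in domain-name list")
        if "*" in name:
            raise ValueError(f"wildcard names are not supported by ACME on SRX: {name}")
        if name in names:
            raise ValueError(f"duplicate name: {name}")
        names.append(name)
    return names


def default_resolver(hostname: str) -> List[str]:
    """Resolve with the system resolver; returns unique addresses in the order seen."""
    addrs: List[str] = []
    for info in socket.getaddrinfo(hostname, None):
        ip = info[4][0]
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def default_connector(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class PreflightReport:
    ok: bool
    problems: List[str] = field(default_factory=list)


def preflight(domain_name_arg: str, srx_interface_ip: str,
              resolver: Resolver = default_resolver,
              connector: Connector = default_connector,
              check_port: bool = True, timeout: float = 3.0) -> PreflightReport:
    """Run all checks; every failure is collected instead of stopping at the first."""
    try:
        names = parse_domain_names(domain_name_arg)
    except ValueError as exc:
        return PreflightReport(False, [str(exc)])

    problems: List[str] = []
    for name in names:
        try:
            addrs = resolver(name)
        except OSError as exc:
            problems.append(f"{name}: DNS lookup failed ({exc})")
            continue
        if srx_interface_ip not in addrs:
            problems.append(f"{name}: resolves to {addrs or 'nothing'}, expected {srx_interface_ip}")

    # Let's Encrypt validates over TCP 80; the SRX opens it only while enrolling.
    if check_port and not connector(srx_interface_ip, 80, timeout):
        problems.append(f"TCP port 80 on {srx_interface_ip} is not reachable")

    return PreflightReport(not problems, problems)


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py jweb.mydomain.com,remote-access.mydomain.com 198.51.100.10
    report = preflight(sys.argv[1], sys.argv[2])
    for problem in report.problems:
        print("FAIL:", problem)
    print("OK: ready to enroll" if report.ok else "NOT READY")
    sys.exit(0 if report.ok else 1)
```

The domain-name argument is passed in the same comma-separated form the Junos enroll command takes, so the script can be run on the exact string you intend to use. A non-zero exit code means at least one of the guide's preconditions is not met and the enrollment would fail.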

Enroll Local Certificate Using Let’s Encrypt Server

This example shows how to enroll the local certificate using Let's Encrypt.

  1. Specify the CA profiles.

    [edit]
    user@host# set security pki ca-profile ISRG_Root_X1 ca-identity ISRG_Root_X1
    user@host# set security pki ca-profile ISRG_Root_X1 revocation-check disable
    user@host# set security pki ca-profile Lets_Encrypt ca-identity Lets_Encrypt
    user@host# set security pki ca-profile Lets_Encrypt enrollment url https://acme-v02.api.letsencrypt.org/directory

  2. Commit the configuration.

    [edit]
    user@host# commit

  3. Load the CA certificate.

    user@host> request security pki ca-certificate load ca-profile ISRG_Root_X1 filename ISRG_Root_X1.pem

  4. Create the ACME key ID (the ACME account key pair).

    user@host> request security pki generate-key-pair size 2048 type rsa acme-key-id mydomain

  5. Prepare the enrollment of the local certificate by generating its key pair.

    user@host> request security pki generate-key-pair size 2048 type rsa certificate-id service-mydomain

  6. Enroll a certificate with one domain name.

    user@host> request security pki local-certificate enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt domain-name jweb.mydomain.com email jweb@acmejnpr.net letsencrypt-enrollment yes terms-of-service agree

    Alternatively, enroll a certificate with multiple domain names by listing them comma-separated.

    user@host> request security pki local-certificate enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt domain-name jweb.mydomain.com,remote-access.mydomain.com email jweb@acmejnpr.net letsencrypt-enrollment yes terms-of-service agree

  7. Once the enrollment finishes, the issued certificate is loaded into certificate-id service-mydomain.

Manual Re-Enroll Local Certificate

To re-enroll a local certificate online:

  1. Initiate the re-enrollment request.

    user@host> request security pki local-certificate re-enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt re-generate-keypair

  2. Once the re-enrollment finishes, the issued certificate is loaded into certificate-id service-mydomain.

Delete ACME Account

To delete the ACME account:

  1. Delete the ACME account.

    user@host> clear security pki acme account acme-key-id mydomain ca-profile Lets_Encrypt

    You can delete the ACME account key only if the ACME account has been activated or created by an enrollment.
