Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

ACME Protocol

Learn about ACME protocol and how to enroll the certificate.

What is ACME Protocol

Automated Certificate Management Environment (ACME) protocol is a new PKI enrollment standard used by several PKI servers such as Let’s Encrypt. The Let’s encrypt certificate allows for free usage of Web server certificates in SRX Series Firewalls, and this can be used in Juniper Secure Connect and J-Web. The Junos OS automatically re-enroll Let’s Encrypt certificates on occurance of every 25 days.

The ACME protocol allows the enrollment of certificates from Let’s Encrypt server or ACME enabled servers. The SRX Series Firewalls enrolls the certificates from Let’s Encrypt server and Juniper Secure Connect validates the certificates without copying and downloading any CA certificates.

When using Let’s Encrypt, ensure that the Let’s Encrypt server is able to resolve the domain name to the IP address of the SRX Series Firewall interface as shown in Figure 1. It must be able to reach the SRX Series Firewall interface on TCP port 80. During the certificate enrollment, the SRX Series Firewall will temporarily allow this incoming request automatically. If your SRX Series Firewall or an intermediate firewall or a router is blocking the TCP port 80, certificate enrollment will fail.

Figure 1: Name Resolution for Let's EncryptName Resolution for Let's Encrypt

Limitations

  • ACME specification - The dns-01 and external account binding are not supported.

  • ACME cannot be used when J-Web listen to port 80

  • Wildcard certificate is not supported such as *.mydomain.com, instead you can enroll multiple dns names.

Enroll Local Certificate Using Let’s Encrypt Server

This example shows how to enroll the local certificate using Let's Encrypt.

  1. Specify the CA profile.

  2. Commit the configuration.

  3. Load the CA certificate.

  4. Create ACME key ID.

  5. Preparing enrollment of local certificate.

  6. Enroll a certificate with one domain name.

    Enroll a certificate with multiple domain names.

  7. Once the enrollment is finished the issued certificate will be loaded in certificate-id service-mydomian.

Manual Re-Enroll Local Certificate

To re-enroll a local certificate online:

  1. Initiate the re-enrollment request.

  2. Once the re-enrollment is finished the issued certificate will be loaded in certificate-id service-mydomian.

Delete ACME Account

To delete the ACME account:

  1. Delete the ACME account.

    You can delete the ACME account key only if the ACME is activated or created by the enrollment.