ACME Protocol
Understanding ACME Protocol
The Automated Certificate Management Environment (ACME) protocol is a new PKI enrollment standard used by several PKI servers, such as Let’s Encrypt. A Let’s Encrypt certificate provides a free web server certificate for SRX Series Firewalls, which can be used with Juniper Secure Connect and J-Web. Junos OS automatically re-enrolls Let’s Encrypt certificates every 25 days.
The ACME protocol allows certificates to be enrolled from the Let’s Encrypt server or from any ACME-enabled server. The SRX Series Firewall enrolls the certificate from the Let’s Encrypt server, and Juniper Secure Connect validates it without copying or downloading any CA certificates.
When using Let’s Encrypt, ensure that the Let’s Encrypt server can resolve the domain name to the IP address of the SRX Series Firewall interface, as shown in Figure 1, and that it can reach that interface on TCP port 80. During certificate enrollment, the SRX Series Firewall temporarily allows this incoming request automatically. If the SRX Series Firewall, an intermediate firewall, or a router blocks TCP port 80, certificate enrollment fails.
Limitations
- ACME specification: the dns-01 challenge type and external account binding are not supported.
- ACME cannot be used when J-Web listens on port 80.
- Wildcard certificates such as *.mydomain.com are not supported; instead, enroll multiple DNS names.
Enroll Local Certificate Using Let’s Encrypt Server
This example shows how to enroll the local certificate using Let's Encrypt.
- Specify the CA profiles.
[edit]
user@host# set security pki ca-profile ISRG_Root_X1 ca-identity ISRG_Root_X1
user@host# set security pki ca-profile ISRG_Root_X1 revocation-check disable
user@host# set security pki ca-profile Lets_Encrypt ca-identity Lets_Encrypt
user@host# set security pki ca-profile Lets_Encrypt enrollment url https://acme-v02.api.letsencrypt.org/directory
- Commit the configuration.
[edit]
user@host# commit
- Load the CA certificate.
user@host> request security pki ca-certificate load ca-profile ISRG_Root_X1 filename ISRG_Root_X1.pem
- Create the ACME account key ID.
user@host> request security pki generate-key-pair size 2048 type rsa acme-key-id mydomain
- Generate the key pair for the local certificate to be enrolled.
user@host> request security pki generate-key-pair size 2048 type rsa certificate-id service-mydomain
- Enroll a certificate with one domain name.
user@host> request security pki local-certificate enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt domain-name jweb.mydomain.com email jweb@acmejnpr.net letsencrypt-enrollment yes terms-of-service agree
Or enroll a certificate with multiple domain names (comma-separated).
user@host> request security pki local-certificate enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt domain-name jweb.mydomain.com,remote-access.mydomain.com email jweb@acmejnpr.net letsencrypt-enrollment yes terms-of-service agree
- Once the enrollment finishes, the issued certificate is loaded under certificate-id service-mydomain.
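As an added illustration (not Juniper code) of what the SRX must satisfy during the enrollment above and why the wildcard limitation exists: the comma-separated domain-name value becomes RFC 8555 order identifiers, wildcards are refused because they would need the unsupported dns-01 challenge, and the CA then fetches the http-01 key authorization over TCP port 80. The account JWK and challenge token below are constructed sample values, not real key material.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires for ACME fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_domain_names(arg: str) -> list:
    """Split the comma-separated Junos 'domain-name' value into host names."""
    return [n.strip().lower() for n in arg.split(",") if n.strip()]

def check_domain_names(arg: str) -> list:
    """Problems the SRX ACME client would hit with this value ([] if clean).
    Wildcards are flagged: Let's Encrypt issues them only via dns-01, which
    the SRX client does not support, so explicit names must be used."""
    names = parse_domain_names(arg)
    problems = ["at least one domain name is required"] if not names else []
    for n in names:
        if "*" in n:
            problems.append(f"wildcard {n!r} needs dns-01; enroll explicit names")
    return problems

def new_order_payload(arg: str) -> str:
    """JSON body of the RFC 8555 newOrder request (one identifier per name)."""
    problems = check_domain_names(arg)
    if problems:
        raise ValueError("; ".join(problems))
    identifiers = [{"type": "dns", "value": n} for n in parse_domain_names(arg)]
    return json.dumps({"identifiers": identifiers}, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over only the
    required RSA members (e, kty, n), sorted, with no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def http01_expectation(domain: str, token: str, account_jwk: dict) -> dict:
    """What the CA fetches over plain HTTP on TCP 80 and the exact body it must
    receive: the challenge token joined to the account key thumbprint."""
    return {"url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": f"{token}.{jwk_thumbprint(account_jwk)}"}

# Constructed sample values (not a real key or token) for a stand-alone run.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-not-from-a-real-ca"
if __name__ == "__main__":
    print(new_order_payload("jweb.mydomain.com,remote-access.mydomain.com"))
    print(http01_expectation("jweb.mydomain.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```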
Manual Re-Enroll Local Certificate
To re-enroll a local certificate online:
- Initiate the re-enrollment request.
user@host> request security pki local-certificate re-enroll acme acme-key-id mydomain certificate-id service-mydomain ca-profile Lets_Encrypt re-generate-keypair
- Once the re-enrollment finishes, the issued certificate is loaded under certificate-id service-mydomain.
Delete ACME Account
To delete the ACME account:
- Delete the ACME account.
user@host> clear security pki acme account acme-key-id mydomain ca-profile Lets_Encrypt
You can delete the ACME account key only if the ACME account was activated or created by an enrollment.