Skip to main content

How to use ACME to install SSL/TLS certificates in Entrust Certificate Services (Apache)

User-added image

ACME is an open protocol that is used to request and manage SSL certificates. Entrust supports ACME to enable the auto-generation and installation of our SSL certificates onto Web servers on Linux and UNIX operating systems. Auto-generation and installation is much quicker and easier than having an administrator perform these tasks manually.

Entrust's ACME implementation is in five parts:

Step 1: Enable the ACME server and obtain the ACME URL

Step 2: Set up the ACME client (Certbot)

Step 3: Generate a certificate request

Step 4: Edit and approve the certificate request

Step 5: Generate and install the certificate

Follow the steps below to auto-generate and install a certificate using ACME.

Step 1: Enable the ACME server and obtain the ACME URL

1. Ensure you are logged in to Certificate Services as a Super Administrator. Only Super Administrators can change the ACME options.

2. From the main menu, click Administration > ACME Settings.

3. If prompted to log in, enter your grid card values, soft token response, or text message authentication code in the field(s) provided.

4. Select the Enable ACME check box.

5. Next to ACME URL, click  to copy the URL to the clipboard, or write it down. This is the URL of the ACME server specific to your account. This server is run by Entrust.

6. Click Update.

You have now enabled the ACME server and obtained the ACME URL that is specific to your account.

Step 2: Set up the ACME client (Certbot)

1. On the UNIX or Linux computer where you need the SSL certificate, install an ACME client such as Certbot, available at https://certbot.eff.org.

2. For more on Certbot, read its documentation at https://certbot.org/docs.

3. Although many other ACME clients are available, this help assumes you are using Certbot.

Step 3: Generate a certificate request

1. In the ACME client, request a certificate. In Certbot, the command looks similar to the following:

certbot --server <Entrust_URL> -t -m <webadmin_email> -d <domain>

where:

● --server <Entrust_URL> indicates the URL of the ACME server that you copied or wrote down in a previous step. ● (optional) -t indicates you want to use the text output instead of the curses user interface (UI). The text output can be easier to read on some terminals.

-m <admin_email> indicates the email address of the ACME client (Certbot) administrator. This individual will receive an email when the certificate request has been approved through Certificate Services.

● -d <domain> is the Web server domain to be protected by the certificate.

Example:

root@www:~/certbot# --server https://www.entrust.net/acme/api/v1/
directory/LP2-IAO7-8Y2R -t
--email [email protected] -d www.example.com

Note: For more information on Certbot commands, see https://certbot.eff.org/docs.

2. If you see this message...

Incomplete authorizations

...you can safely ignore it. It means that your certificate request has been received and is pending approval by Entrust. The ACME client sees this pending request as an incomplete domain authorization. When you run the ACME client again after the request is approved, the message goes away.

3. If you see this message...

IMPORTANT NOTES:
–  If you lose your account credentials, you can recover through e-mails sent to [email protected].
–  Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

...read the notes. These notes only appear the first time you run the Certbot command.

You have now generated a certificate request and sent it to Entrust Certificate Services.

Step 4: Edit and approve the certificate request

1. In Certificate Services, do the following:

2. From the main menu, select Manage > Certificates.

3. If prompted to log in, enter your grid card values, soft token response, or text message authentication code in the field(s) provided.

4. Click the Pending Certificate Requests tab.

5. Find the ACME certificate request. ACME requests are distinguished by the term [ACME] in the Tracking Info column.

6. In the certificate's Action column, select Approve.

A set of tabs appears where you can change or add information.

Note: If you make changes on these tabs, consider communicating them with your Web server administrator.

7. (Optional.) Under the Certificate Details tab:

a. Add or change information in the Certificate Type, Certificate Expiry, Organization, Organizational Unit, Signing Algorithm, Extended Key Usage, or Intel AMT Support field.

b. The Domain Name cannot be changed.

c.  Click next to each field for more information.

d. Click Next.

8. Under the Additional Information tab:

e. Under the Requester Name and Requester Phone fields, add the ACME client administrator's name and phone number, if they are not already filled in.

f. Optionally, under Additional Emails, add more email addresses. The approval notification will be sent to these email addresses, in addition to the Requester Email address.

g. Optionally, add or change the information in the other fields, as required.

h. Click Next.

9. (Optional.) Under the Subject Alternative Names tab, review the information.

10.  Click Next.

11.  (Optional.) Under the Website Security tab, enable a SiteLock scan on one of the domains you specified.

12.  When you have reviewed all tabs, click Next.

The following message appear:

User-added image

13.  Click Yes.

An email is sent out indicating that the certificate request has been approved. The email is sent to the ACME client administrator as well as anyone else listed on the Additional Information tab.

You are now ready to generate and install the certificate.

Step 5: Generate and install the certificate

1. On the ACME client, run the client again to generate and install the certificate into the Web server. In Certbot, the command is the same one as before.

The command looks similar to the following:

certbot --server <Entrust_URL> -t -m <webadmin_email> -d <domain>

Example:

root@www:~/certbot# --server https://www.entrust.net/acme/api/v1/
directory/LP2-IAO7-8Y2R -t
-m [email protected] -d www.example.com

The ACME client communicates with the ACME server. The ACME server generates the certificate and sends it back to the ACME client. The ACME client installs it to the correct location in your Web server.

In Certbot, the following message appears:

---------------------------------------
Congratulations! You have successfully enabled https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
-----------------------------------------
IMPORTANT NOTES:
–  Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert will expire on 2017-09-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
–  If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The domain specified in the certificate is now protected by the certificate.

To renew an ACME certificate, consult your ACME client documentation. If you're using Certbot, the instructions are here: https://certbot.eff.org/docs/using.html#renewing-certificates

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:

Sunday 8:00 PM ET to Friday 8:00 PM ET

North America (toll free): 1-866-267-9297

Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

Country Number
Australia 0011 - 800-3687-7863
1-800-767-513
Austria 00 - 800-3687-7863
Belgium 00 - 800-3687-7863
Denmark 00 - 800-3687-7863
Finland 990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France 00 - 800-3687-7863
Germany 00 - 800-3687-7863
Hong Kong 001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland 00 - 800-3687-7863
Israel 014 - 800-3687-7863
Italy 00 - 800-3687-7863
Japan 001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
Korea 001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia 00 - 800-3687-7863
Netherlands 00 - 800-3687-7863
New Zealand 00 - 800-3687-7863
0800-4413101
Norway 00 - 800-3687-7863
Singapore 001 - 800-3687-7863
Spain 00 - 800-3687-7863
Sweden 00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland 00 - 800-3687-7863
Taiwan 00 - 800-3687-7863
United Kingdom 00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088