Summary
-
Log in to your Entrust Certificate Services (ECS) portal.
-
Click Administration > Advanced Settings. On the Settings navigation pane, select Auto-Installation > ACME.
-
Click Add External Account Binding to create the EAB.
-
Create a Friendly Name for the EAB. In the Extended Key Usage drop-down list, select the desired EKU, for example ServerAndClientAuth, then click Next. Review the EAB Details for correctness, and when complete click Submit.
-
Record the Key ID, MAC Key, and ACME URL values in a safe location. These will be required to configure the ACME client later. Note that the MAC Key cannot be viewed again once this window is closed.
Note: It is possible to examine the current certificate on the web server by using any web browser.
-
Log on to the Apache web server using PuTTY or equivalent software.
-
Install the acme.sh client with the command:
-
curl https://get.acme.sh | sh -s email=<your-email-address>
-
Change to a root or admin account and register the new ACME account configuration with the command:
-
acme.sh --register-account -m ****.****@entrust.com --server https://acme.entrust.net/acme2/directory
-
Now use acme.sh to issue/renew a certificate for Apache with the following command:
-
acme.sh --apache --issue --domain entrustcertbot.testcertificates.com --server https://acme.entrust.net/acme2/directory --eab-kid 9Oz******** --eab-hmac-key d9Oc********************** --valid-to "+396d" --keylength 2048 --reloadcmd "systemctl restart httpd"
-
The certificate was returned and Apache was reloaded successfully.
-
Confirm that the new certificate has the expected serial number. The certificate can also be examined in a web browser that has connected to the Apache-hosted website using HTTPS.