
Using acme.sh to automate TLS/SSL certificate issuance and renewal

Summary


  1. Log in to your Entrust Certificate Services (ECS) portal.

  2. Click Administration > Advanced Settings. On the Settings navigation pane, select Auto-Installation > ACME.

  3. Click Add External Account Binding to create the EAB.

  4. Create a Friendly Name for the EAB. In the Extended Key Usage droplist, select the desired EKU, e.g. ServerAndClientAuth, then click Next.

  5. Review the EAB Details for correctness, and when complete click Submit.

  6. Record the Key ID, MAC Key, and ACME URL values in a safe location. These will be required to configure the ACME client later. Note that the MAC Key cannot be viewed again once this window is closed.

Note: It is possible to examine the current certificate on the web server by using any web browser.

  1. Log on to the Apache web server using PuTTY or equivalent SSH software.

  2. Install the acme.sh client with the command: curl https://get.acme.sh | sh -s email=[email protected]

  3. Change to a root or admin account and register the new ACME account configuration with the command: acme.sh --register-account -m ****.****@entrust.com --server https://acme.entrust.net/acme2/directory

  4. Now use the acme.sh command to issue or renew a certificate for Apache with the following command: acme.sh --apache --issue --domain entrustcertbot.testcertificates.com --server https://acme.entrust.net/acme2/directory --eab-kid 9Oz******** --eab-hmac-key d9Oc********************** --valid-to "+396d" --keylength 2048 --reloadcmd "systemctl restart httpd"

  5. The certificate is returned and Apache is reloaded successfully.

  6. Confirm that the new certificate has the expected Serial Number. The certificate can also be examined in a web browser that has connected to the Apache-hosted website using HTTPS.
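The following wrapper is an added example, not part of this Entrust article and not acme.sh's own code. It strings the client-side steps above together, refuses to run when the EAB values or the --valid-to offset are missing or malformed, and then performs the final check in a way a browser cannot: it compares the serial number of the certificate acme.sh wrote to disk with the serial Apache actually presents over HTTPS, so a failed reload is caught immediately. It assumes DOMAIN, ACCOUNT_EMAIL, EAB_KID and EAB_HMAC_KEY are exported by the operator, that openssl and acme.sh are on PATH, and that the certificate lives in acme.sh's default store unless CERT_FILE overrides it; the ACME directory URL and the issue options are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the Entrust article or the acme.sh project).
# Assumed to be exported by the operator: DOMAIN, ACCOUNT_EMAIL, EAB_KID, EAB_HMAC_KEY.
ACME_DIR="${ACME_DIR:-https://acme.entrust.net/acme2/directory}"
VALID_TO="${VALID_TO:-+396d}"

# Return 0 when every required setting is present and --valid-to looks like "+396d".
# Reports what is missing to stderr; never echoes the MAC key itself.
check_inputs() {
  ok=0
  [ -n "$DOMAIN" ]        || { echo "DOMAIN is not set" >&2; ok=1; }
  [ -n "$ACCOUNT_EMAIL" ] || { echo "ACCOUNT_EMAIL is not set" >&2; ok=1; }
  [ -n "$EAB_KID" ]       || { echo "EAB_KID is not set" >&2; ok=1; }
  [ -n "$EAB_HMAC_KEY" ]  || { echo "EAB_HMAC_KEY is not set" >&2; ok=1; }
  if ! printf '%s' "$VALID_TO" | grep -Eq '^\+[0-9]+d$'; then
    echo "VALID_TO must be an offset such as +396d, got '$VALID_TO'" >&2; ok=1
  fi
  return $ok
}

# Normalise a serial so values from openssl and the ECS portal compare equal:
# drop the "serial=" prefix openssl prints, remove colons/spaces, upper-case, strip leading zeros.
normalize_serial() {
  printf '%s' "$1" | sed -e 's/^serial=//' -e 's/[: ]//g' | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# Serial of the certificate file acme.sh stored on disk.
file_serial() {
  normalize_serial "$(openssl x509 -in "$1" -noout -serial)"
}

# Serial of the certificate the live server presents for this name (SNI set to the domain).
served_serial() {
  normalize_serial "$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -serial)"
}

# Register the account, issue the certificate, then confirm Apache is serving the new one.
issue_and_verify() {
  check_inputs || return 1
  acme.sh --register-account -m "$ACCOUNT_EMAIL" --server "$ACME_DIR" || return 1
  acme.sh --apache --issue --domain "$DOMAIN" --server "$ACME_DIR" \
    --eab-kid "$EAB_KID" --eab-hmac-key "$EAB_HMAC_KEY" \
    --valid-to "$VALID_TO" --keylength 2048 \
    --reloadcmd "systemctl restart httpd" || return 1
  # Assumption: acme.sh's default store for an RSA certificate; override with CERT_FILE if needed.
  on_disk=$(file_serial "${CERT_FILE:-$HOME/.acme.sh/$DOMAIN/$DOMAIN.cer}")
  live=$(served_serial "$DOMAIN")
  if [ -n "$live" ] && [ "$on_disk" = "$live" ]; then
    echo "OK: $DOMAIN is serving certificate serial $live"
  else
    echo "MISMATCH: on disk '$on_disk', served '$live' (check that httpd reloaded)" >&2
    return 1
  fi
}

# Only run end-to-end when explicitly asked, so the functions can be sourced on their own.
if [ "${ACME_WRAPPER_RUN:-0}" = "1" ]; then
  issue_and_verify
fi
```

Run it with ACME_WRAPPER_RUN=1 after exporting the four values; compare the printed serial with the one shown in the ECS portal to close the loop described in the last step.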