acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries:
- acme_srv/*.py - a bunch of classes implementing ACME server functionality based on rfc8555
- ca_handler.py - interface towards CA server. The intention of this library is to be modular that an adaption to other CA servers should be straight forward. As of today the following handlers are available:
E - Certificte Enrollment, R - Certificte Revocation, P - EAB Profiling | E | R | P |
---|---|---|---|
DigiCert® CertCentral | ✅ | ✅ | ✅ |
Entrust ECS Enterprise | ✅ | ✅ | ✅ |
EJBCA | ✅ | ✅ | ✅ |
Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL | ❌ | ❌ | ✅ |
Generic CMPv2 protocol handler | ✅ | ❌ | ❌ |
Generic EST protocol handler | ✅ | ❌ | ❌ |
Insta ActiveCMS | ✅ | ✅ | ✅ |
Microsoft Certificate Enrollment Web Services | ✅ | ❌ | ✅ |
Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM | ✅ | ❌ | ✅ |
NetGuard Certificate Lifecycle Manager | ✅ | ✅ | ❌ |
NetGuard Certificate Manager/Insta Certifier | ✅ | ✅ | ✅ |
Openssl | ✅ | ✅ | ❌ |
OpenXPKI | ✅ | ✅ | ❌ |
XCA | ✅ | ✅ | ✅ |
acme2dfn (external; ACME proxy for the German research network's PKI | ✅ | ❌ | ❌ |
For more up-to-date information and further documentation, please visit the project's home page at: https://github.com/grindsa/acme2certifier
Release notes and ChangLog can be found at https://github.com/grindsa/acme2certifier/releases
Following acme-clients are used for regular testing of server functionality
Other clients are on my list for later testing. In case you are bored, feel free to test other ACME clients and raise issues if something does not work as expected.
Command-line parameters used for testing
I am not a professional developer. Keep this in mind while laughing about my code and don’t forget to send patches.
- ACME v2 RFC 8555 compliant server implementation including
- Support RFC 8737: TLS Application‑Layer Protocol Negotiation (ALPN) Challenge Extension
- Support RFC 8738: Certificates for IP addresses
- Support draft-ietf-acme-ari-02 and draft-ietf-acme-ari-01: Renewal Information (ARI) Extension
- Support TNAuthList identifiers: TNAuthList profile of ACME Authority Token
- Support tkauth-01 ACME Challenges Using an Authority Token
- Certificate polling and Call backs from CA servers. These calls are not standardized but important to use acme2certifier together with classical enterprise CA
Following challenge types are supported:
Additional functionality will be added over time. If you are badly missing a certain feature please raise an issue to let me know.
The proxy can run either as plain wsgi-script on either apache or nginx or as django project. Running acme2certifier as django project allows to use other database backends than SQLite.
The fastest and most convenient way to install acme2certifier is to use docker containers. There are ready made images available at dockerhub and ghcr.io as well as instructions to build your own container. In addition rpm packages for AlmaLinux/CentOS Stream/Redhat EL 9 and deb packages for Ubuntu 22.04 will be provided with every release.
- acme2certifier in Github container repository
- acme2certifier repository at hub.docker.com
- rpm package installation on Alma Linux 9
- deb package installation Ubuntu 22.04
- Instructions to build your own container
- Installation as wsgi-script running on apache2 (Ubuntu 22.04)
- Installation as wsgi-script running on NGINX (Ubuntu 22.04)
- Installation as wsgi-script running on NGINX (Alma Linux 9)
SBOMs for all containers will be automatically created during build process and stored in my SBOM repository
Please read CONTRIBUTING.md for details on my code of conduct, and the process for submitting pull requests. Please note that I have a life besides programming. Thus, expect a delay in answering.
I use SemVer for versioning. For the versions available, see the tags on this repository.
This project is licensed under the GPLv3 - see the LICENSE file for details