Register an Account
An account is required that will authorize Certbot to request certificate enrollment through Keyfactor ACME. Keyfactor ACME in turn will be authorized to request enrollment through Keyfactor Command based on the settings selected in the Keyfactor ACME configuration. (For Windows installs, see The Configure Command; for container installs, see Helm Chart Customization.)
To acquire an account, the user’s external account binding (EAB) values are passed through during the account request to establish trust for the account being created. The Keyfactor ACME server stores the new account JSON Web Key (JWK) with key id (kid) separately so it can verify subsequent request signatures. The EAB blob submitted to the new account Keyfactor ACME API endpoint is returned in the request.
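Certbot's EAB options implement the external account binding of RFC 8555 section 7.3.4: a JWS over the account JWK, keyed with the EAB HMAC key and labelled with the EAB kid. The following is an added example, not Keyfactor's or Certbot's code, showing how a client builds that binding and which checks a server applies before creating the account; the sample kid, HMAC key, JWK and new-account URL are constructed values.

```python
import base64
import hashlib
import hmac
import json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(hmac_key_b64u: str, protected: str, payload: str) -> bytes:
    # The EAB key is distributed base64url-encoded; the MAC uses the raw bytes.
    signing_input = f"{protected}.{payload}".encode()
    return hmac.new(b64u_decode(hmac_key_b64u), signing_input, hashlib.sha256).digest()

def build_eab(account_jwk, eab_kid, eab_hmac_key, new_account_url):
    """Client side: bind the account public key to the EAB kid."""
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64u(json.dumps(header).encode())
    payload = b64u(json.dumps(account_jwk).encode())
    signature = b64u(_mac(eab_hmac_key, protected, payload))
    return {"protected": protected, "payload": payload, "signature": signature}

def verify_eab(eab, outer_jwk, outer_url, issued_keys):
    """Server side: checks made before the new account is created."""
    try:
        header = json.loads(b64u_decode(eab["protected"]))
        if header["alg"] != "HS256" or header["url"] != outer_url:
            return False  # wrong algorithm, or binding made for another URL
        key = issued_keys.get(header["kid"])
        if key is None:
            return False  # kid was never issued (or has been revoked)
        if json.loads(b64u_decode(eab["payload"])) != outer_jwk:
            return False  # binding covers a different account key
        expected = _mac(key, eab["protected"], eab["payload"])
        return hmac.compare_digest(expected, b64u_decode(eab["signature"]))
    except (KeyError, TypeError, ValueError):
        return False  # malformed binding

# Constructed sample values, not real credentials.
SAMPLE_KID = "00000000-0000-0000-0000-000000000001"
SAMPLE_HMAC_KEY = b64u(bytes(range(32)))
SAMPLE_URL = "https://acme.example.test/ACME/new-account"  # hypothetical path
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_JWK, SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_URL)
    print(verify_eab(eab, SAMPLE_JWK, SAMPLE_URL, {SAMPLE_KID: SAMPLE_HMAC_KEY}))
```

Because the MAC covers the account JWK and the request URL, a captured binding cannot be reused to register a different account key or replayed against another endpoint.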
Certbot has multiple parameters to specify differing options. The basic parameter values you will need to add a Certbot account for the Keyfactor ACME server are shown in Table 40: Recommended Certbot Parameters.
Table 40: Recommended Certbot Parameters
Parameter | Description |
---|---|
--eab-hmac-key | The secret generated by the Keyfactor ACME get key process (see GET KeyManagement). This can be retrieved using the API GET /KeyManagement method as well. |
--eab-kid | The key generated by the Keyfactor ACME get key process (see GET KeyManagement). This can be retrieved using the API GET /KeyManagement method as well. |
--server | The URL of the Keyfactor ACME server referencing the hostname or IP of the server and the virtual directory specified during Keyfactor ACME configuration. For example: https://acme93.keyexample.com/ACME |
--standalone | Use standalone mode to make the request. This option assumes that no other web server is running on the server from which the Certbot request is issued. A miniature web server is started just for the duration of the request to satisfy Certbot's need for a web server. |
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt | Specify the location of the trusted root certificate on the Linux server by providing the environment variable before Certbot requests. Note: The file provided should be the one created by running update-ca-certificates using your CA chain certificates. |
Example:
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt certbot register --standalone --server https://acme93.keyexample.com/ACME --eab-kid 3195d433-b164-be71-4f9443fab652 --eab-hmac-key 79gzJ4nXcwtikaTD7Ea3XnLXvPYZTE7jmfXf_XaWNjE
The Keyfactor ACME database will be updated with the account values.
Figure 15: Keyfactor ACME Register certbot Account
To check your account:
- Windows Installations: Run the Keyfactor ACME configuration tool list command from the Keyfactor ACME server (see List Command Options in the KeyfactorACMEConfig.exe Tool).
- Container Installations: Use the GET /Admin/Accounts/List method in the Keyfactor ACME API (see GET Admin Accounts List).
Figure 16: Configuration Tool - List Command