Get an Account

An account is required that will authorize Certbot to request certificate enrollment through Keyfactor ACME. Keyfactor ACME in turn will be authorized to request enrollment through Keyfactor Command based on the configuration selected in the Keyfactor ACME configuration (see The Configure Command).

Note:  A user must be issued an EAB key (see GET KeyManagement) before being able to register an ACME client and request a certificate.

To acquire an account, the user's external account binding (EAB) values are passed through during the account request to establish trust for the account being created. The Keyfactor ACME server stores the new account JSON web key (jwk) with key id (kid) separately so it can verify subsequent request signatures. The external account binding blob submitted to the new account Keyfactor ACME API endpoint is returned in the request.
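To show what the EAB exchange above actually carries, here is an added Python example (not Certbot's or Keyfactor's code) that builds the RFC 8555 external account binding the way a client does from the --eab-kid and --eab-hmac-key values, and then checks it the way the ACME server must before storing the account's JWK under that kid. It reuses the kid and HMAC key from the certbot register example on this page; the newAccount URL and the JWK coordinates are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# EAB values taken from the page's certbot register example; the newAccount
# URL and the JWK coordinates are constructed placeholders, not real key material.
EAB_KID = "3195d433-b164-be71-4f9443fab652"
EAB_HMAC_KEY = "79gzJ4nXcwtikaTD7Ea3XnLXvPYZTE7jmfXf_XaWNjE"
NEW_ACCOUNT_URL = "https://acme93.keyexample.com/ACME/newAccount"  # assumed
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
KEY_STORE = {EAB_KID: EAB_HMAC_KEY}  # what the ACME server holds per issued EAB key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key: str, account_jwk: dict, url: str) -> dict:
    """Client side (what Certbot derives from --eab-kid/--eab-hmac-key):
    an HS256 JWS whose payload is the new account's public JWK."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab(eab: dict, account_jwk: dict, expected_url: str, lookup) -> bool:
    """Server side: accept the binding only if the kid is known, the MAC verifies
    under that kid's secret, the url is the newAccount URL, and the bound JWK is
    the same key that signed the outer newAccount request."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != expected_url:
        return False
    secret = lookup(header.get("kid"))
    if secret is None:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(secret), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print("binding accepted:", verify_eab(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL, KEY_STORE.get))
```

A binding built against a different newAccount URL, a different account key, or an unknown kid is rejected, which is why an ACME server must keep the EAB secret and the stored JWK separate and look both up by kid.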

Certbot has multiple parameters to specify differing options. The basic parameter values you will need to add a Certbot account for the Keyfactor ACME server are shown in Table 22: Recommended Certbot Parameters.

Table 22: Recommended Certbot Parameters

--eab-hmac-key
    The secret generated by the Keyfactor ACME get key process (see GET KeyManagement). This can be retrieved using the API GET /KeyManagement method as well.

--eab-kid
    The key generated by the Keyfactor ACME get key process (see GET KeyManagement). This can be retrieved using the API GET /KeyManagement method as well.

--server
    The URL of the Keyfactor ACME server referencing the hostname or IP of the server and the virtual directory specified with the Keyfactor ACME configuration tool (see The Configure Command --virtualdirectory option). For example:
    https://acme93.keyexample.com/ACME

--standalone
    Use standalone mode to make the request. This option assumes that no other web server is running on the server from which the Certbot request is issued. A miniature web server is started just for the duration of the request to satisfy Certbot's need for a web server.

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
    Specify the location of the trusted root certificate on the Linux server by setting this environment variable before running Certbot requests.

    Note:  The file provided should be the one created by running update-ca-certificates using your CA chain certificates.

Example:

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt certbot register --standalone --server https://acme93.keyexample.com --eab-kid 3195d433-b164-be71-4f9443fab652 --eab-hmac-key 79gzJ4nXcwtikaTD7Ea3XnLXvPYZTE7jmfXf_XaWNjE
Tip:  If your Certbot installation has an existing account and you need to create a new one for some reason (e.g. re-install and create a new Keyfactor ACME database) you will need to delete the existing account. This is done by removing the folder at /etc/letsencrypt/accounts/ that has the domain name of your Keyfactor ACME server (e.g. /etc/letsencrypt/accounts/myserver.keyexample.com).

Figure 9: Keyfactor ACME Register certbot Account

To check your account, run the Keyfactor ACME configuration tool list command from the Keyfactor ACME server (see List Command Options):

Figure 10: Configuration Tool - List Command

The Keyfactor ACME database will be updated with the account values.