ACME

Prerequisites

  • An ACME directory URL.

  • If required by your ACME provider, External Account Binding credentials.

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on the Add icon.

4. Select ACME as the PKI type.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, select an HTTP/HTTPS proxy through which the traffic is forwarded.

  • PKI Queue (string select):
    The PKI Queue used to process the PKI requests (enrollment, revocation) of this connector.

  • Timeout (finite duration):
    Maximum time to wait for a response from the PKI. Once it has elapsed without a response, Horizon stops trying to communicate with the PKI and the request fails. Must be a valid finite duration.

7. Click on the next button.

8. Fill in all mandatory fields:

  • Endpoint* (string input):
    Fill in the ACME directory URL. It usually ends in /directory.

  • Account Key Type* (select):
    The key type of the ACME account that will be created on the directory. Choose rsa or ecdsa depending on which account key types your ACME provider accepts.

  • Account Email (string input):
    Fill in the email address to associate with the account. The ACME provider may use it, at its own discretion, to send certificate status notifications.

  • External Account Binding (select):
    If your provider requires External Account Binding (EAB), select Login credentials whose login is the EAB Key ID and whose password is the EAB key (the MAC key issued by the provider).

  • Rotate Account (boolean):
    Enable this to recreate the ACME account associated with this connector, which rotates the account key. It is not needed if no account has been created yet.

  • DNS Provider* (select):
    Select the DNS provider that will expose the ACME challenge record. The following steps depend on the selected provider.
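The following Python example is added here and is not code from the product or from the original page. It shows what the EAB Key ID and EAB key selected above are used for: when the account is created, the ACME client wraps its account public key in a JWS whose protected header carries alg HS256, the provider-issued kid and the newAccount URL, and whose MAC is computed with the EAB key (RFC 8555, section 7.3.4). The CA recomputes the MAC to tie the new ACME account to your pre-registered identity. The key ID, MAC key, newAccount URL, contact address and account JWK are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the original page). A real EAB Key ID and
# EAB key are issued by the ACME provider; the newAccount URL comes from the
# provider's directory document (the "Endpoint" configured on the connector).
EAB_KEY_ID = "kid-demo-0001"
EAB_HMAC_KEY = base64.urlsafe_b64encode(b"constructed-demo-mac-key-32-bytes!!").rstrip(b"=").decode()
NEW_ACCOUNT_URL = "https://acme.example.com/acme/new-account"
# Sample P-256 public JWK standing in for the connector's ACME account key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(kid: str, hmac_key_b64url: str, new_account_url: str, account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS of RFC 8555 section 7.3.4.

    Protected header: alg HS256, the provider-issued kid, the newAccount URL
    and no nonce. Payload: the ACME account public key as a JWK. The MAC key
    is the base64url-decoded EAB key.
    """
    protected = b64url(compact_json({"alg": "HS256", "kid": kid, "url": new_account_url}))
    payload = b64url(compact_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64url: str) -> bool:
    """What the CA does on its side: recompute the MAC and compare in constant time."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def eab_header(eab: dict) -> dict:
    return json.loads(b64url_decode(eab["protected"]))


def eab_payload(eab: dict) -> dict:
    return json.loads(b64url_decode(eab["payload"]))


def new_account_payload(eab: dict, contact_email: str) -> dict:
    """Body of the newAccount request that carries the EAB. The outer JWS
    (not shown) must be signed with the same account key that appears in the
    EAB payload, otherwise the CA rejects the binding."""
    return {
        "contact": [f"mailto:{contact_email}"],
        "termsOfServiceAgreed": True,
        "externalAccountBinding": eab,
    }


if __name__ == "__main__":
    eab = build_eab(EAB_KEY_ID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    print(json.dumps(new_account_payload(eab, "pki@example.com"), indent=2))
    print("MAC verifies with the configured EAB key:", verify_eab(eab, EAB_HMAC_KEY))
```

Because the binding is a MAC, anyone holding the EAB key can bind further accounts to your identity at the provider; the EAB credentials deserve the same handling as any other PKI secret stored in Horizon. Note also that the EAB is only presented once, at account creation, so a Rotate Account operation needs valid EAB credentials again if the provider requires them.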

9. Click on the next button.

The remaining steps depend on the selected DNS provider:

  • Manual: Horizon creates and deletes the challenge TXT record through REST calls that you configure (domain dictionary, DNS record creation call, DNS record deletion call).

  • Nameshield: Horizon creates and deletes the record through the Nameshield API (Nameshield DNS configuration).

Domain dictionary configuration

Domain dictionaries hold domain-specific dictionary keys. They are only made available to the REST calls that create or delete the DNS record validating the specified domain. For Cloudflare, for example, this is where the zone ID goes.

  • Domain* (string input):
    Define the domain for which the dictionary is available.

    • Key* (string input):
      The dictionary key, as referenced from the REST call templates.

    • Value* (string input):
      The value associated with the key.

10. Click on the next button.

DNS Record Creation REST Call

This REST request must create the TXT DNS record at your DNS provider.

Available dictionary keys:

  • record: the expected name of the DNS record

  • digest: the challenge value (content of the DNS record)

  • domain: the domain being validated. Informational only (comments, …​)

  • The domain dictionary defined above for this domain

  • For each call after the first one, the response dictionaries of the previous creation calls, prefixed with the type and the trigger index. For example, if info.comment is present in the response of the first creation call, all subsequent calls can read it under the set.1.info.comment key.

REST Configuration

  • HTTP Method and URL*: (select & string input)
    Choose the HTTP method and the destination URL of the call. The URL is a template string and can contain keys for parametrization.

  • Proxy: (select)
    Define a proxy for this REST API call.

  • Timeout* (finite duration):
    Connection timeout when executing the REST API call. Must be a valid finite duration.

  • Accepted response HTTP code* (multiselect | input):
    Response codes that mean the REST call succeeded. Any other code is logged as a failure.

  • Authentication type and credentials* (select & select):
    Choose the authentication type and the credentials used to authenticate. Custom authentication makes the credential values available for use in the headers (for example to build an API token header).

  • Headers (input string & input string):
    Choose the header name and value. Header values are template strings and can contain keys for parametrization.

  • Body* (string input):
    Enter the REST body. It is a template string and can contain keys for parametrization.

11. Click on the next button.

DNS Record Deletion REST Call

This REST request must delete the TXT DNS record once it is no longer needed.

Available dictionary keys:

  • The domain dictionary defined above for this domain

  • For each call, the response dictionaries of the creation calls, as well as those of the previous deletion calls, prefixed with the type and the trigger index. For example, if info.comment is present in the response of the first deletion call, all subsequent calls can read it under the unset.1.info.comment key.

REST Configuration

  • HTTP Method and URL*: (select & string input)
    Choose the HTTP method and the destination URL of the call. The URL is a template string and can contain keys for parametrization.

  • Proxy: (select)
    Define a proxy for this REST API call.

  • Timeout* (finite duration):
    Connection timeout when executing the REST API call. Must be a valid finite duration.

  • Accepted response HTTP code* (multiselect | input):
    Response codes that mean the REST call succeeded. Any other code is logged as a failure.

  • Authentication type and credentials* (select & select):
    Choose the authentication type and the credentials used to authenticate. Custom authentication makes the credential values available for use in the headers (for example to build an API token header).

  • Headers (input string & input string):
    Choose the header name and value. Header values are template strings and can contain keys for parametrization.

  • Body* (string input):
    Enter the REST body. It is a template string and can contain keys for parametrization.

12. Click on the save button.

Response dictionary

When a response is received, its body is made available in the dictionary in a form that depends on whether it is JSON.

If the response is valid JSON, it is parsed and made available. For example if the response was:

{
  "id": "dns_id",
  "info": {
    "type": "txt",
    "comment": "some comment"
  }
}

The id, info.type and info.comment keys are available.

If the response is not valid JSON, the whole body content is available in the body key.
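The following Python example is added here and is not code from the product or from the original page. It models how the creation and deletion REST calls described above see their dictionary: the challenge keys (record, digest, domain), the domain dictionary of the validated domain, and the flattened, prefixed response dictionaries of earlier calls (set.1.*, unset.1.*), so that, for instance, the deletion URL can reference the record ID returned by the creation call. The {{key}} placeholder syntax, the dns.example.com URLs and the sample responses are assumptions; the page does not show the product's real template syntax.

```python
import json
import re

# Constructed sample data (not from the original page): one domain dictionary
# entry and the challenge keys supplied for a DNS-01 validation.
DOMAIN_DICTIONARY = {"example.com": {"zone_id": "zone-0123456789"}}
CHALLENGE = {
    "record": "_acme-challenge.example.com",
    "digest": "constructed-challenge-digest",
    "domain": "example.com",
}
# Assumed placeholder syntax; the real template syntax is not shown on the page.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def flatten(value, prefix=""):
    """Turn nested JSON into dotted keys: {"info": {"type": "txt"}} -> {"info.type": "txt"}."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)  # list positions become numeric path segments (assumption)
    else:
        return {prefix.rstrip("."): value}
    out = {}
    for key, child in items:
        out.update(flatten(child, f"{prefix}{key}."))
    return out


def response_dictionary(body: str) -> dict:
    """Valid JSON objects are parsed into dotted keys; anything else lands whole under 'body'."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return {"body": body}
    if not isinstance(parsed, (dict, list)):
        return {"body": body}
    return flatten(parsed)


def render(template: str, dictionary: dict) -> str:
    """Substitute placeholders; an unknown key raises so a broken call is caught before it is sent."""
    def substitute(match):
        key = match.group(1)
        if key not in dictionary:
            raise KeyError(f"template references unknown dictionary key {key!r}")
        return str(dictionary[key])
    return PLACEHOLDER.sub(substitute, template)


class ChallengeCalls:
    """Dictionary visible to the creation (set) and deletion (unset) calls of one challenge."""

    def __init__(self, challenge: dict, domain_dictionary: dict):
        # Challenge keys plus the domain dictionary of the validated domain only.
        self.base = {**challenge, **domain_dictionary.get(challenge["domain"], {})}
        self.responses = {}
        self.counter = {"set": 0, "unset": 0}

    def dictionary(self) -> dict:
        return {**self.base, **self.responses}

    def record_response(self, kind: str, body: str) -> int:
        """Expose a call's response as <kind>.<index>.<key> to every later call."""
        self.counter[kind] += 1
        index = self.counter[kind]
        for key, value in response_dictionary(body).items():
            self.responses[f"{kind}.{index}.{key}"] = value
        return index


def simulate() -> dict:
    """Walk one challenge through a creation call and the matching deletion call."""
    calls = ChallengeCalls(CHALLENGE, DOMAIN_DICTIONARY)
    create_url = render("https://dns.example.com/zones/{{zone_id}}/records", calls.dictionary())
    create_body = render('{"type": "TXT", "name": "{{record}}", "content": "{{digest}}"}', calls.dictionary())
    # Constructed provider response shaped like the page's example; id and info.* become set.1.*.
    calls.record_response("set", '{"id": "dns_id", "info": {"type": "txt", "comment": "some comment"}}')
    delete_url = render("https://dns.example.com/zones/{{zone_id}}/records/{{set.1.id}}", calls.dictionary())
    calls.record_response("unset", "deleted")  # non-JSON reply: available as unset.1.body
    return {
        "create_url": create_url,
        "create_body": create_body,
        "delete_url": delete_url,
        "dictionary": calls.dictionary(),
    }


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

The practical check this gives you: before saving the connector, render every template you wrote against the keys that will actually exist at that point of the sequence. A deletion URL that references set.1.id only works if the creation call's response really carries a top-level id; if the provider nests it (for example under result.id), the key name in the template has to follow the flattened path.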

Nameshield DNS configuration

  • Environment* (select):
    Select the Nameshield environment to target.

  • Nameshield credentials* (select):
    Select API Token credentials containing the API key to authenticate against the Nameshield API.

  • Timeout* (finite duration):
    Timeout for requests to the Nameshield API. Must be a valid finite duration.

10. Click on the save button.

When the connector is saved, the ACME account is created on the directory. If the configuration is incorrect (for example an unreachable directory URL or EAB credentials rejected by the provider), this step can fail and the connector is not saved until it is fixed.

You can edit, duplicate or delete the ACME connector.