ACME Profile

This section details how to configure an ACME Profile.

Prerequisites

PKI Connector

How to configure ACME Profile

1. Log in to Horizon Administration Interface.

2. Access ACME Profile from the drawer or card: Protocols  ACME.

3. Click on Add ACME profile.

4. Fill in the mandatory fields.

ACME Profile Specific Configuration

General

  • Name* (string input):
    Enter a meaningful profile name. It must be unique for each profile. Horizon uses the name to identify the profile. As the name will be part of a URL, it is advisable to use only lower case letters and dashes.

  • Enable* (boolean):
    Indicates whether the profile is enabled or not. The default value is set to true.

  • PKI Connector (string select):
    Select a PKI connector previously created.

Validations

  • Validation Methods (select):
    Select the authorized ACME validation method(s) on the considered profile (HTTP-01 and/or TLS-ALPN-01 and/or DNS-01).

  • HTTP_01 validation port (int):
    HTTP port to perform the http-01 validation (only if HTTP-01 has been selected). The default value is set to 80.

  • TLS-ALPN_01 validation port (int):
    HTTPS port to perform the tls-alpn-01 validation (only if TLS-ALPN-01 has been selected). The default value is set to 443.

  • Challenge verification attempts* (int):
    Specify the number of times Horizon should try to validate an ACME challenge. The default value is set to 3.

  • Challenge verification retry delay* (finite duration):
    Specify the time duration Horizon should wait between two consecutive validations for the same challenge. The default value is set to 3 seconds.

  • Proxy (string select):
    Specify an HTTP proxy to use when performing http-01 or tls-alpn-01 validations.

  • Timeout* (finite duration):
    Specify the time duration Horizon should wait when performing http-01, tls-alpn-01 or dns-01 validations.

Max Certificate per Holder Policy

  • Maximum (int):
    When specified, define the maximum number of active certificates for a given holder.

  • Behavior (select):
    What behavior to have when the maximum number is reached:

    • revoke the previous certificates.

    • reject the current request.

  • Revocation reason (select):
    When the revoke behavior is selected, the revocation reason to revoke the certificate with.

Requests management

  • Authorized short name (boolean):
    Specify if using short name is authorized when requesting certificate. If set to yes, one verifiable FQDN must be requested for each specified short name. The default value is set to false.

  • Authorized empty contact (boolean):
    Specify if an ACME account can be registered without specifying a contact email address. Default to false.

  • Default contacts email (string input multiple):
    Specify a list of default contact email addresses when registering an ACME account with no specified contact email address.

  • Max DNS name (int):
    If specified, enforce the maximum number of requested DNS name(s).

Meta

  • Is required terms of service (boolean):
    Specify if explicitly agreeing to the terms of service is required when registering an ACME account. The default value is set to false.

  • Terms of service (string input):
    Specify an URL identifying the current terms of service.

  • Website (string input):
    Specify an HTTP or HTTPS URL locating a website providing more information about the ACME server.

  • CAA Identities (string input):
    The hostnames that the ACME server recognizes as referring to itself for the purposes of CAA record validation as defined in RFC6844.

Crypto policy

  • Default Key Type (select):
    Key Type that will be used by horizon-cli in certificate enrollment.

  • Authorized Key Types (multiselect):
    Key Types that can be used for enrollment. An empty value means no restrictions.

Common configuration for profiles

Languages

You can add more languages by clicking Add.

  • Language* (select):
    Select a language. Supported languages are:

    • en: English

    • fr: French

  • Display Name (string input):
    Enter a display name. This will be the localized name of this profile.

  • Description (string input):
    Enter a description. This will be displayed on the list view of the profiles.

You can delete Delete Language the localization.

Grading Policies

You can select grading policies that will grade your certificate for a quick overview of its quality. For more information about the inner working of the grading policies in Horizon, please refer to the grading rules page.

Workflows builder

Configure custom rights for actions on this profile.

1. Select an authorization level for each workflow.

Schema 2

  • Everyone:
    No authentication is required.

  • Authenticated:
    User has to be authenticated.

  • Authorized:
    User has to be authenticated and have an explicit authorizations.

2. Select an access level for identity providers.

You can remove the access level for an identity provider by clicking on 'x'.

Requests time to live

Configure the time your requests have before expiring.

After expiration, requests are stored for an additional 30 days. This can be changed using configuration files.

  • Enrollment request* (finite duration):
    Must be a valid finite duration. The default value is set to seven days.

  • Renewal request* (finite duration):
    Must be a valid finite duration. The default value is set to seven days.

  • Revocation request* (finite duration):
    Must be a valid finite duration. The default value is set to seven days.

  • Update request* (finite duration):
    Must be a valid finite duration. The default value is set to seven days.

  • Migration request* (finite duration):
    Must be a valid finite duration. The default value is set to seven days.

  • Recover request (finite duration):
    Enabled on escrow: Must be a valid finite duration. The default value is set to seven days.

Owner-related permissions

These permissions apply to the owners of a certificate (team or owner). An owner can always request the following actions, but this permission allows them to perform the action without validation.

  • Revoke (boolean):
    Grant self revoke permission. The default value is set to false.

  • Revoke (pop) (boolean):
    Grant self revoke permission with owner being determined by Proof of Possession. This is used by horizon-cli. The default value is set to false.

  • Update (boolean):
    Grant self update permission. The default value is set to false.

  • Update (pop) (boolean):
    Grant self update permission with owner being determined by Proof of Possession. This is used by horizon-cli. The default value is set to false.

Constraints

  • Allowed email domains (string input):
    Enter a valid regular expression that the inputted emails should match. This includes RFC822NAME and UPN SANs as well as the contact email

    This matches the domain of the email, not including anything before @.

  • Allowed DNS domains (string input):
    Enter a valid regular expression that the inputted domain should match.

CSR Data Mapping

1. Click on Add to add a mapping.

2. Select a field and enter a value.

You can delete Delete mapping the CSR Data Mapping.

Certificate Template

This section details how to define a custom structure for the fields subject DN, SAN & extensions of the requested certificate in order to match the configuration on the PKI side.

Defining a template will use the CSR to fill the available field. A CSR with unexpected fields will be rejected. Using a template also disables CSR Data Mapping.

Subject DN composition

You can add more elements by clicking Add.

  • Element* (select):
    Select an attribute from the elements list.

  • Mandatory (boolean):
    Should the element be mandatory. The default value is set to false.

  • Editable by requester (boolean):
    Tells whether the element should be editable by the requester. The default value is set to false.

  • Editable by approver (boolean):
    Tells whether the element should be editable by the approver. The default value is set to false.

  • Default value (string input):
    Set a default value to the element.

  • Regex (regex):
    Enter a regular expression that the element should match.

  • Computation rule (Computation rule input):
    Set the value of this element to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

You can remove an element by clicking the delete button Delete Connector or reorder (drag and drop) Reorder DN the Subject DN template.

When a template is defined, at least one mandatory Common Name must be added to the DN Elements.

SAN composition

You can add more elements by clicking Add.

  • Element* (select):
    Select an attribute from the element list.

  • Editable by requester (boolean):
    Tells whether the element should be editable by the requester. The default value is set to false.

  • Editable by approver (boolean):
    Tells whether the element should be editable by the approver. The default value is set to false.

  • Minimum (int):
    The minimum number of value that this SAN must have.

  • Maximum (int):
    The maximum number of value that this SAN must have.

  • Regex (regex):
    Enter a regular expression that the element should match.

  • Computation rule (Computation rule input):
    Set the value of this element to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

You can remove an element by clicking the delete button Delete Connector or reorder (drag and drop) Reorder SAN the SAN template.

Extensions

You can add more elements by clicking Add.

  • Element* (select):
    Select an attribute from the elements list.

  • Mandatory (boolean):
    Should the element be mandatory. The default value is set to false.

  • Editable by requester (boolean):
    Tells whether the element should be editable by the requester. The default value is set to false.

  • Editable by approver (boolean):
    Tells whether the element should be editable by the approver. The default value is set to false.

  • Default value (string input):
    Set a default value to the element.

  • Computation rule (Computation rule input):
    Set the value of this element to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

You can remove an element by clicking the delete button Delete Connector or reorder (drag and drop) Reorder Extension the Extensions template.

When adding a SAN, a DN element or an Extension and making it mandatory, make sure to either give it a default value or a computation rule or make it editable, otherwise the template will be unusable.

Certificate Metadata

This section details how to define a custom structure for the labels, ownership policy and technical metadata, allowing certificates to hold rich information.

Labels

You can add more labels by clicking Add.

  • Name (select):
    Select a preexisting label.

  • Mandatory (boolean):
    Should the label be mandatory. The default value is set to false.

  • Editable by requester (boolean):
    Tells whether the label should be editable by the requester. The default value is set to false.

  • Editable by approver (boolean):
    Tells whether the label should be editable by the approver. The default value is set to false.

  • Default value (string input):
    Set a default value to the label.

  • Label value restriction

    • Whitelist (string input multiple):
      The label value will have to be in the whitelist. Open the popup, enter the label value and press "enter" to add this value to the accepted value list. An empty whitelist means no restriction.

    • Suggestions (string input multiple):
      Add suggestions that will be displayed to the user. The user will be able to choose one of these values or enter its own. Open the popup, enter your suggestions and press enter to add this value to the suggestions. An empty suggestions list means no restriction.

    • Regex (regex):
      The label value will have to match the regex. Open the popup, enter the regular expression and click on the submit button to set the regex. An empty regex means no restrictions.

  • Computation rule (Computation rule input):
    Set the value of this label to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

You can delete Delete label or reorder (drag and drop) Reorder label the label template.

Ownership policy

  • Owner

    • Mandatory (boolean):
      Specify if the certificate’s owner is mandatory when submitting a request.

    • Editable by requester (boolean):
      Specify if the certificate’s owner can be overridden by the requester when submitting a request.

    • Editable by approver (boolean):
      Specify if the certificate’s owner can be overridden by the requester when approving a request.

    • Computation rule (Computation rule input):
      Set the value of the owner to the value of the evaluated computation rule. This value will override any other value including the user input.

  • Contact email

    • Mandatory (boolean):
      Specify if the certificate’s contact email is mandatory when submitting a request.

    • Editable by requester (boolean):
      Specify if the certificate’s contact email can be overridden by the requester when submitting a request.

    • Editable by approver (boolean):
      Specify if the certificate’s contact email can be overridden by the requester when approving a request.

    • Default contact email (string input):
      Set a default contact email. This value must comply with the contact email restriction.

    • Contact email restriction

      • Whitelist (string input multiple):
        The contact email will have to be in the whitelist. Open the popup, enter the email and press "enter" to add this value to the accepted whitelist. An empty whitelist means no restriction.

      • Regex (regex):
        The contact email will have to match the regex. Open the popup, enter the regular expression and click on the submit button to set the regex. An empty regex means no restrictions.

    • Computation rule (Computation rule input):
      Set the value of the contact email to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

  • Team

    • Mandatory (boolean):
      Specify if the certificate’s team is mandatory when submitting a request.

    • Editable by requester (boolean):
      Specify if the certificate’s team can be overridden by the requester when submitting a request.

    • Editable by approver (boolean):
      Specify if the certificate’s team can be overridden by the requester when approving a request.

    • Default team (string input):
      Set a default team. This value must comply with the team restriction.

    • Team restriction

      • Whitelist (string input multiple):
        The team will have to be in the whitelist. Enter the team and press "enter" to add this value to the accepted whitelist. An empty whitelist means no restriction.

      • Regex (regex):
        The team will have to match the regex. Open the popup, enter the regular expression and click on the submit button to set the regex. An empty regex means no restrictions.

    • Computation rule (Computation rule input):
      Set the value of the team to the value of the evaluated computation rule. This value will override any other value including the user input and the default value.

Metadata policy (overridable metadata)

These metadata are technical metadata. They are used by Horizon or Third party connectors, updating them should be done with utmost care.
Metadata edition is not allowed on enroll.
Metadata edition is not available via the User Interface. It must be changed with API, using horizon-cli.

You can allow the override of technical metadata by clicking Add.

  • Metadata* (select):
    Select a metadata.

  • Editable by requester (boolean):
    Tells whether the metadata is editable by the requester. The default value is set to false.

  • Editable by approver (boolean):
    Tells whether the metadata is editable by the approver. The default value is set to false.

You can delete Delete metadata policy a metadata policy. This will not delete the metadata but will make it non editable.

Notifications

This section details how to configure notifications on certificate and request lifecycle events.

Certificate lifecycle notifications

Notifications are sent when one of the following event is triggered by a certificate:

Enrollment

Revocation

Expire

Update

Migrate

Renew

Select a preexisting email, REST or groupware notification to associate it with an event.

Request lifecycle notifications

Notifications are sent when one of the following event is triggered by an Enroll/Revocation/Update/Migrate/Renew request:

Submit

Cancel

Revoke

Approve

Pending

Select a preexisting email, REST or groupware notification to associate it with an event.

Submit request events are not triggered when the user has the permission to perform the action directly.

5. Click on the save button.

You can edit Edit ACME Profile, duplicate Edit ACME Profile or delete Delete ACME Profile the ACME Profile.

You won’t be able to delete an ACME Profile if it is referenced somewhere else.