ACME
Prerequisites
- An ACME directory URL.
- If required by your ACME provider, External Account Binding (EAB) credentials.
Create the PKI connector
1. Log in to the Horizon Administration Interface.
2. Access PKI from the drawer or card.
3. Click on the create button.
4. Select the correct PKI type.
5. Click on the next button.
General tab
6. Fill in the common mandatory fields:
- Connector Name* (string input): Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.
- Proxy (string select): If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to forward the traffic.
- PKI Queue (string select): The PKI Queue used to manage the PKI requests (enrollment, revocation).
- Timeout (finite duration): The maximum time Horizon waits for a PKI response; once it has elapsed, Horizon stops trying to establish the communication. Must be a valid finite duration.
7. Click on the next button.
8. Fill in all mandatory fields:
- Endpoint* (string input): Fill in the ACME directory URL. It often ends in /directory.
- Account Key Type* (select): The key type to use for the ACME account that will be created on the directory. Using rsa or ecdsa is recommended, depending on your ACME provider.
- Account Email (string input): Fill in the email to associate with the account. It will be used at the ACME provider's discretion, for example to inform you of certificate status.
- External Account Binding (select): Select Login credentials containing the External Account Binding (EAB) Key ID as login and the EAB Key as password, if your provider requires EAB.
- Rotate Account (boolean): Activate this if you wish to recreate the account associated with this connector (not needed if no account has been created yet). This rotates the account key if required.
9. Click on the next button.
Domain dictionary configuration
Domain dictionaries configure domain-specific dictionary keys. These keys are only available when creating the DNS record that validates the specified domain. For Cloudflare, for example, this should contain the zone ID.
- Domain* (string input): Define the domain for which the dictionary is available.
- Key* (string input): The dictionary key to use in the REST trigger.
- Value* (string input): The value associated with the key.
10. Click on the next button.
DNS Record Creation REST Call
This REST request must create the TXT DNS record at your DNS provider.
Available dictionary keys:
- record: the expected name of the DNS record
- digest: the challenge value (content of the DNS record)
- domain: the domain the notification is trying to validate. This is for informational purposes only (comments, …)
- The domain dictionary defined above for this domain is also available
REST Configuration
- HTTP Method and URL* (select & string input): Choose the HTTP method and the destination URL for your notification. The URL is a template string and can contain keys for parametrization.
- Proxy (select): Define a proxy for this REST API call.
- Timeout* (finite duration): Connection timeout when executing the REST API call. Must be a valid finite duration.
- Accepted response HTTP code* (multiselect | input): Response codes meaning the REST call was a success. If any other code is received, a failure is logged.
- Authentication type and credentials* (select & select): Choose the authentication type and the credentials used to authenticate. Custom authentication makes the credential values available in headers.
- Headers (input string & input string): Choose the header name and value. Header values are template strings and can contain keys for parametrization.
- Body* (string input): Enter the REST body. It is a template string and can contain keys for parametrization.
11. Click on the next button.
DNS Record Deletion REST Call
This REST request must delete the TXT DNS record when it is no longer needed.
Available dictionary keys:
- The JSON response from the creation call is available
- The domain dictionary defined above for this domain is also available
REST Configuration
- HTTP Method and URL* (select & string input): Choose the HTTP method and the destination URL for your notification. The URL is a template string and can contain keys for parametrization.
- Proxy (select): Define a proxy for this REST API call.
- Timeout* (finite duration): Connection timeout when executing the REST API call. Must be a valid finite duration.
- Accepted response HTTP code* (multiselect | input): Response codes meaning the REST call was a success. If any other code is received, a failure is logged.
- Authentication type and credentials* (select & select): Choose the authentication type and the credentials used to authenticate. Custom authentication makes the credential values available in headers.
- Headers (input string & input string): Choose the header name and value. Header values are template strings and can contain keys for parametrization.
- Body* (string input): Enter the REST body. It is a template string and can contain keys for parametrization.
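The creation and deletion calls are easiest to follow end to end: the ACME server hands Horizon a challenge token, Horizon derives the record name and digest, fills them into the creation template together with the domain dictionary, and later reuses the creation response to delete the record. The Python script below is an added example (not Horizon's own code) that walks through that sequence for both the creation and the deletion REST calls. It assumes a `${key}` placeholder syntax, a Cloudflare-style DNS API at a placeholder host, that the creation response is flattened into keys such as `result_id`, and an `api_token` key standing in for the credential that Custom authentication exposes to headers; none of these details are documented on this page. The token, thumbprint and creation response it runs with are constructed.

```python
"""Added example of the DNS-01 record creation/deletion REST calls.
Placeholder syntax ${key}, response flattening (result_id) and the DNS API
shape are assumptions for this example, not Horizon behaviour."""
import base64
import hashlib
import json
from string import Template
from urllib.parse import quote


def dns01_values(domain: str, token: str, account_thumbprint: str) -> dict:
    """Values published for a DNS-01 challenge (RFC 8555 section 8.4).

    record: _acme-challenge.<domain>; a wildcard *.example.com is validated on
            the base name, so the leading "*." is dropped.
    digest: base64url(SHA-256(token "." thumbprint)) without padding.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{account_thumbprint}".encode()
    raw = hashlib.sha256(key_authorization).digest()
    digest = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return {"record": f"_acme-challenge.{base}", "digest": digest, "domain": domain}


def domain_dictionary(entries: list, domain: str) -> dict:
    """Keys from the domain dictionary tab that apply to this domain.
    entries are (domain, key, value) triples; wildcards reuse the base name's entries."""
    base = domain[2:] if domain.startswith("*.") else domain
    return {key: value for d, key, value in entries if d == base}


def render(template: str, keys: dict, mode: str) -> str:
    """Substitute ${key} placeholders, escaping each value for where it lands.
    The domain comes from the certificate request, so values are escaped for
    the URL path, the JSON body or the header rather than pasted raw."""
    if mode == "url":
        safe = {k: quote(str(v), safe="") for k, v in keys.items()}
    elif mode == "json":
        safe = {k: json.dumps(str(v))[1:-1] for k, v in keys.items()}  # JSON escaping, outer quotes stripped
    elif mode == "header":
        for v in keys.values():
            if "\r" in str(v) or "\n" in str(v):
                raise ValueError("line break in header value")
        safe = {k: str(v) for k, v in keys.items()}
    else:
        raise ValueError(f"unknown mode {mode}")
    return Template(template).safe_substitute(safe)


def build_call(cfg: dict, keys: dict) -> dict:
    """Resolve one REST Configuration (method, URL, headers, body) against the keys."""
    return {
        "method": cfg["method"],
        "url": render(cfg["url"], keys, "url"),
        "headers": {n: render(v, keys, "header") for n, v in cfg.get("headers", {}).items()},
        "body": render(cfg["body"], keys, "json") if cfg.get("body") else "",
    }


def response_ok(status: int, accepted: set) -> bool:
    """Mirror of the 'Accepted response HTTP code' setting: any other code is a failure."""
    return status in accepted


def flatten(obj, prefix: str = "") -> dict:
    """Expose a JSON response as flat keys, nested names joined with "_" (assumed layout)."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("_"): obj}
    out = {}
    for k, v in obj.items():
        out.update(flatten(v, f"{prefix}{k}_"))
    return out


# Constructed configuration modelled on a Cloudflare-style DNS API (placeholder host and paths).
CREATE_CALL = {
    "method": "POST",
    "url": "https://dns.example/zones/${zone_id}/dns_records",
    "headers": {"Authorization": "Bearer ${api_token}", "Content-Type": "application/json"},
    "body": '{"type": "TXT", "name": "${record}", "content": "${digest}", "comment": "ACME ${domain}"}',
    "accepted": {200, 201},
}
DELETE_CALL = {
    "method": "DELETE",
    "url": "https://dns.example/zones/${zone_id}/dns_records/${result_id}",
    "headers": {"Authorization": "Bearer ${api_token}"},
    "body": "",
    "accepted": {200, 204},
}
DOMAIN_DICTIONARY = [("example.com", "zone_id", "zone123")]  # constructed dictionary entry
AUTH_KEYS = {"api_token": "cred-from-horizon"}  # stands in for the credential exposed by Custom authentication


def challenge_round_trip(domain: str, token: str, thumbprint: str, creation_response: dict) -> tuple:
    """Build the creation call, then the deletion call from the creation's JSON response."""
    keys = {**dns01_values(domain, token, thumbprint), **domain_dictionary(DOMAIN_DICTIONARY, domain), **AUTH_KEYS}
    create = build_call(CREATE_CALL, keys)
    delete = build_call(DELETE_CALL, {**keys, **flatten(creation_response)})
    return create, delete


if __name__ == "__main__":
    # Constructed inputs: challenge token, account key thumbprint and the DNS API's creation response.
    c, d = challenge_round_trip("*.example.com", "tok3n", "thumbprint", {"success": True, "result": {"id": "rec42"}})
    print(json.dumps(c, indent=2))
    print(json.dumps(d, indent=2))
```

The escaping in `render` is the part worth keeping in mind when writing the real templates: the domain and the challenge values are attacker-influenced only to the extent that the certificate request is, but a domain containing a quote or a line break would otherwise corrupt the JSON body or the header, and a record ID from the creation response would be pasted straight into the deletion URL path.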
12. Click on the save button.
When saving the connector, the account will be created. If the configuration is incorrect, this step can fail.
You can edit, duplicate or delete the ACME connector.