ACME Server
The ACME Server implements the Automated Certificate Management Environment (ACME) protocol as defined in RFC8555. It provides a standardized way for clients to automatically obtain and renew certificates from the CA Service, with support for post-quantum cryptography.
Key Features
- Implements the ACME v2 protocol for automated certificate management.
- Interacts with the CA Service to issue certificates signed with post-quantum cryptography.
- Supports JWS validation using RSA, ECDSA, and EdDilithium2 keys.
- Requires a PostgreSQL database for state management (accounts, orders, challenges).
- Supports configurable TLS client authentication, including CRL checks.
- Supports OCSP stapling for its own TLS certificate.
- Includes testing hooks (
SKIP_DB,SKIP_CA,TLS_CLIENT_AUTH) for easier development and testing.
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/directory | GET | Returns the ACME directory object with URLs for all endpoints |
/acme/new-nonce | HEAD/GET | Provides a new nonce value for use in subsequent requests |
/acme/new-account | POST | Creates a new ACME account |
/acme/new-order | POST | Creates a new certificate order |
/acme/challenge/{token} | POST | Responds to a challenge to prove control of an identifier |
/acme/finalize/{orderId} | POST | Finalizes an order by submitting a CSR |
/acme/cert/{orderId} | POST | Downloads the issued certificate |
/acme/revoke-cert | POST | Revokes a certificate |
/healthz | GET | Health check endpoint |
/readyz | GET | Readiness check endpoint |
Configuration
The ACME Server is configured primarily through environment variables:
| Variable | Description | Default |
|---|---|---|
PORT_ACME / ADDR | Listen address for the service | :4000 |
DATABASE_URL | PostgreSQL connection string | Required |
GODEBUG | Set to tls13kem=1 to activate hybrid KEM (X25519+MLKEM768) | tls13kem=0 |
TLS_CLIENT_AUTH | Controls TLS client authentication mode (none, request, etc.) | require_and_verify |
SKIP_DB | Skip database initialization (for testing) | false |
SKIP_CA | Use a self-signed certificate instead of requesting from CA Service | false |
KEY_DIR | Directory to store/load cryptographic keys and certificates | keys |
CA_SIGN_URL | URL of the CA's CSR signing endpoint | https://localhost:5000/sign |
CA_CRL_URL | URL to fetch the Certificate Revocation List from the CA | https://localhost:5000/crl |
CA_OCSP_URL | URL of the CA's OCSP responder | https://localhost:5000/ocsp |
Database Setup
The ACME Server requires a PostgreSQL database for storing account information, orders, and challenges. You need to create the database and run the migrations before starting the server:
# Create the database (example) createdb acme_server # Run migrations psql "postgres://user:pass@localhost:5432/acme_server" -f acme-server/migrations/0001_create_acme_tables.up.sqlACME Client Integration
The ACME Server can be used with any ACME client that supports the ACME v2 protocol. Here are some examples:
Certbot
certbot certonly \ --server https://acme.example.com:4000/directory \ --standalone \ -d example.comacme.sh
acme.sh --issue \ --server https://acme.example.com:4000/directory \ -d example.com \ --standaloneNote that while the ACME Server supports post-quantum cryptography, most ACME clients currently only support classical cryptography. The server will still issue certificates signed with EdDilithium2, but the client authentication will use classical algorithms.
Next Steps
Now that you understand the ACME Server, you might want to explore:
- CA Service: Learn about the CA Service that issues certificates.
- Signing Service: Understand how to sign artifacts with quantum-resistant signatures.
- API Endpoints: Review the API endpoints provided by each service.