Hi,
you also need an RSA/ECC account key for Sectigo (that's an ACME
requirement they can't change). The HMAC key is used for External
Account Binding, to link the ACME account (associated to the RSA/ECC
key) to the Sectigo account. According to RFC8555
(https://tools.ietf.org/html/rfc8555#section-7.3.4), External Account
Binding requires a MAC key and a key identifier, which are needed
during account registration.
I didn't yet have time to look at that more closely, but I'm interested
in implementing support for that eventually. (The mini test CA we are
using in CI, Pebble, now also supports External Account Binding, so we
can even test it before trying it out with a real account :) )
I've created an issue
(https://github.com/ansible-collections/community.crypto/issues/89) to
track this.
If you want to use the acme_* modules right now, you need to use a
different ACME client (which supports External Account Binding) to
create an ACME account at Sectigo that's associated to your Sectigo
account, and export the ACME account key (will be an RSA or an ECC
private key) in PEM format. Then you can use the acme_* modules with
that account.
(Please note that I don't have access to a Sectigo account, so I cannot
test whether the modules work fine with Sectigo's ACME implementation.
So it could be that other things go wrong.)
Cheers,
Felix