Diffstat (limited to 'README')
| -rw-r--r-- | README | 58 | 
1 files changed, 29 insertions, 29 deletions
| @@ -1,29 +1,6 @@ -Requesting new Certificate Issuance with the ACME protocol generally -works as follows: - -  1. Generate a Certificate Signing Request.  This requires access to -     the private part of the server key. -  2. Issue an issuance request against the ACME server. -  3. Answer the ACME Identifier Validation Challenges.  The challenge -     type "http-01" requires a webserver to listen on port 80 for each -     address for which an authorization request is issued; if there is -     no running webserver, root privileges are required to bind against -     port 80 and to install firewall rules to temporarily open the port. -  4. Install the certificate (after verification) and restart the -     service.  This usually requires root access as well. - -Steps 1,3,4 need to be run on the host for which an authorization -request is issued.  However the the issuance itself (step 2) could be -done from another machine.  Furthermore, each ACME command (step 2), as -well as the key authorization token in step 3, need to be signed using -an account key.  The account key can be stored on another machine, or -even on a smartcard. - -_______________________________________________________________________ - -letsencrypt is a tiny ACME client written with process isolation and -minimal privileges in mind.  It is divided into four components, each -with its own executable: +lacme is a small ACME client written with process isolation and minimal +privileges in mind.  It is divided into four components, each with its +own executable:    * A process to manage the account key and issue SHA-256 signatures      needed for each ACME command.  (This process binds to a UNIX-domain 
@@ -56,11 +33,34 @@ with its own executable:  Consult the manuals for more information. -    https://guilhem.org/man/letsencrypt.1.html -    https://guilhem.org/man/letsencrypt-accountd.1.html +    https://guilhem.org/man/lacme.1.html +    https://guilhem.org/man/lacme-accountd.1.html + +_______________________________________________________________________ + +Requesting new Certificate Issuance with the ACME protocol generally +works as follows: + +  1. Generate a Certificate Signing Request.  This requires access to +     the private part of the server key. +  2. Issue an issuance request against the ACME server. +  3. Answer the ACME Identifier Validation Challenges.  The challenge +     type "http-01" requires a webserver to listen on port 80 for each +     address for which an authorization request is issued; if there is +     no running webserver, root privileges are required to bind against +     port 80 and to install firewall rules to temporarily open the port. +  4. Install the certificate (after verification) and restart the +     service.  This usually requires root access as well. + +Steps 1,3,4 need to be run on the host for which an authorization +request is issued.  However the the issuance itself (step 2) could be +done from another machine.  Furthermore, each ACME command (step 2), as +well as the key authorization token in step 3, need to be signed using +an account key.  The account key can be stored on another machine, or +even on a smartcard.  _______________________________________________________________________ -letsencrypt is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and +lacme is Copyright© 2016 Guilhem Moulin ⟨guilhem@fripost.org⟩, and  licensed for use under the GNU General Public License version 3 or  later.  See ‘COPYING’ for specific terms and distribution information. | 
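Review bot: in the first hunk (@@ -1,29 +1,6 @@), moving the ACME workflow description out of the top of the README means a reader now meets the four components and the privilege-separation design before the paragraph that explains why it matters (which steps need root, where the account key may live); a single sentence in the retained intro pointing to that later section, or keeping the "Steps 1,3,4 need to be run on the host ..." paragraph near the top, would preserve the motivation. The rename from "letsencrypt" to "lacme" itself looks consistent with the diffstat (29 insertions, 29 deletions) for a pure move plus rename.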
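Review bot: in the second hunk (@@ -56,11 +33,34 @@), the re-added paragraph carries over the doubled word in "However the the issuance itself (step 2) could be done from another machine"; since these lines are new insertions, drop the duplicate "the" here rather than moving the typo along with the text, and consider writing "Steps 1, 3 and 4" instead of "Steps 1,3,4" for readability. The updated manual URLs (lacme.1.html, lacme-accountd.1.html) and the copyright line match the new name used in the first hunk.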
