Diffstat (limited to 'lacme.8.md')
-rw-r--r--lacme.8.md18
1 files changed, 18 insertions, 0 deletions
diff --git a/lacme.8.md b/lacme.8.md
index 3852b13..6218d36 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -435,6 +435,21 @@ Examples
$ sudo lacme newOrder
$ sudo lacme revokeCert /path/to/service.crt
+Automatic renewal can be scheduled via [`crontab`(5)] or
+[`systemd.timer`(5)]. In order to avoid deploying a single account key
+onto multiple nodes and/or dealing with multiple account keys, one can
+install a single [`lacme-accountd`(1)] instance on a dedicated host,
+generate a single account key there (and keep it well), and set the
+following in the [`[accountd]` section](#accountd-section):
+
+ command = ssh -T lacme@account.example.net lacme-accountd
+
+If the user running `lacme` can connect to `lacme@account.example.net`
+using (passwordless) key authentication, this setting will spawn a
+remote [`lacme-accountd`(1)] and use it to sign [ACME] requests.
+Further hardening can be achieved my means of [`authorized_keys`(5)]
+restrictions.
+
See also
========
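Review bot: the added line `+Further hardening can be achieved my means of [`authorized_keys`(5)]` has a typo, "my means of" should read "by means of". While that sentence is being touched, it would be worth saying which restrictions are meant: with `command = ssh -T lacme@account.example.net lacme-accountd`, anyone holding the client key gets a shell login on the account host, so the hardening this paragraph alludes to is pinning that key to the `lacme-accountd` command and turning off forwarding and PTY allocation via the per-key options documented in the linked section. One concrete `authorized_keys` line in the man page would make the recommendation actionable rather than leaving the reader to work it out.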
@@ -448,3 +463,6 @@ See also
[`x509v3_config`(5ssl)]: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
[`genpkey`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-genpkey.html
[`req`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-req.html
+[`crontab`(5)]: https://linux.die.net/man/5/crontab
+[`systemd.timer`(5)]: https://www.freedesktop.org/software/systemd/man/systemd.timer.html
+[`authorized_keys`(5)]: https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
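Review bot: the new `[`crontab`(5)]` reference resolves to linux.die.net, a third-party mirror, whereas the neighbouring entries (openssl.org, freedesktop.org, man.openbsd.org) point at the projects' own documentation; an upstream or distribution-maintained page would be more consistent and less likely to rot. Also, the `[`authorized_keys`(5)]` link text does not match its destination: the target is the AUTHORIZED_KEYS FILE FORMAT section of `sshd`(8), and OpenSSH ships no separate authorized_keys(5) page, so the reference and its two uses in the Examples hunk could read `sshd`(8) instead.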