mirrors/acme2certifier
1
0
Fork 0
mirror of https://github.com/grindsa/acme2certifier.git synced 2025-12-31 01:51:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
Page: <! wiki title: External Account Binding
Pages
# How to build an acme2certifier cluster on Ubuntu 22.04 <! wiki title: DEB Installation on Ubuntu 22.04 <! wiki title: External Account Binding <! wiki title: Hooks <! wiki title: Installation on Apache2 Running on Ubuntu 22.04 <! wiki title: Installation on NGINX Running on Alma Linux 9 <! wiki title: Pass Information from ACME Client to CA Handler <! wiki title: Reporting and Housekeeping <! wiki title: Support for ACME profiling <! wiki title: Support for External Databases ACME CA handler Asynchronous Mode (`async_mode`) in acme2certifier CA Handler for Microsoft Certification Authority Web Enrollment Service CA Handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA Handler for NetGuard Certificate Lifecycle Manager CA Handler for OpenXPKI CA Handler for XCA CA Handler for an OpenSSL based CA Stored on Local File System CA Polling to Check Pending Enrollment Requests CA Trigger CA handler for Digicert CertCentral CA handler for EJBCA CA handler for Entrust ECS Enterprise CA handler for Insta ActiveCMS CA handler for Insta CA handler for Microsoft Certification Authority Web Enrollment Service CA handler for Microsoft Windows Client Certificate Enrollment Protocol (MS WCCE) CA handler for NetGuard Certificate Lifecycle Manager CA handler for NetGuard Certificate Manager and Insta Certifier CA handler for OpenXPKI CA handler for XCA CA handler for an openssl based CA stored on local file system CA handler using CMPv2 protocol CA handler using EST protocol CA polling to check pending enrollment requests CA trigger CA‐handler for Hashicorp Vault PKI Configuration options for acme2certifier Containerized Installation Using Apache2 or Nginx as Web Server with WSGI or Django Containerized installation DEB installation on Ubuntu 22.04 Database scheme Enrollment of End User Certificates according to RFC8823 Enrollment profiling via external account binding Example commands for acme clients External Account Binding (EAB) External Account Binding Home Hooks support Hooks How to Create Your Own CA Handler How to build am acme2certifier cluster on Ubuntu 22.04 How to build an acme2certifier cluster on Alma Linux 9 How to build an acme2certifier cluster on Ubuntu 22.04 How to contribute to this project How to create your own CA Handler Installation on Apache2 Running on Ubuntu 22.04 Installation on NGINX Running on Alma Linux 9 Installation on Nginx Running on Ubuntu 22.04 Installation on nginx running on Ubuntu 22.04 Pass Information from ACME Client to CA Handler Prevalidated Domain List Feature for ACME Authorization Proxy Support in acme2certifier Proxy support in acme2certifier RPM Installation on AlmaLinux 9 RPM installation on Alma Linux 9 RPM installation on alma Linux 9 Reporting and Housekeeping support SOAP CA Handler Prototype SOAP CA handler protopype Security Policy Support for ACME profiling Support for External Databases Support for TNAuthList Identifier and tkauth 01 Challenges Support for TNAuthList identifier and tkauth 01 challenges Upgrading acme2certifier Using cert manager to enroll certificate in Kubernetes environments acme_srv.cfg configuration options upgrading acme2certifier vault
6 <! wiki title: External Account Binding
grindsa edited this page 2025-12-30 06:22:30 +00:00
Table of Contents

External Account Binding

External Account Binding (EAB) allows an ACME account to use authorizations granted to an external, non-ACME account. This enables acme2certifier to handle issuance scenarios that cannot yet be fully automated, such as issuing Extended Validation (EV) certificates.

To enable EAB, the Certificate Authority (CA) operator must provide both the ACME client and acme2certifier with a Key Identifier (kid) and a MAC key (mac_key). These credentials authenticate NewAccount requests.

kid and mac_key are loaded into acme2certifier via a plugin-based mechanism. By default, two plugins are available in the example/eab_handler directory.

Key identifiers are included in reports generated by the Housekeeping class.

By deafault acme2certifier validates, during each ACME transaction, whether the EAB credentials used to create the ACME account remain valid. If this check fails, acme2certifier stops processing the transaction. This check can be disabled by the configuration option eabkid_check_disable in a<me_srv.cfg.

[EABhandler]
...
eabkid_check_disable: True

File Handler

The eab_file_handler.py script allows kid and mac_key to be loaded from a CSV file. To activate this handler, configure the EABhandler section in acme_srv.cfg as follows:

[EABhandler]
eab_handler_file: examples/eab_handler/file_handler.py
key_file: examples/eab_handler/key_file.csv

The key_file must be in CSV format, with kid in the first column and mac_key (Base64 encoded) in the second column:

eab_kid,eab_mac
keyid_00,bWFjXz...Aw
keyid_01,bWFjXz...Ax
keyid_02,bWFjXz...Ay
keyid_03,bWFjXz...Az

JSON Handler

The eab_json_handler.py script allows kid and mac_key (Base64 encoded) to be loaded from a JSON file. To activate this handler, configure the EABhandler section in acme_srv.cfg as follows:

[EABhandler]
eab_handler_file: examples/eab_handler/json_handler.py
key_file: examples/eab_handler/key_file.json

The key_file should contain key-value pairs in JSON format:

{
  "keyid_00": "bWFjXz...Aw",
  "keyid_01": "bWFjXz...Ax",
  "keyid_02": "bWFjXz...Ay",
  "keyid_03": "bWFjXz...Az"
}

Keyfile Verification

To check the consistency of the keyfile, use the tools/eab_chk.py utility:

usage: eab_chk.py [-h] -c CONFIGFILE [-d] [-v] [-vv] [-k KEYID | -s]

eab_chk.py - verify eab keyfile

options:
  -h, --help            show this help message and exit
  -c CONFIGFILE, --configfile CONFIGFILE
                        configfile
  -d, --debug           debug mode
  -v, --verbose         verbose
  -vv, --veryverbose    show enrollment profile
  -k KEYID, --keyid KEYID
                        keyid to filter
  -s, --summary         summary

Example usage:

python /var/www/acme2certifier/tools/eab_chk.py -c /var/www/acme2certifier/acme_srv/acme_srv.cfg -v

Example output:

Summary: 4 entries in key_file
keyid_00: bWFjXz...Aw
keyid_01: bWFjXz...Ax
keyid_02: bWFjXz...Ay
keyid_03: bWFjXz...Az

Creating a Custom EAB Handler

Creating a custom EAB handler is straightforward. You need to create a handler.py file containing an EABhandler class with a mac_key_get method to look up the mac_key based on a given kid.

The allowed_domains_check method is optional and can be used to customize the allowed_domainlist_check() function.

The skeleton_eab_handler.py provides a template for creating a custom handler.

Below is an example of the class structure:

class EABhandler(object):
    """EAB file handler"""

    def __init__(self, logger=None):
        self.logger = logger
        self.key = None

    def __enter__(self):
        """Makes EABhandler a Context Manager"""
        if not self.key_file:
            self._config_load()
        return self

    def __exit__(self, *args):
        """Close the connection at the end of the context"""

    def _config_load(self):
        """Load additional configuration parameters from acme_srv.cfg"""
        self.logger.debug("EABhandler._config_load()")
        config_dic = load_config(self.logger, "EABhandler")
        if "key" in config_dic["EABhandler"]:
            self.key = config_dic["EABhandler"]["key"]
        self.logger.debug("EABhandler._config_load() ended")

    def allowed_domains_check(self, csr, value) -> str:
        """Check allowed domains"""
        self.logger.debug("EABhandler.allowed_domains_check(%s, %s)", csr, value)
        error = None  # Return an error message if applicable
        return error

    def mac_key_get(self, kid=None):
        """Check external account binding"""
        self.logger.debug("EABhandler.mac_key_get({})".format(kid))
        mac_key = None  # Implement logic to look up the mac_key
        return mac_key