Welcome to Cisco's ACME Service!

ACME Client Setup Instructions

You can use the following commands to register an account as well as generate a new certificate or revoke an existing one.

Register Account

certbot register --server https://acme.cisco.com/acme/directory --eab-kid <account id> --eab-hmac-key <external account binding key>

Generate a Certificate

certbot certonly --standalone --server https://acme.cisco.com/acme/directory -d <domain>

Revoke a Certificate

certbot revoke --server https://acme.cisco.com/acme/directory --cert-name <domain>

Account Information

Your account ID can be found in the regr.json file in the account directory (<config directory>/accounts/acme.cisco.com/acme/directory/<hash>). The account directory lives under the config directory if you specified one (--config-dir), or under /etc/letsencrypt if you did not.

You can use certbot show_account --server https://acme.cisco.com/acme/directory to show your account details. If you used --config-dir when registering your account, you must pass the same --config-dir here.

Notes

You must run these commands with root privileges, or set --config-dir, --work-dir, and --logs-dir to writable paths.

Later Certbot versions default to ECDSA keys. This will result in an error if you elected to use RSA keys. Add --key-type rsa to request an RSA key rather than the default ECDSA key.

Documentation

Cert-Manager can be used with YAML or Ansible to automate certificate issuance in Kubernetes clusters. Below are the values the different variables should have to interact with our ACME server.

  • Server: https://acme.cisco.com/acme/directory

    Note: Cert-Manager will by default point to the Let's Encrypt server unless you specify Cisco's ACME server.

  • Email: A CEC email or a valid Cisco mailer associated with the appropriate team

  • External Account Binding keyID: An account ID given by the Cisco ACME team to link your ACME account to you

  • External Account Binding key: A key given by the Cisco ACME team to link your ACME account to you

  • Account Information: You can use the following command to find your account ID for support cases. Look for issuer.status.acme.uri in the output to find your unique account URL.

    kubectl describe issuer <cluster issuer name>
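As an added example (not from the Cisco ACME team's documentation), the Cert-Manager manifests that wire the values above together: a Secret holding the External Account Binding key and a ClusterIssuer pointing at Cisco's ACME server. The resource names, namespace, email, the <account id> placeholder and the HTTP-01 ingress class are assumptions; substitute the values the Cisco ACME team gave you.

```yaml
# Secret holding the External Account Binding key. The value is the same
# string you would pass to certbot --eab-hmac-key (placeholder below).
apiVersion: v1
kind: Secret
metadata:
  name: cisco-acme-eab          # assumed name, referenced by keySecretRef
  namespace: cert-manager       # assumed: namespace where cert-manager runs
type: Opaque
stringData:
  secret: "<external account binding key>"
---
# Issuer bound to Cisco's ACME server. Without an explicit server this
# would not reach Cisco's CA, and without externalAccountBinding
# registration is rejected because EAB is required.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cisco-acme              # assumed issuer name
spec:
  acme:
    server: https://acme.cisco.com/acme/directory
    email: team-mailer@cisco.com            # assumed: CEC email or team mailer
    externalAccountBinding:
      keyID: "<account id>"                 # keyID from the Cisco ACME team
      keySecretRef:
        name: cisco-acme-eab                # the Secret above
        key: secret
    # Private key for the ACME account; cert-manager creates it on first use.
    privateKeySecretRef:
      name: cisco-acme-account-key          # assumed name
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx         # assumed ingress class
```

After the issuer reports Ready, kubectl describe clusterissuer cisco-acme shows the account URL under status.acme.uri, which is the value to quote in support cases.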

Clients that use Terraform to issue certificates and interact with our ACME server should take precautions to prevent accidental account deactivation.

  • Account deactivation is part of the resource lifecycle for Terraform ACME clients: destroying the registration resource deactivates the account. With the precaution below, clients can avoid accidentally deactivating their account.

  • Add the following lifecycle block to the ACME registration resource in your project:

    lifecycle {
      prevent_destroy = true
    }

With the Terraform ACME provider, you can use one of two methods to find your account information.

  • You can output the registration resource's attributes, id or registration_url, to the console when terraform plan or terraform apply is run.

  • You can use terraform show -json to show the secrets associated with the Terraform state.

The Cisco ACME team does not give configuration advice for specific ACME clients, but there are some key elements to using our ACME implementation:

  • You must allow network traffic to and from our ACME server and the server(s) hosting your domain in order to issue certificates.

  • You must point your ACME client to our ACME server: https://acme.cisco.com/acme/directory

  • Ensure that the contact you use is either a CEC email or a valid Cisco mailer associated with the appropriate team.

  • For all other ACME clients, please refer to the documentation for that client to find the account information for support cases.

Please reference the SharePoint site for more information on our ACME service.
Disclaimer: The Cisco ACME team is not responsible for issues using external ACME Clients like Certbot or Cert-Manager.
© 2024 Cisco Systems, Inc. | Cisco Confidential | Developed and supported by Cryptographic Services Team
ACME Version : 3.9.1 | Build Date : 10/10/2024 11:01:26 EST