Cisco ACME requires external account binding credentials to register an account. Each set of external account binding credentials can only be used to register one ACME account.
The Key ID is also referred to as the account ID. It identifies your account and should be included in any support case.
The EAB Key is a one-time use key used to authenticate your account registration request. You can only rotate this value as long as you haven't registered asymmetric keys with your account.
You can utilize RunOn to create and manage accounts. For more information on how to use RunOn, please reference the RunOn Certificate Management Documentation.
If you have issues using RunOn, please submit our onboarding questionnaire to have an account manually provisioned for you.
You can use the following commands to register an account as well as generate a new certificate or revoke an existing one.
certbot register --server https://acme.cisco.com/acme/directory --eab-kid <account id> --eab-hmac-key <external account binding key>
certbot certonly --standalone --server https://acme.cisco.com/acme/directory -d <domain>
certbot revoke --server https://acme.cisco.com/acme/directory --cert-name <domain>
Your account ID can be found in the regr.json file in the account directory (/accounts/<server name>/acme/directory/<hash>). The account directory is located under the config directory if you specified one with --config-dir, otherwise under /etc/letsencrypt.
You can use certbot show_account --server https://acme.cisco.com/acme/directory to show your account details. If you used --config-dir to register your account, you will need to use it here.
You must run these commands with root privileges or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Certbot defaults to ECDSA keys in later versions. This will result in an error if you elected to use RSA keys.
Cert-Manager can be used with YAML or Ansible to automate certificate issuance in Kubernetes clusters. Below are the values the different variables should have to interact with our ACME server.
Server URL: https://acme.cisco.com/acme/directory
Note: Cert-Manager will by default point to the Let's Encrypt server unless you specify Cisco's ACME server.
Contact email: a CEC email or a valid Cisco mailer associated with the appropriate team
Key ID: the account ID given by the Cisco ACME team to link your ACME account to you
EAB Key: the key given by the Cisco ACME team to link your ACME account to you
You can use the following command to find your account ID for support cases. Look for issuer.status.acme.uri to find your unique account URL.
kubectl describe issuer <cluster issuer name>
Clients that use Terraform to issue certificates and interact with our ACME server should take precautions to prevent accidental account deactivation.
Account deactivation is a part of the lifecycle for ACME terraform clients. However, with certain precautions, clients can avoid accidentally deactivating their account.
Please add the following lifecycle block to the resource that manages your ACME registration:
lifecycle {
  prevent_destroy = true
}
With the Terraform ACME provider, you can use one of two methods to find your account information.
You can output the registration module's attributes, id or registration_url, to the console when terraform plan or terraform apply is run.
You can use terraform show -json to show the secrets associated with the Terraform state.
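As an added example, not from the page or the Cisco ACME team, here is the lifecycle block above in context: a Terraform configuration for the vancluever/acme provider that registers an account with external account binding, guards the registration against destroy, and outputs the registration_url mentioned above. The variable names, the placeholder email address and the RSA account key are assumptions.

```hcl
terraform {
  required_providers {
    acme = {
      source = "vancluever/acme"
    }
  }
}

# Point the provider at Cisco's ACME directory (URL from the page).
provider "acme" {
  server_url = "https://acme.cisco.com/acme/directory"
}

variable "eab_key_id" {
  type        = string
  description = "Key ID (account ID) issued by the Cisco ACME team"
}
variable "eab_hmac_key" {
  type        = string
  description = "One-time EAB key issued by the Cisco ACME team (base64)"
  sensitive   = true
}

# Account private key; it lives in Terraform state, so protect the state backend.
resource "tls_private_key" "account" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "acme_registration" "this" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = "team-mailer@cisco.com" # placeholder: CEC email or team mailer

  # Binds the new ACME account to the EAB credentials; each pair is single use.
  external_account_binding {
    key_id      = var.eab_key_id
    hmac_base64 = var.eab_hmac_key
  }

  # Destroying this resource deactivates the account. Block it at plan time.
  lifecycle {
    prevent_destroy = true
  }
}

# Account URL to quote in support cases (also available as .id).
output "acme_account_url" {
  value = acme_registration.this.registration_url
}
```

With prevent_destroy set, terraform destroy and any plan that would replace the registration fail before touching the account, so the guard has to be removed deliberately in code first.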
The Cisco ACME team does not give configuration advice in terms of ACME clients, but there are some key elements to using our ACME implementation:
You must allow network traffic to and from our ACME server and your domain server(s) to issue certificates.
You must point your ACME client to our ACME server: https://acme.cisco.com/acme/directory
Ensure that the contact you use is either a CEC email or a valid Cisco mailer associated with the appropriate team.
For all other ACME clients, please refer to the documentation for that client to find the account information for support cases.
We highly recommend that you integrate your ACME client with our Keeper instance to securely store your ACME client information.
This will ensure that your account stays under your control while still being able to tear down and rebuild servers.
Integrating with Keeper allows you to move your servers without worrying about losing secrets or having to register a new ACME account.
You can utilize RunOn to generate external account binding credentials. For more information on how to use RunOn, please reference the RunOn Certificate Management Documentation.
Please reference the SharePoint for more information on our ACME service.
If you have any additional problems, please open a support case.
The Cisco ACME team is not responsible for issues using external ACME clients like Certbot or Cert-Manager.