Enabling and configuring ACME using TLS Protect
You can enable and configure the ACME service using TLS Protect.
NOTE Before you do this, make sure that the ACME server component is installed. See Installing the ACME Service.
To enable and configure ACME
- From the TLS Protect menu, click Configuration > ACME.
- When prompted with Enable ACME?, click Yes.
- Under Create Certificates in, select the folder into which ACME Service certificates will be placed.
  IMPORTANT A CA template must be assigned to the folder that you select. See Assigning a CA template to a policy folder.
- (Optional) Select Automatically create folders if they don't exist.
  - When selected, if a folder doesn't exist when the certificate's location is specified, a folder with that name will be created. In the certbot request's URL, the new folder's name cannot contain uppercase letters.
  - When cleared, certificate requests will fail if the folder doesn't already exist. An error message will be sent via certbot and an event will be logged in Trust Protection Platform. Certbot will display a similar message in the letsencrypt.log file.
- Type the ACME URL Hostname.
  NOTE The default name is the fully qualified domain name (FQDN) of the engine. You have the option to change it here.
- When you're done, click Save.

In a web browser, type https://[ACME_server_FQDN]/vacme/[v1|v2]/[TPP_folder]/directory
For example:
https://tpp-alpha.venafi.com/example/vacme/v1/test/directory
The displayed text confirms that the ACME server is working. You can also see the URLs that the ACME client will use (internally) to register and request certificates.
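The same check can be scripted. The following Python is an added example, not part of the Venafi documentation: it builds the directory URL in the form shown above and checks that every endpoint in the response is served over https from the configured ACME URL Hostname. It assumes the server returns a standard ACME directory JSON object; the hostname tpp.example.test and the sample response body are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption: the server returns a standard ACME directory object
# (v1 draft-style keys, or v2 keys per RFC 8555).
REQUIRED_KEYS = {
    "v1": {"new-reg", "new-authz", "new-cert", "revoke-cert"},
    "v2": {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"},
}

def directory_url(fqdn, version, folder, auto_create=False):
    """Build the directory URL in the form given on this page."""
    if version not in REQUIRED_KEYS:
        raise ValueError("version must be v1 or v2")
    if auto_create and folder != folder.lower():
        # A folder created automatically cannot have uppercase letters in the URL.
        raise ValueError("auto-created folder name must be lowercase in the URL")
    return f"https://{fqdn}/vacme/{version}/{folder}/directory"

def check_directory(body, version, expected_host):
    """Return a list of problems in a directory response body; empty means OK."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["response is not JSON"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    missing = REQUIRED_KEYS[version] - set(doc)
    problems = [f"missing endpoint: {key}" for key in sorted(missing)]
    for key, value in sorted(doc.items()):
        if not isinstance(value, str):
            continue  # skip non-URL members such as "meta"
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{key}: not served over https")
        if url.hostname != expected_host.lower():
            problems.append(f"{key}: host does not match the ACME URL Hostname")
    return problems

def sample_directory(host):
    """Constructed sample v2 response body (not captured from a real server)."""
    base = f"https://{host}/vacme/v2/test"
    return json.dumps({
        "newNonce": f"{base}/new-nonce", "newAccount": f"{base}/new-account",
        "newOrder": f"{base}/new-order", "revokeCert": f"{base}/revoke-cert",
        "keyChange": f"{base}/key-change",
    })

if __name__ == "__main__":
    print(directory_url("tpp.example.test", "v2", "test"))
    print(check_directory(sample_directory("tpp.example.test"), "v2", "tpp.example.test"))
```

A host mismatch in the output usually means the ACME URL Hostname setting does not match the name clients use to reach the engine.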

- In Policy Tree, go to the Platforms tree.
- In Platforms, click an Engine name.
- Under Trust Protection Platform URL HostNames, in the Automatic Certificate Management Environment (/VACME) field, enter the hostname of the ACME server.
  NOTE The default name is the fully qualified domain name (FQDN) of the engine.
- Click Save.