wm: doc

ref: aaeb28aa8e5cf5a9fb58b4525d724ad4661f5abd
dir: /acmed.ms/

View raw version
This guide provides a quick setup for requesting a TLS certificate with acmed.

First, we generate our private key:

cpu% ramfs -p
cpu% cd /tmp
cpu% auth/rsagen -t 'service=acme role=sign hash=sha256 acct=username@example.com' > username@example.com.key

Next, we generate the public key, formatted as a JSON Web Key:

cpu% auth/rsa2jwk username@example.com.key > /sys/lib/tls/acmed/username@example.com.pub

We store our private key into secstore, then factotum:

cpu% auth/secstore -g factotum
secstore password:
cpu% cat username@example.com.key >> factotum
cpu% auth/secstore -v -p factotum
secstore password:
cpu% read -m factotum > /mnt/factotum/ctl

We next generate a private key for the host, and set the proper file permissions,
and copy it into /sys/lib/tls/acmed/:

cpu% auth/rsagen -t 'service=tls owner=*' > example.com.key
cpu% chmod 600 username@example.com.key example.com.key 
cpu% cp username@example.com.key example.com.key /sys/lib/tls/acmed/

We generate a certificate signing request, then create the .well-known/acme-challenge
directory, then pass the CSR to acmed:

cpu% auth/rsa2csr 'CN=example.com' /sys/lib/tls/acmed/example.com.key >/sys/lib/tls/acmed/example.com.csr
cpu% mkdir -p /usr/$user/www/example.com/.well-known/acme-challenge
cpu% webfs; auth/acmed -t http -o /usr/$user/www/example.com/.well-known/acme-challenge username@example.com /sys/lib/tls/acmed/example.com.csr >/sys/lib/tls/acmed/example.com.crt

If all went well, you should find the certificate in /sys/lib/tls/acmed/example.com.crt