Obtain and manage certificates from any server instance that implements ACME specification using the WildFly CLI

This blog post describes the functionality that is in the final stages of development and will be available in the next WildFly 18 release.

Currently, you can obtain and manage certificates from Let’s Encrypt using a certificate-authority-account configured in WildFly. After the release of WildFly 18 it will be possible to configure a certificate-authority-account with any other certificate authority that implements the ACME protocol.

This means that all management operations currently possible with Let’s Encrypt certificates will also be possible with certificates from other certificate authorities. More specifically, it will be possible to obtain a certificate, revoke it if necessary, and check whether it is due for renewal. This blog post gives an overview of how to configure certificate authority URLs.

A certificate-authority-account needs to be configured before you can obtain your first certificate. Let’s Encrypt is the default certificate authority and does not have to be specified, but all other certificate authorities need to be added first.

Add a certificate authority

You can add a certificate-authority to the Elytron subsystem to hold the URLs of a certificate authority that implements the server side of the ACME protocol. These URLs can point to local server instances (for testing purposes, for example) or to public certificate authorities such as Buypass or Entrust.

/subsystem=elytron/certificate-authority=myCA:add(
       url="https://my.example.url/acme/directory",
       staging-url="https://my.example.staging.url/acme/directory")

The above command results in the following configuration in the Elytron subsystem:

<tls>
    ...
    <certificate-authorities>
        <certificate-authority name="myCA" url="https://my.example.url/acme/directory" staging-url="https://my.example.staging.url/acme/directory"/>
    </certificate-authorities>
    ...
</tls>

You have now successfully configured a certificate-authority that can be used by a certificate-authority-account.

Add a certificate authority account

You can add a certificate-authority-account to the Elytron subsystem with the following command using the WildFly CLI:

/subsystem=elytron/certificate-authority-account=myCAAccount:add(
      certificate-authority=myCA,
      alias=example,
      key-store=accountKS)

Note: If you do not specify a certificate-authority, Let’s Encrypt is used by default. It is also possible to specify contact URLs that the certificate authority can use to reach you if there are any issues related to this account. The alias is the alias of the certificate authority account key in the key store.

The key store accountKS must already be configured in the Elytron subsystem. This key store will be used to hold server certificates.

The above command results in the following configuration in the Elytron subsystem:

<tls>
    ...
    <certificate-authority-accounts>
        <certificate-authority-account name="myCAAccount" certificate-authority="myCA">
            <account-key key-store="accountKS" alias="example"/>
        </certificate-authority-account>
    </certificate-authority-accounts>
    ...
</tls>
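The two steps above, collected into one CLI script as an added example (not from the original post): it also creates the account key store the post says must already exist, sets the optional contact URL, runs everything in a batch so a failure leaves the configuration untouched, and reads the resources back to verify them. The key store path, password and contact address are assumed placeholder values.

```jboss-cli
# Connect to a running WildFly instance first, e.g. ./jboss-cli.sh --connect --file=acme-setup.cli

batch

# Key store that will hold the ACME account key (path and password are placeholders).
/subsystem=elytron/key-store=accountKS:add(
      path=accounts.keystore.jks,
      relative-to=jboss.server.config.dir,
      type=JKS,
      credential-reference={clear-text=changeme})

# Directory URLs of an ACME-capable CA; staging-url points at its test environment.
/subsystem=elytron/certificate-authority=myCA:add(
      url="https://my.example.url/acme/directory",
      staging-url="https://my.example.staging.url/acme/directory")

# Account bound to that CA; contact-urls lets the CA reach an operator about this account.
/subsystem=elytron/certificate-authority-account=myCAAccount:add(
      certificate-authority=myCA,
      alias=example,
      key-store=accountKS,
      contact-urls=["mailto:admin@example.com"])

run-batch

# Verify what was written before attempting any certificate operations.
/subsystem=elytron/certificate-authority=myCA:read-resource
/subsystem=elytron/certificate-authority-account=myCAAccount:read-resource
```

Omitting certificate-authority from the account definition falls back to Let’s Encrypt, as described above.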

To obtain and manage your certificate, please see Farah Juma’s blog post where she goes through the operations you can use on certificate-authority-account that uses Let’s Encrypt. All operations stay the same with any other certificate authority.