ACME Certificate Authority (acmeCA)
Configuration for the ACME Certificate Authority.
Name | Type | Default | Description |
---|---|---|---|
accountContact | string | A contact URL the ACME server can use to contact the client for issues related this the ACME account. | |
accountKeyFile | string | ${server.output.dir}/resources/security/acmeAccountKey.pem | A path to the file containing a key identifier for a registered account on the ACME CA server. If the file does not exist, a new account is registered with the ACME CA server and the associated key is written to this file. Back this file up to maintain control of the account on the ACME CA server. |
acmeRevocationCheckerRef | A reference to top level acmeRevocationChecker element (string). | Configuration for checking the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). | |
acmeTransportConfigRef | A reference to top level acmeTransportConfig element (string). | ACME transport layer. | |
challengePollTimeout | A period of time with millisecond precision | 120s | The amount of time to spend polling the status of an ACME challenge before polling discontinues and treats the challenge as failed. A value of 0 indicates to poll indefinitely. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
directoryURI | string | The URI to the ACME CA server's directory object. | |
domain | string | A domain name to request a certificate for. | |
domainKeyFile | string | ${server.output.dir}/resources/security/acmeDomainKey.pem | A path to the file containing a key identifier for a domain. If the file does not exist, a new key is generated and written to this file. Back this file up to maintain control of the domain. |
orderPollTimeout | A period of time with millisecond precision | 120s | The amount of time to spend polling the status of an ACME order before polling discontinues and treats the order as failed. A value of 0 indicates to poll indefinitely. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
renewBeforeExpiration | A period of time with millisecond precision | 7d | Renew time before expiration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
subjectDN | string | Subject distinguished name (DN) to use for the certificate. The DN can include the following relative distinguished name (RDN) types: cn, c, st, l, o and ou. If the cn RDN type is defined, it must be one of the domains defined by the domain configuration element and it must be the first RDN in the DN. If the cn RDN type is not defined, the first domain defined by the domain configuration element is used as the cn RDN value. | |
validFor | A period of time with millisecond precision | The duration of time that the certificate signing request specifies for the certificate to be valid. The default is defined by the ACME CA server. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
acmeRevocationChecker
Configuration for checking the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs).
Name | Type | Default | Description |
---|---|---|---|
enabled | boolean | true | Verifies whether certificate revocation checking is enabled for the ACME CA service. The default is true. |
ocspResponderUrl | string | Sets the URI that identifies the location of the OCSP responder. This setting overrides the ocsp.responderURL security property and any responder that is specified in the certificate Authority Information Access Extension. |
acmeTransportConfig
ACME transport layer.
Name | Type | Default | Description |
---|---|---|---|
protocol | string | The SSL handshake protocol. Protocol values can be found in the documentation for the Java Secure Socket Extension (JSSE) provider of the underlying JRE. When using the IBM JRE the default value is SSL_TLSv2 and when using the Oracle JRE the default value is SSL. | |
trustStore | string | A keystore that contains trusted certificate entries that are used by SSL for signing verification. | |
trustStorePassword | Reversably encoded password (string) | The password that is used to load the truststore file. The value can be stored in clear text or encoded form. Use the securityUtility tool to encode the password. | |
trustStoreType | string | The keystore type for the truststore. Supported types are JKS, PKCS12 and JCEKS. |