Configuring AppViewX ACME Client
This section explains how to set up and use the AppViewX ACME client on Microsoft Windows and Linux.
Prerequisites
- The AppViewX ACME client has no installation steps. The binary is provided for both Microsoft Windows and Linux and can be used directly.
- For Windows, run all commands from an administrator command prompt.
- For Linux:
  - DNS challenge: does not require sudo.
  - HTTP challenge: only the following command requires sudo. It grants the binary the capability to bind privileged ports (port 80 for the HTTP challenge) so that it does not need to run as root:
    sudo setcap 'cap_net_bind_service=+ep' <appviewx-acme-client-binary>
- EAB (External Account Binding) is mandatory for the AppViewX ACME plug-in.
Windows Commands
| Component/Function | Command |
|---|---|
| Enroll HTTP | |
| Enroll EAB HTTP | |
| DNS enroll (AWS Route 53) | Note: DNS configurations can vary depending on the DNS provider. For more information, refer to https://go-acme.github.io/lego/dns/. |
| DNS enroll (AppViewX) | Note: |
| Sample for custom and cert attributes | Sample for customer and certificate attributes in case of multiple values: |
| Renew all | Note: --days indicates that the certificates will be renewed if their remaining validity is less than the number of days specified. |
| Renew one | |
| DNS renew (AppViewX) | |
| Revoke | Note: Revocation reasons can include any of the following: |
| Reinstate | Note: It is important to include the --keep flag at the end of the reinstate command; otherwise, the certificates will be deleted after the operation. |
| Windows schedule command | |
| Post Scripts | The parameter |
Linux Commands
| Component/Function | Command |
|---|---|
| Enroll HTTP | |
| Enroll EAB HTTP | |
| DNS enroll (AWS Route 53) | Note: DNS configurations can vary depending on the DNS provider. For more information, refer to https://go-acme.github.io/lego/dns/. |
| DNS enroll (AppViewX) | Note: |
| Custom and cert attributes | Sample for customer and certificate attributes in case of multiple values: |
| Renew all | Note: --days indicates that the certificates will be renewed if their remaining validity is less than the number of days specified. |
| Renew one | |
| DNS renew (AppViewX) | |
| Revoke | Note: Revocation reasons can include any of the following: |
| Suspend | Note: It is important to include the --keep flag at the end of the suspend command; otherwise, the certificates will be deleted after the operation. |
| Linux cron scheduler | |
| Post Scripts | The parameter |
Config.json
A configuration file, similar to those used by other ACME tools such as Certbot, centralizes the certificate settings. It contains all the parameters required for certificate enrollment and renewal.
The config.json file is the input configuration for the AppViewX ACME client during certificate enrollment. If provided, it overrides or complements parameters passed on the command line. The same file can be reused for certificate renewal, which keeps the CSR details and the external account binding consistent between the two operations. Because the eab block carries the CA-issued HMAC key, treat config.json as a secret and restrict its file permissions to the account that runs the client.
```json
{
  "csr_params": {
    "organization": "",
    "organization_unit": "",
    "country": "",
    "province": "",
    "locality": "",
    "emails": [""],
    "key_type": "rsa4096"
  },
  "eab": {
    "mac": "",
    "kid": "",
    "alg": "HS384"
  },
  "account_email": "[email protected]",
  "cert_attributes": {
    "attribute1": "value1",
    "attribute2": "value2"
  },
  "custom_attributes": {
    "attribute1": "value1",
    "attribute2": "value2"
  }
}
```

| JSON key | Expected Input | Description |
|---|---|---|
| csr_params (CSR parameters: these are used to generate the CSR that is sent to the ACME server during certificate enrollment.) | | |
| organization | String | The legal name of the organization to appear in the certificate. |
| organization_unit | String | The department or division name within the organization (e.g., “IT”, “Security”). |
| country | String | The two-letter ISO country code (e.g., US, IN). |
| province | String | The state or province name where the organization is located. |
| locality | String | The city or locality name. |
| emails | List of strings | A list of email addresses to be included in the CSR (optional; can be used for contact or notification purposes). |
| key_type | Possible values: [“rsa”, “ecdsa”] (String) | Specifies the key algorithm and size for the private key (e.g., rsa2048, rsa4096, ec256). |
| eab (Contains details for External Account Binding, a mechanism used to associate an ACME account with an external identity; typically required by private or enterprise CAs.) | | |
| mac | <value_of_EAB_HMAC_KEY> | The HMAC key provided by the CA for binding the account. It ensures secure linking between the ACME account and the external system. |
| kid | <value_of_EAB_KID> | The Key ID associated with the external account. This uniquely identifies the external account with the CA. |
| alg | HS256/HS384/HS512 | The hashing algorithm used for the HMAC computation (e.g., HS256, HS384, HS512). In this case, HS384 is used. |
| account_email (I) | | |
| cert_attributes (Holds standard certificate attributes that may be required by certain CAs or internal policy configurations. These are typically metadata key-value pairs that define certificate properties beyond the CSR fields.) | | |
| "attribute1": "value1" | | Represents a configurable attribute used by the certificate authority. Can store additional metadata such as certificate profile, policy OID, or usage type. |
| "attribute2": "value2" | | |
| custom_attributes (Defines user-specific or application-specific custom attributes to be passed during certificate enrollment.) | | |
| "attribute1": "value1" | | Custom key-value pair used for internal reference or integration. Can contain additional metadata (for example, environment name, tenant ID, or service tag). |
| "attribute2": "value2" | | |
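As an added example (not part of the AppViewX documentation or client), the following Python script checks a config.json against the rules in the table above before the client is run: the mandatory EAB kid and mac must be filled in, alg must be HS256, HS384 or HS512, country must be a two-letter code, emails must be a list, and the attribute sections must map names to string values. The key_type pattern and the two sample documents are assumptions constructed for the example.

```python
import json
import re

# Values from the page's table; the key_type pattern is an assumption from its examples (rsa2048, ec256).
EAB_ALGS = {"HS256", "HS384", "HS512"}
KEY_TYPE_RE = re.compile(r"^(rsa\d{4}|ec\d{3})$")

def validate_config(cfg: dict) -> list[str]:
    """Return the problems found in a parsed config.json; an empty list means OK."""
    problems: list[str] = []
    csr = cfg.get("csr_params") if isinstance(cfg.get("csr_params"), dict) else {}
    if not re.fullmatch(r"[A-Z]{2}", str(csr.get("country", ""))):
        problems.append("csr_params.country must be a two-letter ISO code")
    emails = csr.get("emails", [])
    if not isinstance(emails, list):
        problems.append("csr_params.emails must be a list of strings")
    else:  # emails are optional, so the template's blank entry is tolerated
        problems += [f"invalid CSR email: {e!r}" for e in emails if e and "@" not in str(e)]
    if not KEY_TYPE_RE.match(str(csr.get("key_type", ""))):
        problems.append("csr_params.key_type must look like rsa4096 or ec256")
    eab = cfg.get("eab")  # EAB is mandatory for the AppViewX ACME plug-in
    if not isinstance(eab, dict):
        problems.append("eab object is required")
    else:
        problems += [f"eab.{f} must be non-empty" for f in ("kid", "mac") if not eab.get(f)]
        if eab.get("alg") not in EAB_ALGS:
            problems.append("eab.alg must be one of HS256, HS384, HS512")
    if "@" not in str(cfg.get("account_email", "")):
        problems.append("account_email must be a valid address")
    for section in ("cert_attributes", "custom_attributes"):
        attrs = cfg.get(section, {})
        if not isinstance(attrs, dict) or not all(isinstance(v, str) for v in attrs.values()):
            problems.append(f"{section} must map attribute names to string values")
    return problems

def validate_config_text(text: str) -> list[str]:
    """Validate raw config.json text; malformed JSON is reported, not raised."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc.msg} at line {exc.lineno}"]
    return validate_config(cfg) if isinstance(cfg, dict) else ["config.json must be a JSON object"]

# Constructed samples (not from the page): the template with blank EAB values, and a filled copy.
TEMPLATE = json.dumps({"csr_params": {"organization": "", "organization_unit": "",
    "country": "", "province": "", "locality": "", "emails": [""], "key_type": "rsa4096"},
    "eab": {"mac": "", "kid": "", "alg": "HS384"}, "account_email": "admin@example.com",
    "cert_attributes": {"attribute1": "value1"}, "custom_attributes": {"attribute1": "value1"}})
FILLED = TEMPLATE.replace('"country": ""', '"country": "US"').replace(
    '"mac": ""', '"mac": "example-hmac-key"').replace('"kid": ""', '"kid": "example-kid"')
```

Running validate_config_text on the template reports the blank country and the empty EAB kid and mac, while the filled copy passes with no problems.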
