Hello,
Sectigo is my SSL provider and they support the ACME protocol and I'd like to leverage the acme_certificate module; however, Sectigo seems to use an HMAC key for authentication rather than RSA keys. Is it possible to use an HMAC key with the set of acme_* modules for CAs such as Sectigo? Thanks much for any help!
-vic
Hi,
> Sectigo is my SSL provider and they support the ACME protocol and I'd
> like to leverage the acme_certificate module; however, Sectigo seems
> to use an HMAC key for authentication rather than RSA keys. Is it
> possible to use an HMAC key with the set of acme_* modules for CAs
> such as Sectigo? Thanks much for any help!
you also need an RSA/ECC account key for Sectigo (that's an ACME
requirement they can't change). The HMAC key is used for External
Account Binding, to link the ACME account (associated to the RSA/ECC
key) to the Sectigo account. According to RFC 8555
(https://tools.ietf.org/html/rfc8555#section-7.3.4), External Account
Binding requires a MAC key and a key identifier, which are needed
during account registration.
I didn't yet have time to look at that more closely, but I'm interested
in implementing support for that eventually. (The mini test CA we are
using in CI, Pebble, now also supports External Account Binding, so we
can even test it before trying it out with a real account.)
I've created an issue
(https://github.com/ansible-collections/community.crypto/issues/89) to
track this.
If you want to use the acme_* modules right now, you need to use a
different ACME client (which supports External Account Binding) to
create an ACME account at Sectigo that's associated to your Sectigo
account, and export the ACME account key (will be an RSA or an ECC
private key) in PEM format. Then you can use the acme_* modules with
that account.
(Please note that I don't have access to a Sectigo account, so I cannot
test whether the modules work fine with Sectigo's ACME implementation.
So it could be that other things go wrong.)
Cheers,
Felix
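What the External Account Binding object described above looks like on the wire, as an added illustration (not code from community.crypto or from this thread): it builds the RFC 8555 section 7.3.4 JWS that an ACME client embeds in its newAccount request, signed with the CA-issued HMAC key over the account's public key, and shows the CA-side check. The account JWK, key identifier, HMAC key and newAccount URL are constructed placeholders, not real Sectigo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; nothing here is a real key or endpoint.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                      "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_EAB_KID = "eab-key-id-placeholder"
SAMPLE_EAB_HMAC_KEY = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example/newAccount"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and RFC 8555 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """Client side: HS256 JWS whose payload is the account public key (JWK).

    The protected header carries the CA-issued key identifier as "kid" and
    the same "url" as the outer newAccount request; it has no "nonce".
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def new_account_body(eab: dict) -> dict:
    """The newAccount payload the EAB object is nested into (outer JWS omitted)."""
    return {"termsOfServiceAgreed": True, "externalAccountBinding": eab}


def verify_eab(eab: dict, eab_hmac_key: str, account_jwk: dict, new_account_url: str) -> bool:
    """CA side: constant-time MAC check, then header and payload sanity checks."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    header = json.loads(b64url_decode(eab["protected"]))
    payload = json.loads(b64url_decode(eab["payload"]))
    return (header.get("alg") == "HS256" and header.get("url") == new_account_url
            and "nonce" not in header and payload == account_jwk)
```

The HMAC key only ever signs the binding; the RSA/ECC account key still signs every ACME request, which is why the modules need that key exported in PEM form.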
Hi,
> Sectigo is my SSL provider and they support the ACME protocol and
> I'd like to leverage the acme_certificate module; however, Sectigo
> seems to use an HMAC key for authentication rather than RSA keys.
> Is it possible to use an HMAC key with the set of acme_* modules
> for CAs such as Sectigo? Thanks much for any help!
If you're still interested in this, I started implementing External
Account Binding for acme_account in
https://github.com/ansible-collections/community.crypto/pull/100.
Cheers,
Felix