ACME Certificate Authority (acmeCA)

Configuration for the ACME Certificate Authority.

NameTypeDefaultDescription

accountContact

string

A contact URL the ACME server can use to contact the client for issues related this the ACME account.

accountKeyFile

string

${server.output.dir}/resources/security/acmeAccountKey.pem

A path to the file containing a key identifier for a registered account on the ACME CA server. If the file does not exist, a new account is registered with the ACME CA server and the associated key is written to this file. Back this file up to maintain control of the account on the ACME CA server.

acmeRevocationCheckerRef

A reference to top level acmeRevocationChecker element (string).

Configuration for checking the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs).

acmeTransportConfigRef

A reference to top level acmeTransportConfig element (string).

ACME transport layer.

challengePollTimeout

A period of time with millisecond precision

120s

The amount of time to spend polling the status of an ACME challenge before polling discontinues and treats the challenge as failed. A value of 0 indicates to poll indefinitely. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

directoryURI

string
Required

The URI to the ACME CA server's directory object.

domain

string

A domain name to request a certificate for.

domainKeyFile

string

${server.output.dir}/resources/security/acmeDomainKey.pem

A path to the file containing a key identifier for a domain. If the file does not exist, a new key is generated and written to this file. Back this file up to maintain control of the domain.

orderPollTimeout

A period of time with millisecond precision

120s

The amount of time to spend polling the status of an ACME order before polling discontinues and treats the order as failed. A value of 0 indicates to poll indefinitely. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

renewBeforeExpiration

A period of time with millisecond precision

7d

Renew time before expiration. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

subjectDN

string

Subject distinguished name (DN) to use for the certificate. The DN can include the following relative distinguished name (RDN) types: cn, c, st, l, o and ou. If the cn RDN type is defined, it must be one of the domains defined by the domain configuration element and it must be the first RDN in the DN. If the cn RDN type is not defined, the first domain defined by the domain configuration element is used as the cn RDN value.

validFor

A period of time with millisecond precision

The duration of time that the certificate signing request specifies for the certificate to be valid. The default is defined by the ACME CA server. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

acmeRevocationChecker

Configuration for checking the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs).

NameTypeDefaultDescription

enabled

boolean

true

Verifies whether certificate revocation checking is enabled for the ACME CA service. The default is true.

ocspResponderUrl

string

Sets the URI that identifies the location of the OCSP responder. This setting overrides the ocsp.responderURL security property and any responder that is specified in the certificate Authority Information Access Extension.

acmeTransportConfig

ACME transport layer.

NameTypeDefaultDescription

protocol

string

The SSL handshake protocol. Protocol values can be found in the documentation for the Java Secure Socket Extension (JSSE) provider of the underlying JRE. When using the IBM JRE the default value is SSL_TLSv2 and when using the Oracle JRE the default value is SSL.

trustStore

string

A keystore that contains trusted certificate entries that are used by SSL for signing verification.

trustStorePassword

Reversably encoded password (string)

The password that is used to load the truststore file. The value can be stored in clear text or encoded form. Use the securityUtility tool to encode the password.

trustStoreType

string

The keystore type for the truststore. Supported types are JKS, PKCS12 and JCEKS.