author: Christian Breunig <christian@breunig.cc> 2024-01-11 07:30:11 +0100
committer: GitHub <noreply@github.com> 2024-01-11 07:30:11 +0100
commit: 80e696c186c5382f4a667b90a1020f5e8de2cd35 (patch)
tree: 49a02a39ee2814bdbd758d064c678381b3eb9c9d
parent: 03f0cff457694487c9111aed9e6682f389eb601f (diff)
parent: 02446eb692b6f03e04fd1f419ee82472e2d4cb2f (diff)
Merge pull request #1234 from vyos/mergify/bp/sagitta/pr-1222
pki: T5886: add support for ACME protocol (LetsEncrypt) (backport #1222)
-rw-r--r-- docs/configuration/pki/index.rst | 44
1 files changed, 43 insertions, 1 deletions
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index e83272f5..44d6de71 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2021-09-01
+:lastproofread: 2024-01-05
.. include:: /_include/need_improvement.txt
@@ -248,6 +248,44 @@ certificates used by services on this router.
If CA is present, this certificate will be included in generated CRLs
+ACME
+^^^^
+
+The VyOS PKI subsystem can also be used to automatically retrieve Certificates
+using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol.
+
+.. cfgcmd:: set pki certificate <name> acme domain-name <name>
+
+ Domain names to apply, multiple domain-names can be specified.
+
+ This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme email <address>
+
+ Email used for registration and recovery contact.
+
+ This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme listen-address <address>
+
+ The address the server listens to during http-01 challenge
+
+.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096>
+
+ Size of the RSA key.
+
+ This options defaults to 2048
+
+.. cfgcmd:: set pki certificate <name> acme url <url>
+
+ ACME Directory Resource URI.
+
+ This defaults to https://acme-v02.api.letsencrypt.org/directory
+
+ .. note:: During initial deployment we recommend using the staging API
+ of LetsEncrypt to prevent and blacklisting of your system. The API
+ endpoint is https://acme-staging-v02.api.letsencrypt.org/directory
+
Operation
=========
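Review bot: The note under the `url` option has a garbled sentence that obscures its point: "to prevent and blacklisting of your system" should read something like "to avoid being rate-limited or blacklisted by LetsEncrypt", since that is the reason to use the staging endpoint while testing; please also say explicitly that staging certificates are not trusted by clients and must be replaced with production ones before use. Two smaller wording fixes in the same hunk: "This options defaults to 2048" should be "This option defaults to 2048", and the `domain-name` entry would be clearer as "Domain names the certificate is requested for; multiple entries may be specified." Consider also noting for `listen-address` that the http-01 challenge needs the ACME server to reach the listener on TCP port 80, so the address must be publicly reachable and any firewall rules must permit it, otherwise the first renewal attempt will fail silently from the user's point of view. Finally, "This is a mandatory option" is missing its terminating period in both places.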
@@ -292,3 +330,7 @@ also to display them.
.. opcmd:: show pki crl
Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
+
+.. opcmd:: renew certbot
+
+ Manually trigger certificate renewal. This will be done twice a day.
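Review bot: The sentence "This will be done twice a day" is ambiguous as written: it reads as if running `renew certbot` schedules two runs per day, whereas the intent appears to be that renewal is attempted automatically twice a day and this command triggers one attempt on demand. Suggest "Manually trigger a renewal of all ACME certificates. Renewal is otherwise attempted automatically twice a day." It would also help operators to mention where the renewal result is logged, since a failed automatic renewal is a common cause of unexpected certificate expiry.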