author: Christian Breunig <christian@breunig.cc> 2024-01-05 22:55:37 +0100
committer: Christian Breunig <christian@breunig.cc> 2024-01-05 22:55:37 +0100
commit: 8e2932ebb426534b6727836c51395077ed8ed490 (patch)
tree: 99a34af01c5b22a6eb516ef81bc490e183f45716 /docs/configuration/pki
parent: 0cb7b820c92c82744641340a8c2e15947be4db88 (diff)
pki: T5886: add support for ACME protocol (LetsEncrypt)
Diffstat (limited to 'docs/configuration/pki')
-rw-r--r-- docs/configuration/pki/index.rst | 44
1 file changed, 43 insertions, 1 deletion
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index 66ad84a3..1fea13ac 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2021-09-01
+:lastproofread: 2024-01-05
.. include:: /_include/need_improvement.txt
@@ -248,6 +248,44 @@ certificates used by services on this router.
If CA is present, this certificate will be included in generated CRLs
+ACME
+^^^^
+
+The VyOS PKI subsystem can also be used to automatically retrieve Certificates
+using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol.
+
+.. cfgcmd:: set pki certificate <name> acme domain-name <name>
+
+ Domain names to apply, multiple domain-names can be specified.
+
+ This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme email <address>
+
+ Email used for registration and recovery contact.
+
+ This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme listen-address <address>
+
+ The address the server listens to during http-01 challenge
+
+.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096>
+
+ Size of the RSA key.
+
+ This options defaults to 2048
+
+.. cfgcmd:: set pki certificate <name> acme url <url>
+
+ ACME Directory Resource URI.
+
+ This defaults to https://acme-v02.api.letsencrypt.org/directory
+
+ .. note:: During initial deployment we recommend using the staging API
+ of LetsEncrypt to prevent and blacklisting of your system. The API
+ endpoint is https://acme-staging-v02.api.letsencrypt.org/directory
+
Operation
=========
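Review bot: the ``listen-address`` entry (``set pki certificate <name> acme listen-address <address>``) only says the server listens there during the http-01 challenge; it should state that the ACME server validates http-01 by connecting over plain HTTP on TCP port 80 to each configured domain name, so that address must be what the domain names resolve to publicly and the firewall must allow inbound TCP/80 to it while the challenge runs, otherwise issuance silently fails. Smaller fixes in the same hunk: ``Domain names to apply`` is vague (suggest ``Domain names the certificate is requested for; multiple domain-names can be specified.``), ``This options defaults to 2048`` should read ``This option defaults to 2048.``, the two ``This is a mandatory option`` lines lack a terminating period, and the note's ``to prevent and blacklisting of your system`` should read ``to avoid hitting Let's Encrypt rate limits, which can temporarily block issuance for your domains`` (the project name is also spelled ``Let's Encrypt``, not ``LetsEncrypt``).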
@@ -292,3 +330,7 @@ also to display them.
.. opcmd:: show pki crl
Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
+
+.. opcmd:: renew certbot
+
+ Manually trigger certificate renewal. This will be done twice a day.
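Review bot: ``Manually trigger certificate renewal. This will be done twice a day.`` is ambiguous about what is done twice a day; suggest ``Trigger an immediate renewal run for all ACME-managed certificates. Renewal otherwise runs automatically twice a day.`` Since the operational command is named ``renew certbot`` while the configuration tree uses ``acme``, the entry should also cross-reference the ACME section added above so readers can find the related configuration.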