Skip to content

feat(enroll): ACME HTTP-01/DNS-01 so cert-manager and native ACME clients enroll without an agent #110

Description

@Bugs5382

The CryptOS CA should expose an ACME endpoint (RFC 8555) so any standard ACME client can enroll and renew certificates automatically, with no CryptOS-specific agent. The main consumer is Kubernetes cert-manager pointed at CryptOS as an ACME issuer, but this covers any ACME client.

On the CryptOS side this is the usual ACME surface: a directory, account registration, orders, authorizations, challenges, finalize, and certificate download. It should support HTTP-01 and DNS-01 challenges, since DNS-01 is what cert-manager usually uses for internal and wildcard names. Issued leaf certificates chain to the CryptOS root.

The operator installs nothing CryptOS-specific. They configure cert-manager with an ACME issuer that points at the CryptOS directory URL and set up the DNS-01 solver. We document that.

ACME is already one of the built-in protocol adapters in the design decisions, so this is the concrete driver for it.

Not scheduled. External Account Binding, which challenge types are enabled by policy, rate limits, and TLS-ALPN-01 are still open.

Metadata

Metadata

Assignees

Labels

enhancementNew feature (feat). Minor version bump.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions