This is an implementation of an Automatic Certificate Management Environment (ACME) server, fully written in Java.
- Java 17 and up
- Any JDBC (and Hibernate-compatible) database. Currently the H2, MariaDB and PostgreSQL drivers are on the classpath
- Proxy support for the HTTP challenge
One year ago I started this project, and I'm happy to announce that it is now one year old! We're also reaching version 2.0 😮 with a lot of new features.
- The provisioner directory is now at /acme/provisionername/directory
- The database schema has been completely rebuilt; please clear the database before use
- Because the provisioner directory moved, the OCSP and CRL URLs have moved too; regenerate your intermediate certificates by deleting the corresponding entries in the keystore
The changelog has been moved here.
This version is not fully RFC 8555 compliant, but it should work with most clients. I hope to be able to say one day that we are fully compliant.
The documentation is now located here. The same directory also contains other tutorials related to this ACME Server.
- Self-hosted ACME Server for use with your own CA
- CA certificate download
- Download in standard formats like CRT, PEM, DER
- CAB file export of the CA certificate for installation on legacy Windows Mobile devices (e.g. older embedded devices, old PDAs, ...)
- Support for PKCS#12 (.p12) KeyStore and PKCS#11 Hardware Security Modules (HSM)
- Revocation support for certificates
- ACME Account deactivation
- Mostly ACME RFC compliant in its behaviour
- Multiple provisioners support with own intermediate CA
- Set expiration and key algorithm for each intermediate
- Set expiration for each issued certificate in provisioner
- Each provisioner has its own CRL (Certificate Revocation List)
- Set a domain naming restriction for each provisioner (e.g. domain must end with ".example.com")
- Enable wildcard support individually for each provisioner (e.g. *.example.com)
- Built-in OCSP (Online Certificate Status Protocol) server
- Signature verification of client requests
- Support for multiple identifiers in one order (multiple domains)
- Nonce validation (Replay protection)
- Supported challenges:
- HTTP-01
- DNS-01
- Statistics
- API and WebUI TLS security can be configured automatically from Mozilla's SSL Configuration Guidelines, see the Wiki here (the JSON configurations from 4.0 to 5.7, the latest at the time of writing, are bundled; if the specified version is not bundled, the server tries to fetch it from the Mozilla server. Note: versions before 5.1 might be a bit buggy)
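The per-provisioner naming restriction and wildcard switch listed above are an order-time policy check. The following Python example, added here and not code from the ACME Server project (which is Java; its own configuration keys and error strings may differ), shows the checks a practitioner would want on each identifier of a new order: DNS syntax, wildcard only as the leftmost label, and a suffix match on a label boundary so that `evil-example.com` does not satisfy `.example.com`. The `ProvisionerPolicy` class and the reason strings are assumptions.

```python
"""Identifier policy for a provisioner: required domain suffix and optional wildcard support.

Illustrative code, not the ACME Server's implementation; names are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen (LDH rule).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class ProvisionerPolicy:
    domain_suffix: str = ""        # e.g. ".example.com"; empty means no restriction
    allow_wildcard: bool = False   # whether "*.example.com" style identifiers are accepted


def normalize(name: str) -> str:
    """Lower-case, strip surrounding whitespace and a trailing dot (FQDN form)."""
    return name.strip().rstrip(".").lower()


def is_valid_dns_identifier(name: str) -> bool:
    """Optional leading '*.' followed by LDH labels; a '*' anywhere else is invalid
    (RFC 8555 section 7.1.3 allows the wildcard only as the entire leftmost label)."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def check_identifier(policy: ProvisionerPolicy, identifier: dict) -> Optional[str]:
    """None if the identifier is acceptable for this provisioner, else the reason to reject it."""
    if identifier.get("type") != "dns":
        return "unsupportedIdentifier"
    name = normalize(str(identifier.get("value", "")))
    if not name or not is_valid_dns_identifier(name):
        return "malformed identifier"
    if name.startswith("*.") and not policy.allow_wildcard:
        return "wildcard not allowed by this provisioner"
    if policy.domain_suffix:
        # Force a leading dot so the match happens on a label boundary; under this literal
        # reading of "must end with .example.com" the apex "example.com" itself is rejected.
        suffix = "." + normalize(policy.domain_suffix).lstrip(".")
        if not name.endswith(suffix):
            return "identifier outside allowed domain"
    return None


def check_order(policy: ProvisionerPolicy, identifiers: list) -> list:
    """(value, reason) for every rejected identifier of an order; an empty list means accept."""
    return [
        (ident.get("value"), reason)
        for ident in identifiers
        if (reason := check_identifier(policy, ident))
    ]


if __name__ == "__main__":
    policy = ProvisionerPolicy(domain_suffix=".example.com", allow_wildcard=True)
    # Constructed sample order with one acceptable and two unacceptable identifiers.
    order = [
        {"type": "dns", "value": "*.example.com"},
        {"type": "dns", "value": "evil-example.com"},
        {"type": "dns", "value": "*.*.example.com"},
    ]
    for value, reason in check_order(policy, order):
        print(f"rejected {value}: {reason}")
```

An order is accepted only if every identifier passes; the RFC's `rejectedIdentifier` error is the natural response when the returned list is non-empty.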
Client | HTTP-01 | DNS-01 | Notes
---|---|---|---
GetHttpsForFree | ✅ | ✅ | A modified version is included in the web frontend
Certbot | ✅ | ✅ | ℹ Works correctly only if certificate issuing is not asynchronous in the server (the default)
acme.sh | 🐞 | ✅ | For HTTP-01 use standalone mode; nginx mode does not work, for reasons not yet known. Should also work for OPNsense, because it uses acme.sh as its backend
Traefik | ✅ | ❓ | 
win-acme | ✅ | ❓ | Tested with IIS 8.5 on Windows Server 2012 R2. Use only a provisioner with RSA, because IIS does not support elliptic curve keys
acme4j | ✅ | ✅ | Also used for unit testing, currently HTTP-01 only
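Both challenge types in the table are validated by comparing a value derived from the challenge token and the account key with what the client publishes. The following Python example is added here and is not code from the ACME Server project (which is written in Java); it computes the HTTP-01 body and the DNS-01 TXT value per RFC 8555 and RFC 7638 and performs the server-side comparison. The JWK coordinates and the token are constructed placeholders, not real key material.

```python
"""Challenge values for ACME HTTP-01 and DNS-01 (RFC 8555 sections 8.1, 8.3, 8.4).

Illustrative code, not the ACME Server's implementation. Sample key and token are placeholders."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# JWK members that enter the thumbprint, per key type (RFC 7638 section 3.2). All other
# members (kid, use, alg, ...) are ignored, so the thumbprint identifies the key, not its metadata.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the required members: lexicographically sorted keys, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    required = {name: jwk[name] for name in members}  # KeyError on an incomplete JWK
    return json.dumps(required, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """Compare the body fetched from the challenge URL with the expected key authorization.
    Trailing whitespace is ignored, as section 8.3 recommends; nothing else is."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(token: str, account_jwk: dict, txt_records: list) -> bool:
    """Accept if any TXT record at _acme-challenge.<domain> carries the expected value."""
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed sample data: a P-256 JWK with placeholder coordinates (not a real key) plus the
# metadata members a client might send, and a token in the style of the RFC examples.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",
    "kid": "account-1",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 URL   :", http01_url("www.example.org", SAMPLE_TOKEN))
    print("HTTP-01 body  :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 record :", dns01_record_name("www.example.org"))
    print("DNS-01 TXT    :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The thumbprint binds the challenge to the account that created the order: a third party who can place content at the challenge URL or TXT record still cannot produce the right value without the account's public key being the one the order was made with.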
Operating system | Test status | Notes
---|---|---
Debian 11, 12 | ✅ | 
FreeBSD 13.2, 13.3, 14 | ✅ | Only the RELEASE builds were tested
Windows 10 | ✅ | 
JDBC driver | Built-in | Test status | Notes
---|---|---|---
MariaDB | Yes | ✅ | 
H2 | Yes | ✅ | Only embedded mode has been tested; server mode should be supported
PostgreSQL | Yes | ✅ | Use an up-to-date database version. Tested with PostgreSQL 16.2; older versions may not work properly
MySQL | No | ❓ | Hibernate configuration has been prepared but not tested yet
If you want to use a database engine whose JDBC driver is not built in, add the driver to the classpath manually and specify the Main-Class manually.
✅ | ❌ | 🐞 | ❓ |
---|---|---|---|
works without issues | not working at the moment | buggy | not tested |
Enable debug mode by setting the environment variable `DEBUG` to `TRUE` or by starting the ACME Server with `--debug`.
Do not use this in production: it disables some security mechanisms (e.g. the nonce check) and can lead to misuse of your CA.
To be able to run the unit tests, please make sure that port 80 (the default HTTP port) is not in use.
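The nonce check that debug mode disables is what stops a captured, validly signed request (a revocation, an account deactivation, a new order) from being submitted again. The following Python example is added here and is not the ACME Server's implementation; it shows the single-use, time-limited nonce store an ACME server needs for RFC 8555 section 6.5, and a `nonce_check` flag, an assumption of this example only, that mimics what skipping the check allows. `ManualClock` and `handle_jws` are also assumptions made for the example.

```python
"""Single-use nonce store for ACME replay protection (RFC 8555 section 6.5).

Illustrative code, not the ACME Server's implementation; handle_jws and the nonce_check
flag exist only to show what the check does and what disabling it allows."""
import base64
import re
import secrets
import threading
import time

# A nonce must be base64url without padding (section 6.5.1); anything else is a malformed JWS.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


class ManualClock:
    """Deterministic clock for tests and examples; call advance() to simulate time passing."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class NonceStore:
    """Remembers every nonce the server handed out and accepts each one exactly once."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._expiry = {}  # nonce -> time after which it is no longer accepted

    def issue(self) -> str:
        """Fresh 128-bit nonce for the Replay-Nonce header."""
        nonce = base64.urlsafe_b64encode(secrets.token_bytes(16)).rstrip(b"=").decode("ascii")
        with self._lock:
            self._purge_expired()
            self._expiry[nonce] = self._clock() + self._ttl
        return nonce

    def consume(self, nonce: str) -> bool:
        """True once per issued, unexpired nonce; False for replays, unknown and expired ones."""
        with self._lock:
            expiry = self._expiry.pop(nonce, None)  # pop: a second use finds nothing
        return expiry is not None and expiry > self._clock()

    def _purge_expired(self) -> None:
        now = self._clock()
        for nonce in [n for n, t in self._expiry.items() if t <= now]:
            del self._expiry[nonce]


def handle_jws(store: NonceStore, protected: dict, nonce_check: bool = True) -> tuple:
    """Nonce handling for a signed ACME request, after the signature has been verified.

    Returns (result, replay_nonce). A fresh nonce is issued with every response, including
    error responses, so the client can always retry (section 6.5)."""
    nonce = protected.get("nonce")
    if not isinstance(nonce, str) or not _B64URL.match(nonce):
        return "malformed", store.issue()  # section 6.5.2: bad encoding is a malformed JWS
    if nonce_check and not store.consume(nonce):
        return "badNonce", store.issue()
    return "ok", store.issue()


if __name__ == "__main__":
    store = NonceStore()
    n = store.issue()
    print(handle_jws(store, {"nonce": n})[0])                     # ok
    print(handle_jws(store, {"nonce": n})[0])                     # badNonce: same request replayed
    print(handle_jws(store, {"nonce": n}, nonce_check=False)[0])  # ok: what skipping the check allows
```

With the check in place a replayed JWS fails with `badNonce` even though its signature is still valid; with the check skipped the same bytes are accepted again, which is why debug mode must stay off on a server fronting a real CA.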
We welcome every contribution to the ACME Server project. Please refer to our style guide, located in the styleguide directory, for more information on coding standards and practices. This keeps the code readable and easier to test.
- OpenAI's ChatGPT (Helped me, when I was struggling)
- BouncyCastle (For a great cryptographic library in Java)
- KeyStore Explorer (Helped me debugging my generated certificates)
- GetHttpsForFree (For debugging my ACME Server and understanding the ACME protocol; a modified version is built into the server)
- Acme4j (Its client implementation helped me generate the expected DNS challenge value on the server side)
- CabinetMaker (For generating CAB files in pure Java; it has been refactored for Java 17+)