Certificate Management

Issuing certificate using ACME protocol

We can issue a certificate to the enclave signed by an external Certificate Authority (CA) using the ACME protocol. To use the ACME protocol, the enclave must prove that it controls the domain. This is done with the HTTP-01 challenge: the enclave starts the challenge by contacting the CA, which asks the enclave to publish a secret at a specific path served over plain HTTP on port 80. The CA then fetches that path on the domain over port 80 to check that the secret is present. Once the challenge is verified, the client sends a Certificate Signing Request (CSR) to the CA for signing.
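The exchange described above, as an added example that is not part of the original page or of the enclave product's own code: the client side publishes the key authorization (token joined with the RFC 7638 thumbprint of the ACME account key) under the ACME challenge path on a loopback HTTP server, and the CA side fetches it and compares. The account keys are constructed placeholders (not real EC keys), the server listens on an ephemeral loopback port instead of port 80, and the CA is played by a local function; a real CA would also reach the domain through DNS, which is not modelled here. The second run shows the check failing when the CA expects a different account key, which is what stops a secret placed by someone else from satisfying the challenge.

```python
import base64
import hashlib
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account keys in JWK form (not real keys: the x/y values are
# placeholders, which is enough to compute a thumbprint for the demo).
DEMO_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "demo-x-coordinate", "y": "demo-y-coordinate"}
OTHER_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-coordinate", "y": "other-y-coordinate"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    if jwk["kty"] == "EC":
        members = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    elif jwk["kty"] == "RSA":
        members = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    else:
        raise ValueError("unsupported key type")
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the published secret is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Client (enclave) side: serve published key authorizations, 404 for anything else."""

    published: dict = {}

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        body = self.published.get(token) if token else None
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write(body.encode("ascii"))

    def log_message(self, *_):  # keep the demo server quiet
        pass


def ca_validate(host: str, port: int, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the challenge path and compare it with the expected key authorization."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().strip()
    except (urllib.error.URLError, OSError):
        return False  # unreachable or non-2xx: the challenge fails
    return hmac.compare_digest(body, expected)


def run_http01_exchange(ca_expects_jwk: dict) -> bool:
    """Publish a challenge for DEMO_ACCOUNT_JWK, then validate it as a CA that knows ca_expects_jwk."""
    token = b64url(secrets.token_bytes(32))
    ChallengeHandler.published[token] = key_authorization(token, DEMO_ACCOUNT_JWK)
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)  # ephemeral port instead of 80
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return ca_validate("127.0.0.1", server.server_address[1], token, ca_expects_jwk)
    finally:
        server.shutdown()
        server.server_close()
        ChallengeHandler.published.pop(token, None)


if __name__ == "__main__":
    print("same account key:     ", run_http01_exchange(DEMO_ACCOUNT_JWK))   # True
    print("different account key:", run_http01_exchange(OTHER_ACCOUNT_JWK))  # False
```

The comparison uses `hmac.compare_digest` on the raw bytes so that a body containing non-ASCII junk is simply rejected rather than raising, and the fetch goes through an opener with no proxy handler so an `HTTP_PROXY` environment variable cannot redirect the validation request.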

Updating the manifest to use ACME type

In our manifest we can update the caCertDetails as follows:

```yaml
spec:
  ...
  caCertDetails:
    enclaveCertType: ACME
    acmeCertDomainName: example.com
    acmeContactEmail: dev@example.com
```