
TLS Application-Layer Protocol Negotiation (ALPN) challenge for ACME (tls-alpn-01)

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Provenance: Internal Delivery
    • Epic Link:

      Description

      This ticket supersedes ECA-7082.

      Abstract

      Note that this is not a complete specification but a general description to allow non-implementers to understand this protocol. Implementers should refer to the RFC for the spec.

      ALPN is a TLS extension that lets the client and server negotiate which application protocol will be spoken over the connection. When ALPN is used for ACME validation in this manner, the ACME client provisions the TLS server's ALPN configuration with a self-signed certificate that contains the correct subjectAltName for that server, as well as an acmeIdentifier extension containing a SHA-256 digest of the key authorization (see [RFC8555|https://tools.ietf.org/html/rfc8555]).

      Once the client is ready to be challenged, it POSTs an empty JSON object to the CA, with the key authorization and the public key in the header. The CA then connects to the TLS server using ALPN and verifies that the challenge values in the challenge payload correspond to those in the certificate presented by the TLS server.
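      As an added example that is not part of this ticket or of EJBCA's code base, the following Python models the CA-side check described above: it derives the key authorization from the challenge token and the account JWK thumbprint (RFC 8555), builds the DER OCTET STRING value that the acmeIdentifier extension must carry (SHA-256 of the key authorization, RFC 8737), and validates a presented certificate against it. The PresentedCertificate class is a constructed stand-in for the fields a real validator would read from the parsed X.509 certificate.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

ACME_TLS_ALPN = "acme-tls/1"                  # ALPN protocol id from RFC 8737
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"  # acmeIdentifier extension OID


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash the required members only, lexicographically ordered, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # RFC 8555 section 8.1: token "." base64url(JWK thumbprint)
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def acme_identifier_ext_value(key_auth: str) -> bytes:
    # RFC 8737: Authorization ::= OCTET STRING (SIZE (32)) holding SHA-256(keyAuthorization).
    digest = hashlib.sha256(key_auth.encode("utf-8")).digest()
    return b"\x04\x20" + digest  # DER OCTET STRING: tag 0x04, length 0x20


@dataclass
class PresentedCertificate:
    # Constructed stand-in for what a validator extracts from the server's certificate.
    dns_names: tuple          # dNSName entries of the subjectAltName extension
    extensions: dict          # OID -> (critical flag, DER-encoded extnValue)


def validate_tls_alpn_01(negotiated_alpn, cert, identifier, token, account_jwk):
    """Return (ok, reason) for a CA-side tls-alpn-01 validation of one identifier."""
    if negotiated_alpn != ACME_TLS_ALPN:
        return False, "server did not negotiate acme-tls/1"
    if cert.dns_names != (identifier,):
        return False, "subjectAltName must contain exactly the validated dNSName"
    ext = cert.extensions.get(ID_PE_ACME_IDENTIFIER)
    if ext is None:
        return False, "acmeIdentifier extension missing"
    critical, value = ext
    if not critical:
        return False, "acmeIdentifier extension must be marked critical"
    expected = acme_identifier_ext_value(key_authorization(token, account_jwk))
    if not hmac.compare_digest(value, expected):
        return False, "digest does not match the key authorization"
    return True, "ok"
```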

      Specification

      The Automated Certificate Management Environment (ACME) TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension is now specified in [RFC8737|https://tools.ietf.org/html/rfc8737].

      Implementation Details

      As Amin Khorsandi mentioned in the previous ticket, there doesn't seem to be support for tls-alpn-01 in JDK 8, so unless something else has changed, implementation of this ticket may have to wait until after a tech jump.

      People

      Assignee: Unassigned
      Reporter: mikek Mike Agrenius Kushner