Account Creation in ACME

Account Creation (ACME)

Background

Automatic Certificate Management Environment (ACME) facilitates domain owner verification and certificate issuance management. In order to start with ACME, we must implement a functionality for account creation. This will be utilized by the ACME client to create an account on the ACME server. On the other hand, it will be easy for ACME server to manage issued certificates and clients. Every client who wants to acquire a certificate through ACME must have an account.

Steps

1. Create an API endpoint “new-account”.
2. Validate the payload in request i.e. contact and email.
3. Have some User Interaction for Terms of Service.
4. Create an account in Database and store the public key of the client.
5. Return an account object (201) created with account URL.

Request Format

The request format in ACME for account creation uses JSON Web Signature (JWS).

The request for creation of a new account is sent to the ‘new-account’ property of directory object.

Request :

  POST /acme/new-account HTTP/1.1

  Host: example.com

  Content-Type: application/jose+json

Data :

{

    "protected": base64url({

      "alg": "ES256",

      "jwk": {...},

      "nonce": "6S8IqOGY7eL2lsGoTZYifg",

      "url": "https://example.com/acme/new-account"

    }),

    "payload": base64url({

      "terms-of-service-agreed": true,

      "contact": [

        "mailto:cert-admin@example.com",

        "tel:+12025551212"

      ]

}),

    "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I"

  }

Fields and their meanings :

1. contact (optional, array of string):  Same meaning as the corresponding server field defined in Section 7.1.2 of the ACME draft.
2.   terms-of-service-agreed (optional, boolean):  Same meaning as the corresponding server field defined in Section 7.1.2 of the acne draft.
3.  only-return-existing (optional, boolean):  If this field is present with the value "true", then the server MUST NOT create a new account if one does not already exist. This allows a client to look up an account URL based on an account key (see Section 7.3.1 in acme draft).

Response Format

The response format is as follows.

Response:

HTTP/1.1 201 Created

  Content-Type: application/json

  Replay-Nonce: D8s4D2mLs8Vn-goWuPQeKA

  Location: https://example.com/acme/acct/1

  Link: <https://example.com/acme/some-directory>;rel="index"

Data:

{

    "status": "valid",

    "contact": [

      "mailto:cert-admin@example.com",

      "tel:+12025551212"

] }

Fields and their meanings :

1. status (required, string):  The status of this account.  Possible

     values are: "valid", "deactivated", and "revoked".  The value

     "deactivated" should be used to indicate client-initiated

     deactivation whereas "revoked" should be used to indicate server-

     initiated deactivation.

2.   contact (optional, array of string):  An array of URLs that the

     server can use to contact the client for issues related to this account

.  For example, the server may wish to notify the client

     about server-initiated revocation or certificate expiration.

3.   terms-of-service-agreed (optional, boolean):  Including this field in

     a new-account request, with a value of true, indicates the

     client’s agreement with the terms of service.  This field is not

     updateable by the client.

4.   orders (required, string):  A URL from which a list of orders

     submitted by this account can be fetched via a GET request, as

     described in Section 7.1.2.1 of the acme draft.