
Reseller ACME API Integration

IdenTrust provides an ACME API for resellers that implements the ACME protocol (RFC 8555).

Issuing a certificate through the ACME API (Staging environment)

The staging environment is for testing your integration and making sure everything works as expected before pointing it at the production API.

Info: PREREQUISITE: you must have a reseller account and a configured API key.

Staging environment

Base URLs:

API        URL
Reseller   reseller-cms-pte.identrust.com
ACME       acme-cms-pte.identrust.com

The staging environment comes with some predefined test certificate profiles.

PROFILE NAME   ACME DIRECTORY
TLS-90d        https://acme-cms-pte.identrust.com/acme/TLS-90d/directory
TLS-1y         https://acme-cms-pte.identrust.com/acme/TLS-1y/directory

EXAMPLE: Issue a 90 day certificate through the ACME API

Set environment variables

# Staging reseller API host and the API key configured for your reseller account
export RESELLER_HOST=reseller-cms-pte.identrust.com
export API_KEY=supersecret
# Certificate profile; the directory URL is built on the staging ACME host listed above
export PROFILE=TLS-90d
export ACME_URL=https://acme-cms-pte.identrust.com/acme/$PROFILE/directory

Using the reseller API, create an account for the user. The kid and hmacKey returned in the response are used as the External Account Binding (EAB) credentials for the ACME client.

# The API key travels in the Authorization header, so the request must go over HTTPS
curl -X 'POST' \
  "https://$RESELLER_HOST/account" \
  -H 'accept: application/json' \
  -H "Authorization: $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{ "customer_email": "customer@example.com" }'

An example response:

{
  "id": 1234,
  "kid": "f8217eb6-6e52-11f0-a301-bad3575f33d9",
  "resellerCode": "RESELLER_CODE",
  "email": "customer@example.com",
  "revoked": false,
  "deleted": false,
  "hmacKey": "VL0adReIGO1c3XIyLxi6Klj7qNKEGk8INky7GwPkSeg="
}

Info: The hmacKey is returned as a standard base64 string (note the trailing = padding). You may need to convert it to base64url for your ACME client: replace + with -, / with _, and drop the = padding. For the key above that only means dropping the trailing =, which is what the lego example below does.

Once you have the kid and hmacKey, supply them to your preferred ACME client as its EAB credentials.
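As an added example (not IdenTrust's code and not part of the original page), here is what an ACME client does with the kid and hmacKey: it converts the base64 hmacKey to base64url and builds the externalAccountBinding JWS from RFC 8555 section 7.3.4 that accompanies its newAccount request; the server-side check is included to show why the padding and alphabet matter. The kid and hmacKey are the sample values from the response above; the newAccount URL path and the account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding every ACME JWS field uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_hmac_key(key: str) -> bytes:
    """Decode hmacKey given either as standard base64 (as the reseller API returns it)
    or as base64url without padding (as the lego example uses it)."""
    key = key.replace("-", "+").replace("_", "/")
    key += "=" * (-len(key) % 4)  # restore the '=' padding that base64url drops
    return base64.b64decode(key, validate=True)

def hmac_key_to_base64url(key_b64: str) -> str:
    """Convert the reseller API's base64 hmacKey to base64url for the ACME client."""
    return b64url(decode_hmac_key(key_b64))

def build_eab(kid: str, hmac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """externalAccountBinding JWS (RFC 8555 s7.3.4): protected header {alg, kid, url},
    payload = the account's public key JWK, signature = HMAC-SHA256 with the reseller key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url},
                                  separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(decode_hmac_key(hmac_key), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key: str) -> bool:
    """What the ACME server does: recompute the MAC with the key it issued for this kid
    and compare in constant time."""
    mac = hmac.new(decode_hmac_key(hmac_key), f"{eab['protected']}.{eab['payload']}".encode(),
                   hashlib.sha256).digest()
    return hmac.compare_digest(b64url(mac), eab["signature"])

# Sample values: kid and hmacKey from the page's example response; the newAccount URL
# (normally read from the ACME directory) and the account JWK are constructed placeholders.
KID = "f8217eb6-6e52-11f0-a301-bad3575f33d9"
HMAC_KEY_B64 = "VL0adReIGO1c3XIyLxi6Klj7qNKEGk8INky7GwPkSeg="
NEW_ACCOUNT_URL = "https://acme-cms-pte.identrust.com/acme/TLS-90d/new-account"
ACCOUNT_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB"}

if __name__ == "__main__":
    eab = build_eab(KID, HMAC_KEY_B64, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, HMAC_KEY_B64))
```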

# Using the lego ACME client with Cloudflare as the DNS provider (DNS-01 challenge).
# EAB_HMAC is the hmacKey from the response converted to base64url (here: trailing = dropped).

export EAB_KID=f8217eb6-6e52-11f0-a301-bad3575f33d9
export EAB_HMAC=VL0adReIGO1c3XIyLxi6Klj7qNKEGk8INky7GwPkSeg

# -d domain to issue for, -s ACME directory URL, --dns cloudflare selects the DNS-01
# provider (its API credentials are read from the environment; see lego's provider docs),
# --dns.resolvers is used to check DNS propagation, -a accepts the terms of service,
# -k rsa2048 sets the private key type, --eab with --kid/--hmac supplies the EAB.
lego -d test.example.com -s "$ACME_URL" \
  --dns.resolvers 1.1.1.1 \
  --email customer@example.com \
  --dns cloudflare \
  -a \
  -k rsa2048 \
  --eab --kid "$EAB_KID" --hmac "$EAB_HMAC" run