mirror of https://github.com/shred/acme4j
Document certificate renewal
parent ec8ea0bd87
commit d0915051d1
@ -6,7 +6,7 @@ Once you completed all the previous steps, it's time to request the signed certi
To do so, prepare a PKCS#10 CSR file. A single domain may be set as _Common Name_. Multiple domains must be provided as _Subject Alternative Name_. Other properties (_Organization_, _Organization Unit_ etc.) depend on the CA. Some may require these properties to be set, while others may ignore them when generating the certificate.
CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is also a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair.
CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair.
Do not just use your account key pair as domain key pair, but generate a separate pair of keys!
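Review bot: the reworded `CSRBuilder` sentence still links Bouncy Castle over plain `http://`; since readers are being pointed at where to obtain a cryptographic library, use the `https://` form of the same URL so the download page is not reached over an unauthenticated connection. The unchanged warning that follows, to generate a domain key pair separate from the account key pair, is worth keeping exactly as it is.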
@ -20,6 +20,14 @@ csrb.sign(domainKeyPair);
byte[] csr = csrb.getEncoded();
```
It is a good idea to store the generated CSR somewhere, as you will need it again for renewal:
```java
try (FileWriter fw = new FileWriter("example.csr")) {
csrb.write(fw);
}
```
Now all you need to do is to pass in a binary representation of the CSR and request the certificate:
```java
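Review bot: the new `example.csr` paragraph says the CSR "will be needed again for renewal", but a stored CSR is only useful if the domain key pair it was signed with is kept as well, since the renewed certificate is issued for that public key and must match the private key deployed on the server; add a sentence telling the reader to persist `domainKeyPair` too (the `KeyPairUtils` class mentioned earlier on this page is the natural place to point to) and to protect that file, because unlike the CSR it holds private key material. Also, "you will need it again" overstates: the renewal section on this same page says a fresh CSR works just as well, so "you can reuse it for renewal" is more accurate.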
@ -65,7 +73,19 @@ The number of domains per certificate may also be limited (_Let's Encrypt_ curre
## Renewal
Renewing your certificate depends on the CA. Some may require you to go through the authorization process again, while others may just provide an updated certificate for download at the `certUri` above.
Certificates are only valid for a limited time, and need to be renewed before expiry. To find out the expiry date of a `X509Certificate`, invoke its `getNotAfter()` method.
For renewal, just request a new certificate using the original CSR:
```java
PKCS10CertificationRequest csr = CertificateUtils.readCSR(
new FileInputStream("example.csr"));
URI certUri = client.requestCertificate(account, csr.getEncoded());
X509Certificate cert = client.downloadCertificate(certUri);
```
Instead of loading the original CSR, you can also generate a new one. So renewing a certificate is basically the same as requesting a new certificate.
## Revocation
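Review bot: `new FileInputStream("example.csr")` in the renewal snippet is never closed; wrap it in a try-with-resources block, as the write example in the previous hunk already does, e.g. `try (InputStream in = new FileInputStream("example.csr")) { PKCS10CertificationRequest csr = CertificateUtils.readCSR(in); ... }`. The replaced sentence also dropped the caveat that some CAs require the authorization process to be run again before renewal; the new text reads as if `requestCertificate` with a stored CSR always succeeds, so keep a sentence noting that re-authorization may be required, and consider mentioning near `getNotAfter()` that renewal should be triggered well before that date rather than at it.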