Document certificate renewal

pull/17/merge
Richard Körber 2016-03-10 01:40:16 +01:00
parent ec8ea0bd87
commit d0915051d1
1 changed files with 22 additions and 2 deletions


@ -6,7 +6,7 @@ Once you completed all the previous steps, it's time to request the signed certi
To do so, prepare a PKCS#10 CSR file. A single domain may be set as _Common Name_. Multiple domains must be provided as _Subject Alternative Name_. Other properties (_Organization_, _Organization Unit_ etc.) depend on the CA. Some may require these properties to be set, while others may ignore them when generating the certificate.
CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is also a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair.
CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair.
Do not just use your account key pair as domain key pair, but generate a separate pair of keys!
@ -20,6 +20,14 @@ csrb.sign(domainKeyPair);
byte[] csr = csrb.getEncoded();
```
It is a good idea to store the generated CSR somewhere, as you will need it again for renewal:
```java
try (FileWriter fw = new FileWriter("example.csr")) {
csrb.write(fw);
}
```
Now all you need to do is to pass in a binary representation of the CSR and request the certificate:
```java
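Review bot: the new paragraph tells the reader to store the CSR because it is needed again for renewal, but the CSR alone is not enough: the renewed certificate will be issued for the public key in that CSR, i.e. for the `domainKeyPair` that signed it (`csrb.sign(domainKeyPair);` in the hunk context), so the docs should state that the domain key pair must be persisted as well, and protected, or the renewed certificate cannot be used. Suggest adding a sentence after "you will need it again for renewal", for example: "Keep the domain key pair along with it; the CSR is of no use without the private key that signed it." The `try (FileWriter fw = ...)` example itself is fine (the CSR is public data, so a plain file is acceptable; the key pair is not).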
@ -65,7 +73,19 @@ The number of domains per certificate may also be limited (_Let's Encrypt_ curre
## Renewal
Renewing your certificate depends on the CA. Some may require you to go through the authorization process again, while others may just provide an updated certificate for download at the `certUri` above.
Certificates are only valid for a limited time, and need to be renewed before expiry. To find out the expiry date of a `X509Certificate`, invoke its `getNotAfter()` method.
For renewal, just request a new certificate using the original CSR:
```java
PKCS10CertificationRequest csr = CertificateUtils.readCSR(
new FileInputStream("example.csr"));
URI certUri = client.requestCertificate(account, csr.getEncoded());
X509Certificate cert = client.downloadCertificate(certUri);
```
Instead of loading the original CSR, you can also generate a new one. So renewing a certificate is basically the same as requesting a new certificate.
## Revocation
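Review bot: the renewal snippet opens `new FileInputStream("example.csr")` and never closes it, which leaks the file handle; since the write example in this same change already uses try-with-resources, do the same here, e.g.
`PKCS10CertificationRequest csr;`
`try (FileInputStream in = new FileInputStream("example.csr")) {`
`    csr = CertificateUtils.readCSR(in);`
`}`. Two smaller documentation points: the last paragraph could say that generating a new CSR from a fresh domain key pair is also what rotates the key, whereas reusing the stored CSR keeps the old key; and the `getNotAfter()` sentence would read better with a hint to schedule renewal some time before that date rather than at it, since the certificate must be replaced before it expires.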