Extend internal CA with boulder so that it supports ACME?

Hello guys,

I am currently determining the topic of my bachelor thesis and my team analyzed the need of an ACME based system, since the PKI we currently have, does not support ACME.

I thought about, setting up a cfssl server and extending cfssl so that it can communicate with our PKI via REST API. While doing some researches on this topic, I found that the bare cfssl implementation does not speak ACME either, am I correct?

I now found out about bolder, and wonder if boulder is the way to go for me.

Does it make sense to concentrate on boulder to make our internal CA/PKI able to speak ACME?
Are there already similar projects that I can investigate? Or are there some guides / docs to getting started working and developing boulder

Any help appreciated.

I haven’t used it, but step-ca might be a good choice:

Edit:

To expand, there are some past threads discussing using Boulder for an internal CA. For example, this one:

The Boulder developers don’t recommend it, since it’s not designed to be easy to install, or easy to use in an environment less complicated than a full-on publicly-trusted CA.

It might be a worthwhile project, depending on your goals, but it’s not the easiest way to run an internal CA.

Also, I forgot to mention it, but EJBCA Enterprise also supports ACME.

3 Likes

smallstep-certificate does really look like it could be solution for my intensions, thanks for that!

1 Like

You are correct :+1:

I believe they support a specific older pre-RFC ACME draft. I’m not sure if it is RFC 8555 compatible. I’d love to be corrected about this if I’m wrong!

RFC 8555 isn’t very large. It would probably be easier to add another interface to your existing codebase from scratch that translates ACME to its existing API than to add a fully-formed ACME based CA like Boulder alongside the existing CA codebase.

I can confirm that, after the mentioned topic, we’re deploying Smallstep Certificates for our internal ACME and works fine with Certbot.

Good luck!

P.S. If you need any help you can join the smallstep community on Gitter (as I did - they helped me a lot)

1 Like