Running Certbot
Run the following Certbot command to enroll a certificate using PKIaaS and the ACME protocol.
certbot certonly -d <domain> --server <acme-url> --webroot --no-eff-email --agree-tos -m <email> --eab-kid <eab-kid> --eab-hmac-key <eab-hmac-key>
See below for a description of each parameter.
-d <domain>
Include the <domain> domain in the certificate. This option allows repetition, for example:
-d example.com -d www.example.com
--server <acme-url>
Use the <acme-url> enrollment URL, where <acme-url> is the ACME Directory URL described in Configuring ACME in PKIaaS.
--webroot
--webroot instructs Certbot to write any domain challenges to the file system. However, because PKIaaS uses External Account Binding, no domain challenges are issued during the enrollment.
--no-eff-email
Do not share the <email> email address with the Electronic Frontier Foundation.
⚠ If another application, such as a Web server, is running and using ports 80 or 443, disable the application.
--agree-tos
Automatically agree to the terms of service of the ACMEv2 server.
-m <email>
Use the <email> email address to register the ACME account with Entrust PKIaaS.
ℹ Entrust PKIaaS will not send email messages to this email address.
--eab-kid <eab-kid>
Use the <eab-kid> Key Identifier provided by Entrust PKIaaS for External Account Binding (EAB).
--eab-hmac-key <eab-hmac-key>
Use the <eab-hmac-key> HMAC Key provided by Entrust PKIaaS for External Account Binding (EAB).