acmed


Thu Feb 19 12:59:27 PST 2026, jrmu@inter9.org (104.167.242.140)

This guide provides a quick setup for requesting a TLS certificate with acmed.

First, we generate our private key:

cpu% ramfs -p
cpu% cd /tmp
cpu% auth/rsagen -t 'service=acme role=sign hash=sha256 acct=username@example.com' > username@example.com.key

Next, we generate the public key, formatted as a JSON Web Key:

cpu% auth/rsa2jwk username@example.com.key > /sys/lib/tls/acmed/username@example.com.pub

Next, we generate a private key for the host, set restrictive permissions on both key files, and copy them into /sys/lib/tls/acmed/:

cpu% auth/rsagen -t 'service=tls role=client owner=*' > example.com.key
cpu% chmod 600 username@example.com.key example.com.key
cpu% cp username@example.com.key example.com.key /sys/lib/tls/acmed/

We store our keys in secstore, then load them into factotum:

cpu% auth/secstore -g factotum
secstore password:
cpu% cat username@example.com.key >> factotum
cpu% cat example.com.key >> factotum
cpu% auth/secstore -v -p factotum
secstore password:
cpu% read -m factotum > /mnt/factotum/ctl

We generate a certificate signing request, create the .well-known/acme-challenge directory, and pass the CSR to acmed:

cpu% auth/rsa2csr 'CN=example.com' /sys/lib/tls/acmed/example.com.key >/sys/lib/tls/acmed/example.com.csr
cpu% mkdir -p /usr/$user/www/example.com/.well-known/acme-challenge
cpu% webfs; auth/acmed -t http -o /usr/$user/www/example.com/.well-known/acme-challenge username@example.com /sys/lib/tls/acmed/example.com.csr >/sys/lib/tls/acmed/example.com.crt

If all went well, you should find the certificate in /sys/lib/tls/acmed/example.com.crt.
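
Because the last command redirects acmed's output with >, the .crt file is created even when the request fails, so its mere existence proves nothing. The rc script below is an added example, not part of the original guide or of acmed itself; it checks the key permissions, the public JWK and the certificate file, and it assumes the guide's placeholder names and that acmed writes the certificate in PEM format.

```rc
#!/bin/rc
# Added example, not from the original guide: sanity-check the files the
# steps above leave in /sys/lib/tls/acmed. acct and host are the guide's
# placeholders; change them for a real setup.
acct='username@example.com'
host=example.com
dir=/sys/lib/tls/acmed
bad=0

# Private keys: must exist and grant nothing to group or other (chmod 600).
for(f in $dir/$acct.key $dir/$host.key){
	if(! test -f $f){
		echo missing: $f
		bad=1
	}
	if not{
		# first field of ls -l is the mode string, e.g. --rw-------
		mode=`{ls -l $f | awk '{print $1}'}
		if(! ~ $mode *------){
			echo too permissive: $mode $f
			bad=1
		}
	}
}

# Public JWK: must be non-empty and must not carry the RSA private
# exponent ("d"), which would mean the wrong file ended up in .pub.
pub=$dir/$acct.pub
if(! test -s $pub){
	echo empty or missing: $pub
	bad=1
}
if not if(grep -s '"d"[ 	]*:' $pub){
	echo private member found in $pub
	bad=1
}

# Certificate: the > redirect leaves an empty file when acmed fails.
# Assumption: a successful run writes a PEM certificate.
crt=$dir/$host.crt
if(! test -s $crt){
	echo empty or missing: $crt
	bad=1
}
if not if(! grep -s '^-----BEGIN CERTIFICATE-----' $crt){
	echo no PEM certificate in $crt
	bad=1
}

if(~ $bad 1) exit 'acmed setup check failed'
echo acmed setup looks sane
```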



Last modified Thu Feb 19 12:59:27 PST 2026