This document details the API exposed for handling ACME flows, as of draft-12.
Create the context for a specific ACME server by providing its directory URI.
// Context bound to the Let's Encrypt staging (v2) directory.
// No account key is passed here; presumably one is generated for the context — confirm against the AcmeContext constructor.
var context = new AcmeContext(WellKnownServers.LetsEncryptStagingV2);
Use a specific key for an existing account, or for creating a new account.
// Same context, but bound to a caller-supplied account key.
// The account key is private key material: keep it out of source control and restrict the file's permissions.
// NOTE(review): KeyFactory.FromPem may expect the PEM text rather than a file path — confirm; if so, pass File.ReadAllText("account-key.pem").
var context = new AcmeContext(
WellKnownServers.LetsEncryptStagingV2,
KeyFactory.FromPem("account-key.pem"));
Export the account key for later use.
// Serialize the account key for later reuse. Both outputs contain the private key, so store them as secrets, not as plain config.
var pem = context.AccountKey.ToPem();
var der = context.AccountKey.ToDer();
Get the URL of the Terms of Service for the user to review.
// Terms of Service URL for the user to review before agreeing (note: not awaited in this example, unlike the other calls below).
var tos = context.TermsOfService();
Create new account.
// Create a new account with multiple contact URIs.
// The trailing `true` presumably records agreement to the Terms of Service (compare `agreeTermsOfService: true` in the Update example below) — confirm.
var account = await context.NewAccount(
new [] { "mailto:admin@example.com", "mailto:it@example.com" }, true);
// Convenience overload taking a single e-mail address (the mailto: prefix is presumably added for you — confirm).
var account = await context.NewAccount("admin@example.com", true);
Fetch existing account from server.
// Look up the account that belongs to the context's current account key.
var account = await context.Account();
Fetch the account info from server.
// Fetch the account resource (contacts, status, etc.) from the server.
var accountInfo = await account.Resource();
Update contacts, or accept the Terms of Service again if they have been updated.
// Update the account's contact list and/or re-agree to the Terms of Service.
// NOTE(review): `UpdateUpdate` looks like a typo for `Update` — confirm against the account context API.
// The interpolated string below has no placeholders; a plain literal would do.
await account.UpdateUpdate(
contact: new[] { $"mailto:support@example.com" },
agreeTermsOfService: true);
Update the account key.
// Roll the account key over to a freshly generated ES256 key.
// Persist the new key immediately: after ChangeKey the old key presumably no longer authenticates the account.
// File.WriteAllText creates the file with default permissions; place it in a protected directory or tighten its ACL, since it holds the private key.
var newKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
await account.ChangeKey(newKey);
File.WriteAllText("new-key.pem", newKey.ToPem());
Deactivate account.
// Deactivate the account on the server (irreversible on the ACME side — confirm before running against production).
await account.Deactivate();
Apply for certificate issuance.
// Place an order for a wildcard identifier and remember its URI so it can be re-fetched later.
var order = await context.NewOrder(new [] { "*.example.com" });
var orderUri = order.Location;
Retrieve an order by its URI.
// Re-open an existing order from its URI (e.g. in a later process).
var order = await context.Order(orderUri);
Finalize the order.
// Finalize the order with a CSR built from CsrInfo and a new RS256 certificate key.
// certKey is the certificate's private key and is distinct from the account key; keep it as securely.
// NOTE(review): `orderCtx` is not declared in this document — the order context above is named `order`.
var certKey = KeyFactory.NewKey(KeyAlgorithm.RS256);
await orderCtx.Finalize(
new CsrInfo
{
CountryName = "CA",
State = "State",
Locality = "City",
Organization = "Dept",
}, certKey);
Send customized CSR to finalize the order.
// Finalize with a hand-built CSR instead of CsrInfo.
// The subject's CN should match an identifier in the order (here "*.example.com"); the interpolated string has no placeholders.
// NOTE(review): `orderCtx` is not declared in this document — the order context above is named `order`.
var csr = new CertificationRequestBuilder();
csr.AddName($"C=CA, ST=State, L=City, O=Dept, CN=*.example.com");
await orderCtx.Finalize(csr.Generate());
Download the certificate PEM.
// Download the issued certificate chain (PEM) for a finalized order.
var certChain = await order.Download();
Finalize and download the certificate.
// One-step variant: finalize the order and download the certificate in a single call, using the supplied certificate key.
var certKey = KeyFactory.NewKey(KeyAlgorithm.RS256);
var cert = await order.Generate(
new CsrInfo
{
CountryName = "CA",
State = "State",
Locality = "City",
Organization = "Dept",
}, certKey);
Retrieve authorizations of the order.
// All authorizations the order requires (one per identifier).
var authorizations = await order.Authorizations();
Look up an authorization by domain name.
// Authorization for a single identifier, plus its URI for later retrieval.
var authz = await order.Authorization("*.example.com");
var authzUri = authz.Location;
Retrieve an authorization by its URI.
// Re-open an authorization from its URI.
var authz = await context.Authorization(authzUri);
Retrieve challenges of the authorization.
// All challenges offered for the authorization, and typed accessors for the dns-01, http-01 and tls-alpn-01 ones.
// Only one challenge needs to be completed; pick the type your infrastructure can answer.
var challenges = await authz.Challenges();
var dnsChallenge = await authz.Dns();
var httpChallenge = await authz.Http();
var tlsAlpnChallenge = await authz.TlsAlpn();
Create the response file for provisioning to /.well-known/acme-challenge/.
// Write the key authorization to a file named after the challenge token, to be served at /.well-known/acme-challenge/<token>.
// The token comes from the ACME server and is used here directly as a path relative to the working directory:
// check it contains only the expected URL-safe characters and resolve it under the challenge directory before writing,
// so an unexpected value cannot be written elsewhere on disk.
var keyAuth = httpChallenge.KeyAuthz;
File.WriteAllText(httpChallenge.Token, keyAuth);
Compute the value for DNS TXT record.
// TXT record value for dns-01, derived from the account key and the challenge token.
// NOTE(review): `challenge` is not declared in this document — presumably `dnsChallenge` from above is meant.
var dnsTxt = context.AccountKey.DnsTxt(challenge.Token);
Generate a certificate carrying the X.509 ACME validation extension.
// Self-signed certificate for tls-alpn-01, with a fresh ES256 key; serve it only for the ALPN "acme-tls/1" handshake on the named host.
// The second argument is presumably the validated host name and should match the order's identifier — confirm.
// NOTE(review): `challenge` is not declared in this document — presumably `tlsAlpnChallenge` from above is meant.
var alpnCertKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
var alpnCert = context.AccountKey.TlsAlpnCertificate(challenge.Token, "www.my-domain.com", alpnCertKey);
Ask the ACME server to validate the challenge once it is ready.
// Tell the server the response is provisioned; poll the challenge/authorization status afterwards rather than assuming success.
// NOTE(review): `challenge` is not declared in this document — use the dns/http/tlsAlpn challenge variable you provisioned.
await challenge.Validate();
Download the certificate for a pending order.
// Finalize and download without supplying a certificate key.
// NOTE(review): no key is passed here, so one is presumably generated inside Generate — confirm how the private key is returned, since it is needed for CertificateInfo below.
var cert = await order.Generate(
new CsrInfo
{
CountryName = "CA",
State = "State",
Locality = "City",
Organization = "Dept",
});
Download the certificate for a finalized order.
// Download the chain for an order that has already been finalized.
var certChain = await order.Download();
Export the certificate to PEM, DER, or PFX.
// Bundle the chain with its private key and export in the common formats.
// ToPfx's second argument is the PFX password: the literal here is an example only — load a real password from configuration or a secret store, never from source.
// The PFX and keyPem outputs contain the private key and must be protected accordingly.
var cert = new CertificateInfo(certChain, certKey);
var pem = cert.ToPem();
var der = cert.ToDer();
var pfx = cert.ToPfx("cert-name", "abcd1234");
var keyPem = cert.Key.ToPem();
Revoke certificate with account key.
// Revoke using the account key that ordered the certificate.
// NOTE(review): the other context calls in this document are awaited; if RevokeCertificate returns a Task, `await` it so a failed revocation is not silently dropped.
context.RevokeCertificate(cert.ToDer(), RevocationReason.KeyCompromise);
Revoke certificate with certificate private key.
// Revoke by proving possession of the certificate's private key instead of the account key (useful when the account key is unavailable).
// NOTE(review): same as above — presumably returns a Task and should be awaited.
context.RevokeCertificate(cert.ToDer(), RevocationReason.KeyCompromise, certKey);