ACME (Automated Certificate Management Environment) Compatibility: OnPremiseCA<->AzureAKS

49885604 215 Reputation points
2023-08-06T22:24:03.8766667+00:00

Hi everyone,

In order to deploy an ACME environment, I need to know if there are any incompatibilities for configuring ACME between an on-premises PKI infrastructure (Server Root, Server Policy, Issuing CA Servers etc...) and an Azure AKS Cluster (for enrolling many certificates automatically).

How should ACME be implemented? Does it need to be installed on the Issuing Servers that will enroll the certificates? Is there an infrastructure scheme or a Best-Practices\Guides to follow?

The CA's on-premise Servers are currently Windows Server 2012 R2 Std\DC.

Can you help me to understand how my client could deploy this scenario?

Thanks in advance and kind regards,
Alessio.


Accepted answer
  1. Prrudram-MSFT 28,201 Reputation points Moderator
    2023-08-22T05:11:16.47+00:00

    49885604

    There are no known incompatibilities between ACME clients/PKI on-premises and Azure AKS. You should be able to use a Windows ACME client, such as win-acme, to connect to an Azure AKS cluster and obtain SSL/TLS certificates from a PKI on-premises.

    When using a Windows ACME client with Azure AKS, you need to make sure that the client is able to communicate with the AKS cluster's ingress controller. This can be done by configuring the ACME client to use the AKS cluster's public IP address or DNS name as the target for certificate issuance.

    You also need to make sure that the PKI on-premises is configured to issue SSL/TLS certificates that are compatible with the AKS cluster's ingress controller. The ingress controller supports certificates that are issued by trusted public CAs, as well as certificates that are issued by private CAs that are trusted by the AKS cluster's nodes.

    To use a private CA with the AKS cluster's ingress controller, you need to configure the ingress controller to trust the CA's root certificate. This can be done by creating a Kubernetes secret that contains the CA's root certificate and then referencing the secret in the ingress controller's TLS configuration.

    Overall, using a Windows ACME client with a PKI on-premises to obtain SSL/TLS certificates for an Azure AKS cluster is a supported scenario. However, you need to make sure that the ACME client is able to communicate with the AKS cluster's ingress controller and that the PKI on-premises is configured to issue compatible certificates.

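The accepted answer describes creating a Kubernetes secret holding the private CA's root certificate and then pointing the in-cluster ACME client at it. The script below is an added example, not code from the answer or from Microsoft; it assumes cert-manager is the ACME client running in AKS and that an ACME-speaking endpoint fronting the on-premises CA is reachable at a constructed placeholder URL (`https://acme.corp.example/directory`). It validates the exported root bundle (refusing anything that is not a `CERTIFICATE` block, so a pasted private key can never land in the trust secret), builds the Secret, and builds a cert-manager `ClusterIssuer` whose `spec.acme.caBundle` pins the private root for the ACME server's own TLS connection. The root CA PEM is constructed sample input, not a real certificate.

```python
"""Build the Kubernetes objects that let an in-cluster ACME client (assumed:
cert-manager) trust a private on-premises CA. Added example; the ACME
directory URL and the PEM payload are constructed placeholders."""
import base64
import binascii
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def _constructed_pem(label: str, payload: bytes) -> str:
    """Wrap bytes in PEM armour. Only used to build constructed sample input;
    the payload is NOT real DER, so nothing here parses it as a certificate."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for the root certificate exported from the on-prem Root CA.
SAMPLE_ROOT_CA_PEM = _constructed_pem(
    "CERTIFICATE", b"constructed placeholder for the on-prem Root CA, not real DER")


def split_pem_certificates(pem_text: str) -> list[str]:
    """Return normalised CERTIFICATE blocks from a PEM bundle.
    Rejects non-certificate blocks (a private key must never end up in a
    CA-trust secret) and any block whose base64 body is malformed."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    certs = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing non-certificate PEM block: {label}")
        compact = re.sub(r"\s+", "", body)
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed base64 in certificate block") from exc
        wrapped = "\n".join(compact[i:i + 64] for i in range(0, len(compact), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs


def ca_secret_manifest(name: str, namespace: str, pem_text: str) -> dict:
    """Opaque Secret carrying the root under key 'ca.crt'. Secret 'data'
    values are base64 of the PEM text, which is what the API server expects."""
    bundle = "".join(split_pem_certificates(pem_text))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"ca.crt": base64.b64encode(bundle.encode()).decode()},
    }


def acme_cluster_issuer(name: str, directory_url: str, email: str, ca_pem: str,
                        account_secret: str, ingress_class: str) -> dict:
    """cert-manager ClusterIssuer for a private ACME directory.
    caBundle pins the CA that signs the ACME server's TLS certificate, so
    skipTLSVerify is never needed. The directory must be https: the account
    key is bound to that endpoint and the order/challenge exchange must not
    be readable or alterable in transit."""
    if not directory_url.startswith("https://"):
        raise ValueError("ACME directory URL must use https")
    bundle = "".join(split_pem_certificates(ca_pem))
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "ClusterIssuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            "server": directory_url,
            "email": email,
            "caBundle": base64.b64encode(bundle.encode()).decode(),
            "privateKeySecretRef": {"name": account_secret},
            "solvers": [{"http01": {"ingress": {"class": ingress_class}}}],
        }},
    }


if __name__ == "__main__":
    # JSON is valid YAML, so this output can be piped to `kubectl apply -f -`.
    print(json.dumps(ca_secret_manifest(
        "onprem-root-ca", "cert-manager", SAMPLE_ROOT_CA_PEM), indent=2))
    print(json.dumps(acme_cluster_issuer(
        "onprem-acme", "https://acme.corp.example/directory",
        "pki-ops@corp.example", SAMPLE_ROOT_CA_PEM,
        "onprem-acme-account-key", "nginx"), indent=2))
```

The Secret is what the ingress side can mount if it needs the private root for its own trust decisions; the ClusterIssuer is what the ACME client uses. Keeping both derived from one validated bundle avoids the common drift where the issuer trusts one copy of the root and the ingress another.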

3 additional answers

  1. Wesley Li-MSFT 4,571 Reputation points Microsoft External Staff
    2023-08-07T14:21:04.2233333+00:00

    Hello

    The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users’ servers, allowing the automated deployment of public key infrastructure at very low cost. There are several ACME clients available for Windows, including win-acme, which aims to be very simple to start with, but powerful enough to grow into almost every scenario.

    It is recommended that you start with a baseline implementation and modify it to align with your workload’s specific needs. Microsoft’s AKS Baseline Cluster is a good starting point to help you build production-ready AKS clusters. There are also several best practices and considerations for developers and operators of web servers or other long-running ACME clients at any scale to help reduce load on ACME CAs, increase site availability, decrease operator errors, and improve end user experience.

    As for compatibility with Windows Server 2012 R2 Std\DC, I couldn’t find any specific information about it. However, it is generally recommended to upgrade domain controllers to a newer version of Windows Server before promoting a server to a DC that runs a newer version of Windows Server. You should verify the target server meets the system requirements, verify application compatibility, review recommendations for moving to a newer version of Windows Server, and verify security settings before proceeding with the upgrade.

    If the response is helpful, please click "Accept Answer" and upvote it.


  2. Thom McKiernan 5 Reputation points Microsoft Employee
    2024-06-12T10:09:27.94+00:00

    We've published a useful tutorial here on using ACME with LetsEncrypt.org on Application Gateway for AKS clusters https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway


  3. Limitless Technology 44,751 Reputation points
    2023-08-07T10:55:22.6833333+00:00

    Hello there,

    Deploying an ACME (Automated Certificate Management Environment) environment that integrates an on-premises PKI infrastructure with an Azure AKS (Azure Kubernetes Service) cluster for enrolling certificates requires careful consideration of compatibility and networking configurations. While ACME itself is a protocol designed to automate the issuance and management of certificates, integrating it with an on-premises PKI and a cloud-based Kubernetes environment like AKS involves several factors to take into account.

    Here are some considerations to keep in mind:

    Network Connectivity: Ensure that your Azure AKS cluster and on-premises PKI infrastructure have proper network connectivity. This is important for communication between the ACME client (which could be running within the AKS cluster) and the PKI components (Root CA, Issuing CA, etc.) in your on-premises network. Depending on your network architecture, you might need to configure VPNs, VNET peering, or other networking solutions to facilitate communication.

    DNS Resolution: The ACME protocol relies on DNS to validate domain ownership when issuing certificates. Make sure that the DNS records for the domains you want to secure are correctly configured both in your on-premises DNS and in your Azure environment. The ACME client in your AKS cluster needs to be able to resolve these DNS records.

    Firewall Rules: Check your network firewalls and security groups to ensure that necessary ports for ACME and PKI communication are open. Ports typically used include 80 (HTTP), 443 (HTTPS), and possibly others for PKI protocols like LDAP or CRL distribution.

    PKI Integration: If you're using an on-premises PKI infrastructure, ensure that your ACME client can communicate with the necessary PKI services (e.g., the Issuing CA) to retrieve and manage certificates. This might require opening specific ports and ensuring proper authentication and authorization.

    Certificate Renewal Automation: ACME clients can automate the renewal process of certificates. Ensure that your ACME client (running within your AKS cluster) can interact with the ACME server to renew certificates when needed. This involves opening outbound connections from your AKS cluster to the ACME server endpoints.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

    -- If the reply is helpful, please Upvote and Accept it as an answer --
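The answer above lists network connectivity, DNS resolution and firewall rules as prerequisites. The following preflight is an added example, not part of the answer: run from inside the AKS cluster (or from a pod's network namespace), it derives host and port from each endpoint URL, resolves the name, and attempts a TCP connection, reporting per endpoint whether the failure was at the DNS or the firewall/routing layer. The endpoint URLs are constructed placeholders; the resolver and connector are injectable so the reporting logic can be exercised offline.

```python
"""Preflight check for the on-premises ACME/PKI endpoints an in-cluster ACME
client must reach. Added example; URLs below are constructed placeholders."""
import socket
from urllib.parse import urlsplit

# Constructed sample configuration: the ACME directory and a CRL distribution
# point as they might be published by an on-premises PKI.
SAMPLE_ENDPOINT_URLS = {
    "acme_directory": "https://acme.corp.example/directory",
    "crl_distribution": "http://pki.corp.example/CertEnroll/root.crl",
}


def endpoints_from_urls(urls: dict) -> list:
    """Turn {label: url} into (label, host, port), defaulting the port from
    the scheme (443 for https, 80 for http) when the URL does not carry one."""
    out = []
    for label, url in urls.items():
        parts = urlsplit(url)
        if parts.hostname is None:
            raise ValueError(f"{label}: URL has no host: {url}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        out.append((label, parts.hostname, port))
    return out


def tcp_connect(addr: str, port: int, timeout: float) -> bool:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((addr, port), timeout=timeout):
        return True


def preflight(endpoints: list, resolve=socket.gethostbyname,
              connect=tcp_connect, timeout: float = 3.0) -> dict:
    """Return {label: 'ok' | 'dns: ...' | 'tcp: ...'} for each endpoint.
    A 'dns:' result points at split-horizon or missing records; a 'tcp:'
    result with a resolved address points at firewall, NSG or routing."""
    results = {}
    for label, host, port in endpoints:
        try:
            addr = resolve(host)          # socket.gaierror is an OSError
        except OSError as exc:
            results[label] = f"dns: {host} ({exc})"
            continue
        try:
            connect(addr, port, timeout)
        except OSError as exc:
            results[label] = f"tcp: {host}:{port} via {addr} ({exc})"
            continue
        results[label] = "ok"
    return results


if __name__ == "__main__":
    for label, status in preflight(endpoints_from_urls(SAMPLE_ENDPOINT_URLS)).items():
        print(f"{label:18} {status}")
```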

