Preparing to request certificates using DNS-01 challenges
Before you can request a certificate from the Let's Encrypt® CA using DNS-01 challenges, you first need to create a DNS Provider Configuration and a DNS Provider Account.
Before you begin
- For information about HTTP-01 versus DNS-01 challenges, see Let's Encrypt CA challenge options.
- Complete the procedure Configuring Global Settings.
- To obtain the DXL file referenced in this procedure or to learn about how to build your own DNS provider configuration, see article KB0089487 on the HCL Support site.
About this task
This procedure provides steps to automatically configure DNS Provider Configurations documents for two specific DNS providers. This configuration is done by importing a DXL file available through the HCL Support article at the beginning of this procedure. The DXL file contains provider-specific API code.
However, if your DNS provider is not one of the reference providers available through the DXL file, there is support for developing your own DNS Provider Configuration document according to the requirements of your DNS provider API. More information about this approach is also found through the Support article.
The DNS Provider Account document created in this procedure is used to associate your domain with the DNS Provider in certstore.nsf. Later, when you create a TLS Credentials document to request a certificate for a host name within this domain, CertMgr knows to use DNS-01 challenges.
Procedure
- Create a DNS Configuration document with a reference implementation:
- Download the DXL file provided through the Support article.
- Open certstore.nsf.
- Click the DNS Configuration view.
- Select to create a DNS Provider Configuration document for each of the two reference DNS providers.
Note:
- The Basic tab of each DNS Provider Configuration document that is created includes documentation on the implementation for the associated reference DNS provider.
- Certificate request logging is posted in the DNS Trace Logs view of certstore.nsf. By default, only errors are logged. You can enable full logging by selecting Enabled in the HTTP request tracing field on the Operations tab of the DNS Provider Configuration document, or disable logging by selecting Disabled.
- Create the DNS Provider Account. Typically you create one account per DNS provider.
- Click the DNS Providers view.
- Click Add Account.
- In the Registered domain field, enter the DNS domain to request certificates for. For example, renovations.com.
- In the Account name field, provide a name for the account.
- In the Status field, select Enabled.
- In the DNS provider configuration field, select the DNS Provider configuration you use. Click ? to open the DNS Provider Configuration document to reference it as you complete the remaining steps.
- Complete the fields in the Configuration Values section as required by your DNS provider.
- Save & Close.
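Once the DNS Provider Account exists, CertMgr will publish a TXT record for each DNS-01 challenge through the provider API. The following added example, which is not part of the HCL documentation or of the certstore.nsf DXL implementation, shows what the CA validates for a DNS-01 challenge as defined in RFC 8555 section 8.4: the record name is `_acme-challenge.` prepended to the host name (a wildcard's leading `*.` is dropped), and the record value is the unpadded base64url SHA-256 of the ACME key authorization. A pre-flight check of this kind is useful when diagnosing a failed request in the DNS Trace Logs view, because it tells you exactly which name and value the provider API should have published. The domain renovations.com comes from the procedure; the key authorization and the TXT answers are constructed sample values.

```python
import base64
import hashlib
import re

# Constructed sample values for illustration only (not from the HCL documentation).
SAMPLE_REGISTERED_DOMAIN = "renovations.com"
SAMPLE_KEY_AUTHORIZATION = "constructed-token.constructed-account-key-thumbprint"

# The value a DNS-01 challenge publishes: 32 SHA-256 bytes -> 43 base64url chars, no '='.
_B64URL_43 = re.compile(r"^[A-Za-z0-9_-]{43}$")


def challenge_record_name(host_name: str) -> str:
    """Return the TXT record name the CA queries for a DNS-01 challenge.

    RFC 8555 section 8.4: "_acme-challenge." is prepended to the identifier.
    For a wildcard request (*.example) the "*." prefix is removed first, so a
    wildcard and its base domain share one record name.
    """
    name = host_name.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or name.startswith("_acme-challenge."):
        raise ValueError(f"unexpected host name: {host_name!r}")
    return f"_acme-challenge.{name}"


def challenge_record_value(key_authorization: str) -> str:
    """Return base64url(SHA-256(keyAuthorization)) with padding removed."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_record_satisfies_challenge(txt_strings, key_authorization: str) -> bool:
    """True if any published TXT string equals the expected challenge value.

    The CA needs an exact match; stale values left over from earlier requests
    do not cause a failure on their own, so several TXT strings may coexist.
    Surrounding quotes, as printed by most resolvers, are stripped before comparing.
    """
    expected = challenge_record_value(key_authorization)
    return any(s.strip('"') == expected for s in txt_strings)


def preflight(host_name: str, key_authorization: str, published_txt):
    """Summarise what the DNS provider must publish and whether it already has."""
    value = challenge_record_value(key_authorization)
    return {
        "record_name": challenge_record_name(host_name),
        "expected_value": value,
        "value_well_formed": bool(_B64URL_43.match(value)),
        "satisfied": txt_record_satisfies_challenge(published_txt, key_authorization),
    }


if __name__ == "__main__":
    # Constructed TXT answer as a resolver might return it: one stale value
    # from a previous request plus the value for the current challenge.
    current = challenge_record_value(SAMPLE_KEY_AUTHORIZATION)
    published = ['"stale-value-from-an-earlier-request"', f'"{current}"']
    print(preflight("www." + SAMPLE_REGISTERED_DOMAIN, SAMPLE_KEY_AUTHORIZATION, published))
    # Wildcard request with nothing published yet: satisfied is False.
    print(preflight("*." + SAMPLE_REGISTERED_DOMAIN, SAMPLE_KEY_AUTHORIZATION, []))
```

To use it against a live request, take the key authorization from the ACME client log and the TXT strings from a `dig TXT _acme-challenge.<host>` answer; the `satisfied` flag tells you whether the provider API call recorded in the DNS Trace Logs actually produced the record the CA is looking for.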