tls-alpn-01 Challenge

With the tls-alpn-01 challenge, you prove to the CA that you are able to control the web server of the domain to be authorized, by letting it respond to a request with a specific self-signed cert utilizing the ALPN extension.

TlsAlpn01Challenge provides a byte array called acmeValidation:

TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.TYPE);

byte[] acmeValidation = challenge.getAcmeValidation();

You need to create a self-signed certificate with the domain to be validated set as the only Subject Alternative Name. The acmeValidation must be set as DER encoded OCTET STRING extension with the object id It is required to set this extension as critical.

After that, configure your web server so it will use this certificate on an incoming TLS request having the SNI subject and the ALPN protocol acme-tls/1.

The TlsAlpn01Challenge class does not generate a self-signed certificate, as it would require Bouncy Castle. However, there is a utility method in the acme4j-utils module for this use case:

Identifier identifier = auth.getIdentifier();
KeyPair certKeyPair = KeyPairUtils.createKeyPair(2048);

X509Certificate cert = CertificateUtils.
    createTlsAlpn01Certificate(certKeyPair, identifier, acmeValidation);

Now use cert and certKeyPair to let your web server respond to TLS requests containing an ALPN extension with the value acme-tls/1 and a SNI extension containing your subject.