Deployment options

Managed automation

Managed automation is DigiCert's turnkey automation solution. It is the most scalable option and the easiest to set up and maintain.

There are two main deployment scenarios to consider for managed automation, based on where the TLS certificates live:

  • Standard hosts, such as web servers
    To automate certificate management on a standard host, you install a lightweight piece of software called an "ACME agent" on it. The ACME agent uses the industry standard ACME protocol to manage the certificates on each host.
  • Network appliances, such as load balancers
    It is not possible to install the ACME agent software onto a proprietary network appliance. Instead, you must install a different piece of software called a "sensor" onto another system on your network. The sensor uses API calls to remotely manage the certificates on one or more network appliances.

A complete automation deployment typically involves a mix of many different hosts and network appliances. Each individual host must have the ACME agent software installed on it, but you can manage multiple network appliances from a single sensor installation.

[Figure: Managed automation deployment]

Managed automation for standard hosts (ACME agent-based)

Automating certificates on standard hosts requires that you install the ACME agent software on each of them.

The agent is DigiCert's native host automation client, which includes the industry standard ACME protocol plus high-level management functions. It supports certificate automations for web servers including Microsoft IIS, Apache HTTP Server, Apache Tomcat, Nginx, and IBM HTTP Server.

You download the agent software from CertCentral. It is designed to be secure and lightweight, with no impact on system or network performance. Once installed, the ACME agent keeps itself up to date, so no ongoing maintenance is necessary.

Each ACME agent uses a "pull" communications model to sync with the DigiCert cloud over a secured link. No network configuration or firewall changes are required. Network integrity remains intact.

For hosts that must go through a proxy server to reach the Internet, you can use a DigiCert sensor as that proxy. Using a sensor as the proxy also gives your certificate automations additional fault-tolerance options.

Managed automation for network appliances (sensor-based)

Since it is not possible to install the ACME agent software on proprietary network appliances, you must instead use the network-based sensor software.

The sensor is DigiCert's native automation client for managing TLS certificates on proprietary network appliances such as load balancers. It supports certificate automations for dedicated load balancers (such as F5 BIG-IP LTM, Citrix NetScaler, A10) as well as cloud-based load balancer services (such as Amazon ELB and CloudFront). A sensor can also act as a proxy for ACME agents, providing automation failover services to them.

You download the sensor software from CertCentral. Configuration of the sensor depends on the types of network appliances it manages and whether it provides proxy/failover services. Once installed, the sensor keeps itself up to date, so no ongoing maintenance is required.

A single sensor can manage automations and provide proxy services for many different systems. This can include a mix of hardware and cloud-based load balancers, plus any local hosts for which it acts as a proxy. The sensor must be installed on a dedicated host on the network that can communicate with all of these systems.

Like the DigiCert agent, the sensor software is designed for secure and seamless operation, with no impact on network performance or integrity.

The same sensor and agent software used by the CertCentral automation service is also used by the discovery service. If you already have sensors or agents installed for discovery, you can use them for automation as well, and vice versa.

Sensor-based automations are also referred to as "agentless" or "remote" since they do not require a locally installed agent on each system.

Automation with third-party ACME clients

The CertCentral automation service also supports the use of third-party ACME clients, such as EFF certbot and Kubernetes cert-manager. In this case, you use the third-party ACME client instead of DigiCert's native ACME agent.

For third-party ACME clients, you download the software outside of CertCentral and install it separately on each host that will run certificate automations. Each installed ACME client must be configured according to its own deployment requirements and must be able to reach the DigiCert cloud.

The following are potential limitations to consider when using third-party ACME clients with the CertCentral automation service:

  • Lack of support for proprietary network appliances such as load balancers.
  • Lack of automated software updates. Each client must be manually maintained.
  • Lack of centralized management features. Automation actions must be initiated locally on each client.
  • May require additional network and firewall changes.

Because of these limitations, DigiCert recommends third-party ACME clients only for smaller automation deployments or for clients such as Kubernetes cert-manager that natively support high-volume automations from a centralized location.
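The centralized third-party model described above, as an added example that is not part of DigiCert's or the cert-manager project's documentation: one cluster-wide cert-manager issuer points at the DigiCert ACME directory, and every Certificate object in the cluster reuses it, so automation is initiated from one place rather than on each host. The directory URL, the External Account Binding (EAB) key ID and HMAC key, the contact address, the ingress class and the hostname are all placeholders or constructed values; take the real directory URL and EAB credentials from your own CertCentral account. The `ingressClassName` field assumes a cert-manager release that supports it (older releases used `class`).

```yaml
# Added example, not DigiCert or cert-manager documentation code.
# Every value marked PLACEHOLDER or "constructed" must be replaced with your own.
apiVersion: v1
kind: Secret
metadata:
  name: digicert-acme-eab
  namespace: cert-manager            # ClusterIssuer secrets are read from cert-manager's own namespace
type: Opaque
stringData:
  hmac-key: EAB_HMAC_KEY_PLACEHOLDER # PLACEHOLDER: the EAB HMAC key issued by CertCentral
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: digicert-acme
spec:
  acme:
    server: https://ACME_DIRECTORY_URL_PLACEHOLDER   # PLACEHOLDER: directory URL from CertCentral
    email: pki-team@example.com                      # constructed contact address
    privateKeySecretRef:
      name: digicert-acme-account-key                # cert-manager creates the ACME account key here
    externalAccountBinding:
      keyID: EAB_KID_PLACEHOLDER                     # PLACEHOLDER: EAB key ID from CertCentral
      keySecretRef:
        name: digicert-acme-eab
        key: hmac-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx                  # assumed ingress class
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-example-com
  namespace: web                                     # constructed application namespace
spec:
  secretName: web-example-com-tls                    # where the issued key and chain are stored
  renewBefore: 720h                                  # renew 30 days before expiry
  dnsNames:
    - web.example.com                                # constructed hostname
  issuerRef:
    name: digicert-acme
    kind: ClusterIssuer
```

Two points worth checking when reviewing such a deployment against the limitations listed above. The EAB secret and the generated ACME account key are the credentials that authorize issuance for your account, so restrict read access to the cert-manager namespace with RBAC and rotate the EAB key from CertCentral if the cluster is ever compromised. The HTTP-01 solver also requires that the ACME server can reach port 80 on the ingress for every name you enroll, which is the kind of network and firewall change the last bullet refers to; a DNS-01 solver avoids the inbound opening but needs write access to your DNS zone instead.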

Automation via API calls

A final way to deploy automation is via the DigiCert API library. API calls are provided for the managed automation functions, such as the certificate ENROLL and RENEW actions, and let you integrate and trigger these automation actions directly from custom web applications.

The automation service API requires that DigiCert agents and sensors already be installed and configured on the relevant systems. While the API initiates the automation actions, the actual work of downloading and installing the certificates is still performed by the managed automation clients.