Set up a custom application for managed automation

CertCentral managed automation supports the most popular web server applications out of the box.

CertCentral also provides the flexibility to extend certificate management to additional applications that are not supported natively, by allowing you to configure a third-party ACME client via the "custom application" option.

To enable managed automation for a custom application, follow these steps:

  1. Set up third-party ACME client
    On the certificate host, install and configure your preferred third-party ACME client.
  2. Create shell script
    On the certificate host, create a helper script that CertCentral can use to invoke the third-party ACME client.
  3. Configure managed automation settings
    In CertCentral, use the Manage automation menu to configure the shell script to use with the custom application.

Custom automations still require that a DigiCert ACME automation agent be installed and activated on the local certificate host.

Set up third-party ACME client

CertCentral managed automation works with any third-party client that supports the industry standard ACME protocol.

Follow the software provider's guidelines to install and configure your preferred third-party ACME client on the certificate host.

Create shell script

CertCentral requires a shell script on the certificate host to invoke the third-party ACME client. During an automation event, the DigiCert agent calls the shell script to invoke the client, which in turn procures and installs the certificate.

The shell script must contain the basic automation commands for the third-party ACME client. Command syntax will vary depending on which third-party ACME client is used. Check the software provider's guidelines to learn more.

Below are examples of shell scripts used to procure DigiCert certificates via third-party clients EFF Certbot (Linux) and Win-ACME (Windows):

EFF Certbot (Linux)
# Positional arguments arrive in the order configured in CertCentral: {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}
directoryuri="$1"; host="$2"; emailaddress="$3"; keyalgo="$4"; eabkeyidentifier="$5"; eabkeyhmac="$6"
acmeConfigDirectory="/etc/letsencrypt"; process_path="/usr/bin/apachectl"; server_root="/etc/httpd"; config_root="/etc/httpd/conf.d"   # assumed paths; adjust for your host
procCmdLine="/usr/bin/apachectl start"
certbot --server "$directoryuri" --config-dir "$acmeConfigDirectory" --eab-kid "$eabkeyidentifier" --eab-hmac-key "$eabkeyhmac" --installer apache -m "$emailaddress" --force-renew --agree-tos --no-redirect --expand -d "$host" --no-verify-ssl --no-autorenew --pre-hook "$process_path stop" --post-hook "$procCmdLine" -n --apache-server-root "$server_root" --apache-vhost-root "$config_root"
returnCode=$?
echo "The command exit status : ${returnCode}"
exit $returnCode

Win-ACME (Windows)
@echo off
rem Positional arguments arrive in the order configured in CertCentral:
rem {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}
set SERVERURL=%1
set SANS=%2
set EMAIL=%3
set KEYALGO=%4
set EABKEY=%5
set EABHMAC=%6
set VALIDATIONMODE=--validation selfhosting
"wacs.exe" --baseuri %SERVERURL% --eab-key-identifier=%EABKEY% --eab-key=%EABHMAC% --target manual --host %SANS% --emailaddress %EMAIL% --force --accepttos --notaskscheduler %VALIDATIONMODE% --csr %KEYALGO% --store centralssl --centralsslstore ./certs
set returnCode=%errorlevel%
EXIT /B %returnCode%

Variable definitions at the top of these shell scripts read in the required ACME arguments:

  • These must match up with the ACME arguments you configure for the custom application in CertCentral.
  • During an automation event, values for these arguments are supplied by the local DigiCert automation agent that calls the shell script.

Commands used in the shell script:

  • Must include all mandatory parameters.
  • Must not exceed 512 characters.
  • Must not include destructive directives such as rm -rf or rmdir.

The shell script filename:

  • Must end with .bat or .sh.
  • Must not exceed 255 characters.
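As an added example (not DigiCert's code), a POSIX sh function that checks a candidate helper script against the constraints listed above before it is registered in CertCentral; it assumes the 512-character limit applies to each command line in the script.

```shell
#!/bin/sh
# Added example, not part of the DigiCert agent: verify a helper script
# against the CertCentral constraints. Returns 0 if it passes, 1 otherwise,
# printing one line per violation. Assumption: the 512-character command
# limit is checked per line of the script.

check_helper_script() {
    script="$1"
    name=$(basename "$script")
    rc=0
    # Filename must end with .sh or .bat and stay within 255 characters.
    case "$name" in
        *.sh|*.bat) ;;
        *) echo "FAIL: filename must end with .sh or .bat: $name"; rc=1 ;;
    esac
    if [ "${#name}" -gt 255 ]; then
        echo "FAIL: filename exceeds 255 characters"; rc=1
    fi
    # Each command line must fit in 512 characters.
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ "${#line}" -gt 512 ]; then
            echo "FAIL: line $n exceeds 512 characters"; rc=1
        fi
    done < "$script"
    # Destructive directives (rm with -r/-f style flags, rmdir) are not allowed.
    if grep -Eq '(^|[^[:alnum:]_])(rm[[:space:]]+-[[:alpha:]]*[rf]|rmdir)([^[:alnum:]_]|$)' "$script"; then
        echo "FAIL: script contains rm -rf or rmdir"; rc=1
    fi
    return $rc
}
```

Run it as `check_helper_script /path/to/custom_automation_1.sh` before entering the path in the Client command path field.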

Configure managed automation settings

Use the CertCentral Manage automation menu to complete the configuration for your custom application:

  1. In your CertCentral account, in the left main menu, go to Automation > Manage automation.

  2. From the Manage automation view, select the Name of the local ACME agent running on the same certificate host as the custom application.

  3. In the agent configuration panel on the right, move down to the Configure IP/Port section.

  4. Locate the IP address and Port number for the custom application. Select Custom as the application name.

  5. In the Client command path field, provide the full directory path for the shell script that will invoke the third-party ACME client.

    For example:

    • Windows: G:\certcentral\agent\custom_automation_1.bat
    • Linux: /home/certcentral/agent/

  6. In the Client command arguments field, specify the general ACME arguments to use.

    For example:

    {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}

    Note that:

    • Each argument must be entered exactly as shown here.
    • The order of the arguments must match up with how they are used in your shell script.
    • During an automation event, the required values for these arguments are automatically obtained from the selected automation profile.

    Explanation of ACME arguments supported by CertCentral managed automation:

    • {acmeDirectoryUrl} – ACME directory URL settings.
    • {hosts} – Certificate host details.
    • {email} – Email address for notifications.
    • {key} – Key algorithm (RSA or ECC).
    • {extActKid} – External account key identifier used in the URL.
    • {extActHmac} – HMAC key for signing the response.

  7. Select Save to put the updated automation settings into effect.
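As an added example that is not part of DigiCert's documentation or agent, a POSIX sh function a helper script can call first to validate the six values the agent passes in the order {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}, so that only well-formed values reach the third-party client's command line; the accepted character sets are assumptions.

```shell
#!/bin/sh
# Added example, not DigiCert's code: validate the six ACME arguments in the
# configured order before building the client command. Returns 0 when every
# value is acceptable, 1 otherwise (reason on stderr). Character sets below
# are assumptions chosen so shell metacharacters never reach the client.

validate_acme_args() {
    [ "$#" -eq 6 ] || { echo "expected 6 arguments, got $#" >&2; return 1; }
    url="$1"; hosts="$2"; email="$3"; key="$4"; kid="$5"; hmac="$6"
    # {acmeDirectoryUrl}: the ACME directory must be served over HTTPS.
    case "$url" in
        https://*) ;;
        *) echo "directory URL must use https: $url" >&2; return 1 ;;
    esac
    # {hosts}: comma-separated names, letters/digits/dots/hyphens only,
    # one optional leading wildcard label. Parsed without word splitting.
    rest="$hosts,"
    while [ -n "$rest" ]; do
        h=${rest%%,*}; rest=${rest#*,}
        h=${h#\*.}
        case "$h" in
            ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) echo "bad host: $h" >&2; return 1 ;;
        esac
    done
    # {email}: a single @ and a conservative local/domain character set.
    case "$email" in
        *[!A-Za-z0-9._+@-]*|*@*@*|@*|*@) echo "bad email: $email" >&2; return 1 ;;
        *@*) ;;
        *) echo "bad email: $email" >&2; return 1 ;;
    esac
    # {key}: CertCentral supplies RSA or ECC.
    case "$key" in
        RSA|ECC) ;;
        *) echo "key must be RSA or ECC: $key" >&2; return 1 ;;
    esac
    # {extActKid} {extActHmac}: non-empty, URL-safe base64 characters only.
    for v in "$kid" "$hmac"; do
        case "$v" in
            ''|*[!A-Za-z0-9_=-]*) echo "bad EAB value" >&2; return 1 ;;
        esac
    done
    return 0
}

# In a helper script: validate_acme_args "$@" || exit 1
```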

What's next?

After setting up the custom application, you can manage certificate automations for it in the same way as other managed applications.