Sensor configuration examples

After installing and activating a sensor, you must perform initial configuration on the sensor itself to add the network appliances for automation. This initial configuration can be performed either interactively from the command line or by supplying the configuration parameters in a text file that the utility reads.

The examples below demonstrate the use of the interactive configuration method to add various network appliance types for sensor-based automation.

The login password of each network appliance must meet the DigiCert password requirements for it to work with automation: it must contain lowercase and uppercase letters plus numbers or symbols, and it may only use the symbols listed below for that appliance type. A character outside the allowed set is not reported at configuration time; it surfaces later as a failed login during an automation event, so check the password before entering it.

Allowed symbols for different network appliance types:

  • A10: !@#$%^()-+_ {}[]~?:./
  • Citrix NetScaler: ~!@#$%^*()_+-|`{}[]:;?/,."
  • F5 BIG-IP: ~!@#$%^&*()_+`-={}[]|;:'"<>,./?
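As an added example (not part of the DigiCert documentation or the sensor tooling), the following Python script checks a candidate appliance password against the symbol sets listed above before you type it into addagentless, so that a character the appliance rejects is caught up front rather than as a failed automation event. Two points are assumptions, not statements from the page: the requirement is read as "lowercase and uppercase letters, plus at least one number or allowed symbol", and the space in the A10 list is treated literally as an allowed character. Confirm both against your appliances.

```python
import string

# Allowed symbol sets per appliance type, keyed by the addagentless -type value.
# Copied from the list above; the space in the A10 set is taken literally (assumption).
ALLOWED_SYMBOLS = {
    "A10": "!@#$%^()-+_ {}[]~?:./",
    "NETSCALER": '~!@#$%^*()_+-|`{}[]:;?/,."',
    "BIGIP": "~!@#$%^&*()_+`-={}[]|;:'\"<>,./?",
}


def check_password(appliance: str, password: str) -> dict:
    """Report which character classes are present and which characters the
    appliance does not allow.

    'ok' is our reading of the requirement (assumption): lowercase and uppercase
    letters, plus at least one number or allowed symbol, and no character outside
    the letters/digits/allowed-symbol set.
    """
    symbols = ALLOWED_SYMBOLS[appliance]
    allowed = set(string.ascii_letters + string.digits + symbols)
    disallowed = sorted({c for c in password if c not in allowed})
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in symbols for c in password),
    }
    ok = (
        not disallowed
        and classes["lower"]
        and classes["upper"]
        and (classes["digit"] or classes["symbol"])
    )
    return {**classes, "disallowed": disallowed, "ok": ok}


def appliances_accepting(password: str) -> list:
    """Appliance types on which this password can be used (useful when one
    service account password is reused across appliance types)."""
    return [a for a in ALLOWED_SYMBOLS if check_password(a, password)["ok"]]


if __name__ == "__main__":
    # Constructed sample passwords: '&' and '<>' are allowed on BIG-IP only.
    for pw in ("Sup3r&Secret", "Pa55word<>", "Sup3r-Secret"):
        print(pw, "->", appliances_accepting(pw), check_password("A10", pw)["disallowed"])
```

The `disallowed` list is the useful part of the output: `Sup3r&Secret` is a perfectly good BIG-IP password but fails on A10 and NetScaler solely because of the ampersand.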

A10

To add an A10 load balancer for sensor-based automation, run the addagentless utility with the -type A10 argument on the sensor system.

Example interactive configuration session:

Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter management IP address:10.141.17.192
Enter Management Port (443):443
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
Enter admin username:admin
Enter admin password:
Confirm admin password:
Successfully added or changed the agentless.
IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.

A10 high availability

To add an A10 high availability load balancer for sensor-based automation, run the addagentless utility with the -type A10 -ha VRRPA arguments on the sensor system.

Example interactive configuration session:

Sensor CLI. Copyright 2021, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter management IP address:10.141.17.192
Enter Management Port (443):443
Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
Enter admin username:admin
Enter admin password:
Confirm admin password:
Enter SSH enable password:
Confirm SSH enable password:
For high availability configurations, enter the management IP address and login information for each additional load balancer in the configuration. To finish the list, press Return at the prompt (blank input).
Enter management IP address, port, and username (separated by commas):10.141.17.192,443,admin
Enter admin password:
Confirm admin password:
Enter management IP address, port, and username (separated by commas):
Successfully added or changed the agentless.
IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.

Citrix NetScaler

To add a Citrix NetScaler load balancer for sensor-based automation, run the addagentless utility with the -type NETSCALER argument on the sensor system.

Example interactive configuration session:

Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter the management IP:10.141.17.192
http or https:https
Enter management Port (443):443
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Enter webservice username:nsroot
Enter webservice password:
Confirm webservice password:
Enter SSH username:nsroot
Enter SSH password:
Confirm SSH password:
Enter SSH port:22
Successfully added or changed the agentless. HA Pair peers are
Management IP : 10.141.17.192     (Primary)
The sensor may use any of these management IP addresses to perform certificate automation activities.
IMPORTANT: After you run this command, return to Manage Automation Agents in console. Verify that the certificate host appears and is configured.

F5 BIG-IP

To add an F5 BIG-IP load balancer for sensor-based automation, run the addagentless utility with the -type BIGIP argument on the sensor system.

Example interactive configuration session:

Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter management IP address:10.141.17.192
Enter Management Port:443
If available, do you want to map this sensor with the previously voided load balancer (Y/N)?:N
Enter web service username: admin
Enter web service password:
Confirm web service password:
Successfully added or changed the agentless automation. This applies to the following HA Pair peers :
Management IP: 10.141.17.192  (ACTIVE)
Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.

When the F5 BIG-IP load balancer is added, the sensor automatically collects information on IP/ports that can be automated.

For successful automation,

  1. Make sure to select only supported network protocols when configuring virtual IPs.
    Note: The UDP protocol does not support automation. Virtual IPs configured using UDP protocols will be filtered and cannot be discovered.
  2. For Virtual Servers configured with iApp templates, disable Strict Updates for successful automation. In the F5 console, go to the iApps Application Services folder and clear the Strict Updates check box.
  3. For your Virtual Server configuration, do not use a wildcard Destination Address/Mask (xxx.xxx.xxx.xxx/0). Automation cannot identify such a destination; the address appears as 0.0.0.0 and cannot be automated.
  4. For high-availability (HA) configurations, the addagentless utility only needs to be run once. Enter either the floating IP, or the management IP of one of the load balancers. The sensor will automatically detect the HA peer configuration.
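The first three constraints above can be checked against a BIG-IP's configuration before you expect discovery to succeed. The following Python script is an added example, not DigiCert's or F5's code. It runs over a constructed sample shaped like the `items` array returned by the iControl REST endpoint `GET /mgmt/tm/ltm/virtual` (and `GET /mgmt/tm/sys/application/service` for the iApp Strict Updates flag). The field names (`destination`, `mask`, `ipProtocol`, `appService`, `strictUpdates`) and the `any` mask value for a /0 destination are my reading of that API and should be verified against your BIG-IP version.

```python
# Constructed sample shaped like the "items" array from GET /mgmt/tm/ltm/virtual.
# Field names follow the iControl REST virtual-server object (assumption; verify on your version).
SAMPLE_VIRTUALS = [
    {"name": "vs_web_443", "destination": "/Common/10.141.17.10:443",
     "mask": "255.255.255.255", "ipProtocol": "tcp"},
    {"name": "vs_dns_53", "destination": "/Common/10.141.17.11:53",
     "mask": "255.255.255.255", "ipProtocol": "udp"},
    {"name": "vs_wildcard_443", "destination": "/Common/0.0.0.0:443",
     "mask": "any", "ipProtocol": "tcp"},
    {"name": "vs_shop_443", "destination": "/Common/10.141.17.12:443",
     "mask": "255.255.255.255", "ipProtocol": "tcp",
     "appService": "/Common/shop.app/shop"},
]
# Constructed sample shaped like GET /mgmt/tm/sys/application/service items, keyed by fullPath.
SAMPLE_IAPPS = {"/Common/shop.app/shop": {"strictUpdates": "enabled"}}

# Values BIG-IP uses for a /0 wildcard (assumption; 'any'/'any6' are the tmsh spellings).
WILDCARD_ADDRS = {"0.0.0.0", "any", "::", "any6"}
WILDCARD_MASKS = {"0.0.0.0", "any", "::", "any6"}


def parse_destination(destination: str):
    """'/Common/10.141.17.10:443' -> ('10.141.17.10', 443).
    BIG-IP writes IPv6 destinations with '.' before the port ('/Common/2001:db8::1.443')."""
    hostport = destination.rsplit("/", 1)[-1]
    sep = "." if hostport.count(":") > 1 else ":"
    addr, _, port = hostport.rpartition(sep)
    return addr, int(port) if port.isdigit() else 0


def automation_blockers(vs: dict, iapps: dict) -> list:
    """Reasons, per the rules above, why the sensor would not automate this virtual server."""
    reasons = []
    if vs.get("ipProtocol", "").lower() == "udp":
        reasons.append("UDP virtual servers are filtered out and cannot be discovered")
    addr, _port = parse_destination(vs["destination"])
    if vs.get("mask") in WILDCARD_MASKS or addr in WILDCARD_ADDRS:
        reasons.append("destination/mask is a /0 wildcard; it appears as 0.0.0.0 and cannot be automated")
    app = vs.get("appService")
    if app and iapps.get(app, {}).get("strictUpdates") == "enabled":
        reasons.append(f"iApp {app} has Strict Updates enabled; clear it under iApps > Application Services")
    return reasons


def report(virtuals: list, iapps: dict) -> dict:
    """Map each virtual server name to its list of blockers (empty list = automatable)."""
    return {vs["name"]: automation_blockers(vs, iapps) for vs in virtuals}


if __name__ == "__main__":
    for name, reasons in report(SAMPLE_VIRTUALS, SAMPLE_IAPPS).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

To run it against a real device, pull the two JSON documents with `curl -sk -u admin https://<mgmt-ip>/mgmt/tm/ltm/virtual` and `.../mgmt/tm/sys/application/service`, pass `items` from the first as `virtuals`, and build `iapps` from the second keyed by each item's `fullPath`. A virtual server with an empty blocker list is one the sensor should be able to discover.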

Amazon Web Services (AWS)

DigiCert sensor-based automation supports AWS Application/Network Load Balancer (ALB/NLB) and AWS CloudFront. Note that:

  • Newly automated certificates will be stored in AWS Certificate Manager (ACM) independently of the original certificate stored in AWS Identity and Access Management (IAM).
  • When automating a distribution with no certificates, AWS recommends modifying the distribution settings to:
    • SSLSupportMethod to sni-only
    • MinimumProtocolVersion to TLSv12_2019

Users with limited access require permissions for the listed policies.

For AWS ALB/NLB:

For AWS CloudFront:

To add an AWS ALB/NLB load balancer for sensor-based automation, run the addagentless utility with the -type AWS argument on the sensor system.

To add an AWS CloudFront distribution for sensor-based automation, run the addagentless utility with the -type AWS-CLOUDFRONT argument on the sensor system.

During configuration, you are prompted to select one of the following AWS login methods:

  1. Use the default AWS credential provider chain
  2. Supply the credentials yourself
  3. Use an AWS profile name

Below are interactive configuration examples of adding an AWS ALB or NLB load balancer to a sensor, one for each of the three login methods. Additional details about AWS credentials follow these examples.

Login method 1
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 1

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Successfully added or changed the agentless automation. This applies to the following HA Pair peers :

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.

Login method 2
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 2

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Enter AWS access key Id:ABCD12E3F4GHIJ567KLM
Enter AWS secret key:
Confirm AWS secret key:

Successfully added or changed the agentless automation. This applies to the following HA Pair peers :

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.

Login method 3
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 3

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Enter your AWS profile name (Press Enter if the profile name and AWS Account ID are same.):

Successfully added or changed the agentless automation. This applies to the following HA Pair peers:

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.

AWS credentials: provider chain

When adding an AWS load balancer for sensor-based automation, you have the option to use an AWS credential provider chain for login. With this method, login credentials will be sought in the following sequence during an automation event:

  1. Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

    Note: You are required to restart the sensor:

    • If environment variables are added while the sensor is already installed and running.
    • If environment variables are updated or changed while the sensor is running.
  2. Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI.

    For successful authentication, we recommend:

    • Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
    • Setting the credential file to a location where both the sensor and the user have access to it.

    For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

    Note: You must restart the sensor if an update or change is made to the environment variables when the sensor is running.

  3. Instance profile credentials delivered through the Amazon EC2 metadata service.

    For successful instance credential authentication:

    1. Sensor must be installed on the EC2 instance.
    2. Identity and Access Management (IAM) role must be linked to an EC2 instance. To create and link the IAM role to an instance, refer to Create IAM role and Assign IAM role to an instance (see below).
    3. IAM role associated with the instance must have the following policy authorization:

    For more details, refer to the AWS documentation.

Create IAM role

  1. Sign in to AWS Management Console and select IAM service.

  2. In the sidebar menu, select Access management > Roles. Then, select Create role.

  3. On the Create role page, select the AWS service trusted entity type and the EC2 use case. Then, select Next: Permissions.

  4. Select the policies you want to assign to the role. Then, select Next: Tags.

  5. Assign tags to the role (optional) and select Next: Review.

  6. Enter a role name, add a description (optional), and select Create role.

Assign IAM role to an instance

  1. On the AWS Management Console, select EC2 service.

  2. In the sidebar menu, select Instances.

  3. On the Instances page, select the instance. Then, select Actions > Instance Settings > Attach/Replace IAM Role.

  4. On Attach/Replace IAM Role page, select the IAM role to attach to your instance. Then select Apply.

Supply credentials in at least one of these locations for the sensor to connect to AWS.

AWS credentials: profile name

To use an AWS profile name for your login credentials, set the profile with key-value pairs. You can do this in the AWS credential profiles file located at the default location (~/.aws/credentials), which is shared by all AWS SDKs and the AWS CLI.

For successful authentication, we recommend:

  • Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
  • Setting the credential file to a location where both the sensor and the user have access to it.

For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile1]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile2]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile3]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

If you are working with multiple AWS accounts, you can easily switch between your accounts by creating multiple profiles (sets of credentials) in your credentials file.

Each section (for example, [default], [profile1], [profile2], etc), represents a separate credential profile. The keyword in square brackets is your profile name.

If you leave the AWS profile name blank at the prompt, the AWS account ID is used as the profile name, so the credentials file must then contain a section named after the account ID (for example, [123456789012]).
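The following Python script is an added example (not DigiCert's sensor code) that mirrors both the lookup order of the provider chain described under "AWS credentials: provider chain" and the profile-name rule for login method 3, so you can confirm which credentials the sensor will find before running addagentless. It uses a constructed credentials file in the layout shown above; the `write_sample_credentials` helper, the profile names and the placeholder key values are illustrative. It also warns when the credentials file is readable by other users, a check the page does not describe but which matters because the file holds long-lived secrets.

```python
import configparser
import stat
import tempfile
from pathlib import Path

# Constructed credentials file in the layout shown above. The [123456789012]
# section exists so that login method 3 with a blank profile name resolves to it.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIA_EXAMPLE_DEFAULT
aws_secret_access_key = EXAMPLE_SECRET_DEFAULT

[123456789012]
aws_access_key_id = AKIA_EXAMPLE_ACCOUNT
aws_secret_access_key = EXAMPLE_SECRET_ACCOUNT

[profile1]
aws_access_key_id = AKIA_EXAMPLE_PROFILE1
aws_secret_access_key = EXAMPLE_SECRET_PROFILE1
"""


def write_sample_credentials() -> Path:
    """Illustrative helper: write the sample to a private temp directory, mode 600."""
    path = Path(tempfile.mkdtemp()) / "credentials"
    path.write_text(SAMPLE_CREDENTIALS)
    path.chmod(0o600)
    return path


def credentials_path(env: dict) -> Path:
    """File the chain reads: AWS_CREDENTIAL_PROFILES_FILE if set, else ~/.aws/credentials."""
    override = env.get("AWS_CREDENTIAL_PROFILES_FILE")
    return Path(override) if override else Path.home() / ".aws" / "credentials"


def load_profiles(path: Path) -> dict:
    """Parse the INI-style file into {profile_name: {key: value}}; keys are lowercased."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return {section: dict(parser[section]) for section in parser.sections()}


def resolve_provider_chain(env: dict, path: Path) -> tuple:
    """Login method 1, in the order listed above: environment variables, then the
    [default] profile in the credentials file, then the EC2 instance profile.
    The instance profile cannot be checked offline, so it is reported as the fallback."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", env["AWS_ACCESS_KEY_ID"]
    if path.is_file():
        profiles = load_profiles(path)
        if "default" in profiles:
            return "credentials_file", profiles["default"]["aws_access_key_id"]
    return "instance_profile", None


def resolve_profile_name(path: Path, account_id: str, profile_name: str = "") -> tuple:
    """Login method 3: a blank profile name means the AWS account ID is the profile name."""
    name = profile_name.strip() or account_id
    profiles = load_profiles(path) if path.is_file() else {}
    if name not in profiles:
        raise LookupError(f"profile [{name}] not found in {path}; available: {sorted(profiles)}")
    return name, profiles[name]["aws_access_key_id"]


def permission_warnings(path: Path) -> list:
    """The file holds long-lived secrets: it should be readable only by the account
    the sensor runs as (chmod 600) and owned by that account."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is group/world accessible (mode {oct(mode)}); run chmod 600 on it"]
    return []


if __name__ == "__main__":
    creds = write_sample_credentials()
    env = {"AWS_CREDENTIAL_PROFILES_FILE": str(creds)}
    print("chain resolves to:", resolve_provider_chain(env, credentials_path(env)))
    print("method 3, blank name:", resolve_profile_name(creds, "123456789012"))
    print("warnings:", permission_warnings(creds))
```

Run the script with the sensor's own service account and environment, not your interactive shell: the recommendation above to place the file where "both the sensor and the user have access" is about the sensor process and the administrator who maintains the file, and nothing else should be able to read it. Remember that the sensor only re-reads environment variables on restart, so a change that this script sees immediately is not visible to a running sensor until it is restarted.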