Schedule automation events

Before you begin

Schedule a certificate automation event

  1. In your CertCentral account, in the left main menu, go to Automation > Automated IPs.

  2. On the Automated IPs page, find the certificate you want to automate.

  3. In the Actions column, select the appropriate option from the dropdown menu:

    • Request a certificate
      Request a new certificate when there is no certificate configured yet for the IP/Port.
    • Switch to DigiCert
      Replace a certificate issued from a different Certificate Authority (CA) with a DigiCert certificate.
    • Renew
      • Non-Multi-year Plans: When a certificate has expired or is about to expire in less than 90 days.
      • Multi-year Plans: When an order or Multi-year Plan has expired or is about to expire in less than 90 days.
    • Reissue
      • Non-Multi-year Plans: When an active certificate is revoked or missing.
        Note: The certificate will be reissued with the remaining validity of the original certificate.
      • Multi-year Plans: When a certificate issued from an active Multi-year Plan needs to be replaced, is revoked or is missing.
        Note: The certificate will be reissued with the maximum allowed certificate validity or the remaining validity on the Multi-year Plan.
    • Get your next certificate
      • Multi-year Plans: When an active certificate for a Multi-year Plan is about to expire in less than 30 days.
        Note: You can reissue or get your next certificate at no cost each time it reaches the end of its validity period until the Multi-year Plan expires.
    • Submit manual request
      When you want to request a certificate manually.
  4. Select or create an automation profile for this event.

  5. (Optional) Select Issue a duplicate certificate using an existing order to request a duplicate of the certificate that is automated with an existing order. This option is only available if duplicate certificates are enabled under your CertCentral account's automation settings.

  6. Enter the Common name and Subject Alternative Names you want the certificate to secure.

  7. If applicable, select any additional options for the current use case. See use case notes below.

  8. Set the time for automation to begin—immediately or scheduled in advance.

  9. (Optional) Set the certificate to renew and install automatically near the end of its validity period.

  10. Read through the agreement and select I agree to the Certificate Services Agreement.

  11. Select Start automation or Schedule automation.


Use case notes: Citrix NetScaler load balancers

Prerequisites for Citrix NetScaler certificate automations:

  • You cannot automate a certificate with an “IP unreachable” status. An “IP unreachable” status refers to non-addressable virtual servers where the PFX certificate is present.

When scheduling certificate automation events for Citrix NetScaler load balancers:

  • Make sure the organization associated with the automation profile you choose includes country, state, and locality (CSL) details. This information is required to generate the CSR and automate the load balancer.
  • When requesting automation on the HTTP port, if you want to redirect the traffic after automation, enter the HTTPS redirect port of the HTTP instance for the virtual IP address.
    Note: During automation, we create an HTTPS virtual server with a new certificate. When successful, automation redirects the traffic to the HTTPS instance on the specified port.

Use case notes: F5 BIG-IP load balancers

When scheduling certificate automation events for F5 BIG-IP load balancers:

  • (Optional) Select Private key security type to specify the storage of your private keys:
    • Normal: Store the private key in the F5 BIG-IP load balancer itself.
    • FIPS: Store the private key in the Federal Information Processing Standards (FIPS) enabled module of the F5 BIG-IP load balancer.
    • NetHSM: Store the private key in the Hardware Security Module (HSM) device connected to the F5 BIG-IP load balancer.
    Note: This setting can also be configured from the CertCentral Manage automation view.

Use case notes: DV certificate automations

Prerequisites for DV certificate automations:

  • Create a DNS integration to automate DV certificates on load balancers
  • Make sure to enable the domain validation settings for specific domains:
    1. In your CertCentral account, in the left main menu, go to Settings > Preferences.
    2. On the Preferences page, expand Advanced Settings.
    3. Under Domain Control Validation, in the Validation Scope section, select Submit exact domain names for validation.
    4. Select Save Settings.

DV certificates do not support:

  • Bulk certificate automation retry if DNS integration fails
  • Duplicate certificate issuance

When scheduling DV certificate automation events:

  • Do not select Issue a duplicate certificate using an existing order, as it is not supported for DV certificates.
  • (Optional) Select DNS integration or provider for the validation of the DNS challenge to prove the ownership of the domains. The list includes all the integrations added to the sensor.

DNS integrations or providers marked Critical had issues in the past while setting the DNS challenge. They may fail again. We recommend you select another integration or provider for successful validation.

By default, certificates under automation on the load balancer inherit the associated DNS integration. To override the configuration, select a different DNS integration.

The updated DNS integration for a scheduled automation becomes effective immediately. However, for auto-renewal, the updated DNS integration will only be effective from the next scheduled automation.

  • DV certificate issuance workflow with Authkey
    In Authkey enabled accounts, after you submit a DV certificate automation request, CertCentral immediately approves the request and issues the certificate. Then automation installs the certificate.
  • DV certificate issuance workflow without Authkey
    In non-Authkey enabled accounts, after you submit a DV certificate automation request, the request moves to Approval pending. You must complete the DCV for the domains on the request before CertCentral issues the DV certificate. Then automation installs the certificate.

Troubleshooting

For known issues and troubleshooting tips:

If you need help or want to report errors related to CertCentral managed automation, contact Support.