
Ansible

Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager through an Ansible playbook, using the ACMEv2 protocol to generate requests and download the issued certificates.

Before you begin

In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:

  • ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.

  • Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.

  • HMAC key: Used to encrypt and authenticate your account key during certificate requests.

On the Ansible end, make sure you have the community.crypto collection, which provides the following two modules required for the integration:

  • acme_account module to create an account using external account binding.

  • acme_certificate module to issue a certificate.

    Warning

    Use the latest version of the community.crypto collection to avoid a known issue in earlier versions of the acme_certificate module where some certificates issued through Ansible with ACME had a missing common name or SANs in a different order than requested.

Integration workflow

Download the Ansible integration package to get the following files:

  • digicert_acme_cert_main.yml: Sample Ansible playbook script for getting certificates from Trust Lifecycle Manager. Update it with your custom values before requesting certificates.

  • get-cert.yml: Helper script to submit certificate requests to DigiCert via ACMEv2. Keep it in the same directory as the Ansible playbook.

  • ReadMe.txt: Instructions and technical details to help you set up the integration.

Note

The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Ansible.

To request a certificate from Trust Lifecycle Manager, update the vars section in the sample Ansible playbook file digicert_acme_cert_main.yml to supply values for the following parameters:

  • acme_dir_url: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.

  • eab_kid: Key identifier (KID) of the external account binding (EAB).

  • eab_key: HMAC key of the external account binding (EAB).

  • cert_cn: Common name of the certificate.

  • contact_email: Email address of the administrator.

Optionally, you can specify further parameters and update the default settings:

  • data_dir: Location of the default data directory inside the installation directory, where all generated keys and issued certificates are stored. You can change it to your preferred location.

  • subject_alt_name: Specify the Subject Alternative Names (SANs) you want to secure with this certificate.

Place your customized Ansible playbook file and the helper script get-cert.yml in the directory where you want to install the certificate.

Change to the installation directory and run the Ansible playbook command:

  • As the root user: ansible-playbook digicert_acme_cert_main.yml

  • As a non-root user: ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml
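The procedure above, as an added example playbook that is not DigiCert's digicert_acme_cert_main.yml or get-cert.yml: it registers an ACME account with external account binding using acme_account, then issues a certificate with acme_certificate, reusing the variable names the page lists and producing the same file set in data_dir. Values in angle brackets are placeholders from your certificate profile; the http-01 challenge type and the HS256 EAB algorithm are assumptions, and any pending challenge returned by the first acme_certificate call must be satisfied before the second call finalizes the order.

```yaml
- hosts: localhost
  vars:   # <...> values come from the TLM certificate profile (placeholders)
    acme_dir_url: "https://<ACME_DIRECTORY_URL>"
    eab_kid: "<EAB_KEY_ID>"
    eab_key: "<EAB_HMAC_KEY>"
    cert_cn: app01.example.internal
    contact_email: pki-admin@example.internal
    data_dir: "{{ playbook_dir }}/data"
  tasks:
    - name: Account key, distinct from the certificate key and kept private
      community.crypto.openssl_privatekey:
        path: "{{ data_dir }}/account.key"
        mode: "0600"
    - name: Register the ACME account; EAB ties it to the TLM profile
      community.crypto.acme_account:
        acme_directory: "{{ acme_dir_url }}"
        acme_version: 2
        account_key_src: "{{ data_dir }}/account.key"
        state: present
        terms_agreed: true
        contact: ["mailto:{{ contact_email }}"]
        external_account_binding:
          kid: "{{ eab_kid }}"
          alg: HS256            # assumption: HMAC-SHA256 for the EAB signature
          key: "{{ eab_key }}"
    - name: Certificate key and CSR (CN repeated as a SAN)
      community.crypto.openssl_privatekey:
        path: "{{ data_dir }}/{{ cert_cn }}.key"
        mode: "0600"
    - community.crypto.openssl_csr:
        path: "{{ data_dir }}/{{ cert_cn }}.csr"
        privatekey_path: "{{ data_dir }}/{{ cert_cn }}.key"
        common_name: "{{ cert_cn }}"
        subject_alt_name: ["DNS:{{ cert_cn }}"]
    - name: Submit the order; the first call returns any pending challenge data
      community.crypto.acme_certificate: &order
        acme_directory: "{{ acme_dir_url }}"
        acme_version: 2
        account_key_src: "{{ data_dir }}/account.key"
        modify_account: false # account already registered above
        csr: "{{ data_dir }}/{{ cert_cn }}.csr"
        dest: "{{ data_dir }}/{{ cert_cn }}.pem"
        chain_dest: "{{ data_dir }}/{{ cert_cn }}-chain.pem"
        fullchain_dest: "{{ data_dir }}/{{ cert_cn }}-fullchain.pem"
        challenge: http-01    # assumption; validation is governed by the profile
      register: acme_order
    - name: Finalize the order and write the certificate files
      community.crypto.acme_certificate:
        <<: *order
        data: "{{ acme_order }}"
```

The YAML anchor reuses the order parameters in the second call so that only data differs; the account key stays separate from every certificate key so that compromise of a served key does not expose the ACME account.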

What's next

If the Ansible playbook ran successfully, the data subdirectory contains a series of files for the new certificate identified by its common name:

  • <common_name>.csr

  • <common_name>.key

  • <common_name>.pem

  • <common_name>-chain.pem

  • <common_name>-fullchain.pem

The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.