Skip to main content

Set up managed automation for a custom application

CertCentral managed automation supports the most popular web server applications out of the box.

CertCentral also provides the flexibility to extend certificate management to additional applications not natively supported by allowing configuration of third-party ACME clients via the "custom application" option.

Follow these steps to enable CertCentral managed automation for a custom application.

Step 1: Install DigiCert agent

Custom automations require an active DigiCert agent on the server. The agent coordinates automation requests received from CertCentral and calls your custom shell script to handle certificate lifecycle events for the custom application.

For detailed instructions about how to deploy DigiCert agents on your servers, see Install and activate an ACME automation agent.

Step 2: Install third-party ACME client

In addition to a DigiCert agent, the server must have a third-party ACME client installed. Your custom automation script invokes the ACME client to request certificates from CertCentral and install them for your custom Linux or Windows application.

CertCentral managed automation works with any third-party ACME client that supports the ACMEv2 protocol. Follow the software provider's guidelines to install and configure your preferred third-party ACME client on the same system as your custom application.

Step 3: Create shell script

You need a shell script to drive the third-party ACME client on your server. During an automation event, the DigiCert agent calls this shell script to invoke the ACME client, which then requests the certificate from CertCentral and installs it for your custom application.

The shell script contains the ACME client command to request and install certificates for your custom application using the parameters expected by the CertCentral ACME service. Command syntax varies based on which third-party ACME client you use. Check the software provider's guidelines for more information.

Below are examples of shell scripts to enable CertCentral managed automation for a custom application via third-party ACME clients Certbot (Linux) and Win-ACME (Windows):

Example 1. Certbot (Linux)
directoryuri=$1
host=$2
emailaddress=$3
eabkeyidentifier=$5
eabkeyhmac=$6
process_path=/usr/bin/apachectl
server_root=/etc/httpd
config_root=/etc/httpd/config
procCmdLine="/usr/bin/apachectl start"
acmeConfigDirectory="/etc/letsencrypt/"
certbot --server $directoryuri --config-dir $acmeConfigDirectory --eab-kid $eabkeyidentifier  --eab-hmac-key $eabkeyhmac --installer apache -m $emailaddress --force-renew --agree-tos --no-redirect --expand -d $host --no-verify-ssl --no-autorenew --pre-hook "$process_path stop" --post-hook $procCmdLine -n --apache-server-root $server_root --apache-vhost-root $config_root
returnCode=$?
echo "The command exit status : ${returnCode}"
exit $returnCode

Example 2. Win-ACME (Windows)
set SERVERURL=%1
set SANS=%2
set EMAIL=%3
set KEYALGO=%4
set EABKEY=%5
set EABHMAC=%6
set VALIDATIONMODE=--validation selfhosting
"wacs.exe" --baseuri %SERVERURL% --eab-key-identifier=%EABKEY% --eab-key=%EABHMAC% --target manual --host %SANS% --emailaddress %EMAIL% --force --accepttos --notaskscheduler %VALIDATIONMODE% --csr %KEYALGO% --store centralssl --centralsslstore  ./certs
set returnCode=%errorlevel%
EXIT /B %returnCode%

Variable definitions at the top of these shell scripts set the required ACME request parameters:

  • These must match up with the ACME arguments you configure for the custom application in CertCentral.

  • During an automation event, values for these arguments are supplied to the shell script by the local DigiCert agent that calls it.

Commands used in the shell script:

  • Must include all mandatory parameters.

  • Must not exceed 512 characters.

  • Must not include special directives like rm -rf or rmdir

The shell script filename:

  • Must end with .bat or .sh

  • Must not exceed 255 characters.

Step 4: Configure managed automation settings

Use the CertCentral Manage automation menu to complete the configuration for your custom application:

  1. In your CertCentral account, in the left main menu, select Automation > Manage automation.

  2. From the Manage automation view, select the Name of the local DigiCert agent running on the system with the custom application.

  3. In the agent configuration panel on the right, move down to the Configure IP/Port section.

  4. Locate the IP address and port number for the custom application. Select Custom as the application name.

  5. In the Client command path field, provide the complete path for the shell script that invokes the third-party ACME client.

    For example:

    • Windows: G:\certcentral\agent\custom_automation_1.bat

    • Linux: /home/certcentral/agent/custom_automation_1.sh

  6. In the Client command arguments field, specify the general ACME arguments to use.

    For example:

    {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}

    Note that:

    • Each argument must be entered exactly as shown here.

    • The order of the arguments must match up with how they are used in your shell script.

    • During an automation event, the required values for these arguments are obtained from the selected automation profile.

    Explanation of ACME arguments supported by CertCentral managed automation:

    • {acmeDirectoryUrl} – ACME directory URL settings.

    • {hosts} – Certificate host details.

    • {email} – Email address for notifications.

    • {key} – Key algorithm (RSA or ECC).

    • {extActKid} – External account key identifier used in the URL.

    • {extActHmac} – HMAC key for signing the response.

  7. Select Save to put the updated automation settings into effect.

What's next?

After setting up the custom application, you can manage certificates for it from CertCentral in the same way as any other managed application. To learn more, see Next steps.

In this section: