Sensor configuration examples
After installing and activating a sensor, you must perform initial configuration on the sensor itself to add the network appliances for automation. This initial configuration can either be performed interactively from the command line, or by adding and reading the configuration parameters from a text file.
The examples below demonstrate the use of the interactive configuration method to add various network appliance types for sensor-based automation.
Important
The login password of each network appliance must meet the DigiCert password requirements so it will work with automation. The password must contain lower and upper case letters, numbers, or symbols.
Allowed symbols for different network appliance types:
A10: !@#$%^()-+_ {}[]~?:./
Citrix ADC: ~!@#$%^*()_+-|`{}[]:;?/,."
F5 BIG-IP: ~!@#$%^&*()_+`-={}[]|;:'"<>,./?
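The following Python check is an example added to this page (it is not a DigiCert tool or sensor code) for testing a candidate appliance password against the symbol sets listed above before it is entered into addagentless. It reads the requirement as: lowercase and uppercase letters required, at least one digit or symbol, and symbols only from the appliance's allowed set; the space printed in the A10 list is treated as a separator rather than an allowed character. The function names and the appliance keys (A10, NETSCALER, BIGIP, chosen to match the -type values used on this page) are this example's own assumptions.

```python
"""Check an appliance login password against the per-appliance symbol sets above.

Example added to this page; not part of the DigiCert sensor. Interpretation of the
rule (assumption): lowercase AND uppercase letters are required, plus at least one
digit or allowed symbol, and no symbol outside the appliance's allowed set.
"""
import string
from typing import List

# Symbol sets copied from the "Allowed symbols" list above, keyed by addagentless -type.
# The space printed in the A10 list is treated as a separator, not an allowed character.
ALLOWED_SYMBOLS = {
    "A10": set("!@#$%^()-+_{}[]~?:./"),
    "NETSCALER": set('~!@#$%^*()_+-|`{}[]:;?/,."'),
    "BIGIP": set("~!@#$%^&*()_+`-={}[]|;:'\"<>,./?"),
}
ASCII_LETTERS_DIGITS = set(string.ascii_letters + string.digits)


def check_password(password: str, appliance: str) -> List[str]:
    """Return a list of problems; an empty list means the password is usable."""
    if appliance not in ALLOWED_SYMBOLS:
        raise ValueError("unknown appliance type %r; expected one of %s"
                         % (appliance, sorted(ALLOWED_SYMBOLS)))
    allowed = ALLOWED_SYMBOLS[appliance]
    problems = []
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("missing lowercase letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("missing uppercase letter")
    if not any(c in string.digits or c in allowed for c in password):
        problems.append("missing digit or symbol")
    # Anything that is neither an ASCII letter/digit nor an allowed symbol is rejected,
    # which also catches stray whitespace and non-ASCII characters.
    disallowed = sorted(set(password) - ASCII_LETTERS_DIGITS - allowed)
    if disallowed:
        problems.append("characters not allowed for %s: %s"
                        % (appliance, " ".join(repr(c) for c in disallowed)))
    return problems


def usable_on(password: str) -> List[str]:
    """Appliance types on which the password passes; useful when one credential must serve several."""
    return [a for a in sorted(ALLOWED_SYMBOLS) if not check_password(password, a)]


if __name__ == "__main__":
    for pw in ("Correct-Horse7", "Pa&ss9word", "password1", "Passw0rd "):
        print(repr(pw), usable_on(pw))
```

Note that the same password can be valid for BIG-IP and rejected for A10 (the `&` case above), so check against the type of the appliance you are actually adding.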
A10
To add an A10 load balancer for sensor-based automation, run the addagentless utility with the -type A10 argument on the sensor system.
Example interactive configuration session:
    Sensor CLI. Copyright 2020, DigiCert Inc.
    Add or change login credentials and specify data IP addresses for certificate automation.
    Enter management IP address:10.141.17.192
    Enter Management Port (443):443
    If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
    Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
    Enter admin username:admin
    Enter admin password:
    Confirm admin password:
    Successfully added or changed the agentless.
    IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.
A10 high availability
To add an A10 high availability load balancer for sensor-based automation, run the addagentless utility with the -type A10 -ha VRRPA arguments on the sensor system.
Example interactive configuration session:
    Sensor CLI. Copyright 2021, DigiCert Inc.
    Add or change login credentials and specify data IP addresses for certificate automation.
    Enter management IP address:10.141.17.192
    Enter Management Port (443):443
    Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
    Enter admin username:admin
    Enter admin password:
    Confirm admin password:
    Enter SSH enable password:
    Confirm SSH enable password:
    For high availability configurations, enter the management IP address and login information for each additional load balancer in the configuration. To finish the list, press Return at the prompt (blank input).
    Enter management IP address, port, and username (separated by commas):10.141.17.192,443,admin
    Enter admin password:
    Confirm admin password:
    Enter management IP address, port, and username (separated by commas):
    Successfully added or changed the agentless.
    IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.
Citrix ADC
To add a Citrix ADC load balancer for sensor-based automation, run the addagentless utility with the -type NETSCALER argument on the sensor system. When prompted for http or https, choose https so that the web service credentials you enter are not sent to the appliance in cleartext.
Example interactive configuration session:
    Sensor CLI. Copyright 2020, DigiCert Inc.
    Add or change login credentials and specify data IP addresses for certificate automation.
    Enter the management IP:10.141.17.192
    http or https:https
    Enter management Port (443):443
    If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
    Enter webservice username:nsroot
    Enter webservice password:
    Confirm webservice password:
    Enter SSH username:nsroot
    Enter SSH password:
    Confirm SSH password:
    Enter SSH port:22
    Successfully added or changed the agentless.
    HA Pair peers are
    Management IP : 10.141.17.192 (Primary)
    The sensor may use any of these management IP addresses to perform certificate automation activities.
    IMPORTANT: After you run this command, return to Manage Automation Agents in console. Verify that the certificate host appears and is configured.
F5 BIG-IP
To add an F5 BIG-IP load balancer for sensor-based automation, run the addagentless utility with the -type BIGIP argument on the sensor system.
Example interactive configuration session:
    Sensor CLI. Copyright 2020, DigiCert Inc.
    Add or change login credentials and specify data IP addresses for certificate automation.
    Enter management IP address:10.141.17.192
    Enter Management Port:443
    If available, do you want to map this sensor with the previously voided load balancer (Y/N)?:N
    Enter web service username: admin
    Enter web service password:
    Confirm web service password:
    Successfully added or changed the agentless automation. This applies to the following HA Pair peers :
    Management IP: 10.141.17.192 (ACTIVE)
    Starting agentless configuration for this host.
    Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
When the F5 BIG-IP load balancer is added, the sensor automatically collects information on IP/ports that can be automated.
For successful automation:
Make sure to select only supported network protocols when configuring virtual IPs. Note: The UDP protocol does not support automation. Virtual IPs configured using UDP protocols will be filtered and cannot be discovered.
For Virtual Servers configured with iApp templates, disable Strict Updates for successful automation. In the F5 console, go to the iApps Application Services folder and clear the Strict Updates check box.
For your Virtual Server configuration, do not add a Destination Address/Mask of the form xxx.xxx.xxx.xxx/0. Automation cannot identify such a destination: the address appears as 0.0.0.0, and IPs like this cannot be automated.
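The following Python pre-check is an example added to this page, not the sensor's discovery code. It applies the three prerequisites above (no UDP, no /0 destination mask, no iApp Strict Updates) to a constructed inventory of virtual servers, so you can see which ones will be filtered before the sensor runs. The record fields, the sample inventory and the function names are this example's own assumptions; the handling of a BIG-IP route-domain suffix (%ID) on the address is added here because real destinations may carry one.

```python
"""Pre-check BIG-IP virtual servers against the automation prerequisites listed above.

Example added to this page; it is not the sensor's discovery code. The record
fields (name, destination, port, protocol, iapp_strict_updates) and the sample
inventory are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VirtualServer:
    name: str
    destination: str                            # Address or Address/Mask as entered in the Destination field
    port: int
    protocol: str                               # "tcp" or "udp"
    iapp_strict_updates: Optional[bool] = None  # None: not managed by an iApp


def _strip_route_domain(destination: str) -> str:
    """BIG-IP writes "10.1.1.1%2/32" for route domain 2; the %ID is not part of the IP."""
    host, sep, mask = destination.partition("/")
    return host.split("%")[0] + (sep + mask if sep else "")


def effective_address(destination: str) -> str:
    """What a /0 mask turns the address into: the network address, i.e. 0.0.0.0 (or ::)."""
    net = ipaddress.ip_network(_strip_route_domain(destination), strict=False)
    return str(net.network_address)


def check_virtual_server(vs: VirtualServer) -> List[str]:
    """Return the reasons this virtual server cannot be automated; empty list means it can."""
    reasons = []
    if vs.protocol.lower() == "udp":
        reasons.append("UDP virtual servers are filtered out and cannot be discovered")
    net = ipaddress.ip_network(_strip_route_domain(vs.destination), strict=False)
    if net.prefixlen == 0:
        reasons.append("destination %s has a /0 mask and appears as %s; automation cannot identify it"
                       % (vs.destination, net.network_address))
    if vs.iapp_strict_updates:
        reasons.append("iApp Strict Updates is enabled; clear it under iApps > Application Services")
    return reasons


def report(inventory: List[VirtualServer]) -> Dict[str, List[str]]:
    """Map each virtual server name to its list of blocking reasons."""
    return {vs.name: check_virtual_server(vs) for vs in inventory}


# Constructed sample inventory (not taken from a real BIG-IP).
SAMPLE_INVENTORY = [
    VirtualServer("vs_www_https", "10.141.17.200", 443, "tcp"),
    VirtualServer("vs_dns_udp", "10.141.17.201", 53, "udp"),
    VirtualServer("vs_catchall", "10.141.17.202/0", 443, "tcp"),
    VirtualServer("vs_iapp_app", "10.141.17.203%1", 8443, "tcp", iapp_strict_updates=True),
    VirtualServer("vs_iapp_ok", "10.141.17.204", 8443, "tcp", iapp_strict_updates=False),
]

if __name__ == "__main__":
    for name, reasons in report(SAMPLE_INVENTORY).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

The /0 case is handled with the standard library's `ipaddress` module: a host address combined with a zero-length mask normalises to the all-zeros network address, which is exactly why the sensor shows such a virtual server as 0.0.0.0.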
For high-availability (HA) configurations, the addagentless utility only needs to be run once. Enter either the floating IP or the management IP of one of the load balancers. The sensor automatically detects the HA peer configuration.
Amazon Web Services (AWS)
DigiCert sensor-based automation supports AWS Application/Network Load Balancer (ALB/NLB) and AWS CloudFront. Note that:
Newly automated certificates are stored in AWS Certificate Manager (ACM), independently of the original certificate stored in AWS Identity and Access Management (IAM).
When automating a distribution with no certificates, AWS recommends modifying the distribution settings to:
SSLSupportMethod: sni-only
MinimumProtocolVersion: TLSv1.2_2019
Notice
Users with limited access require permissions for the listed policies.
For AWS ALB/NLB:
For AWS CloudFront:
To add an AWS ALB/NLB load balancer for sensor-based automation, run the addagentless utility with the -type AWS argument on the sensor system.
To add an AWS CloudFront distribution for sensor-based automation, run the addagentless utility with the -type AWS-CLOUDFRONT argument on the sensor system.
During configuration, you are prompted to select one of the following AWS login methods:
Use the default AWS credential provider chain
Supply the credentials yourself
Use an AWS profile name
Below are interactive configuration examples of adding an AWS ALB or NLB load balancer to a sensor, one for each of these three login methods. Additional details about AWS credentials follow the examples.
AWS credentials: provider chain
When adding an AWS load balancer for sensor-based automation, you can use the AWS credential provider chain for login. With this method, credentials are sought in the following sequence during an automation event:
Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
    Note: You must restart the sensor if these environment variables are added while the sensor is already installed and running, or if they are updated or changed while the sensor is running.
Credential profiles file at the default location (~/.aws/credentials), shared by all AWS SDKs and the AWS CLI. For successful authentication, we recommend:
    Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
    Setting the credentials file to a location that both the sensor and the user can access.
    For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
    Note: You must restart the sensor if this environment variable is updated or changed while the sensor is running.
Instance profile credentials delivered through the Amazon EC2 metadata service. For successful instance credential authentication:
    The sensor must be installed on the EC2 instance.
    An Identity and Access Management (IAM) role must be attached to the EC2 instance. To create and attach the role, refer to Create IAM role and Assign IAM role to an instance (below).
    The IAM role associated with the instance must have the following policy authorization:
    For AWS ALB/NLB:
    For AWS CloudFront:
    For more details, refer to the AWS documentation.
Create IAM role
Sign in to AWS Management Console and select IAM service.
In the sidebar menu, select Access management > Roles. Then, select Create role.
On the Create role page, select the AWS service trusted entity type and the EC2 use case. Then, select Next: Permissions.
Select the policies you want to assign to the role. Then, select Next: Tags.
Assign tags to the role (optional) and select Next: Review.
Enter a role name, add a description (optional), and select Create role.
Assign IAM role to an instance
On the AWS Management Console, select EC2 service.
In the sidebar menu, select Instances.
On the Instances page, select the instance. Then, select Actions > Instances Settings > Attach/Replace IAM Role.
On Attach/Replace IAM Role page, select the IAM role to attach to your instance. Then select Apply.
Important
Supply credentials in at least one of these locations so that the sensor can connect to AWS.
AWS credentials: profile name
To use an AWS profile name for your login credentials, define the profile as key-value pairs in the AWS credential profiles file at the default location (~/.aws/credentials), which is shared by all AWS SDKs and the AWS CLI.
For successful authentication, we recommend:
Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
Setting the credentials file to a location that both the sensor and the user can access.
For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
Example credentials file:
    [default]
    aws_access_key_id = YOUR_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

    [profile1]
    aws_access_key_id = YOUR_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

    [profile2]
    aws_access_key_id = YOUR_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

    [profile3]
    aws_access_key_id = YOUR_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
If you work with multiple AWS accounts, you can switch between them by creating multiple profiles (sets of credentials) in your credentials file.
Each section (for example, [default], [profile1], [profile2]) is a separate credential profile; the keyword in square brackets is the profile name.
Important
If you do not specify the AWS profile name as a login, the AWS account ID will be used as your login credential.
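The following Python example is added to this page to make the two credential sections above concrete; it is not the sensor's code (the sensor relies on the AWS SDK's default chain, which is not shown on this page). It walks the provider chain in the order described (environment variables, then the shared credentials file selected through AWS_CREDENTIAL_PROFILES_FILE or ~/.aws/credentials, then EC2 instance-profile credentials), and it reads a named profile directly when one is given, as the profile-name login method does. The function and parameter names, the `source` field in the result, the sample credentials file it writes, and the file-permission check are this example's own assumptions; the IMDSv2 endpoints are AWS's documented ones.

```python
"""Resolve AWS credentials the way the provider chain on this page describes.

Example added to this page; it is not the DigiCert sensor's code (the sensor uses
the AWS SDK default chain). The lookup order and file layout are taken from the
text above; the function and parameter names are this example's own.
"""
import configparser
import json
import os
import pathlib
import stat
import tempfile
import urllib.request
from typing import Callable, Dict, Optional

Creds = Dict[str, str]
IMDS = "http://169.254.169.254"  # EC2 instance metadata service (IMDSv2 used below)


def credentials_file_path(env: Dict[str, str]) -> pathlib.Path:
    """AWS_CREDENTIAL_PROFILES_FILE wins; otherwise the SDK default ~/.aws/credentials."""
    override = env.get("AWS_CREDENTIAL_PROFILES_FILE")
    return pathlib.Path(override) if override else pathlib.Path.home() / ".aws" / "credentials"


def load_profile(path: pathlib.Path, profile: str = "default") -> Optional[Creds]:
    """Read one [section] of the shared credentials file; None if absent or incomplete."""
    parser = configparser.ConfigParser()
    if not parser.read(path) or not parser.has_section(profile):
        return None
    section = parser[profile]
    if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None
    return {"aws_access_key_id": section["aws_access_key_id"],
            "aws_secret_access_key": section["aws_secret_access_key"]}


def fetch_instance_credentials(timeout: float = 1.0) -> Optional[Creds]:
    """Last step of the chain: role credentials from IMDSv2, reachable only on an EC2 instance."""
    try:
        token_req = urllib.request.Request(
            IMDS + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        token = urllib.request.urlopen(token_req, timeout=timeout).read().decode()
        hdr = {"X-aws-ec2-metadata-token": token}
        base = IMDS + "/latest/meta-data/iam/security-credentials/"
        role = urllib.request.urlopen(urllib.request.Request(base, headers=hdr),
                                      timeout=timeout).read().decode().splitlines()[0]
        doc = json.loads(urllib.request.urlopen(urllib.request.Request(base + role, headers=hdr),
                                                timeout=timeout).read())
        return {"aws_access_key_id": doc["AccessKeyId"],
                "aws_secret_access_key": doc["SecretAccessKey"],
                "aws_session_token": doc["Token"]}
    except (OSError, ValueError, KeyError, IndexError):
        return None  # not on EC2, no role attached, or metadata service unreachable


def resolve(env: Dict[str, str], profile: Optional[str] = None,
            metadata_fetch: Callable[[], Optional[Creds]] = fetch_instance_credentials) -> Optional[Creds]:
    """Profile-name login reads that section directly; otherwise walk the chain in order.

    `env` is passed in explicitly: a process only sees the variables present when it
    started, which is why the page says to restart the sensor after changing them.
    """
    if profile:
        creds = load_profile(credentials_file_path(env), profile)
        return {"source": "profile:" + profile, **creds} if creds else None
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"source": "environment",
                "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
                "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"]}
    creds = load_profile(credentials_file_path(env), "default")
    if creds:
        return {"source": "profile:default", **creds}
    creds = metadata_fetch()
    return {"source": "instance-profile", **creds} if creds else None


def permission_warning(path: pathlib.Path) -> Optional[str]:
    """Long-lived keys should be readable by the sensor's user only (POSIX mode check)."""
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "%s is group/world accessible (mode %o); restrict it to the sensor user" % (path, stat.S_IMODE(mode))
    return None


def write_sample_credentials_file() -> pathlib.Path:
    """Constructed sample in the page's [default]/[profileN] layout, with placeholder keys."""
    path = pathlib.Path(tempfile.mkdtemp()) / "credentials"
    path.write_text(
        "[default]\naws_access_key_id = AKIADEFAULTEXAMPLE\naws_secret_access_key = default-secret\n\n"
        "[profile1]\naws_access_key_id = AKIAPROFILE1EXAMPLE\naws_secret_access_key = profile1-secret\n")
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    sample = write_sample_credentials_file()
    env = {"AWS_CREDENTIAL_PROFILES_FILE": str(sample)}
    print(resolve(env, metadata_fetch=lambda: None)["source"])                      # profile:default
    print(resolve(env, profile="profile1", metadata_fetch=lambda: None)["source"])  # profile:profile1
    print(permission_warning(sample))
```

Two practical points follow from the code: environment variables take precedence over the credentials file only when both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set, so a stale pair left in the sensor's environment silently overrides the file; and because the file holds long-lived keys, the location you choose with AWS_CREDENTIAL_PROFILES_FILE should be readable by the sensor's user and nobody else.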