Skip to main content

Set up managed automation for custom applications

DigiCert​​®​​ Trust Lifecycle Manager's automation solution supports the most popular web server applications out of the box.

DigiCert also provides the flexibility to extend certificate management to additional Linux or Windows applications, by using your own custom automation script in conjunction with the Certbot ACME client.

Follow these steps to start using Trust Lifecycle Manager to automate certificate management for a custom server application.

Step 1: Install DigiCert agent

Custom automations require an active DigiCert agent on the server. The agent:

  • Coordinates each automation request sent through Trust Lifecycle Manager, including details about the requested certificate type and properties.

  • Invokes your custom shell script on the server to complete the request and install the certificate for your application.

For detailed instructions about how to install and activate DigiCert agents on your servers, see Deploy and manage agents.

Step 2: Install Certbot ACME client

In addition to a DigiCert agent, the server must have the Certbot ACME client installed.

Your custom shell script invokes Certbot to complete each request and install the resulting certificate for your custom Linux or Windows application.

For detailed instructions about how to download and install the Certbot client, refer to the official Certbot instructions.

Step 3: Create shell script

You need a shell script to help manage the certificates for your custom application.

The shell script contains the Certbot command to request and install certificates for your application via the Trust Lifecycle Manager ACME service. Below are example shell scripts for Linux and Windows.

Example scripts

Example 1. Linux
# Define variables
host=$1
emailaddress=$2
eabkeyidentifier=$3
eabkeyhmac=$4
key=$5
directoryuri=$6

# Remove double quotes from ACME URL
value=$directoryuri
value=${value#\"}
directoryuri=${value%\"}

# Run Certbot
certbot certonly --server $directoryuri --config-dir ./acme/ --eab-kid $eabkeyidentifier --eab-hmac-key $eabkeyhmac --force-renew --agree-tos --no-redirect --expand -d $host --email $emailaddress --no-autorenew --preferred-challenges http --standalone --key-type $key -n --no-verify-ssl

# Complete script
returnCode=$?
echo "The command exit status : ${returnCode}"
exit $returnCode

Example 2. Windows
directoryuri=%1
host=%2
emailaddress=%3
eabkeyidentifier=%5
eabkeyhmac=%6
acmeConfigDirectory="./%eabkeyidentifier%"
certbot --server %directoryuri% --config-dir %acmeConfigDirectory% --eab-kid %eabkeyidentifier%  --eab-hmac-key %eabkeyhmac% -m %emailaddress% --force-renew --agree-tos --no-redirect --expand -d %host% --no-verify-ssl --no-autorenew 
set returnCode=%errorlevel%
EXIT /B %returnCode%

Usage notes

Variable definitions at the top of these shell scripts set the required ACME request parameters:

  • These must match up with the ACME arguments you configure for the custom application in Trust Lifecycle Manager (see below).

  • During an automation event, values for these arguments are supplied to the shell script by the local DigiCert agent.

Commands used in the shell script:

  • Must include all mandatory parameters.

  • Must not exceed 512 characters.

  • Must not include special directives like rm -rf or rmdir

The shell script filename:

  • Must end with .sh or .bat.

  • Must not exceed 255 characters.

Step 4: Add script details in Trust Lifecycle Manager

Store your custom automation shell script in the local DigiCert agent's user-scripts sub-directory on the server. Configure the details about it in the Trust Lifecycle Manager web console, as follows:

  1. From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Agents.

  2. From the More actions dropdown at top, select Add script.

  3. Fill out the Add script form:

    1. Name: Enter a user-friendly name to use when referencing the script.

    2. Operating system: Select the applicable operating system (Linux or Windows).

    3. Script type: Select Custom automation.

    4. Script filename: Enter the script's filename in or path relative to the local agent's user-scripts sub-directory.

      • Linux: If your script is named "myscript.sh" and is stored directly in the agent's user-scripts sub-directory, enter myscript.sh here. If you stored the script within an additional sub-directory called "custom-apps" in the user-scripts sub-directory, enter custom-apps/myscript.sh instead.

      • Windows: If your script is named "myscript.bat" and is stored directly in the agent's user-scripts folder, enter myscript.bat here. If you stored the script within an additional sub-folder called "custom-apps" in the user-scripts folder, enter custom-apps\myscript.bat instead.

      Warning

      Make sure there are no spaces in the filename for either Linux or Windows. The script will fail if the path or filename has spaces in it.

    5. Command-line arguments: Enter a space-separated list of general ACME parameters to use with your custom automation script.

      For example:

      {acmeDirectoryUrl} {hosts} {email} {keyType} {extActKid} {extActHmac}

      Note that:

      • Each argument must be entered exactly as shown here.

      • The order of the arguments must match up with how they are used in your shell script.

      • When you submit a certificate automation request from Trust Lifecycle Manager, it supplies the required values for these parameters based on the certificate profile you select and the request details you enter.

      Explanation of ACME parameters used by DigiCert​​®​​:

      • {acmeDirectoryUrl}: The ACME directory URL.

      • {hosts}: Domain name(s) for the certificate.

      • {email}: Add an email address to the certificate.

      • {keyType}: Key algorithm (RSA or ECC).

      • {extActKid}: External Account Binding (EAB) key identifier.

      • {extActHmac}: HMAC key for EAB.

    6. Description (optional): Enter an optional description for the script to help identify it when working with DigiCert agents and agent-based automations in Trust Lifecycle Manager.

  4. Select Add to save the custom automation script details in Trust Lifecycle Manager.

Step 5: Assign script to the applicable agent IP/port targets

To complete the custom automation configuration, assign the script to any DigiCert agents that will coordinate certificate lifecycle automation events for the custom application:

  1. From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Agents.

  2. Locate the local DigiCert agents on the systems where the custom application is running. Select each agent by name to view the details for it.

  3. Select the pencil (edit) icon on the right of the agent details page to update the agent configuration.

  4. In the IP/port targets section for the agent, locate any IP/port targets where the custom application is running and configure them as follows:

    • Application: Select Custom.

    • Custom automation script: Select the custom automation script by the name assigned to it in Trust Lifecycle Manager.

  5. Select the Update button at bottom to save your changes.

What's next

After enabling managed automation for your custom application, you can manage certificate deployments for it as you would any other server application in Trust Lifecycle Manager.

When you need a new certificate for your custom application:

  1. You submit the request through the Trust Lifecycle Manager web console or REST API.

  2. The DigiCert agent on the local system processes the certificate request and invokes your custom shell script with the required parameters.

  3. Your custom shell script invokes the Certbot ACME client to complete the request and install the new certificate for your application.

In this section: