Ansible
Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager through an Ansible playbook, using the ACMEv2 protocol to generate requests and download the issued certificates.
Before you begin
In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client
enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:
ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.
Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.
HMAC key: Used to encrypt and authenticate your account key during certificate requests.
On the Ansible end, make sure you have the community.crypto collection, which provides the following two modules required for the integration:
acme_account
module to create an account using external account binding.acme_certificate
module to issue a certificate.Warning
Use the latest version of the community.crypto collection to avoid a known issue in earlier versions of the
acme_certificate
module where some certificates issued through Ansible with ACME had a missing common name or SANs in a different order than requested.
Integration workflow
Download the Ansible integration package to get the following files:
digicert_acme_cert_main.yml: Sample Ansible playbook script for getting certificates from Trust Lifecycle Manager. Update it with your custom values before requesting certificates.
get-cert.yml: Helper script to submit certificate requests to DigiCert via ACMEv2. Keep it in the same directory as the Ansible playbook.
ReadMe.txt: Instructions and technical details to help you set up the integration.
Notice
The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Ansible.
To request a certificate from Trust Lifecycle Manager, update the vars
section in the sample Ansible playbook file digicert_acme_cert_main.yml to supply values for the following parameters:
acme_dir_url
: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.eab_kid
: ACME EAB key identifier (KID) for the certificate profile.eab_key
: ACME EAB HMAC key for the certificate profile.cert_cn
: Common name of the certificate to issue.contact_email
: Email address of the administrative contact.
Optionally, update the following parameters in the playbook file to further customize your certificate request:
data_dir
: Location of the subdirectory where keys and certificates get stored within the installation directory where you run the Ansible playbook. By default, the resulting assets will get stored in the data subdirectory.subject_alt_name
: Specify the Subject Alternative Names (SANs) you wish to secure with this certificate. By default, the SAN extension in issued certificates will include the certificate common name with and without the www prefix.
Place your customized Ansible playbook file and the helper script get-cert.yml in the directory where you want to install the certificate.
Run the Ansible playbook as follows:
As root user:
ansible-playbook digicert_acme_cert_main.yml
As non-root user:
ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml
What's next
If the Ansible playbook ran successfully, the data subdirectory contains a series of files for the new certificate identified by its common name:
<common_name>.csr
<common_name>.key
<common_name>.pem
<common_name>-chain.pem
<common_name>-fullchain.pem
The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.