
ACME-based enrollment

Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager onto your Salt nodes, using the ACMEv2 protocol to generate requests and download the resulting certificates.

Before you begin

In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:

  • ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.

  • Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.

  • HMAC key: Used to encrypt and authenticate your account key during certificate requests.
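
How an ACME client presents the KID and HMAC key when it registers its account, following the external account binding format in RFC 8555 section 7.3.4. This is an added example, not code from the DigiCert integration package. The URL, KID, key, and account JWK are constructed placeholders, and it assumes the HMAC key is supplied in base64url form.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key_b64: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()

def build_eab(kid, hmac_key_b64, account_jwk, new_account_url):
    """Client side: JWS whose payload is the ACME account public key."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64, protected, payload))}

def verify_eab(eab, profile_keys, account_jwk, new_account_url):
    """CA side: look up the key by KID, recompute the MAC, compare the bound key."""
    header = json.loads(b64url_decode(eab["protected"]))
    key_b64 = profile_keys.get(header.get("kid"))
    if key_b64 is None or header.get("alg") != "HS256":
        return False
    if header.get("url") != new_account_url:
        return False
    expected = _mac(key_b64, eab["protected"], eab["payload"])
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk

# Constructed sample values, not real credentials.
SAMPLE_URL = "https://acme.example.test/new-account"
SAMPLE_KID = "example-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"constructed-demo-secret-32bytes!")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, SAMPLE_URL)
    print(json.dumps(eab, indent=2))
    print("accepted:", verify_eab(eab, {SAMPLE_KID: SAMPLE_HMAC_KEY}, SAMPLE_JWK, SAMPLE_URL))
```

The HMAC key is the only secret in this exchange, so the pillar file that holds eab_hmac_key should be readable only by the account that runs Salt.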

Integration workflow

Download the SaltStack integration package to get the following sample files:

  • certificate_issuance_params.sls: Sample Salt pillar data file to configure your DigiCert ACME credentials.

  • copy_certificate_minion.sls: Sample script to copy certificates from a Salt master to minions.

  • request_certificate.sls: Sample script to request and install a certificate from Trust Lifecycle Manager on a Salt master or minion using the ACME credentials from the Salt pillar.

  • top.sls: Sample Salt pillar "top" file to specify the location of the data file that contains your DigiCert ACME credentials.

Notice

The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > SaltStack.

Use the sample files to configure the Salt pillar with your ACME and certificate details:

  1. Copy the certificate_issuance_params.sls and top.sls files into the /srv/pillar directory on the Salt node.

  2. Update the certificate_issuance_params.sls file to supply values for the following parameters:

    • server_url: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.

    • eab_kid: ACME EAB key identifier (KID) for the certificate profile.

    • eab_hmac_key: ACME EAB HMAC key for the certificate profile.

    • domain: Common name of the certificate to issue.

  3. (Optional) Rename the certificate_issuance_params.sls file to help identify it. If you rename this file, make sure to also edit the top.sls file to contain the new filename. Do not change the file extension.

To request a certificate from Trust Lifecycle Manager on a Salt master or minion:

  1. Copy the request_certificate.sls script to the /srv/salt directory on the Salt node.

  2. (Optional) Rename the script to help identify it. Do not change the file extension.

  3. Run the script as follows. Supply the ID of the local Salt node (master or minion) as the second argument. If you renamed the script, supply the new name as the final argument.

    • From a Salt master: salt <salt-master-id> state.apply request_certificate

    • From a Salt minion: salt <salt-minion-id> state.apply request_certificate

If you requested the certificate on a Salt master, you can copy it to a Salt minion as follows:

  1. Copy the copy_certificate_minion.sls script to the /srv/salt directory on the Salt master.

  2. Edit the script to provide values for the following:

    • name: The path to copy the certificate to on the minion.

    • source: The salt:// path of the certificate on the master.

  3. Run the script on the Salt master as follows. Supply the ID of the Salt minion to copy the certificate to as the second argument.

    • salt <salt-minion-id> state.apply copy_certificate_minion

What's next

After a successful certificate request, the Salt node's /srv/salt directory contains a series of files for the new certificate identified by its common name.

The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.