API-based enrollment
Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager into your Salt nodes using the Trust Lifecycle Manager REST API. The issued certificate gets sent back in the API response in PEM-encoded X.509 format.
Before you begin
You need an API token for an active DigiCert ONE user or service user with access to Trust Lifecycle Manager and a user role of Manager
or User and certificate manager
. See API access for more details.
In Trust Lifecycle Manager, you need a certificate profile with the REST API
enrollment method and 3rd Party app
authentication method. Gather the following parameters from the profile details page to use when configuring the integration:
Profile ID: Get it from the
GUID
field or DigiCert ONE URL of the profile details page.REST API endpoint (API KEY auth): Copy it from the
REST URL
dropdown at the top of the profile details page.
Integration workflow
Download the SaltStack integration package to get the following sample files:
certificate_params.sls: Sample Salt pillar data file to configure the certificate request and API access details.
copy_certificate_minion.sls: Sample script to copy certificates from a Salt master to minions.
request_certificate.sls: Sample script to generate a CSR and request a certificate from Trust Lifecycle Manager via its REST API.
top.sls: Sample Salt pillar "top" file to specify the location of the data file that contains your DigiCert certificate request parameters.
Notice
The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > SaltStack.
Use the sample files to configure the Salt pillar with your certificate request and API access details:
Copy the certificate_params.sls and top.sls files into the /srv/pillar directory on the Salt node.
Update the certificate_params.sls file to supply values for the following parameters:
private-key-path
: Directory path where the private key should be stored on the Salt node.csr-path
: Directory path where the CSR should be stored on the Salt node.rest-api-url
: The REST API endpoint (API KEY auth) copied from the certificate profile details page in Trust Lifecycle Manager.x-api-key
: API token for an active DigiCert ONE user or service user with access to Trust Lifecycle Manager and a user role ofManager
orUser and certificate manager
.profile-id
: GUID of the API-enabled certificate profile to issue the certificate from in Trust Lifecycle Manager.common-name
: Common name of the certificate to issue.
(Optional) Rename the certificate_params.sls file to help identify it. If you rename this file, make sure to also edit the top.sls file to contain the new filename. Do not change the file extension.
To request a certificate from Trust Lifecycle Manager on a Salt master or minion:
Copy the request_certificate.sls script to the /srv/salt directory on the Salt node.
(Optional) Rename the script to help identify it. Do not change the file extension.
Run the script as follows. Supply the ID of the local Salt node (master or minion) as the second argument. If you renamed the script, supply the new name as the final argument.
From a Salt master:
salt <salt-master-id> state.apply request_certificate
From a Salt minion:
salt <salt-minion-id> state.apply request_certificate
If you requested the certificate on a Salt master, you can copy it to a Salt minion as follows:
Copy the copy_certificate_minion.sls script to the /srv/salt directory on the Salt master.
Edit the script to provide values for the following:
name
: The path to copy the certificate to on the minion.source
: The salt:// path of the certificate on the master.
Run the script on the Salt master as follows. Supply the ID of the Salt minion to copy the certificate to as the second argument.
salt <salt-minion-id> state.apply copy_certificate_minion
What's next
The requested certificate is sent back in PEM-encoded X.509 format in the response to the salt
command. Copy it into a .crt file on the Salt node.
The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.