Script types
DigiCert® Trust Lifecycle Manager supports the following script types to customize agent-based certificate lifecycle management on your servers:
Custom automation: Manage certificates for custom server applications.
Pre- or post-installation: Do extra work before or after an automation event.
SNI information: Dynamically learn the SNI domains used by DigiCert agents to discover and manage certificates.
Importante
Use one of the following languages for your custom agent scripts, based on the host operating system:
Windows: bat, cmd, or PowerShell script
Linux: shell script (any)
If you use a different language/format to do work, use one of the above scripting languages as a wrapper to ensure compatibility.
Custom automation
Use custom automation scripts to manage certificates for custom server applications through DigiCert agents.
This type of script allows you to use your own ACME client like Certbot on your server to manage certificate lifecycles for applications not natively supported by Trust Lifecycle Manager.
You configure the custom automation script to invoke the third-party ACME client with the options needed to request and install certificates for your application.
To learn more, see Establecer una aplicación personalizada para la automatización administrada.
Pre- or post-installation
Use pre- or post-installation scripts to do extra work before an automation event (pre-installation) or after the local DigiCert agent installs the certificate in an automation event (post-installation).
This type of script allows you to do any type of work needed to facilitate PKI operations on your servers, such as readiness testing, preparation, or clean up.
With pre-installation scripts, the DigiCert agent will cancel the automation event if the script does not return a success code of 0
. This helps you control when a certificate is automated based on an external input.
Importante
Return 0
from a pre-installation script for success, or non-zero for failure. Avoid using return codes 1
, 127
, or 4294770688
as they are pre-defined by the agent for other purposes.
You can use different pre- or post-installation scripts per web server application. To simplify management, Trust Lifecycle Manager allows you to assign the scripts across multiple agents in bulk.
SNI information
Trust Lifecycle Manager requires administrators to supply a list of active domains in order to discover and automate certificates on websites using Server Name Indication (SNI). You can use SNI information scripts to dynamically learn the SNI domains on your servers so you don't need to configure them manually.
For example, you might read the SNI domains directly from your web server configuration to ensure that your DigiCert agents always have the latest information.
Set up your SNI script to output the SNI information as JSON in the following format.
[ { "IP": "10.1.2.3", "Port": "8443", "Domain": "www.example.com" }, { "IP": "10.1.2.3", "Port": "8443", "Domain": "app2.example.com" } ]
The following is an example SNI information script that uses the Microsoft PowerShell scripting language to read the latest SNI information from the local IIS web server. It outputs the information as JSON to use to dynamically configure the local DigiCert agent.
$bindingInfo = get-website | select -ExpandProperty Bindings | Select -ExpandProperty Collection | where sslFlags -eq 1 | select bindingInformation $res = @{} foreach($ele in $bindingInfo) { $list = $ele.bindingInformation.split(":") $res[$list[2]] = @{IP=$list[0]; Port=$list[1]; Domain=$list[2]} } $thumbs = Get-ChildItem IIS:SSLBindings | Foreach-Object { [PSCustomObject]@{ Host = $_.Host Thumbprint = $_.Thumbprint } } echo($res.values | ConvertTo-Json)
To simplify management, Trust Lifecycle Manager allows you to assign SNI information scripts across multiple agents in bulk.