Creating custom post-processing scripts
Overview
This guide provides you a reference for developing custom post-processing scripts that DigiCert® Trust Assistant will execute after installing a certificate. For more details, see DigiCert Trust Assistant post-processing scripts.
This guide will help you:
Use environment variables to capture the runtime execution context.
Build scripts with a clear and consistent structure.
Implement error handling.
Check DigiCert Trust Assistant logs for execution results.
Avoid common script pitfalls and best practices for maintainability, portability, and security.
Using environment variables
DigiCert Trust Assistant exposes several useful metadata as environment variables. Use these values in your script to automate actions without user input.
Variable | Description | Example Values |
|---|---|---|
| The keystore where the certificate is residing. The value could be an operating system keystore, DigiCert software keystore, or any Hardware tokens. |
NotaIf any other token was added using Adding other hardware tokens in conf.json or Keystore settings via extra-conf.json , use the id value. |
| The serial number of the certificate. | |
| The JSON-encoded Subject Distinguished Name (SDN) of the certificate. For more details about the complete list of supported SDN attributes, see Subject Distinguished Name (SDN) attributes. | |
| The Common name of the certificate. This is one of the attributes extracted from the SDN. For more details about the complete list of supported SDN attributes, see Subject Distinguished Name (SDN) attributes. | |
| The JSON-encoded Subject Distinguished Name (SDN) of the issuing CA of the certificate. For more details about the complete list of supported SDN attributes, see Subject Distinguished Name (SDN) attributes. | |
| The comma-separated list of Key Usage extension values of the certificate. For more details, see Key usage. | |
| The comma-separated Extended Key Usage extension values of the certificate. For more details, see Extended key usage. | |
| The Subject Alternative Name (SAN) extension of the certificate. For S/MIME certificates, this field may include one or more RFC822-compliant email addresses. For more details about the complete list of supported SAN attributes, see Subject Alternative Name (SAN) attributes. | |
| The Thumbprint (SHA1) of the certificate. | |
| The absolute path of the DER encoded certificate. | Windows: macOS: |
| The language code configured on the calling application. The calling application can be DigiCert One - Trust LifeCycle Manager or DigiCert Trust Assistant. This value can be used to support internationalization of script error messages. | Possible values: |
| The absolute path of the temp directory. This temp directory can be useful for storing temporary data during script execution. AvisoThe temporary directory is used only to store intermediate data and is automatically cleaned up after execution, in both success and failure scenarios. | Windows: macOS: |
Nota
Best Practices
Always validate the presence of a variable before using it.
Log all variables for troubleshooting purposes. Provide a default behavior if a variable is missing or empty.
Recommended script structure
A well-defined and consistent structure enhances the readability, maintainability, and debuggability of scripts. PowerShell and Bash scripts should be organized into the following logical sections:
Initialization and environment validation
Define constants (for example, script version), functions, and logging utilities.
Parse and validate required environment variables and parameters.
verify prerequisites (for example, required certificate properties, required tools, or permissions).
Exit early if any required input is missing, invalid, or if a prerequisite check fails.
Core logic
Perform the core post-processing task (for example, configuration, invoking an application, and logging results).
Handle any platform-specific logic cleanly within this section.
Error handling and exit
Catch errors and return consistent exit codes.
Log the cause and outcome clearly.
For shell scripts, exit with
0on success and non-zero codes for specific failures.For PowerShell scripts, throw a clear error message on failures.
Basic instructions and examples
The examples below show how environment variables and workflow logic can be used in both Windows PowerShell and macOS shell scripts.
PowerShell (Windows) example
# Custom Post-processing PowerShell script example
# Version
$ScriptVersion = "1.0.0"
# Log utility with timestamp
function Log {
param(
[string]$Message
[string]$Level = "Info"
)
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$formattedMessage = "[CustomScript.ps1] $timestamp - $Message"
switch ($Level) {
"Debug" { Write-Debug $formattedMessage }
"Info" { Write-Information $formattedMessage }
"Error" { Write-Error $formattedMessage }
}
}
# Prerequisites check
function Check-Prerequisites {
...
...
}
# ####################################################################
# Initialization and Environment Validation
# ####################################################################
$subject = $env:DCCERT_SUBJECT
$serial = $env:DCCERT_SERIAL
if (-not $subject -or -not $serial) {
Log -Message $($_.Exception.Message) -Level "Error"
}
# ####################################################################
# Main
# ####################################################################
try {
Log -Message "Starting post-processing..."
Check-Prerequisites
Log -Message "Processing certificate for: $subject (Serial: $serial)"
# Example action: Move or copy certificate file
Copy-Item -Path $env:DCCERT_DER_PATH -Destination "C:\CertArchive\$serial.cer" -Force
Log -Message "Completed successfully."
} catch {
Log -Message $($_.Exception.Message) -Level "Error"
throw $_.Exception.Message
}Bash (macOS) example
#!/bin/bash
# Custom Post-processing shell script example
# Version
$Version="1.0.0"
# Log utility with timestamp
log() {
echo "[CustomScript.sh] $(date '+%Y-%m-%d %H:%M:%S') - $1"
}
log "Starting post-processing..."
: "${DCCERT_SUBJECT:?Environment variable missing: DCCERT_SUBJECT}"
: "${DCCERT_SERIAL:?Environment variable missing: DCCERT_SERIAL}"
log "Subject: $DCCERT_SUBJECT"
log "Serial: $DCCERT_SERIAL"
# Example action: Save certificate copy
if [[ -n "${DCCERT_DER_PATH}" ]]; then
cp "$DCCERT_DER_PATH" "/usr/local/certs/${DCCERT_SERIAL}.cer"
log "Certificate archived successfully."
else
log "Error: Certificate file missing or invalid path."
exit 1
fi
log "Post-processing complete."
exit 0Implementing error handling
Proper error handling ensures that post-processing scripts behave predictably and fail safely. Scripts must return clear and consistent results, enabling calling applications or services to display meaningful error messages to end users when issues occur.
For PowerShell scripts (Windows)
Use throw to raise clear, descriptive errors. The script must terminate immediately if a critical failure occurs.
if (-not (Test-Path $CertPath)) {
throw "Certificate path not found: $CertPath"
}For shell scripts (macOS)
Exit with 0 on success. Use non-zero exit codes for specific error conditions (for example, invalid input, missing files, or dependency failures), and write descriptive error messages to stderr.
if ! cp "$SOURCE" "$DEST"; then echo "Error: File copy failed." >&2 exit 2 fi exit 0
Checking logs for execution results
All script logs, including both standard output (stdout) and error output (stderr), are automatically captured and stored in the DigiCert Trust Assistant logs. Administrators can review these logs to verify whether post-processing scripts executed successfully or encountered errors. See Log management for more details.
Quick logging guidelines
Log key details such as the certificate subject, start and end times, and operation result.
Write informational messages to
stdoutand error messages tostderr.Exit with code
0on success and a non-zero code for failure.
Examples
PowerShell scripts
Log -Message "Post-processing started for $env:DCCERT_SUBJECT" # ... script logic ... Log -Message "Post-processing completed successfully."
Shell scripts
log "Post-processing started for $DCCERT_SUBJECT" # ... script logic ... log "Post-processing completed successfully."
Nota
These outputs are automatically redirected to the DigiCert Trust Assistant logs, where both stdout and stderr entries can be reviewed for troubleshooting and auditing.
Script pitfalls and best practices
To ensure secure, predictable, and repeatable execution of custom post-processing scripts, follow these best practices:
Protect sensitive data: Do not log, echo, or persist private keys, PINs, passwords, or other confidential information. Treat all sensitive values as transient and handle them only in memory.
Validate all inputs: Validate every external input, environment variable, file path, and parameter before use. Reject or sanitize unexpected values to prevent injection or execution of untrusted data.
Ensure idempotency: Design scripts so that re-execution does not create duplicates, overwrite valid data, or trigger destructive side effects. Each operation should be safely repeatable.
Use absolute paths: Reference files and binaries with full paths to prevent ambiguity, path hijacking, or inconsistent behavior in automated or multi-user environments.
Nota
Implement structured logging, strict input validation, and clear exit codes to make troubleshooting faster and safer in production environments.