
Use Ansible with CertCentral ACME

Enterprises are increasingly using Red Hat Ansible to automate lifecycle operations. With the CertCentral ACME service, you can obtain TLS/SSL certificates from within an Ansible playbook.

The instructions here demonstrate how to integrate CertCentral ACME with Ansible to get a certificate as a step within a larger lifecycle task.

The integration enables you to connect to CertCentral using ACME External Account Binding (EAB) credentials and issue a certificate via the ACMEv2 protocol.

Before you begin

You need to add ACME credentials for the desired certificate type in CertCentral and have the corresponding ACME URL and EAB values with you.

Download the scripts

Download the package and extract the sample scripts from the downloaded zip file.

Note

DigiCert recommends placing the scripts in one location, such as an installation directory. For example: installdir/scripts/digicert_acme_cert_main.yml

Create an installation directory and configure the script

  1. Create an installation directory and copy the digicert_acme_cert_main.yml and get-cert.yml files into it.

  2. Create a script or customize the sample script digicert_acme_cert_main.yml.

  3. Specify the certificate parameters in the script under vars:

    • cert_cn: Common name of the certificate.

    • contact_email: Email address of the administrator.

    • eab_kid: Key identifier of the external account binding (EAB).

    • eab_key: HMAC key of the external account binding (EAB).

    Optionally, you can specify other parameters and update the default settings:

    • data_dir: Location of the default data directory in the installation directory where all generated keys and issued certificates are stored. You can change it to your preferred location.

      For example:

        data/
          accountkey.pem
          {{cert_cn}}.csr
          {{cert_cn}}.key
          {{cert_cn}}.pem
          {{cert_cn}}-chain.pem
          {{cert_cn}}-fullchain.pem

    • subject_alt_name: Specify the Subject Alternative Names (SANs) you wish to secure with this certificate.
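    The following is an added example of a customized digicert_acme_cert_main.yml, not DigiCert's sample script. It assumes that get-cert.yml is pulled in with include_tasks and reads the vars listed above, that the data directory has the layout shown, and that openssl is on the control node; the host names, email address and environment variable names are constructed placeholders.

```yaml
---
# Added example (not DigiCert's sample): set the vars, run get-cert.yml,
# then check the result before the certificate is used anywhere.
- name: Obtain a TLS certificate from CertCentral ACME and verify it
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cert_cn: "www.example.com"                # constructed sample value
    subject_alt_name:
      - "www.example.com"
      - "example.com"
    contact_email: "pki-admin@example.com"    # constructed sample value
    data_dir: "{{ playbook_dir }}/data"
    # The EAB values are credentials, so they are read from the environment
    # (placeholder variable names) instead of being written into the playbook.
    # An alternative is a value encrypted with `ansible-vault encrypt_string`.
    eab_kid: "{{ lookup('env', 'ACME_EAB_KID') }}"
    eab_key: "{{ lookup('env', 'ACME_EAB_KEY') }}"
  tasks:
    - name: Run the DigiCert ACME tasks (assumed to live in get-cert.yml)
      ansible.builtin.include_tasks: get-cert.yml

    - name: Confirm the issued certificate validates against the system trust
            store using the chain file as the untrusted intermediates
      ansible.builtin.command:
        argv:
          - openssl
          - verify
          - -untrusted
          - "{{ data_dir }}/{{ cert_cn }}-chain.pem"
          - "{{ data_dir }}/{{ cert_cn }}.pem"
      changed_when: false

    - name: Fail the play if the certificate expires within 30 days
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - -in
          - "{{ data_dir }}/{{ cert_cn }}.pem"
          - -noout
          - -checkend
          - "2592000"
      changed_when: false

    - name: Restrict the private key to its owner
      ansible.builtin.file:
        path: "{{ data_dir }}/{{ cert_cn }}.key"
        mode: "0600"
```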

Request a certificate

Go to the installation directory and run the Ansible playbook command:

  • As root user: ansible-playbook digicert_acme_cert_main.yml

  • As non-root user: ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml

Your certificate is issued and stored in the data directory.

What’s next

You can customize the above example as needed and include it in your Ansible playbook.