Before DigiCert can issue a DV certificate, you must demonstrate control over the domains included in the certificate request.
For automating DV certificate installation, use DNS integration to prove your control over the domains in your DV certificate request. For this DCV method, you must create a DNS integration before submitting the request.
Your DNS integration allows the DigiCert automation services to use your credentials to place the DNS challenge on the DNS server and complete the validation check. The DNS challenge is generated automatically as part of the automation process. Once the domain validation is completed, the automation will succeed and install the DV certificate.
You can create a DNS integration using a supported DNS provider or a customized DNS script.
Example: DNS challenge file. The sensor writes the challenge to a file of three lines (the comma-separated domains, the challenge type, and the token) and passes the path of that file to the DNS script as its only argument:
example.com,example1.com,example2.com
dns-txt-token
342893284294sfjdkfjshf
Log in to the sensor host.
Go to sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the listsupporteddns command.
Windows: listsupporteddns.bat
Linux: ./listsupporteddns.sh
Here is the complete list of DNS providers supported by automation. The output of listsupporteddns on your sensor is authoritative for the version you are running.
DNS providers |
---|
Amazon Route 53 |
Azure |
Cloudflare |
CloudXNS |
DreamHost |
Digital Ocean |
GoogleDNS |
Go Daddy |
NS1 |
OVH |
RFC2136 |
Sakura Cloud |
Log in to the sensor host.
Go to the sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the adddnsintegration command.
Windows: adddnsintegration.bat -type <dns_provider_name>
Linux: ./adddnsintegration.sh -type <dns_provider_name>
When you enter the command, a series of prompts appears; the prompts differ by provider. Provide the information and press Enter. The credentials you enter are stored by the sensor and used to write records into your zones, so use a dedicated credential that is limited, as far as your provider allows, to creating and updating TXT records in the zones the sensor needs, rather than an account-wide administrator key.
Example: adddnsintegration.bat -type route53
C:\Program Files\DigiCert\DigiCert sensor\cli>adddnsintegration.bat -type route53
Sensor CLI. Copyright 2022, DigiCert Inc.
Add a DNS integration to automate DV certificates.
Enter alias:Route53Valid
Access key id:AKIAZC26PJRAX775JVKE
Secret key:
Confirm secret key:
DNS integration route53 added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.
Before you start, create a DNS script for the operating system of the sensor host on which you want to automate DV certificate installation. You can write your own script or modify one of the sample scripts below.
DigiCert recommends placing the scripts in a default location, such as the sensor’s installation directory. For example: sensorinstalldir/localscripts/script-to-upload.bat
For Windows, you need two scripts to prove your control over the domains: a DNS .bat script, which the sensor runs, and the postscript that the .bat script invokes to publish the record (PowerShell .ps1, or .py, .ps, or any other format the host can execute). Sample scripts for both are shown below.
For Linux, you need a single DNS .sh script to prove control over the domains. A sample script is shown below.
Log in to the sensor host.
Go to the sensor CLI directory.
cd install_dir/cli
Where install_dir is the installation directory for the sensor.
Run the adddnsintegration command.
Windows: adddnsintegration.bat -type custom
Linux: ./adddnsintegration.sh -type custom
When you enter the command, a series of prompts appear. Provide the information and press Enter.
Example: ./adddnsintegration.sh -type custom
[root@c7-sowjanya-124 cli]# ./adddnsintegration.sh -type custom
Sensor CLI. Copyright 2022, DigiCert Inc.
Add a DNS integration to automate DV certificates.
Enter alias:CustomeDNS
Script file path:/tmp/test.sh
DNS integration custom added.
After adding the DNS integration, go back to CertCentral and link the integration to the load balancer where you want to automate a DV certificate.
Every program you start terminates with an exit code and reports it to the operating system. An exit code, also known as a return code, is the value an executable returns to its parent process. The sensor uses your script's exit code to decide whether the DNS challenge was placed, so your script must return one of the following values.
Exit code | Description |
---|---|
0 | Successful execution of the script. |
1 | Failed to execute the script for any reason. |
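The following is an added example, not DigiCert's code and not taken from this page: a provider-independent custom DNS script skeleton for a Linux sensor host that follows the contract described above (one argument, the three-line challenge file, exit code 0 or 1). It validates the file before acting on it, skips the "null" placeholders that the sample PowerShell script below also filters, whitelists the token before it reaches any command line, and polls DNS with dig before returning 0 so that the script only reports success once the record is actually resolvable. The `_dnsauth` label and the file layout are taken from the examples on this page; `publish_txt` is a hypothetical placeholder that only prints the record it would create (a dry run) and must be replaced with your provider's API call; the accepted token character set is an assumption.

```shell
#!/usr/bin/env bash
# Added example of a custom DNS script for "adddnsintegration -type custom".
# Not DigiCert's code. File layout and the _dnsauth label follow the page's samples;
# publish_txt is a hypothetical dry-run hook; the token character set is an assumption.

# Parse the challenge file the sensor passes as the only argument. Prints one
# "<fqdn> <token>" line per TXT record to publish; returns 1 on any format problem.
parse_challenge_file() {
    local file="$1" domains kind token old_ifs d n
    [ -r "$file" ] || { echo "challenge file not readable: $file" >&2; return 1; }
    # Three lines: comma-separated domains, the literal "dns-txt-token", the token.
    # A trailing CR is stripped in case the file was written on Windows.
    domains=$(sed -n '1p' "$file" | tr -d '\r')
    kind=$(sed -n '2p' "$file" | tr -d '\r')
    token=$(sed -n '3p' "$file" | tr -d '\r')
    [ "$kind" = "dns-txt-token" ] || { echo "unsupported challenge type: '$kind'" >&2; return 1; }
    # Whitelist the token before it goes anywhere near a command line or a JSON body
    # (assumed character set; widen it if your tokens contain other characters).
    case "$token" in
        "") echo "empty token" >&2; return 1 ;;
        *[!A-Za-z0-9_.=-]*) echo "token contains unexpected characters" >&2; return 1 ;;
    esac
    n=0
    old_ifs=$IFS; IFS=,
    for d in $domains; do
        IFS=$old_ifs
        case "$d" in
            ""|null) continue ;;   # "null" placeholders, as the page's PowerShell sample skips them
            *[!A-Za-z0-9.-]*|.*|*.|*..*) echo "rejecting malformed domain: '$d'" >&2; return 1 ;;
        esac
        printf '_dnsauth.%s %s\n' "$d" "$token"
        n=$((n+1))
    done
    IFS=$old_ifs
    [ "$n" -gt 0 ] || { echo "no domains in challenge file" >&2; return 1; }
}

# Hypothetical provider hook: replace the body with your provider's API call.
# As written it only prints what it would publish (a dry run), so the script runs anywhere.
publish_txt() {
    printf 'would publish: %s IN TXT "%s"\n' "$1" "$2"
}

# Poll until the TXT record is visible to this host's resolver (use dig @<authoritative ns>
# if your resolver caches stale answers). Skipped, with a warning, when dig is not installed.
wait_for_txt() {
    local fqdn="$1" token="$2" tries="${3:-12}" i=0
    command -v dig >/dev/null 2>&1 || { echo "dig not installed; skipping propagation check" >&2; return 0; }
    while [ "$i" -lt "$tries" ]; do
        # dig +short prints TXT data quoted, so match the quoted token exactly.
        if dig +short TXT "$fqdn" 2>/dev/null | grep -Fxq "\"$token\""; then
            return 0
        fi
        i=$((i+1))
        sleep 10
    done
    echo "TXT $fqdn did not become visible after $tries attempts" >&2
    return 1
}

main() {
    local records
    records=$(parse_challenge_file "$1") || return 1
    # Publish every record first, then wait, so propagation of all of them overlaps.
    printf '%s\n' "$records" | while read -r fqdn tok; do
        publish_txt "$fqdn" "$tok" || exit 1
    done || return 1
    printf '%s\n' "$records" | while read -r fqdn tok; do
        wait_for_txt "$fqdn" "$tok" || exit 1
    done || return 1
}

# The sensor calls the script with exactly one argument. With no argument the script only
# defines its functions (so it can be sourced for testing); any other arity is a usage error.
case "$#" in
    1) main "$1"; exit $? ;;
    0) ;;
    *) echo "usage: $0 <challenge-file>" >&2; exit 1 ;;
esac
```

Register the script with `adddnsintegration -type custom` exactly as shown for the sample scripts. Because every failure path returns 1 and only a fully verified run returns 0, the sensor never gets a success code for a record that was not written.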
AWS - DNS PowerShell postscript (.ps1)
#ensure AWS PStools are installed incl
#https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html
#Install-Module -Name AWS.Tools.Installer
#Install-AWSToolsModule AWS.Tools.Route53
#Set-AWSCredential -AccessKey <accesskey> -SecretKey <secretkey> -StoreAs TestDNSProfile
# AWS.Tools.Route53 is the modular module installed above; the monolithic AWSPowerShell module also works.
Import-Module AWS.Tools.Route53
# Turn every error into a terminating one so it reaches the catch block below and becomes exit code 1.
$ErrorActionPreference = "Stop"

Function Set-R53Record {
    # Entry parameters
    Param (
        [Parameter(Mandatory=$True)] [String]$Profile,
        [Parameter(Mandatory=$True)] [String]$Domain,
        [Parameter(Mandatory=$True)] [String]$Type,
        [Parameter(Mandatory=$True)] [String]$Name,
        [Parameter(Mandatory=$True)] [String]$Value,
        [Int]$TTL = 300,
        [String]$Comment
    )
    $DomainDot = $Domain + "."
    # Create two objects for R53 update
    $Change = New-Object Amazon.Route53.Model.Change
    $Change.Action = "UPSERT"
    # CREATE: Creates a resource record set that has the specified values.
    # DELETE: Deletes an existing resource record set that has the specified values.
    # UPSERT: If a resource record set doesn't already exist, AWS creates it. If it does, Route 53 updates it with values in the request.
    $Change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
    $Change.ResourceRecordSet.Name = "$Name.$Domain"
    $Change.ResourceRecordSet.Type = $Type
    $Change.ResourceRecordSet.TTL = $TTL
    # Route 53 requires TXT values to be enclosed in double quotes; other types are used as-is.
    $Change.ResourceRecordSet.ResourceRecords.Add(@{Value=if ($Type -eq "TXT") {"""$Value"""} else {$Value}})
    # Get hosted zone: the most specific (longest) zone name that is a suffix of the domain,
    # so a zone for sub.example.com wins over the zone for example.com.
    $HostedZone = Get-R53HostedZones -ProfileName $Profile |
        Where-Object { $DomainDot.EndsWith($_.Name) } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $HostedZone) { throw "No hosted zone found for $Domain" }
    Write-Output "Found HostedZone:$($HostedZone.Name)"
    # Set final parameters and execute
    $Parameters = @{
        HostedZoneId = $HostedZone.Id
        ChangeBatch_Change = $Change # Object
        ChangeBatch_Comment = $Comment # "Edited A record"
    }
    return Edit-R53ResourceRecordSet -ProfileName $Profile @Parameters
}

# The sensor passes exactly one argument: the path of the challenge file
# (line 1: comma-separated domains, line 2: "dns-txt-token", line 3: the token).
if ($args.Length -ne 1) {
    Write-Output "Usage: <script>.ps1 <challenge-file>"
    exit 1
}
try {
    # @() forces an array even when the file has a single line, so .Length is a line count.
    $fileInput = @(Get-Content $args[0])
    if ($fileInput.Length -lt 3) {
        Write-Output "Challenge file must contain three lines (domains, type, token)"
        exit 1
    }
    $tempDomains = $fileInput[0].Split(",")
    $challenge = $fileInput[2]
    $domains = @()
    foreach ($d in $tempDomains) {
        # The domain list may be padded with "null" placeholders; skip them and empty entries.
        if ("$d" -ne "null" -and "$d" -ne "") {
            Write-Output $d
            $domains += $d
        }
    }
    foreach ($domain in $domains) {
        Set-R53Record -Profile DNSProfileName -Domain $domain -Type "TXT" -Name "_dnsauth" -Value $challenge -TTL 86400 -Comment "DNS challenge for $domain"
    }
}
catch {
    # Any Route 53 or file error lands here and is reported as exit code 1 (see the exit code table).
    Write-Output "DNS update failed: $_"
    exit 1
}
exit 0
DNS .bat script
@echo off
echo Invoking DNS script
pushd %~dp0
rem -NoProfile and -NonInteractive keep user profiles and prompts out of an unattended run.
rem Add -ExecutionPolicy Bypass (or sign the postscript) if the host's policy blocks unsigned scripts.
powershell.exe -NoProfile -NonInteractive -File {DNSPostscriptPath} %*
set returnCode=%errorlevel%
echo Exit Code : %returnCode%
popd
EXIT /B %returnCode%
%* forwards every argument the sensor passes to the .bat script (the path of the challenge file) to the PowerShell postscript; the postscript reads the domains and the token from that file. The .bat script then returns the postscript's exit code to the sensor unchanged, so the postscript's 0 or 1 is what the sensor sees.
AWS - DNS .sh script
#!/usr/bin/env bash
# Treat unset variables as errors; every failure below is reported as exit code 1 (see the exit code table).
set -u
AWS=/usr/local/bin/aws
set_R53_Record(){
    Profile=$1
    Domain=$2
    Type=$3
    Name=$4
    Value=$5
    TTL=$6
    Comment=$7
    DomainDot="$Domain."
    echo "Profile:$Profile Domain:$Domain"
    # Pick the most specific (longest) hosted zone whose name is a suffix of the domain.
    HOSTEDZONEID=$("$AWS" route53 list-hosted-zones --profile "$Profile" \
        | jq -r --arg d "$DomainDot" '[.HostedZones[] | select(.Name as $n | $d | endswith($n))] | sort_by(.Name | length) | last | .Id')
    if [ -z "$HOSTEDZONEID" ] || [ "$HOSTEDZONEID" = "null" ]; then
        echo "No hosted zone found for $Domain"
        return 1
    fi
    # Write the change batch to a private temp file; Route 53 requires TXT values to be quoted.
    batch=$(mktemp) || return 1
    cat > "$batch" << EOL
{"Comment":"$Comment","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$Name.$Domain","Type":"$Type","TTL":$TTL,"ResourceRecords":[{"Value":"\"$Value\""}]}}]}
EOL
    "$AWS" route53 change-resource-record-sets --hosted-zone-id "$HOSTEDZONEID" --profile "$Profile" --change-batch "file://$batch"
    rc=$?
    rm -f "$batch"
    return $rc
}
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <challenge-file>"
    exit 1
fi
# Read the challenge file (line 1: domains, line 2: "dns-txt-token", line 3: token);
# strip a trailing CR in case the file was written on Windows.
mapfile -t lines < "$1" || exit 1
lines=("${lines[@]%$'\r'}")
if [ ${#lines[@]} -lt 3 ]; then
    echo "Challenge file must contain three lines (domains, type, token)"
    exit 1
fi
challenge=${lines[2]}
IFS=',' read -ra domains <<< "${lines[0]}"
for domain in "${domains[@]}"; do
    # Skip empty entries and the "null" placeholders (the PowerShell sample above filters these too).
    case "$domain" in ""|null) continue ;; esac
    set_R53_Record default "$domain" "TXT" "_dnsauth" "$challenge" 86400 "DNS challenge for $domain" || exit 1
done
exit 0