
Custom scripts

Note

DigiCert® Trust Assistant v1.2.6 or later is required to execute custom post-processing scripts.

Overview

In addition to the System scripts, DigiCert provides a custom scripting framework that allows a customer's administrators to upload and manage their own custom scripts according to their requirements.

Custom scripts are developed and maintained by the customer's administrators to implement organization-specific post-processing workflows. Like System scripts, they are executed automatically after DigiCert Trust Assistant completes a certificate enrollment or renewal operation.

Custom script configuration lifecycle

This section guides administrators through the end-to-end process of creating, uploading, and configuring custom scripts in DigiCert® Trust Lifecycle Manager and testing them using DigiCert Trust Assistant.

Create a custom script

Prepare a post-processing script to automate certificate-related tasks. Supported script types include:

  • Windows: PowerShell (.ps1) and Batch (.bat)

  • macOS: Shell (.sh)

For detailed guidance on writing effective custom scripts, see Creating custom post-processing scripts.

Upload the custom script

Use the following steps to upload the custom script you created:

  1. In DigiCert Trust Lifecycle Manager, go to Discovery & Automation Tools > Scripts > Upload custom script.

  2. Select your script file and upload it. Choose appropriate base templates for the script before completing the upload.

During upload, the script is automatically scanned for malware and unsafe patterns. If the scan marks the script as safe, it is digitally signed with a trusted certificate. Once saved, the signed script becomes available for use in certificate profiles.

For more details on script scanning and signing processes, see Security and validation of custom scripts.

Configure the certificate profile in DigiCert Trust Lifecycle Manager

To attach your custom script to a certificate workflow:

  1. Either edit an existing certificate profile or create a new one. For instructions on creating a certificate profile using DigiCert Trust Assistant, see Create a certificate profile with DigiCert Trust Assistant.

  2. In the Post-certificate installation section under Advanced settings, select the uploaded custom script.

  3. Save the changes to map the custom script with the certificate profile.

Test and execute the custom script with DigiCert Trust Assistant

When a certificate is picked up via DigiCert Trust Assistant, the mapped custom script is automatically executed:

  1. DigiCert Trust Assistant first verifies the script’s digital signature. The verification process checks the signer’s certificate validity and its trust chain against the trusted CA store.

  2. During execution, standard output (stdout) and error output (stderr) are captured in the DTA logs for auditing and troubleshooting.

  3. Temporary data or intermediate files generated during script execution are purged after completion.

For more details on script signature verification and execution processes, see Security and validation of custom scripts.

Security and validation of custom scripts

To ensure that post-processing scripts run in a controlled, authenticated, and malware-free environment that preserves the integrity of the overall certificate management process, DigiCert enforces the following measures for all custom scripts:

  • Malware scanning:

    • All uploaded scripts are automatically scanned for malware or potentially unsafe content at upload time, before they are stored and later executed.

    • The maximum supported script size for upload is 4 MB.

  • Digital signing and verification:

    • Once verified as safe, the scripts are digitally signed with a trusted certificate, making them ready for use in certificate profiles.

    • Signing ensures that the script’s origin and integrity can be verified during every execution.

    • The verification process on the DigiCert Trust Assistant checks the signer’s certificate validity and its trust chain against the trusted CA store.

Verifying a custom script signature (optional)

When a signed custom script is downloaded from DigiCert® Trust Lifecycle Manager, administrators may optionally verify the integrity and authenticity of the signature before use.

Note

The signature verification step is optional and can be skipped.

  1. Ensure OpenSSL is installed and available in your PATH.

  2. Run the verification command:

    $ openssl cms -verify -in </path/to/downloaded/signed_script.p7m> -inform der -purpose any

    A successful verification displays:

    CMS Verification successful
    77u/JFZlcnNpb24gPSAiMS4wLjAiCgoJU3RhcnQtUHJvY2VzcyBDOlxXaW5kb3dzXE5PVEVQQUQuRVhFCglTdGFydC1Qcm9jZXNzIGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbQo=

    The Base64-encoded block at the end represents the original unsigned script.

  3. To decode and extract the original script, pipe the output through Base64 decode:

    $ openssl cms -verify -in </path/to/downloaded/signed_script.p7m> -inform der -purpose any | base64 -d > unsigned_script.ps1

    This will:

    • Verify the CMS signature

    • Pass the Base64-encoded content to base64 -d instead of displaying it on the terminal

    • Decode the Base64-encoded content and save it as unsigned_script.ps1 (or .sh for macOS)

Note

Administrators using macOS can refer to Verifying macOS shell scripts for detailed instructions on verifying a signed custom script without relying on OpenSSL.

Script signing certificate and CA chain

Use the following links to download the PEM-encoded signing, intermediate CA, and root CA certificates used to sign the custom scripts:

TSA (Time-Stamping Authority) signing certificate and CA chain

Use the following links to download the TSA (Time-Stamping Authority) signing certificate and the intermediate and root CA certificates: