Use Ansible with CertCentral ACME
Enterprises are increasingly using Red Hat Ansible to automate lifecycle operations. With the CertCentral ACME service, you can obtain TLS/SSL certificates from within an Ansible playbook.
The instructions here demonstrate how to integrate CertCentral ACME with Ansible to get a certificate as a step within a larger lifecycle task.
The integration enables you to connect to CertCentral using ACME External Account Binding (EAB) credentials and issue a certificate via the ACMEv2 protocol.
Before you begin
You need to add ACME credentials for the desired certificate type in CertCentral and have the corresponding ACME URL and EAB values with you.
Download the scripts
Download the package and extract the sample scripts from the downloaded zip file.
注記
DigiCert recommends placing the scripts in one location, such as an installation directory. For example: installdir/scripts/digicert_acme_cert_main.yml
Create an installation directory and configure the script
Create an installation directory and copy
digicert_acme_cert_main.yml
andget-cert.yml
files into the installation directory.Create a script or customize the sample script
digicert_acme_cert_main.yml
.Specify the certificate parameters in the script under
vars
:cert_cn
: Common name of the certificate.contact_email
: Email ID of the admin.eab_kid
: Key identifier of the external account binding (EAB).eab_key
: HMAC key of the external account binding (EAB).
Optionally, you can specify other parameters and update the default settings:
data_dir
: Location of the default data directory in the installation directory where all generated keys and issued certificates are stored. You can change it to your preferred location.For example:
data/
accountkey.pem
{{cert_cn}}.csr
{{cert_cn}}.key
{{cert_cn}}.pem
{{cert_cn}}-chain.pem
{{cert_cn}}-fullchain.pem
subject_alt_name
: Specify the Subject Alternative Names (SANs) you wish to secure with this certificate.
Request a certificate
Go to the installation directory and run the Ansible playbook command:
As root user:
ansible-playbook digicert_acme_cert_main.yml
As non-root user:
ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml
Your certificate is issued and stored in the data directory.
What’s next
You can customize the above example as needed and include it in your Ansible playbook.