Get TLS/SSL certificates using Ansible

Enterprises are increasingly using Red Hat Ansible to automate lifecycle operations. With CertCentral ACME support, you can obtain TLS/SSL certificates from within an Ansible playbook.

The example here demonstrates how to integrate CertCentral ACME with Ansible to get a certificate as a step within a larger lifecycle task.

The integration enables you to connect to CertCentral using ACME External Account Binding (EAB) and issue a certificate using the ACME v2 protocol.

Before you begin

Make sure you have created an ACME Directory URL in your CertCentral account and have the EAB credentials (key identifier and HMAC key) at hand.

Download the scripts

Download the package and extract the sample scripts from the downloaded zip file.

Note

DigiCert recommends placing the scripts in one location, such as an installation directory. For example: installdir/scripts/digicert_acme_cert_main.yml

Create an installation directory and configure the script

  1. Create an installation directory and copy digicert_acme_cert_main.yml and get-cert.yml files into the installation directory.

  2. Create a script or customize the sample script digicert_acme_cert_main.yml.

  3. Specify the certificate parameters in the script under vars:

    • cert_cn: Common name of the certificate.

    • contact_email: Email ID of the admin.

    • eab_kid: Key identifier of the external account binding (EAB).

    • eab_key: HMAC key of the external account binding (EAB).

    Optionally, you can specify other parameters and update the default settings:

    • data_dir: Location of the data directory where all generated keys and issued certificates are stored. By default it is the data directory inside the installation directory; you can change it to your preferred location.

      For example, the data directory is laid out as follows:

      data/
        accountkey.pem
        {{cert_cn}}.csr
        {{cert_cn}}.key
        {{cert_cn}}.pem
        {{cert_cn}}-chain.pem
        {{cert_cn}}-fullchain.pem

    • subject_alt_name: Specify the Subject Alternative Names (SANs) you wish to secure with this certificate.

Request a certificate

Go to the installation directory and run the Ansible playbook command:

  • As root user: ansible-playbook digicert_acme_cert_main.yml

  • As non-root user: ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml

Your certificate is issued and stored in the data directory.
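The steps above, as an added example playbook that is not DigiCert's sample script: it uses the vars described earlier (cert_cn, contact_email, eab_kid, eab_key, data_dir, subject_alt_name) with the community.crypto collection's acme_account module (external_account_binding) and acme_certificate module, and writes the files into the data directory layout shown above. It assumes the domains are already validated in CertCentral, so the order's authorizations come back valid and the second acme_certificate run finalizes without serving a challenge; the directory URL and EAB values are placeholders to be replaced with your own.

```yaml
- name: Obtain a TLS certificate from CertCentral via ACME with EAB
  hosts: localhost
  vars:
    cert_cn: "www.example.com"             # constructed sample value
    contact_email: "admin@example.com"     # constructed sample value
    eab_kid: "<EAB_KEY_ID>"                # placeholder: copy from CertCentral
    eab_key: "<EAB_HMAC_KEY>"              # placeholder: copy from CertCentral
    acme_directory: "<ACME_DIRECTORY_URL>" # placeholder: your CertCentral ACME directory
    data_dir: "{{ playbook_dir }}/data"
    subject_alt_name: ["DNS:{{ cert_cn }}"]
    acme_common: &acme_common              # shared by every ACME task below
      account_key_src: "{{ data_dir }}/accountkey.pem"
      acme_directory: "{{ acme_directory }}"
      acme_version: 2
  tasks:
    - name: Create the data directory, owner-only since it will hold private keys
      ansible.builtin.file: { path: "{{ data_dir }}", state: directory, mode: "0700" }
    - name: Generate the ACME account key and the certificate private key
      community.crypto.openssl_privatekey: { path: "{{ item }}", mode: "0600" }
      loop: ["{{ data_dir }}/accountkey.pem", "{{ data_dir }}/{{ cert_cn }}.key"]
    - name: Build the CSR from cert_cn and subject_alt_name
      community.crypto.openssl_csr:
        path: "{{ data_dir }}/{{ cert_cn }}.csr"
        privatekey_path: "{{ data_dir }}/{{ cert_cn }}.key"
        common_name: "{{ cert_cn }}"
        subject_alt_name: "{{ subject_alt_name }}"
    - name: Register the ACME account, bound to CertCentral with EAB (key ID + HMAC key)
      community.crypto.acme_account:
        <<: *acme_common
        state: present
        terms_agreed: true
        contact: ["mailto:{{ contact_email }}"]
        external_account_binding: { kid: "{{ eab_kid }}", alg: HS256, key: "{{ eab_key }}" }
    - name: Create the order (first run; returns any challenges still pending)
      community.crypto.acme_certificate: &acme_cert
        <<: *acme_common
        modify_account: false              # the account was registered above
        csr: "{{ data_dir }}/{{ cert_cn }}.csr"
        dest: "{{ data_dir }}/{{ cert_cn }}.pem"
        chain_dest: "{{ data_dir }}/{{ cert_cn }}-chain.pem"
        fullchain_dest: "{{ data_dir }}/{{ cert_cn }}-fullchain.pem"
        challenge: http-01
      register: acme_order
    - name: Finalize the order and write the certificate files into data_dir
      community.crypto.acme_certificate:
        <<: *acme_cert
        data: "{{ acme_order }}"
```

The EAB HMAC key and the generated private keys are secrets: keep eab_key in Ansible Vault rather than in plain text, and leave the 0600/0700 modes in place so other users on the control node cannot read the data directory.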

What’s next?

You can customize the example above and include it in your Ansible playbook.