Build certificate delivery plugins

Before you begin

Follow the steps in the Prepare your development environment topic to:
- Access the example repository for this plugin type.
- Configure the required development tools and settings.
- Run a test build.
Make sure you understand the common project files for custom plugins.
Review the README file for the example plugin repository in detail.

Plugin development

To develop a certificate delivery plugin, create a branch of the example repository and update the Java class definitions with your custom logic:

Each plugin should target a particular type of system, for example a specific server application or load balancer model.
The target system must support remote management through APIs, SSH, or similar mechanisms. Your custom logic specifies how to connect to that system type to deliver certificates and perform any custom post-delivery work.
The certificate delivery workflow is initiated via the web-based Admin web request function in Trust Lifecycle Manager and must include steps to:
- Generate the certificate signing request (CSR) on the DigiCert sensor host and return the CSR to Trust Lifecycle Manager to initiate certificate issuance.
- Download the resulting certificate from Trust Lifecycle Manager to the sensor, deliver it to the target system, and perform any required post-delivery work.

Java classes

The example plugin repository provides the following Java classes under src/main/java/com/example/certdelivery and its subdirectories. To create your custom plugin, modify or extend the applicable class or method definitions in these files.

ヒント

Review the included Javadocs in the source files for details about expected inputs, outputs, and behavior for each method.

MyCertDeliveryPlugin.java

Description

The primary class that defines the custom logic for each certificate delivery plugin. It extends the AbstractCertificateDeliveryWorkflow class and performs tasks for requesting and delivering certificates for a particular system type via the Admin web request function in Trust Lifecycle Manager.

Customizations

To implement custom certificate request and delivery logic, update the code in the following methods, annotated with @Override.

Purpose

Generate a certificate signing request (CSR) and private key pair using the request parameters sent from Trust Lifecycle Manager, then send the CSR back to Trust Lifecycle Manager to initiate the certificate issuance process.

Customizing

By default, this method generates a CSR and private key using the parameters provided in the request, writing them to a temporary directory for use in later workflow steps.

To customize:

Add logic to process any custom flow settings and control how the CSR is generated, for example by updating the request parameters or delegating CSR generation to an external system.
Using the same framework as the default example, assign the resulting CSR to the response object and return it to Trust Lifecycle Manager.

Input

The request received from Trust Lifecycle Manager is deserialized into a GenerateCsrRequest object with the following fields.

Field	Type	Description
`subjectDn`	String	Subject Distinguished Name, with fields separated by a null character (`\u0000`). Supports: CN, O, OU, L, ST, C, and EMAIL.
`keyAlgorithm`	String	Key algorithm for key pair generation, for example: `RSA`, `EC`.
`keySize`	String	Key size in bits, for example: `2048`, `4096`.
`signatureAlgorithm`	String	Hash algorithm for signing the CSR, for example: `sha256`, `sha384`, `sha512`.
`dnsNames`	String	Comma-separated DNS names for the subject alternative name (SAN) extension.
`ipAddresses`	String	Comma-separated IP addresses for the SAN extension.
`emails`	String	Comma-separated email addresses for the SAN extension.
`flowId`	String	Unique workflow identifier (UUID) used to correlate this step with later steps in the same delivery flow.

Flow settings

Certificate delivery plugins can include custom flow settings, with runtime values supplied by the admin who requests the certificate. These settings are specified in the configuration.json file and presented as inputs on the Admin web request screen in Trust Lifecycle Manager.

Your custom plugin code should include logic to read these values and use them as needed to control CSR generation. The example plugin includes a single destination field to control where the CSR and private key get generated on the sensor. If no value is supplied, files are generated in the system temp directory by default.

Response

The response returned to Trust Lifecycle Manager must be a GenerateCsrResponse object with the CSR assigned in PEM format, for example: response.setCsr(csrPemString);

Purpose

Download the issued certificate from Trust Lifecycle Manager and deliver it to the target system, performing any required post-delivery tasks.

Customizing

By default, this method downloads the certificate package (ZIP file) from the provided certificate link, extracts the end-entity certificate and intermediate CA certificate, and saves them to a temporary directory.

To customize:

Add logic to process any custom flow settings and deliver the extracted certificate files to the intended destination on the target system.
Add any required post-delivery tasks, such as restarting a service, triggering a reload, or notifying an external system.

Input

The request received from Trust Lifecycle Manager is deserialized into a DispatchCertificateRequest object with the following fields:

Field	Type	Description
`certificateLink`	String	URL to download the issued certificate package (ZIP file).
`flowId`	String	Unique workflow identifier (UUID) matching the CSR generation step.

Flow settings

The same flow settings from the CSR generation method are available for installing the certificate. These runtime values are included in the initial certificate request sent from Trust Lifecycle Manager.

Your custom plugin code should include logic to read these values and use them as needed to deliver the issued certificate. The example plugin includes a single destination field to control where files are stored on the sensor. If no value is supplied, files are written to the system temp directory by default.

Response

The response returned to Trust Lifecycle Manager must be a DispatchCertificateResponse object.

MyCertDeliveryPluginHelper.java

Description

Provides static utility methods for CSR generation and certificate downloads and extraction.

Helper methods

The helper class provides the following public utility methods, which you can use in your custom plugin code.

MyCertDeliveryPluginRunner.java

Description

Acts as the entry point for the plugin, invoking the plugin object defined in MyCertDeliveryPlugin.java, along with the required SDK context object for sharing information across different methods and storing results at different execution points.

Customizations

This class should not typically be modified. If you do customize it, make sure the fully qualified class name matches the one in the pom.xml file.

MyPluginConfiguration.java

Description

Found in the extended/configuration subdirectory, this class defines the main configuration properties for the plugin instance. All properties you define here should have matching fields in the config_settings section of the configuration.json file for the plugin. This ensures that users provide values for these properties when configuring each instance (connector) of the plugin in Trust Lifecycle Manager.

Customizations

By default, this class defines variables to store user credentials (userName and password) for accessing the target system.

To customize:

Adjust the default variables if the target system uses an authentication method other than user credentials.
Add one or more variables to store any required network properties for connecting to the target system, such as its URL or IP address.
Define additional variables as needed to configure different settings for connecting and using each instance of the custom plugin.

Build the plugin ZIP file

重要

Before building the plugin, make sure your development environment includes the required software and settings. For details, see Prepare your development environment.

After adding your custom logic, build the plugin ZIP file on the development system as follows:

From the top-level project directory, run the build script by making the ./build.sh command.
The script prints status messages to the console as it executes. At the end, it generates and prints the SHA-256 checksum for the ZIP file, confirming a successful build.
Find the final ZIP file for the plugin in the plugin-dist subdirectory. The ZIP file contains the plugin JAR file and metadata JSON file required by Trust Lifecycle Manager.

What's next

To add the plugin to Trust Lifecycle Manager, you must upload both the plugin ZIP file and corresponding JSON configuration file.

For details about the required JSON configuration format, see Create the plugin configuration.