Skip to main content

Een aangepast toepassing instellen voor beheerde automatisering

Beheerde automatisering van CertCentral ondersteunt standaard de meest populaire webservertoepassingen.

CertCentral biedt ook de flexibiliteit om het certificaatbeheer uit te breiden voor extra toepassingen die niet standaard worden ondersteund, doordat het configuratie van ACME-clients van derden mogelijk maakt via de optie "aangepaste toepassing".

Volg deze stappen om beheerde automatisering voor een aangepaste toepassing in te schakelen:

Step 1: Install DigiCert agent

Custom automations require an active DigiCert agent on the server. The agent coordinates automation requests received from the Trust Lifecycle Manager web console and calls your custom shell script to handle certificate lifecycle events for the custom application.

For detailed instructions about how to install and activate DigiCert agents on your servers, see Deploy and manage agents.

Stel de ACME-clients van de derde partij in

In addition to a DigiCert agent, the server must have Certbot installed. Your custom automation script invokes the Certbot ACME client to request certificates from Trust Lifecycle Manager and install them for your custom Linux or Windows application.

For detailed instructions about how to download and install the Certbot client, refer to the official Certbot instructions.

Step 3: Create shell script

You need a shell script to drive certificate lifecycle events for your custom application. When a new certificate is needed, the DigiCert agent calls this shell script to invoke the Certbot client, which then requests the certificate through the Trust Lifecycle Manager ACME service.

The shell script contains the Certbot command to request and install certificates for your custom application using the parameters expected by the Trust Lifecycle Manager ACME service.

Below are examples of shell scripts to enable Trust Lifecycle Manager managed automation for custom Linux and Windows applications.

voorbeeld 1. Linux
directoryuri=$1
host=$2
emailaddress=$3
eabkeyidentifier=$5
eabkeyhmac=$6
process_path=/usr/bin/apachectl
server_root=/etc/httpd
config_root=/etc/httpd/config
procCmdLine="/usr/bin/apachectl start"
acmeConfigDirectory="/etc/letsencrypt/"
certbot --server $directoryuri --config-dir $acmeConfigDirectory --eab-kid $eabkeyidentifier  --eab-hmac-key $eabkeyhmac --installer apache -m $emailaddress --force-renew --agree-tos --no-redirect --expand -d $host --no-verify-ssl --no-autorenew --pre-hook "$process_path stop" --post-hook $procCmdLine -n --apache-server-root $server_root --apache-vhost-root $config_root
returnCode=$?
echo "The command exit status : ${returnCode}"
exit $returnCode

voorbeeld 2. Windows
directoryuri=%1
host=%2
emailaddress=%3
eabkeyidentifier=%5
eabkeyhmac=%6
acmeConfigDirectory="./%eabkeyidentifier%"
certbot --server %directoryuri% --config-dir %acmeConfigDirectory% --eab-kid %eabkeyidentifier%  --eab-hmac-key %eabkeyhmac% -m %emailaddress% --force-renew --agree-tos --no-redirect --expand -d %host% --no-verify-ssl --no-autorenew 
set returnCode=%errorlevel%
EXIT /B %returnCode%

Variable definitions at the top of these shell scripts set the required ACME request parameters:

  • These must match up with the ACME arguments you configure for the custom application in Trust Lifecycle Manager.

  • During an automation event, values for these arguments are supplied to the shell script by the local DigiCert agent that calls it.

Commands used in the shell script:

  • Must include all mandatory parameters.

  • Must not exceed 512 characters.

  • Must not include special directives like rm -rf or rmdir

The shell script filename:

  • Must end with .sh or .bat.

  • Must not exceed 255 characters.

Configureer de instellingen voor de beheerde automatisering

Gebruik het menu voor Beheerde automatisering van CertCentral om de configuratie voor uw aangepaste toepassing te voltooien:

  1. Ga in het linker hoofdmenu van uw CertCentral-account naar Automatisering > Automatisering beheren.

  2. From the More actions dropdown at top, select Add script.

  3. Fill out the Add script form:

    1. Name: Enter a user-friendly name to use when referencing the script.

    2. Operating system: Select the applicable operating system (Linux or Windows).

    3. Script type: Select Custom automation.

    4. Script filename: Enter the script's filename in or path relative to the local agent's user-scripts sub-directory.

      • Linux: If your script is named "myscript.sh" and is stored directly in the agent's user-scripts sub-directory, enter myscript.sh here. If you stored the script within an additional sub-directory called "custom-apps" in the user-scripts sub-directory, enter custom-apps/myscript.sh instead.

      • Windows: If your script is named "myscript.bat" and is stored directly in the agent's user-scripts folder, enter myscript.bat here. If you stored the script within an additional sub-folder called "custom-apps" in the user-scripts folder, enter custom-apps\myscript.bat instead.

      Waarschuwing

      Make sure there are no spaces in the filename for either Linux or Windows. The script will fail if the path or filename has spaces in it.

    5. Command-line arguments: Enter a space-separated list of general ACME parameters to use with your custom automation script.

      Bijvoorbeeld:

      {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}

      Merk op dat:

      • Elk argument exact zoals hier weergegeven moet worden ingevoerd.

      • De volgorde van de argumenten moet overeenkomen met hoe ze in uw shellscript worden gebruikt.

      • Tijdens een automatiseringsgebeurtenis worden de vereiste waarden voor deze argumenten automatisch verkregen uit het geselecteerde automatiseringsprofiel.

      Uitleg van ACME-argumenten die worden ondersteund door de beheerde automatisering van CertCentral:

      • {acmeDirectoryUrl} – ACME directory URL-instellingen.

      • {hosts} – Gegevens certificaathost.

      • {email} – E-mailadres voor meldingen.

      • {key} – Sleutelalgoritme (RSA of ECC).

      • {extActKid} – KID van externe account gebruikt in de URL.

      • {extActHmac} – HMAC sleutel voor het ondertekenen van het antwoord.

    6. Description (optional): Enter an optional description for the script to help identify it when working with DigiCert agents and agent-based automations in Trust Lifecycle Manager.

  4. Selecteer vanuit de weergave Automatisering bewerken de Naam of de lokale ACME-agent die op dezelfde certificaathost als de aangepaste toepassing wordt uitgevoerd.

Step 5: Assign script to the applicable agent IP/port targets

To complete the custom automation configuration, assign the script to any DigiCert agents that will coordinate certificate lifecycle automation events for the custom application:

  1. From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Agents.

  2. Locate the local DigiCert agents on the systems where the custom application is running. Select each agent by name to view the details for it.

  3. Select the pencil (edit) icon on the right of the agent details page to update the agent configuration.

  4. In the IP/port targets section for the agent, locate any IP/port targets where the custom application is running and configure them as follows:

    • Application: Select Custom.

    • Custom automation script: Select the custom automation script by the name assigned to it in Trust Lifecycle Manager.

  5. Select the Update button at bottom to save your changes.

What's next

After enabling managed automation for your custom application, you can schedule certificate lifecycle automation events for it as you would any other server application in Trust Lifecycle Manager.

In deze sectie: