Skip to main content

Een aangepast toepassing instellen voor beheerde automatisering

Beheerde automatisering van CertCentral ondersteunt standaard de meest populaire webservertoepassingen.

CertCentral biedt ook de flexibiliteit om het certificaatbeheer uit te breiden voor extra toepassingen die niet standaard worden ondersteund, doordat het configuratie van ACME-clients van derden mogelijk maakt via de optie "aangepaste toepassing".

Volg deze stappen om beheerde automatisering voor een aangepaste toepassing in te schakelen:

Step 1: Install DigiCert agent

Custom automations require an active DigiCert agent on the server. The agent:

  • Coordinates each automation request sent through Trust Lifecycle Manager, including details about the requested certificate type and properties.

  • Invokes your custom shell script on the server to complete the request and install the certificate for your application.

For detailed instructions about how to install and activate DigiCert agents on your servers, see Deploy and manage agents.

Belangrijk

To add and assign custom scripts, each agent must be running software version 3.1.2 or above.

Stel de ACME-clients van de derde partij in

In addition to a DigiCert agent, the server must have the Certbot ACME client installed.

Your custom shell script invokes Certbot to complete each request and install the resulting certificate for your custom Linux or Windows application.

For detailed instructions about how to download and install the Certbot client, refer to the official Certbot instructions.

Step 3: Create shell script

You need a shell script to help manage the certificates for your custom application.

The shell script contains the Certbot command to request and install certificates for your application via the Trust Lifecycle Manager ACME service. Below are example shell scripts for Linux and Windows.

Example scripts

voorbeeld 1. Linux
# Define variables
host=$1
emailaddress=$2
eabkeyidentifier=$3
eabkeyhmac=$4
key=$5
directoryuri=$6

# Remove double quotes from ACME URL
value=$directoryuri
value=${value#\"}
directoryuri=${value%\"}

# Run Certbot
certbot certonly --server $directoryuri --config-dir ./acme/ --eab-kid $eabkeyidentifier --eab-hmac-key $eabkeyhmac --force-renew --agree-tos --no-redirect --expand -d $host --email $emailaddress --no-autorenew --preferred-challenges http --standalone --key-type $key -n --no-verify-ssl

# Complete script
returnCode=$?
echo "The command exit status : ${returnCode}"
exit $returnCode

voorbeeld 2. Windows
directoryuri=%1
host=%2
emailaddress=%3
eabkeyidentifier=%5
eabkeyhmac=%6
acmeConfigDirectory="./%eabkeyidentifier%"
certbot --server %directoryuri% --config-dir %acmeConfigDirectory% --eab-kid %eabkeyidentifier%  --eab-hmac-key %eabkeyhmac% -m %emailaddress% --force-renew --agree-tos --no-redirect --expand -d %host% --no-verify-ssl --no-autorenew 
set returnCode=%errorlevel%
EXIT /B %returnCode%

Usage notes

Variable definitions at the top of these shell scripts set the required ACME request parameters:

  • These must match up with the ACME arguments you configure for the custom application in Trust Lifecycle Manager (see below).

  • During an automation event, values for these arguments are supplied to the shell script by the local DigiCert agent.

Commands used in the shell script:

  • Must include all mandatory parameters.

  • Must not exceed 512 characters.

  • Must not include special directives like rm -rf or rmdir

The shell script filename:

  • Must end with .sh or .bat.

  • Must not exceed 255 characters.

Configureer de instellingen voor de beheerde automatisering

To add a custom automation script in Trust Lifecycle Manager:

  1. In the Trust Lifecycle Manager menu, go to Discovery & automation tools > Scripts > DigiCert agents.

  2. Open the Add script for dropdown on the top-right, and select DigiCert agents.

  3. Complete the Add new script sidebar:

    • Name: Enter a user-friendly name for referencing the script.

    • Operating system: Select the applicable operating system (Linux or Windows).

    • Script type: Select Custom automation.

    • Upload script: Drag and drop or browse to select the script to upload. Once uploaded, the name of the script appears below the widget.

    • Description: (Optional) Enter an optional description for the script to help identify it in Trust Lifecycle Manager.

    • Command-line arguments: Enter a space-separated list of general ACME parameters to use with your custom automation script.

      Bijvoorbeeld:

      {acmeDirectoryUrl} {hosts} {email} {key} {extActKid} {extActHmac}

      Merk op dat:

      • Elk argument exact zoals hier weergegeven moet worden ingevoerd.

      • De volgorde van de argumenten moet overeenkomen met hoe ze in uw shellscript worden gebruikt.

      • Tijdens een automatiseringsgebeurtenis worden de vereiste waarden voor deze argumenten automatisch verkregen uit het geselecteerde automatiseringsprofiel.

      Uitleg van ACME-argumenten die worden ondersteund door de beheerde automatisering van CertCentral:

      • {acmeDirectoryUrl} – ACME directory URL-instellingen.

      • {hosts} – Gegevens certificaathost.

      • {email} – E-mailadres voor meldingen.

      • {key} – Sleutelalgoritme (RSA of ECC).

      • {extActKid} – KID van externe account gebruikt in de URL.

      • {extActHmac} – HMAC sleutel voor het ondertekenen van het antwoord.

  4. Select Add and verify script to verify the script in Trust Lifecycle Manager. Once verified, the script is available for assignment.

Let op

For more information about how to add and manage agent scripts in Trust Lifecycle Manager, see Agent scripts.

Step 5: Assign script to the applicable agent IP/port targets

To complete the custom automation configuration, assign the script to any DigiCert agents that will manage certificates for the custom application:

  1. From the Trust Lifecycle Manager menu, go to Discovery & automation tools > Agents.

  2. Select the agent by name to view the details for it.

  3. On the details page, select the pencil icon on the right to edit the agent configuration.

  4. In the IP/port targets section for the agent, locate any IP/port targets where the custom application is running and configure them as follows:

    • Application: Select Custom.

    • Custom automation script: Select the custom automation script by the name assigned to it in Trust Lifecycle Manager.

  5. Select the Update button at the bottom to save your changes.

What's next

After enabling managed automation for your custom application, you can manage certificate deployments for it as you would any other server application in Trust Lifecycle Manager.

When you need a new certificate for your custom application:

  1. You submit the request through the Trust Lifecycle Manager web console or REST API.

  2. The DigiCert agent on the local system processes the certificate request and invokes your custom shell script with the required parameters.

  3. Your custom shell script invokes the Certbot ACME client to complete the request and install the new certificate for your application.

In deze sectie: