Ansible
Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager through an Ansible playbook, using the ACMEv2 protocol to generate requests and download the issued certificates.
Voordat je begint
In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client
enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:
ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.
Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.
HMAC key: Used to encrypt and authenticate your account key during certificate requests.
On the Ansible end, make sure you have the community.crypto collection, which provides the following two modules required for the integration:
acme_account
module to create an account using external account binding.acme_certificate
module to issue a certificate.Waarschuwing
Use the latest version of the community.crypto collection to avoid a known issue in earlier versions of the
acme_certificate
module where some certificates issued through Ansible with ACME had a missing common name or SANs in a different order than requested.
Integration workflow
Download the Ansible integration package to get the following files:
digicert_acme_cert_main.yml: Sample Ansible playbook script for getting certificates from Trust Lifecycle Manager. Update it with your custom values before requesting certificates.
get-cert.yml: Helper script to submit certificate requests to DigiCert via ACMEv2. Keep it in the same directory as the Ansible playbook.
ReadMe.txt: Instructions and technical details to help you set up the integration.
Let op
The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Ansible.
To request a certificate from Trust Lifecycle Manager, update the vars
section in the sample Ansible playbook file digicert_acme_cert_main.yml to supply values for the following parameters:
acme_dir_url
: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.eab_kid
: Sleutelidentificatie van de externe accountbinding (EAB).eab_key
: HMAC-sleutel van de externe accountbinding (EAB).cert_cn
: Algemene naam van het certificaat.contact_email
: E-mailadres van de beheerder.
Optioneel kunt u andere parameters opgeven en de standaardinstellingen bijwerken:
data_dir
: Locatie van de standaardgegevensmap in de installatiemap waar alle gegenereerde sleutels en uitgegeven certificaten worden opgeslagen. U kunt deze wijzigen naar uw voorkeurslocatie.subject_alt_name
: Geef de Subject Alternative Names (SAN's) op die u met dit certificaat wilt beveiligen.
Place your customized Ansible playbook file and the helper script get-cert.yml in the directory where you want to install the certificate.
Ga naar de installatiemap en voer de Ansible playbook-opdracht uit:
Als rootgebruiker:
ansible-playbook digicert_acme_cert_main.yml
Als niet-rootgebruiker:
ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml
What's next
If the Ansible playbook ran successfully, the data subdirectory contains a series of files for the new certificate identified by its common name:
<common_name>.csr
<common_name>.key
<common_name>.pem
<common_name>-chain.pem
<common_name>-fullchain.pem
The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.