Schedule automation events
Use the Automated IPs menu to schedule certificate lifecycle automation events for configured ACME agents and sensors. Schedule automation events after automation clients are installed, configured, and associated with automation profiles.
Before you begin
Automation clients must be installed, activated, and configured. See Set up managed automation.
At least one automation profile must be created. See Create and manage automation profiles.
Domain and organization validation must be current for the certificate type being automated.
For Citrix ADC HTTP automations, configure server bindings on the HTTP site before scheduling the automation event.
Notice
For Citrix ADC automations, certificates with an IP unreachable status cannot be scheduled. Confirm the certificate status before proceeding.
Confirm that the organization associated with the automation profile includes country, state, and locality details. CertCentral requires this information to generate the CSR and automate the load balancer.
To redirect traffic after automation on the HTTP port, enter the HTTPS redirect port of the HTTP instance for the virtual IP address.
Notice
Automation creates an HTTPS virtual server with a new certificate. On success, automation redirects traffic to the HTTPS instance on the specified port.
Schedule an automation event
In the CertCentral main menu, go to Automation > Automated IPs.
On the Automated IPs page, locate the certificate or IP address you want to automate.
In the Actions column, select the appropriate action:
Request new certificate: Request a certificate when no certificate is configured for the IP/port yet.
Renew certificate: Renew a certificate that is expiring or expired.
For non-Multi-year Plans: When a certificate is expiring or expired within 90 days.
For Multi-year Plans: When an order or plan is expiring or expired within 90 days.
Replace certificate: Replace a certificate issued by a non-DigiCert certificate authority with a DigiCert certificate. Also available when an active certificate is revoked or missing.
Reissue certificate:
For non-Multi-year Plans: Reissue a certificate that is missing or has been revoked. The reissued certificate retains the remaining validity of the original certificate.
For Multi-year Plans: Reissue a certificate issued from an active Multi-year Plan that needs replacement, is revoked, or is missing. The reissued certificate uses the maximum allowed certificate validity or the remaining Multi-year Plan validity, whichever applies.
Get your next certificate: Available for Multi-year Plans when an active certificate is expiring within 30 days. Reissue or replace the certificate at no cost each time it reaches the end of its validity period, until the Multi-year Plan expires.
Submit manual request: Request a certificate through the manual workflow instead of automation.
Enter the common name and SANs for the certificate.
Select the automation profile to use.
To issue a duplicate certificate using an existing order, select Issue a duplicate certificate using an existing order.
This option is available only if duplicate certificates are enabled in your account automation settings.
Set the time for automation to begin: immediately or scheduled in advance.
To enable automatic renewal near the end of the certificate validity period, select the auto-renew option.
Review and accept the Certificate Services Agreement.
Select Start automation or Schedule automation.
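The time windows in step 3 can be checked against an endpoint inventory before opening the Automated IPs page. The following is an added example, not CertCentral code: the inventory, its field names, and the reference time are constructed, and it assumes "expiring or expired within 90 days" covers 90 days either side of expiry. Replace and Reissue depend on revocation, missing, or issuer state rather than dates and are not covered.

```python
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 90      # "Renew certificate" window from this page
NEXT_CERT_WINDOW_DAYS = 30  # "Get your next certificate" window (Multi-year Plans)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed inventory; field names are hypothetical. not_after uses the
# OpenSSL notAfter text format; plan_not_after is None outside a Multi-year Plan.
INVENTORY = [
    {"ip_port": "192.0.2.10:443", "not_after": None, "plan_not_after": None},
    {"ip_port": "192.0.2.11:443", "not_after": "Jul 15 12:00:00 2025 GMT",
     "plan_not_after": None},
    {"ip_port": "192.0.2.12:443", "not_after": "Jun 20 00:00:00 2025 GMT",
     "plan_not_after": "Mar  1 00:00:00 2027 GMT"},
    {"ip_port": "192.0.2.13:443", "not_after": "Dec  1 00:00:00 2025 GMT",
     "plan_not_after": None},
]

def days_left(not_after, now):
    """Days until a notAfter timestamp; negative once it has passed."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400

def candidate_actions(entry, now):
    """Actions whose time window (as stated on this page) the entry falls in."""
    if entry["not_after"] is None:
        return ["Request new certificate"]  # nothing configured on the IP/port
    cert_days = days_left(entry["not_after"], now)
    plan_end = entry["plan_not_after"]
    actions = []
    # Assumption: "expiring or expired within 90 days" covers both directions.
    # Non-Multi-year Plans use the certificate date, Multi-year Plans the plan date.
    renew_basis = cert_days if plan_end is None else days_left(plan_end, now)
    if abs(renew_basis) <= RENEW_WINDOW_DAYS:
        actions.append("Renew certificate")
    # Multi-year Plans only: the certificate must still be active.
    if plan_end is not None and 0 < cert_days <= NEXT_CERT_WINDOW_DAYS:
        actions.append("Get your next certificate")
    return actions

def triage(inventory, now):
    """Map each IP/port to the time-based actions worth scheduling."""
    return {e["ip_port"]: candidate_actions(e, now) for e in inventory}

if __name__ == "__main__":
    for ip_port, actions in triage(INVENTORY, NOW).items():
        print(f"{ip_port:16} {', '.join(actions) or 'no time-based action'}")
```

The notAfter strings match what `openssl x509 -noout -enddate` prints after the `notAfter=` prefix, so real inventory can be fed in the same format.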
Use case notes: DV certificate automations
Before scheduling DV certificate automation events:
Create a DNS integration to automate DV certificates on load balancers.
Enable the domain validation settings for specific domains:
In the CertCentral main menu, go to Settings > Preferences.
Expand Advanced Settings.
Under Domain Control Validation, in the Validation Scope section, select Submit exact domain names for validation.
Select Save Settings.
DV certificate limitations
DV certificates do not support:
Bulk certificate automation retry if a DNS integration fails
Duplicate certificate issuance
Do not select Issue a duplicate certificate using an existing order when creating DV certificate automation events — duplicate issuance is not supported for DV certificates.
DNS integration selection
Optionally, select a DNS integration or provider to validate the DNS challenge for domain ownership. The list includes all integrations added to the sensor.
Important
DNS integrations or providers marked Critical had issues setting the DNS challenge previously and may fail again. As a best practice, select another integration or provider.
Notice
By default, certificates on the load balancer inherit the associated DNS integration. To override, select a different DNS integration. The updated DNS integration for scheduled automation becomes effective immediately. For auto-renewal, the updated DNS integration is only effective from the next scheduled automation event.
DV certificate issuance workflows
Authkey-enabled accounts: After submitting a DV certificate automation request, CertCentral immediately approves the request and issues the certificate. Automation then installs the certificate.
Non-Authkey accounts: After submitting a DV certificate automation request, the request moves to Approval pending status. Complete DCV for the domains on the request before CertCentral issues the DV certificate. Automation then installs the certificate.
Schedule automation events for F5 BIG-IP load balancers
When scheduling automation events for F5 BIG-IP load balancers, configure the private key security type:
Notice
Confirm that all certificate and key files uploaded to the F5 BIG-IP load balancer include .crt and .key file extensions in their filenames. Automation events return an IP unreachable error when these extensions are missing.
Normal: Store the private key in the F5 BIG-IP load balancer itself.
FIPS: Store the private key in the FIPS-enabled module of the F5 BIG-IP load balancer.
NetHSM: Store the private key in the Hardware Security Module (HSM) device connected to the F5 BIG-IP load balancer.
Troubleshooting
For known issues and troubleshooting tips, see Troubleshoot automation issues.
Important
If you need help or to report errors related to CertCentral managed automation, contact Support.
What's next
Automate certificate deployment and key management to deploy certificates to supported environments after issuance and renewal.