Skip to main content

Ansible

Follow these steps to get certificates from Trust Lifecycle Manager through an Ansible playbook, using the ACMEv2 protocol to generate requests and download the issued certificates.

Before you begin

In Trust Lifecycle Manager, you need a certificate profile with the 3rd-party ACME client enrollment method. The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:

  • ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.

  • Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.

  • HMAC key: Used to encrypt and authenticate your account key during certificate requests.

On the Ansible end, make sure you have the community.crypto collection, which provides the following two modules required for the integration:

  • acme_account module to create an account using external account binding.

  • acme_certificate module to issue a certificate.

    Warning

    Use the latest version of the community.crypto collection to avoid a known issue in earlier versions of the acme_certificate module where some certificates issued through Ansible with ACME had a missing common name or SANs in a different order than requested.

Integration workflow

  1. Download the integration package: Download the sample files to help set up the integration.

  2. Configure the Ansible playbook: Use the sample files to configure the integration in your Ansible environment.

  3. Request a certificate: Run your customized Ansible playbook to get certificates from DigiCert.

Note

The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Ansible.

Step 1. Download the integration package

Download the Ansible integration package and extract the contents of the ZIP archive to get the following files:

  • digicert_acme_cert_main.yml: Sample Ansible playbook script for getting certificates from Trust Lifecycle Manager. Update it with your custom values before requesting certificates.

  • get-cert.yml: Helper script to submit certificate requests to DigiCert via ACMEv2. Keep it in the same directory as the Ansible playbook.

  • ReadMe.txt: Instructions and technical details to help you set up the integration.

Step 2. Configure the Ansible playbook

To request a certificate from Trust Lifecycle Manager, update the vars section in the sample Ansible playbook file digicert_acme_cert_main.yml to supply values for the following parameters:

  • acme_dir_url: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.

  • eab_kid: ACME EAB key identifier (KID) for the certificate profile.

  • eab_key: ACME EAB HMAC key for the certificate profile.

  • cert_cn: Common name of the certificate to issue.

  • contact_email: Email address of the administrative contact.

Optionally, update the following parameters in the playbook file to further customize your certificate request:

  • data_dir: Location of the subdirectory where keys and certificates get stored within the installation directory where you run the Ansible playbook. By default, the resulting assets will get stored in the data subdirectory.

  • subject_alt_name: Specify the Subject Alternative Names (SANs) you wish to secure with this certificate. By default, the SAN extension in issued certificates will include the certificate common name with and without the www prefix.

Step 3. Request a certificate

Place your customized Ansible playbook file and the helper script get-cert.yml in the directory where you want to install the certificate.

Run the Ansible playbook as follows:

  • As root user: ansible-playbook digicert_acme_cert_main.yml

  • As non-root user: ansible-playbook --become-user <BECOME_USER> digicert_acme_cert_main.yml

What's next

If the Ansible playbook ran successfully, the data subdirectory contains a series of files for the new certificate identified by its common name:

  • <common_name>.csr

  • <common_name>.key

  • <common_name>.pem

  • <common_name>-chain.pem

  • <common_name>-fullchain.pem

The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.

: