API-based enrollment
Follow these steps to get certificates from DigiCert® Trust Lifecycle Manager into your Chef nodes using the Trust Lifecycle Manager REST API.
The integration involves the following Chef components:
Chef workstation: Local development system where you configure a custom Chef cookbook for requesting certificates from Trust Lifecycle Manager via its REST API.
Chef server: Centralized hub where you upload the custom Chef cookbook for use by your production Chef nodes.
Chef nodes: Client systems that request certificates from Trust Lifecycle Manager using the custom cookbook on the Chef server.
Before you begin
You need an API token for an active DigiCert ONE user or service user with access to Trust Lifecycle Manager and a user role of Manager or User and certificate manager. See API access for more details.
In Trust Lifecycle Manager, you need a certificate profile with the REST API enrollment method and 3rd Party app authentication method. Gather the following parameters from the profile details page to use when configuring the integration:
Profile ID: Get it from the GUID field or the DigiCert ONE URL of the profile details page.
REST API endpoint (API KEY auth): Copy it from the REST URL dropdown at the top of the profile details page.
Integration workflow
Download the Chef integration package to get the following sample files:
recipe/default.rb: Sample recipe file to request certificates from Trust Lifecycle Manager via its REST API.
attributes/default.rb: Sample attributes file to configure your DigiCert API credentials.
Note
The downloadable sample files are also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Chef.
Use the sample files to create a custom Chef cookbook for requesting certificates from Trust Lifecycle Manager via its REST API.
To configure the cookbook on your Chef workstation:
Run the following command to create a custom cookbook, supplying a friendly name for the cookbook as the final argument.
chef generate cookbook <custom_cookbook_name>
Copy the sample recipe/default.rb file into the recipes sub-directory for the custom cookbook, replacing the default default.rb file there.
Copy the sample attributes/default.rb file into the attributes sub-directory for the custom cookbook, replacing the default default.rb file there.
Update the copied attributes/default.rb file in the custom cookbook to supply values for the following parameters:
default['csr_path']: Directory path where the CSR should be stored on Chef nodes.
default['private_key_path']: Directory path where the private key should be stored on Chef nodes.
default['output-certificate-path']: Directory path where the issued certificate should be stored on Chef nodes.
default['profile_id']: GUID of the API-enabled certificate profile to issue the certificate from in Trust Lifecycle Manager.
default['rest_api_url']: The REST API endpoint (API KEY auth) copied from the certificate profile details page in Trust Lifecycle Manager.
default['common_name']: Common name of the certificate to issue.
Enclose the parameter values in single quotes in the file. For example, for the common name parameter:
default['common_name'] = 'my-app.example.com'
Use the following command to upload the custom cookbook to the active Chef server. Supply the custom cookbook name as the final argument.
knife cookbook upload <custom_cookbook_name>
With the custom Chef cookbook in place on the Chef server, you are ready to request certificates from Trust Lifecycle Manager for your Chef nodes.
Use the following command on a Chef node to run the cookbook from the Chef server including the recipe for the custom API-based certificate request:
sudo chef-client
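The recipe needs a private key and a CSR on the node before it can call the profile's REST endpoint, and the attribute values above are the only inputs it has. The following is an added example, not DigiCert's sample recipe or attributes file: plain Ruby using the standard openssl library (not Chef resources) that checks the attribute values for the obvious mistakes (relative paths, a non-GUID profile ID, a plain-http REST URL, a malformed common name), then generates an RSA key and CSR for the configured common name and writes them under the configured directories with the key readable only by its owner. The attribute values, the <common_name>.key / <common_name>.csr file names and the 2048-bit key size are constructed assumptions; the HTTP request to the REST endpoint is not shown because its request format is not described on this page.

```ruby
# Added example, not DigiCert's sample cookbook: validate the attributes/default.rb
# values and prepare the private key and CSR a Chef node needs for enrollment.
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Constructed stand-in for the node attributes from attributes/default.rb.
# Every value here is a placeholder, not a real Trust Lifecycle Manager value.
SAMPLE_ATTRIBUTES = {
  'csr_path'                => '/etc/pki/tlm/csr',
  'private_key_path'        => '/etc/pki/tlm/private',
  'output-certificate-path' => '/etc/pki/tlm/certs',
  'profile_id'              => '00000000-0000-0000-0000-000000000000',   # placeholder GUID
  'rest_api_url'            => 'https://tlm.example.invalid/placeholder', # placeholder URL
  'common_name'             => 'my-app.example.com'
}.freeze

GUID_RE     = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i
HOSTNAME_RE = /\A(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\z/i

# Check the attribute values before anything touches the filesystem or the network.
# Returns a list of problems; an empty list means the attributes look usable.
def validate_attributes(attrs)
  problems = []
  %w[csr_path private_key_path output-certificate-path].each do |k|
    problems << "#{k} must be an absolute directory path" unless attrs[k].to_s.start_with?('/')
  end
  problems << 'profile_id must be a GUID' unless GUID_RE.match?(attrs['profile_id'].to_s)
  # The API token travels with every request, so refuse a non-TLS endpoint outright.
  problems << 'rest_api_url must use https' unless attrs['rest_api_url'].to_s.start_with?('https://')
  problems << 'common_name must be a valid hostname' unless HOSTNAME_RE.match?(attrs['common_name'].to_s)
  problems
end

# Generate a fresh RSA key and a CSR whose subject CN is the configured common name.
def build_key_and_csr(common_name, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, csr]
end

# Write the key (owner-only) and the CSR into the configured directories.
# File names are an assumption of this example. Returns the two file paths.
def write_key_and_csr(attrs, key, csr)
  FileUtils.mkdir_p(attrs['private_key_path'], mode: 0o700)
  FileUtils.mkdir_p(attrs['csr_path'], mode: 0o755)
  key_file = File.join(attrs['private_key_path'], "#{attrs['common_name']}.key")
  csr_file = File.join(attrs['csr_path'], "#{attrs['common_name']}.csr")
  File.open(key_file, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(key.to_pem) }
  File.write(csr_file, csr.to_pem)
  [key_file, csr_file]
end

# Run the whole preparation step; returns a summary of what was produced.
def prepare_enrollment(attrs)
  problems = validate_attributes(attrs)
  raise ArgumentError, problems.join('; ') unless problems.empty?
  key, csr = build_key_and_csr(attrs['common_name'])
  key_file, csr_file = write_key_and_csr(attrs, key, csr)
  { key_file: key_file, csr_file: csr_file,
    csr_subject: csr.subject.to_s, csr_valid: csr.verify(csr.public_key) }
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone run: use a scratch directory instead of /etc/pki.
  Dir.mktmpdir do |tmp|
    attrs = SAMPLE_ATTRIBUTES.merge('csr_path' => File.join(tmp, 'csr'),
                                    'private_key_path' => File.join(tmp, 'private'))
    puts prepare_enrollment(attrs).inspect
  end
end
```

In a real cookbook the same steps would be expressed with Chef's directory and file resources and the paths taken from node['...'] rather than a frozen hash; the validation step is worth keeping in either form, since a bad rest_api_url or profile_id is otherwise only discovered when the REST call fails on every node.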
What's next
After a successful certificate request, the certificate files are found on the Chef node in the directory configured in the default['output-certificate-path'] parameter in the attributes/default.rb file for the custom cookbook.
The certificate also appears in the Trust Lifecycle Manager Inventory view so you can monitor it and set up notifications.