-
Notifications
You must be signed in to change notification settings - Fork 39
CA handler for Digicert CertCentral
This handler can be used to enroll certificates from DigiCert CertCentral.
- you'll need:
- a DigiCert CertCentral subscription :-)
- an API-Key for Authentication and Authorization
- an Organization
- a whitelisted domain
- modify the server configuration (
acme_srv.cfg) and add the first thre of the below mentioned parameters
[CAhandler]
handler_file: examples/ca_handler/digicert_ca_handler.py
api_key: <api_key>
organization_name: <organization_name>
allowed_domainlist: <allowed_domainlist>
api_url: <api_url>
organization_id: <organization_id>
cert_type: <cert_type>
signature_hash: <signature_hash>
order_validity: <order_validity>
request_timeout: <seconds>
eab_profiling: <True|False>
- api_key - required - API key to access the API
- organization_name - required - Organization name as specified in DigiCert CertCentral
- allowed_domainlist: list of domain-names allowed for enrollment in json format (example: ["bar.local$, bar.foo.local])
- api_url - optional - URL of the CertCentral API
- organization_id - optional - organization id - configuration prevents additional rest-lookups
- cert_type - optional - certificte type to be isused. (default: ssl_basic)
- signature_hash - optional - hash algorithm used for certificate signing - (default: sha256)
- order_validity - optional - oder validity (default: 1 year)
- request_timeout - optional - requests timeout in seconds for requests (default: 5s)
- eab_profiling - optional - activate eab profiling (default: False)
Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the disclaimer section of our README file
Important: the DigiCert API expectes a CommonName to be set. Hence, certbot cannot be used for certificate enrollment.
The handler makes use of the header_info_list feature allowing an acme-client to specify a certificate type to be used during certificate enrollment. This feature is disabled by default and must be activate in acme_srv.cfg as shown below
[Order]
...
header_info_list: ["HTTP_USER_AGENT"]
The acme-client can then specify the cert_type as part of its user-agent string.
Example for acme.sh:
docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent cert_type=ssl_securesite_pro --debug 3 --output-insecureExample for lego:
docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "[email protected]" --user-agent cert_type=ssl_securesite_pro -d <fqdn> --http runThis handler can use the eab profiling feture to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in acme_srv.cfg
[EABhandler]
eab_handler_file: examples/eab_handler/kid_profile_handler.py
key_file: <profile_file>
[CAhandler]
eab_profiling: Truebelow an example key-file used during regression testing:
{
"keyid_00": {
"hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
"cahandler": {
"cert_type": ["ssl_basic", "ssl_securesite_pro", "ssl_securesite_flex"],
"allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
"organization_name": "acme2certifier"
}
},
"keyid_01": {
"hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
"cahandler": {
"allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
"cert_type": "ssl_securesite_pro"
}
},
"keyid_02": {
"hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
"cahandler": {
"allowed_domainlist": ["www.example.com", "www.example.org"]
}
},
"keyid_03": {
"hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
}
}