Installing CA connectors

Installation requirements

To install a CA connector, the following requirements must be satisfied:

An SCM account and MRAO administrator permissions
Administrator permissions for the CA
Microsoft Windows Server 2016, 2019, or 2022 (64-bit) and local admin permissions to install the CA connector
Hardware:
- CPU — 1.4GHz 64-bit or 32-bit (minimum)
- RAM — 2 GB (minimum)
Internet access:
- Outbound network access to https://cbcc.enterprise.sectigo.com on TCP port 443
- Outbound network access to https://dist.sectigo.com on TCP port 443
- Outbound network access to the appropriate SCM instance on TCP port 443:
  - https://cert-manager.com
  - https://hard.cert-manager.com
  - https://eu.cert-manager.com

CA requirements

In addition to the general prerequisites, there are additional requirements that must be met depending on which CA you are using.

AWS Private CA
DigiCert
Entrust
GCP CA Service
Microsoft CA

The following requirements must be met before using a CA connector with ACM:

You have an active AWS account with a private CA.
You have configured an AWS user to represent the CA connector.
- This user must be provided with at least the following permissions:
  - IssueCertificate, GetCertificate, GetCertificateAuthorityCertificate, RevokeCertificate, and DescribeCertificateAuthority for the specific CAs being used
  - ListCertificateAuthorities for all CAs
    
    For information about configuring ACM access permissions, see Identity and Access Management for AWS Certificate Manager Private Certificate Authority.
- You have this user’s aws_access_key_id and aws_secret_access_key
  
  For information about AWS access key IDs and secret access keys, see Understanding and getting your AWS credentials.

The following requirements must be met before using a CA connector with the DigiCert CA:

You have an active DigiCert account with validated organizations and domains.

SCM shows the validation status of your organization and will not enroll certificates if the organization is not valid. SCM does not show the validation status of your domains and will allow enrollment to proceed but the order requires that the DCV is then completed in DigiCert.

You have configured a DigiCert user to represent the CA connector.
- This user must have the Manager or Administrator role.
- This user must be linked to a DigiCert API key with at least the following permissions:
  - view_organizations
  - manage_orders
  - place_orders
  - view_orders
  - manage_requests
  - review_requests
  - create_longer_validity_order
    
    This API key must be saved for use when configuring the CA connector.
    
    For information about generating DigiCert API keys, see Generate an API key.

The following requirements must be met before using a CA connector with the Entrust CA:

You have an active Entrust account with validated organizations and domains.

You have configured an Entrust user with an active Entrust certificate to represent the CA connector.
- This user must have the administrator role.
- This user’s certificate must be linked to an Entrust API key.
  
  This API key must be saved for use when configuring the CA connector.
  
  For information about generating Entrust API keys, see Adding and editing an API key.

The following requirements must be met before using a CA connector with GCP CA Service:

You have an active GCP account with an Enterprise tier CA.
You have configured a GCP service account to represent the CA connector.
- This account must be provided with at least the following permissions:
  - privateca.caPools.get, privateca.caPools.list, privateca.certificateAuthorities.get, privateca.certificateAuthorities.list, privateca.certificates.create, privateca.certificates.get, privateca.certificates.update, privateca.certificateTemplates.get, privateca.certificateTemplates.list, privateca.certificateTemplates.use
    
    For information about GCPCAS Identity and Access Management roles, see Permissions and roles.
- You have created a service account key.
  
  For information about GCP service account keys, see Create and manage service account keys.

The following requirements must be met before using a CA connector with the Microsoft CA:

You have installed Active Directory and configured the Certificate Services role as an Enterprise CA.
The machine that the CA connector is installed on must be granted the following permissions on the CA you are issuing certificates from:
- Manage CA
- Issue and Manage Certificates
An Enrollment Agent (Computer) template or its duplicate has been added to the CA.
- The machine that the CA connector is installed on is added to the template with the following permissions:
  - Read
  - Enroll

Add a CA connector to SCM

Navigate to Integrations CA Connectors and click the Add icon.
In the Add CA Connector dialog, provide a name to help identify the connector.
(Optional) Provide comments with additional details about the connector.
Click Next.
Copy the installation token for use during installation.

If your installation fails, subsequent attempts require the use of a new registration token.
Click the Windows installation package link.
Click Save.

The connector should now be listed on the CA Connectors page with a status of Pending.

Install a CA connector

Windows
Windows ( CLI )

(Optional) If required, move the SectigoCBCS.msi file to the CA connector machine.
Right-click SectigoCBCS.msi and click Install.
In the setup wizard, click Next.
Read the EULA, select I accept the terms in the License Agreement, and click Next.
(Optional) Specify an installation location.

If no destination folder is selected, the CA connector and library will be installed in C:\Program Files\Sectigo Limited\SectigoCBCS.
Click Next, and paste the connector installation token.

If needed, you can retrieve the installation token from the Edit CA Connector dialog for your connector.
Click Next.

In the Proxy Settings window, select Direct Internet connection (no proxy), or select Manual proxy configuration and enter your configuration details based on the information provided in the following table.

Field	Description
Address	The IP address or the DNS name of the proxy server.
Port	The listening port of the proxy server.
Username	The username used to connect to the proxy server.
Password	The password used to connect to the proxy server.

Field

Description

Address

The IP address or the DNS name of the proxy server.

Port

The listening port of the proxy server.

Username

The username used to connect to the proxy server.

Password

The password used to connect to the proxy server.

Click Test Connection to confirm your connection.

Click Install.
Click Yes to allow the installation to complete on the server.
Click Finish.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoCBCS.

The connector should now be listed on the CA Connectors page with a status of Connected.

Once installed, the CA connector must be configured to connect to your CA provider. For more information, see Configure a CA connector.

To be notified in the event that a connector is disconnected, add the CA Connector Disconnected notification. For more information, see Adding notifications.

Open the Windows command prompt.
In the command line, navigate to the download location of the installation package.

Modify the installation command as needed.

msiexec.exe /i /q SectigoCBS.msi TOKEN= PROXY_TYPE= PROXY_ADDR= PROXY_PORT= PROXY_USER= PROXY_PASSWORD=

Unused options must be removed from the command.

The command options are outlined in the following table.

Option Description

Option	Description
`/i`	Initiates installation of the agent through the bootstrap application.
`/q`	Runs the installation in silent mode so no interaction is required.
`TOKEN`	The mandatory installation token.
`PROXY_TYPE`	Indicates whether you are using a proxy server. `1` (Yes) `0` (No)
`PROXY_ADDR`	The hostname or IP address of your proxy server. This option is required if you are using a proxy server.
`PROXY_PORT`	The port number used by your proxy server. This option is required if you are using a proxy server.
`PROXY_USER`	The username for accessing the proxy server. This option is required if your proxy server is configured to use credentials.
`PROXY_PASSWORD`	The password for accessing the proxy server, if configured to use credentials. This option is required if your proxy server is configured to use credentials.

/i

Initiates installation of the agent through the bootstrap application.

/q

Runs the installation in silent mode so no interaction is required.

TOKEN

The mandatory installation token.

PROXY_TYPE

Indicates whether you are using a proxy server.

1 (Yes)
0 (No)

PROXY_ADDR

The hostname or IP address of your proxy server.

This option is required if you are using a proxy server.

PROXY_PORT

The port number used by your proxy server.

This option is required if you are using a proxy server.

PROXY_USER

The username for accessing the proxy server.

This option is required if your proxy server is configured to use credentials.

PROXY_PASSWORD

The password for accessing the proxy server, if configured to use credentials.

This option is required if your proxy server is configured to use credentials.

Run the modified installation command.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoCBCS.

The connector should now be listed on the CA Connectors page with a status of Connected.

Once installed, the CA connector must be configured to connect to your CA provider. For more information, see Configure a CA connector.

To be notified in the event that a connector is disconnected, add the CA Connector Disconnected notification. For more information, see Adding notifications.