Installing CA connectors

Installation requirements

To install a CA connector, the following requirements must be satisfied:

  • An SCM account and MRAO administrator permissions

  • Administrator permissions for the CA

  • Microsoft Windows Server 2016, 2019, or 2022 (64-bit) and local admin permissions to install the CA connector

  • Hardware:

    • CPU — 1.4GHz 64-bit or 32-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://cbcc.enterprise.sectigo.com on TCP port 443

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

CA requirements

In addition to the general prerequisites, there are additional requirements that must be met depending on which CA you are using.

  • AWS Private CA

  • DigiCert

  • Entrust

  • GCP CA Service

  • Microsoft CA

The following requirements must be met before using a CA connector with ACM:

  • You have an active AWS account with a private CA.

  • You have configured an AWS user to represent the CA connector.

The following requirements must be met before using a CA connector with the DigiCert CA:

  • You have an active DigiCert account with validated organizations and domains.

    SCM shows the validation status of your organization and will not enroll certificates if the organization is not valid. SCM does not show the validation status of your domains and will allow enrollment to proceed but the order requires that the DCV is then completed in DigiCert.
  • You have configured a DigiCert user to represent the CA connector.

    • This user must have the Manager or Administrator role.

    • This user must be linked to a DigiCert API key with at least the following permissions:

      • view_organizations

      • manage_orders

      • place_orders

      • view_orders

      • manage_requests

      • review_requests

      • create_longer_validity_order

        This API key must be saved for use when configuring the CA connector.
        For information about generating DigiCert API keys, see Generate an API key.

The following requirements must be met before using a CA connector with the Entrust CA:

  • You have an active Entrust account with validated organizations and domains.

    SCM shows the validation status of your organization and will not enroll certificates if the organization is not valid. SCM does not show the validation status of your domains and will allow enrollment to proceed but the order requires that the DCV is then completed in Entrust.
  • You have configured an Entrust user with an active Entrust certificate to represent the CA connector.

    • This user must have the administrator role.

    • This user’s certificate must be linked to an Entrust API key.

      This API key must be saved for use when configuring the CA connector.
      For information about generating Entrust API keys, see Adding and editing an API key.

The following requirements must be met before using a CA connector with GCP CA Service:

  • You have an active GCP account with an Enterprise tier CA.

  • You have configured a GCP service account to represent the CA connector.

    • This account must be provided with at least the following permissions:

      • privateca.caPools.get, privateca.caPools.list, privateca.certificateAuthorities.get, privateca.certificateAuthorities.list, privateca.certificates.create, privateca.certificates.get, privateca.certificates.update, privateca.certificateTemplates.get, privateca.certificateTemplates.list, privateca.certificateTemplates.use

        For information about GCPCAS Identity and Access Management roles, see Permissions and roles.
    • You have created a service account key.

      For information about GCP service account keys, see Create and manage service account keys.

The following requirements must be met before using a CA connector with the Microsoft CA:

  • You have installed Active Directory and configured the Certificate Services role as an Enterprise CA.

  • The machine that the CA connector is installed on must be granted the following permissions on the CA you are issuing certificates from:

    • Manage CA

    • Issue and Manage Certificates

  • An Enrollment Agent (Computer) template or its duplicate has been added to the CA.

    • The machine that the CA connector is installed on is added to the template with the following permissions:

      • Read

      • Enroll

Add a CA connector to SCM

  1. Navigate to Integrations  CA Connectors and click the Add icon.

    CA Connector Add icon
  2. In the Add CA Connector dialog, provide a name to help identify the connector.

  3. (Optional) Provide comments with additional details about the connector.

  4. Click Next.

  5. Copy the installation token for use during installation.

    CA connector Installation Token
    If your installation fails, subsequent attempts require the use of a new registration token.
  6. Click the Windows installation package link.

  7. Click Save.

The connector should now be listed on the CA Connectors page with a status of Pending.

Install a CA connector

  • Windows

  • Windows ( CLI )

  1. (Optional) If required, move the SectigoCBCS.msi file to the CA connector machine.

  2. Right-click SectigoCBCS.msi and click Install.

  3. In the setup wizard, click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

    If no destination folder is selected, the CA connector and library will be installed in C:\Program Files\Sectigo Limited\SectigoCBCS.
  6. Click Next, and paste the connector installation token.

    If needed, you can retrieve the installation token from the Edit CA Connector dialog for your connector.
  7. Click Next.

  8. In the Proxy Settings window, select Direct Internet connection (no proxy), or select Manual proxy configuration and enter your configuration details based on the information provided in the following table.

    Field Description

    Address

    The IP address or the DNS name of the proxy server.

    Port

    The listening port of the proxy server.

    Username

    The username used to connect to the proxy server.

    Password

    The password used to connect to the proxy server.

    Click Test Connection to confirm your connection.
  9. Click Install.

  10. Click Yes to allow the installation to complete on the server.

  11. Click Finish.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoCBCS.

The connector should now be listed on the CA Connectors page with a status of Connected.

  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the installation package.

  3. Modify the installation command as needed.

    msiexec.exe /i /q SectigoCBS.msi TOKEN= PROXY_TYPE= PROXY_ADDR= PROXY_PORT= PROXY_USER= PROXY_PASSWORD=
    Unused options must be removed from the command.

    The command options are outlined in the following table.

    Option Description

    /i

    Initiates installation of the agent through the bootstrap application.

    /q

    Runs the installation in silent mode so no interaction is required.

    TOKEN

    The mandatory installation token.

    PROXY_TYPE

    Indicates whether you are using a proxy server.

    • 1 (Yes)

    • 0 (No)

    PROXY_ADDR

    The hostname or IP address of your proxy server.

    This option is required if you are using a proxy server.

    PROXY_PORT

    The port number used by your proxy server.

    This option is required if you are using a proxy server.

    PROXY_USER

    The username for accessing the proxy server.

    This option is required if your proxy server is configured to use credentials.

    PROXY_PASSWORD

    The password for accessing the proxy server if configured to use credentials.

    This option is required if your proxy server is configured to use credentials.

  4. Run the modified installation command.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoCBCS.

The connector should now be listed on the CA Connectors page with a status of Connected.

Configure a CA connector

Each CA has specific configuration instructions that must be completed once the CA connector is installed.

  • AWS Private CA

  • DigiCert

  • Entrust

  • GCP CA Service

  • Microsoft CA

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type acmpca -accesskeyid <key_id> -secretaccesskey <secret_access_key> -region <region>

    The command options are outlined in the following table.

    Option Description

    name

    The name used to represent the CA backend.

    type

    The type of CA that is being connected to.

    For ACM the value must be acmpca.

    accesskeyid

    The AWS access key ID generated when adding a user to AWS.

    secretaccesskey

    The AWS secret access key generated when adding a user to AWS.

    region

    The region specified during CA creation.

    Sample command
    sectigo-cbcs.exe backend add -name test-acmpca -type acmpca -accesskeyid AKIAIOSFODNN7EXAMPLE -secretaccesskey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -region us-east-1
  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type digicert -apikey <digicert_api_key>

    The command options are outlined in the following table.

    Option Description

    name

    The name used to represent the CA backend.

    type

    The type of CA that is being connected to.

    For DigiCert the value must be digicert.

    apikey

    The DigiCert API key.

    Sample command
    sectigo-cbcs.exe backend add -name DigiCertCA -type digicert -apikey 49ca638f-ec73-40fa-a6f6-6a85e997a5a7
  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type entrust -username <username> -apikey <entrust_api_key> -cert <path_to_user_certificate> -key <path_to_user_certificate_private_key>

    The command options are outlined in the following table.

    Option Description

    name

    The name used to represent the CA backend.

    type

    The type of CA that is being connected to.

    For Entrust the value must be entrust.

    username

    The username given on Entrust Enterprise UI.

    apikey

    API key that was generated.

    cert

    The path to the user’s active Entrust certificate.

    key

    The path to the private key that corresponds to the active Entrust certificate.

    Sample command
    sectigo-cbcs.exe backend add -name EntrustCA -type entrust -username SampleAdminUser -apikey 49ca638f-ec73-40fa-a6f6-6a85e997a5a7 -cert C:/Users/sampleuser/Downloads/authfile.cer -key C:/Users/sampleuser/Downloads/myprivatekey.pkcs8
  3. (Optional) Delete the cert and key files.

    All required information is copied and encrypted from these files during the creation of the backend CA.
  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type gcpcas -project <project_id> -location <location> -key <path_to_key_file>

    The command options are outlined in the following table.

    Option Description

    name

    The name used to represent the CA backend.

    type

    The type of CA that is being connected to.

    For GCP CA Service the value must be gcpcas.

    project

    The GCP Project ID.

    location

    The location specified during CA creation.

    key

    The path to the service account key .json file.

    Sample command
    sectigo-cbcs.exe backend add -name GoogleCA -type gcpcas -project private-ca-342871 -location us-east-1 -key C:/Users/sampleuser/Downloads/service-account-key.json
  3. (Optional) Delete the service account key file.

    All required information is copied and encrypted from this file during the creation of the backend CA.
  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type msca -server <server> -ca <ca_common_name>

    The command options are outlined in the following table.

    Option Description

    name

    The name used to represent the CA backend.

    type

    The type of CA that is being connected to.

    For Microsoft CA the value must be msca.

    server

    The hostname of the server hosting the Microsoft CA.

    ca

    The CA’s Common Name.

    Sample command
    sectigo-cbcs.exe backend add -name MSCA1 -type msca -server SectigoTestCA -ca local-SectigoTestCA-CA
  3. Generate the Enrollment Agent (EA) key pair and enroll the Enrollment Agent Certificate.

    sectigo-cbcs.exe backend msca enroll-agent-cert -name <backend_name> -ca <ca_common_name>
    You can specify an alternative EA template by adding the -template <your_ea_name> option.

You can view additional CLI commands with the help command.

sectigo-cbcs help

Restore a CA connector

CA Connectors that are offline for over 30 days may lose the ability to connect to SCM. In most cases, this connectivity can be restored by doing the following:

  1. Log in to SCM.

  2. Navigate to Integrations  CA Connectors.

  3. Select the connector to be restored, and click Restore.

  4. Click OK.

  5. Save the displayed token, and close the Restore Connector dialog.

  6. In a command prompt window, navigate to the CA connector install location.

  7. Restore the connector.

    register -token <registration_token> -force

Update a CA connector

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download CA Connector icon.

  4. (Optional) If required, move the SectigoCBCS.msi file to the CA connector machine.

  5. Right-click SectigoCBCS.msi and click Install.

    The package automatically recognizes that there’s an existing version of the CA connector and initiates an update instead of a new install.

  6. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  7. (Optional) Specify an installation location.

  8. Click Next, Install, and Close.

  9. In SCM, navigate to the CA Connectors page and verify that the connector is connected and showing the correct version.

Uninstall a CA connector

  1. In Windows, navigate to Settings  Apps & features.

  2. Search for Sectigo.

  3. Select the Sectigo CA Backend Connector and click Uninstall.

  4. (Optional) Delete the files and logs associated with the CA connector.

    1. Navigate to C:\ProgramData\Sectigo Limited.

    2. Delete the SectigoCBCS folder.

      This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the CA connector.
  5. In SCM, navigate to Integrations  CA Connectors.

  6. Select the connector you want to delete.

  7. Click the Delete icon.

  8. Click Delete.

CA connector service commands

Command Description

Start

Start a CA connector:

sc start SectigoCBCS

Stop

Stop a CA connector:

sc stop SectigoCBCS

Query

Query the status of a CA connector:

sc query SectigoCBCS