Managing CA connectors

Configure a CA connector

Each CA has specific configuration instructions that must be completed once the CA connector is installed.

  • AWS Private CA

  • DigiCert

  • Entrust

  • GCP CA Service

  • Microsoft CA

  AWS Private CA

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type acmpca -accesskeyid <key_id> -secretaccesskey <secret_access_key> -region <region>

    The command options are outlined in the following table.

    Option           Description
    name             The name used to represent the CA backend.
    type             The type of CA that is being connected to. For ACM the value must be acmpca.
    accesskeyid      The AWS access key ID generated when adding a user to AWS.
    secretaccesskey  The AWS secret access key generated when adding a user to AWS.
    region           The region specified during CA creation.

    Sample command
    sectigo-cbcs.exe backend add -name test-acmpca -type acmpca -accesskeyid AKIAIOSFODNN7EXAMPLE -secretaccesskey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -region us-east-1

  DigiCert

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type digicert -apikey <digicert_api_key>

    The command options are outlined in the following table.

    Option  Description
    name    The name used to represent the CA backend.
    type    The type of CA that is being connected to. For DigiCert the value must be digicert.
    apikey  The DigiCert API key.

    Sample command
    sectigo-cbcs.exe backend add -name DigiCertCA -type digicert -apikey 49ca638f-ec73-40fa-a6f6-6a85e997a5a7
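
The backend commands above take secrets (-secretaccesskey, -apikey) as plain arguments. The following PowerShell sketch is an added example, not Sectigo code: it prompts for the DigiCert API key with masked input instead of typing it into the command. The install location parameter and the non-zero exit code on failure are assumptions; the same pattern applies to the AWS secret access key and the Entrust API key.

```powershell
# Added example (not Sectigo code). Assumption: sectigo-cbcs.exe returns a
# non-zero exit code when "backend add" fails.
param(
    [Parameter(Mandatory)][string]$InstallDir   # CA connector install location
)
$ErrorActionPreference = 'Stop'

$Exe = Join-Path $InstallDir 'sectigo-cbcs.exe'
if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
    throw "sectigo-cbcs.exe not found in '$InstallDir'."
}

# Masked prompt: the key is never typed on a command line, stored in a
# script file, or written to the PSReadLine history file.
$Secure = Read-Host -Prompt 'DigiCert API key' -AsSecureString
$ApiKey = [System.Net.NetworkCredential]::new('', $Secure).Password
if ([string]::IsNullOrWhiteSpace($ApiKey)) { throw 'No API key entered.' }

try {
    # The key is still passed as a process argument, so it remains visible
    # to process-creation auditing that records command lines.
    & $Exe backend add -name 'DigiCertCA' -type digicert -apikey $ApiKey
    if ($LASTEXITCODE -ne 0) {
        throw "backend add failed with exit code $LASTEXITCODE."
    }
    Write-Host 'Backend DigiCertCA added.'
}
finally {
    # Drop the plaintext copy and release the SecureString.
    $ApiKey = $null
    $Secure.Dispose()
}
```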

  Entrust

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type entrust -username <username> -apikey <entrust_api_key> -cert <path_to_user_certificate> -key <path_to_user_certificate_private_key>

    The command options are outlined in the following table.

    Option    Description
    name      The name used to represent the CA backend.
    type      The type of CA that is being connected to. For Entrust the value must be entrust.
    username  The username given on Entrust Enterprise UI.
    apikey    API key that was generated.
    cert      The path to the user’s active Entrust certificate.
    key       The path to the private key that corresponds to the active Entrust certificate.

    Sample command
    sectigo-cbcs.exe backend add -name EntrustCA -type entrust -username SampleAdminUser -apikey 49ca638f-ec73-40fa-a6f6-6a85e997a5a7 -cert C:/Users/sampleuser/Downloads/authfile.cer -key C:/Users/sampleuser/Downloads/myprivatekey.pkcs8
  3. (Optional) Delete the cert and key files.

    All required information is copied and encrypted from these files during the creation of the backend CA.

  GCP CA Service

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type gcpcas -project <project_id> -location <location> -key <path_to_key_file>

    The command options are outlined in the following table.

    Option    Description
    name      The name used to represent the CA backend.
    type      The type of CA that is being connected to. For GCP CA Service the value must be gcpcas.
    project   The GCP Project ID.
    location  The location specified during CA creation.
    key       The path to the service account key .json file.

    Sample command
    sectigo-cbcs.exe backend add -name GoogleCA -type gcpcas -project private-ca-342871 -location us-east-1 -key C:/Users/sampleuser/Downloads/service-account-key.json
  3. (Optional) Delete the service account key file.

    All required information is copied and encrypted from this file during the creation of the backend CA.
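
Steps 2 and 3 for GCP CA Service can be run as one PowerShell script that deletes the key file only after the backend has been created. This is an added example, not Sectigo code: the script parameters and the non-zero exit code on failure are assumptions, and the backend name, project and location are the sample values used above. The same order applies to the Entrust -cert and -key files.

```powershell
# Added example (not Sectigo code). Assumption: sectigo-cbcs.exe returns a
# non-zero exit code when "backend add" fails.
param(
    [Parameter(Mandatory)][string]$InstallDir,  # CA connector install location
    [Parameter(Mandatory)][string]$KeyFile      # service account key .json file
)
$ErrorActionPreference = 'Stop'

$Exe = Join-Path $InstallDir 'sectigo-cbcs.exe'
if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
    throw "sectigo-cbcs.exe not found in '$InstallDir'."
}
$KeyFile = (Resolve-Path -LiteralPath $KeyFile).Path

# Confirm the file really is a service account key before handing it over.
$Key = Get-Content -LiteralPath $KeyFile -Raw | ConvertFrom-Json
if ($Key.type -ne 'service_account' -or -not $Key.private_key) {
    throw "'$KeyFile' is not a service account key file."
}
$Key = $null

& $Exe backend add -name 'GoogleCA' -type gcpcas -project 'private-ca-342871' `
    -location 'us-east-1' -key $KeyFile
if ($LASTEXITCODE -ne 0) {
    throw "backend add failed (exit code $LASTEXITCODE); key file kept for retry."
}

# The connector now holds its own encrypted copy, so remove the plaintext one.
# Remove-Item bypasses the Recycle Bin but does not overwrite disk blocks and
# does not touch other copies (browser downloads, backups).
Remove-Item -LiteralPath $KeyFile -Force
if (Test-Path -LiteralPath $KeyFile) {
    throw "Could not delete '$KeyFile'."
}
Write-Host "Backend GoogleCA added and '$KeyFile' deleted."
```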

  Microsoft CA

  1. In a command prompt window, navigate to the CA connector install location.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type msca -server <server> -ca <ca_common_name>

    The command options are outlined in the following table.

    Option  Description
    name    The name used to represent the CA backend.
    type    The type of CA that is being connected to. For Microsoft CA the value must be msca.
    server  The hostname of the server hosting the Microsoft CA.
    ca      The CA’s Common Name.

    Sample command
    sectigo-cbcs.exe backend add -name MSCA1 -type msca -server SectigoTestCA -ca local-SectigoTestCA-CA
  3. Generate the Enrollment Agent (EA) key pair and enroll the Enrollment Agent Certificate.

    sectigo-cbcs.exe backend msca enroll-agent-cert -name <backend_name> -ca <ca_common_name>
    You can specify an alternative EA template by adding the -template <your_ea_name> option.

You can view additional CLI commands with the help command.

sectigo-cbcs help

Restore a CA connector

CA Connectors that are offline for over 30 days may lose the ability to connect to SCM. In most cases, this connectivity can be restored by doing the following:

  1. Log in to SCM.

  2. Navigate to Integrations > CA Connectors.

  3. Select the connector to be restored, and click Restore.

  4. Click OK.

  5. Save the displayed token, and close the Restore Connector dialog.

  6. In a command prompt window, navigate to the CA connector install location.

  7. Restore the connector.

    register -token <registration_token> -force

Update a CA connector

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download CA Connector icon.

  4. (Optional) If required, move the SectigoCBCS.msi file to the CA connector machine.

  5. Right-click SectigoCBCS.msi and click Install.

    The package automatically recognizes that there’s an existing version of the CA connector and initiates an update instead of a new install.

  6. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  7. (Optional) Specify an installation location.

  8. Click Next, Install, and Close.

  9. In SCM, navigate to the CA Connectors page and verify that the connector is connected and showing the correct version.

Uninstall a CA connector

  1. In Windows, navigate to Settings > Apps & features.

  2. Search for Sectigo.

  3. Select the Sectigo CA Backend Connector and click Uninstall.

  4. (Optional) Delete the files and logs associated with the CA connector.

    1. Navigate to C:\ProgramData\Sectigo Limited.

    2. Delete the SectigoCBCS folder.

      This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the CA connector.

  5. In SCM, navigate to Integrations > CA Connectors.

  6. Select the connector you want to delete.

  7. Click the Delete icon.

  8. Click Delete.

CA connector service commands

Command  Description
Start    Start a CA connector: sc start SectigoCBCS
Stop     Stop a CA connector: sc stop SectigoCBCS
Query    Query the status of a CA connector: sc query SectigoCBCS