Managing SSL/TLS automation module endpoints

Orchestration gateways are deployed within your internal network to allow SSL certificate auto-installation on added endpoints.

Orchestration gateways can be configured for certificate installation in the following ways:

  • Local — An orchestration gateway is installed on the same host as the endpoint. The orchestration gateway uses local commands to interact with the endpoint software and configuration.

  • Remote — A single orchestration gateway is installed on a central server and configured with the details of the other endpoints on your network. The orchestration gateway uses remote connections that require authentication to interact with the endpoint software and configuration.

Orchestration gateway connection types are limited as outlined in the following table.

| Endpoint Type | Gateway Installation on Windows OS | Gateway Installation on Linux OS | Gateway Installation on Docker |
| --- | --- | --- | --- |
| Apache 2.4 | Remote auto-installation | Local/Remote auto-installation | Remote auto-installation |
| Tomcat 9.x, 10.x, 11.x | Local/Remote auto-installation | Local/Remote auto-installation | Remote auto-installation |
| Microsoft IIS 10 | Local/Remote auto-installation | Remote auto-installation | Remote auto-installation |
| F5 BIG-IP 15.1, 16.1, 17.1 | Remote auto-installation | Remote auto-installation | Remote auto-installation |
| Nginx | Local/Remote auto-installation | Local/Remote auto-installation | Remote auto-installation |
| P12, JKS, PEM | Local/Remote auto-installation | Local/Remote auto-installation | Remote auto-installation |

P12, JKS, and PEM endpoints support the use of custom scripts following certificate installation or endpoint restart. For more information, see Custom scripts.

Adding endpoints to an orchestration gateway

Endpoint requirements

To add Microsoft IIS servers to an orchestration gateway, the following requirements must be satisfied:

  • The Microsoft IIS server type is enabled for your account.

  • The user is a member of the local Administrators group.

To add Apache servers to an orchestration gateway, the following requirements must be satisfied:

  • The Apache server type is enabled for your account.

  • Local:

    • The sectigo-orchestration-gateway service has, by default, all required permissions to manage an Apache web server.

  • Remote:

    • The account specified for remote access must have permissions on the remote Apache web server to do the following:

      • Execute apachectl

      • Read and write site configuration files in ServerRoot

      • Write certificate files to a remote certificates directory (default /var/sectigo-orchestration-gateway-certs)
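A preflight check for the remote Apache permissions listed above, as an added example that is not part of the Sectigo documentation or tooling. It is meant to be run on the Apache host as the account that will be given to the gateway; the function name and the reading of "site configuration files" as the *.conf files under ServerRoot are assumptions.

```shell
#!/bin/sh
# Added example (not Sectigo code): report which of the documented remote
# Apache permissions the current account is missing.
# Assumptions: "site configuration files" are the *.conf files under
# ServerRoot; the function name apache_account_gaps is hypothetical.

DEFAULT_CERT_DIR=/var/sectigo-orchestration-gateway-certs   # default from the page

# Usage: apache_account_gaps <apachectl-path> <ServerRoot> [cert-dir]
# Prints one line per missing permission; prints nothing when all are present.
apache_account_gaps() {
    apachectl=$1
    server_root=$2
    cert_dir=${3:-$DEFAULT_CERT_DIR}

    # 1. Execute apachectl
    { [ -f "$apachectl" ] && [ -x "$apachectl" ]; } || echo "execute: $apachectl"

    # 2. Read and write site configuration files in ServerRoot
    if [ -d "$server_root" ] && [ -r "$server_root" ]; then
        find "$server_root" -type f -name '*.conf' | while IFS= read -r conf; do
            { [ -r "$conf" ] && [ -w "$conf" ]; } || echo "read/write: $conf"
        done
    else
        echo "read: $server_root"
    fi

    # 3. Write certificate files to the certificates directory
    { [ -d "$cert_dir" ] && [ -w "$cert_dir" ]; } || echo "write: $cert_dir"
    return 0
}

# Run the check when paths are supplied on the command line.
if [ "$#" -ge 2 ]; then
    gaps=$(apache_account_gaps "$@")
    if [ -n "$gaps" ]; then
        printf 'missing permissions:\n%s\n' "$gaps" >&2
        exit 1
    fi
    echo "account has the documented permissions"
fi
```

An empty result only shows that the listed permissions are present; it does not show that the account has nothing beyond them.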

To add Apache Tomcat servers to an orchestration gateway, the following requirements must be satisfied:

  • The Apache Tomcat server type is enabled for your account.

  • Local:

    • The sectigo-orchestration-gateway service has, by default, all required permissions to manage an Apache Tomcat web server.

  • Remote:

    • The account specified for remote access must have permissions on the remote Apache Tomcat web server to do the following:

      • Start and stop the Apache Tomcat service

      • Read and write site configuration files in the Tomcat installation folder

      • Write JKS certificate files to the Tomcat installation folder

To add F5 BIG-IP servers to an orchestration gateway, the following requirements must be satisfied:

  • The F5 BIG-IP server type is enabled for your account.

  • User must have the Administrator role with CLI enabled in the F5 BIG-IP application.

  • User must add a valid certificate and ensure it is trusted by the orchestration gateway machine.

To add Nginx servers to an orchestration gateway, the following requirements must be satisfied:

  • The Nginx server type is enabled for your account.

  • Local:

    • The sectigo-orchestration-gateway service has, by default, all required permissions to manage an Nginx web server.

  • Remote:

    • The account specified for remote access must have permissions on the remote Nginx web server to do the following:

      • Manage the nginx systemd unit, for example by running systemctl reload nginx.service

      • Read and write site configuration files in nginx_config_path (by default /etc/nginx/)

      • Write certificate files to the remote certificates directory (by default the Nginx configuration directory, for example /etc/nginx/)

To add p12, jks, or pem endpoints to an orchestration gateway, the following requirements must be satisfied:

  • The p12, jks, or pem endpoint type is enabled for your account.

  • The required p12, jks, or pem file already exists on the orchestration gateway machine.

  • (Optional) When using custom scripts, the following requirements must be satisfied:

    • The script must be manually added to each connected endpoint.

    • For local connections, scripts must be run by the root or administrator user.

    • For remote connections, the specified user account must have sufficient permissions to access and execute the custom script on the endpoint machine(s).

Add an endpoint

Microsoft IIS

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add a Microsoft IIS server using the orchestration gateway based on your system.

    Unused options must be removed from the command.

    The command options are outlined in the following table.

    • Windows

      Sectigo-og.exe tls add iis --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Linux

      ./sectigo-og tls add iis --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add iis --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>

    | Option | Description |
    | --- | --- |
    | --name | The name of the server. Must be between 1 and 32 characters. |
    | --connection_type | The connection type. The valid types are: local, ssh_windows, winrm_http, winrm_https, winrm_https_insecure. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

Apache

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add an Apache server using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      Sectigo-og.exe tls add apache --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --apachectl_path <apachectl-path>
    • Linux

      ./sectigo-og tls add apache --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --apachectl_path <apachectl-path>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add apache --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --apachectl_path <apachectl-path>

    | Option | Description |
    | --- | --- |
    | --name | The name of the server. Must be between 1 and 32 characters. |
    | --connection_type | The connection type. The valid types are: local, ssh. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --apachectl_path | The path to apachectl. Must be between 1 and 4096 characters. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

Apache Tomcat

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add an Apache Tomcat server using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      Sectigo-og.exe tls add tomcat --name <server_name> --tomcat_dir <tomcat-path> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Linux

      ./sectigo-og tls add tomcat --name <server_name> --tomcat_dir <tomcat-path> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add tomcat --name <server_name> --tomcat_dir <tomcat-path> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>

    | Option | Description |
    | --- | --- |
    | --name | The name of the server. Must be between 1 and 32 characters. |
    | --tomcat_dir | The path to the Tomcat directory, for example /opt/tomcat. Must be at least 1 character long. |
    | --connection_type | The connection type. The valid types are: local, ssh, winrm_http, winrm_https, winrm_https_insecure. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

F5 BIG-IP

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add an F5 BIG-IP server using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      Sectigo-og.exe tls add f5 --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Linux

      ./sectigo-og tls add f5 --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add f5 --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id>

    | Option | Description |
    | --- | --- |
    | --name | The name of the server. Must be between 1 and 32 characters. |
    | --connection_type | The connection type. The valid types are: rest, rest_insecure. |
    | --host | The server hostname. Must be between 1 and 255 characters. |
    | --port | The server port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

Nginx

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add an Nginx server using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      Sectigo-og.exe tls add nginx --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --nginx_config_path <nginx-config-file-path>
    • Linux

      ./sectigo-og tls add nginx --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --nginx_config_path <nginx-config-file-path>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add nginx --name <server_name> --connection_type <connection_type> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --nginx_config_path <nginx-config-file-path>

    | Option | Description |
    | --- | --- |
    | --name | The name of the server. Must be between 1 and 32 characters. |
    | --connection_type | The connection type. The valid types are: local, ssh. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --nginx_config_path | The path to the Nginx config file. Must be between 1 and 4096 characters. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

P12

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add a p12 endpoint using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      sectigo-og.exe tls add p12 --name <name> --connection_type <connection_type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path> --is_legacy <true-or-false>
    • Linux

      ./sectigo-og tls add p12 --name <name> --connection_type <connection_type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path> --is_legacy <true-or-false>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add p12 --name <name> --connection_type <connection_type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path> --is_legacy <true-or-false>

    | Option | Description |
    | --- | --- |
    | --name | The name of the endpoint. Must be between 1 and 32 characters. |
    | --path | The path to the keystore or certificate file. |
    | --store_password | The keystore password. |
    | --connection_type | The connection type. The valid types are: local, ssh, ssh_windows, winrm_http, winrm_https, winrm_https_insecure. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --install_script | The path to the install script. |
    | --restart_script | The path to the restart script. |
    | --is_legacy | Specifies which password-based encryption (PBE) scheme is used to encrypt the PKCS#8 private key inside the PKCS#12 ShroudedKeyBag. The valid values are: true (old PKCS#12 legacy PBE) and false (recommended; modern PKCS#5 PBES2). The value defaults to false. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.
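To see which scheme an existing PKCS#12 file uses when choosing a value for --is_legacy, the Shrouded Keybag line printed by `openssl pkcs12 -info` can be classified as below. This is an added example, not Sectigo tooling: the function names are hypothetical, the sample lines are constructed, and the file password is assumed to be supplied in the P12_PASS environment variable.

```shell
#!/bin/sh
# Added example (not Sectigo code): report which PBE scheme protects the
# private key in a PKCS#12 file, to compare against --is_legacy.

# Reads `openssl pkcs12 -info -noout` output on stdin and prints
# pbes2, legacy or unknown for the first Shrouded Keybag line found.
# Only that line is examined; the certificate bag may use another scheme.
p12_key_pbe() {
    awk '
        /Shrouded Keybag:/ {
            found = 1
            if ($0 ~ /PBES2/) print "pbes2"; else print "legacy"
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# Maps the detected scheme to the --is_legacy value that describes it.
is_legacy_value() {
    case "$1" in
        pbes2)  echo false ;;
        legacy) echo true ;;
        *)      return 1 ;;
    esac
}

# Inspects a real file. openssl writes the bag summary to stderr, hence 2>&1.
# The password is read from the environment so it does not appear in argv.
inspect_p12() {
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1 | p12_key_pbe
}

# Constructed sample: summary lines for a file written with PBES2.
sample_modern() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

# Constructed sample: summary lines for a file written with the legacy PBE.
sample_legacy() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# With a file argument, report the scheme and the matching --is_legacy value.
if [ "$#" -eq 1 ]; then
    scheme=$(inspect_p12 "$1")
    if value=$(is_legacy_value "$scheme"); then
        echo "$1: key bag uses $scheme (--is_legacy $value)"
    else
        echo "$1: no Shrouded Keybag line found" >&2
        exit 1
    fi
fi
```

On OpenSSL 3.x, files that use older algorithms may additionally need the -legacy option before they can be read.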

JKS

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Modify and run the following command to add a jks endpoint using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      sectigo-og.exe tls add jks --name <name> --connection_type <connection-type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>
    • Linux

      ./sectigo-og tls add jks --name <name> --connection_type <connection-type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add jks --name <name> --connection_type <connection-type> --path <file-path> --store_password <password> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>

    | Option | Description |
    | --- | --- |
    | --name | The name of the endpoint. Must be between 1 and 32 characters. |
    | --path | The path to the keystore or certificate file. |
    | --store_password | The keystore password. |
    | --connection_type | The connection type. The valid types are: local, ssh, ssh_windows, winrm_http, winrm_https, winrm_https_insecure. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --install_script | The path to the install script. |
    | --restart_script | The path to the restart script. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

PEM

  1. Open the command line.

    If using Windows, you must open the command line as an administrator.
  2. Navigate to the orchestration gateway installation directory.

  3. Run the following command to add a pem endpoint using the orchestration gateway based on your system.

    Unused options must be removed from the command.
    • Windows

      sectigo-og.exe tls add pem --name <name> --connection_type <connection-type> --path <file-path> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>
    • Linux

      ./sectigo-og tls add pem --name <name> --connection_type <connection-type> --path <file-path> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>
    • Docker

      docker exec <container> /opt/sectigo-orchestration-gateway/bin/sectigo-og tls add pem --name <name> --connection_type <connection-type> --path <file-path> --host <server_host> --port <port> --user <user> --password <password> --ssh_key_path <ssh-key-path> --ssh_key_password <ssh-key-password> --store <credential-store-name> --store_cred_id <credential-store-id> --install_script <custom-install-script-path> --restart_script <custom-restart-script-path>

    | Option | Description |
    | --- | --- |
    | --name | The name of the endpoint. Must be between 1 and 32 characters. |
    | --path | The path to the file. |
    | --connection_type | The connection type. The valid types are: local, ssh, ssh_windows, winrm_http, winrm_https, winrm_https_insecure. |
    | --host | The remote hostname or address. Must be between 1 and 255 characters. |
    | --port | The remote port. Must be an integer between 1 and 65535. |
    | --user | The username for authentication. |
    | --password | The password for authentication. |
    | --ssh_key_path | The path to the SSH key file. |
    | --ssh_key_password | The password for the SSH key. |
    | --store | The credential store name. |
    | --store_cred_id | The credential store ID. |
    | --install_script | The path to the install script. |
    | --restart_script | The path to the restart script. |
    | --help, -h | Displays the help information. |

    After you run the command, the terminal should return a success message and instance ID.

  4. In SCM, navigate to Integrations > Orchestration Gateway.

  5. Select your orchestration gateway and click Sync Modules.

Once an endpoint is added to an orchestration gateway, you must complete the following steps:

  • Delegate the endpoint to the appropriate organization or department. For more information, see Delegate an endpoint.

  • Discover nodes associated with the endpoint. For more information, see Discover nodes.

Delegate an endpoint

  1. Navigate to Integrations > SSL/TLS Automation Modules.

  2. Select the endpoint you want to delegate.

  3. Click Edit.

  4. In the SSL/TLS Automation Module dialog, select the organization and department you want to assign to the endpoint.

  5. Click Save.

Managing nodes

Discover nodes

  1. Navigate to Integrations > SSL/TLS Automation Modules.

  2. Select your endpoint.

  3. Click Discover Nodes.

    You need to assign an organization or a department to the endpoint before you can discover nodes.

View nodes

  1. Navigate to Integrations > SSL/TLS Automation Modules.

  2. Select your endpoint.

  3. Click Nodes to view the nodes associated with the endpoint.

Each node is displayed as a collapsible heading that shows the name of the node, the vendor, and the node state.

| Column Name | Description |
| --- | --- |
| Name | The name of the node. |
| Alias | The alias for the node (if available). |
| Protocol | Whether the node is connected through HTTP or HTTPS. |
| IP Address | The IP address of the node. |
| Port | The port used to connect to the node. |
| SSL | The order number of the SSL certificate associated with the node. |

Discovered certificates that have not been assigned to an organization or department are displayed as External.

Click the value in the SSL column for any given node to view or manage the associated SSL certificate.

Restart an endpoint

The auto-installation of an SSL certificate on Apache or Tomcat servers requires the web server to be restarted following certificate deployment. This is required for new certificates, and any time an auto-installation certificate is manually or automatically renewed.

Servers can be restarted from the SSL Certificates page.

  1. Navigate to Certificates > SSL Certificates.

  2. Select the certificate installed on the server you want to restart, and click View.

  3. In the SSL Certificate dialog, select the Management tab, and expand the Auto-Installation section.

  4. Locate the server you want to restart, and click Restart.

Custom scripts

When adding P12, JKS, or PEM endpoints to an orchestration gateway, you can optionally configure custom scripts for specific actions.

  • Installation script — When configured, the script runs after the certificate and private key entries have been successfully created in the target keystore. This script is for any specific post-installation actions and it is invoked with the alias of the newly created keystore entry.

  • Restart script — When configured, this script runs when Restart is clicked in SCM. This script is for specific actions that should be triggered explicitly as an independent step rather than as part of the installation process.
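
A minimal installation script shaped by the description above, as an added example that is not Sectigo code. It assumes the alias arrives as the first positional argument; the log path, the accepted alias character set and the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example (not Sectigo code): installation script for a P12/JKS/PEM endpoint.
# Assumption: the gateway passes the new keystore alias as the first argument.

AUDIT_LOG=${AUDIT_LOG:-/var/log/og-install-hook.log}   # hypothetical log path
OWNER_UID=${OWNER_UID:-0}                              # local scripts run as root

# Accept only aliases of 1-64 letters, digits, dots, underscores and hyphens
# that do not start with a hyphen. The alias is external input to a privileged
# script, so anything else is refused rather than sanitised.
alias_is_safe() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# True when $1 is a regular file (not a symlink) owned by uid $2 (default 0)
# and not writable by group or others. A script that runs as root must not be
# replaceable by a less privileged account.
script_is_locked_down() {
    path=$1
    want_uid=${2:-0}
    { [ -f "$path" ] && [ ! -L "$path" ]; } || return 1
    listing=$(ls -ldn -- "$path") || return 1
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    uid=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    [ "$uid" = "$want_uid" ] || return 1
    case "$mode" in
        ?????w???? | ????????w?) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

main() {
    entry_alias=$1
    alias_is_safe "$entry_alias" || {
        echo "install hook: alias rejected" >&2
        return 2
    }
    script_is_locked_down "$0" "$OWNER_UID" || {
        echo "install hook: $0 must be owned by uid $OWNER_UID and not group/world-writable" >&2
        return 3
    }
    # Record what was installed and when, for later review.
    printf '%s installed alias=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$entry_alias" >> "$AUDIT_LOG"
    # Site-specific post-installation action goes here, for example telling
    # the application that reads the keystore to reload it.
}

# Run only when invoked with an argument, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```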