Configuring the Ansible role

The Ansible role requires that certain variables are provided; which variables are required depends on the specific use case. The variables are supplied in a variables .yml file that is passed to the playbook that uses the role.

Some variables contain sensitive values. For these variables we strongly encourage encryption with ansible-vault, so that they are never stored in clear text on disk or in version control. For more information on using ansible-vault, see the Ansible Vault documentation.

Customer specific parameters

You must provide the following parameters for all SSL and client certificate use cases.

The customer specific parameters can also be supplied as environment variables. The environment variable names are the parameter names in uppercase, for example SECTIGO_CM_USER for sectigo_cm_user.

Values supplied as environment variables take precedence over values specified in playbooks. It is suggested that you familiarize yourself with the Ansible variable precedence rules before mixing the two.

sectigo_cm_user (Mandatory): The user ID used to authenticate to your URI.

sectigo_cm_password (Mandatory): The password used to authenticate to your URI. Keep it in an ansible-vault encrypted file.

sectigo_cm_uri (Mandatory): Your customer specific URI.

sectigo_cm_org_id (Mandatory): Your Organization ID (numeric).

sectigo_cm_base_url (Mandatory): The base URL of the Sectigo Certificate Authority.

CSR parameters

The following CSR parameters are used for all SSL and client certificate use cases. You either let the role generate the private key and CSR, describing the subject with the individual fields or with sectigo_csr_subject, or you point the role at an existing CSR file with sectigo_csr.

sectigo_csr_domain (Conditional): A single domain name, which is placed in the certificate Common Name (CN) field. Required if sectigo_csr_subject is not provided.

sectigo_csr_subject (Conditional): The complete certificate signing request subject. If this parameter is provided, the role generates the private key used for the CSR (RSA 2048-bit by default). Required if neither sectigo_csr nor the individual subject fields below are provided.

sectigo_csr_country (Conditional): The country name, placed in the certificate Country (C) field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr_state (Conditional): The state/province name, placed in the certificate State (ST) field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr_location (Conditional): The location name, placed in the certificate Locality (L) field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr_organization (Conditional): The organization name, placed in the certificate Organization (O) field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr_organization_unit (Conditional): The organizational unit, placed in the certificate Organizational Unit (OU) field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr_email_address (Conditional): The email address, placed in the certificate emailAddress field. Required if neither sectigo_csr_subject nor sectigo_csr is defined.

sectigo_csr (Conditional): The full path of an existing certificate signing request file. If this is provided, the subject parameters are ignored.

sectigo_csr_key_algo (Optional): The algorithm used to generate the private key. The possible values are RSA and ECC. The default value is RSA.

sectigo_csr_key_size (Optional): The key size (RSA) or curve (ECC) of the private key to generate. The value must match sectigo_csr_key_algo. The possible values are:

  • RSA: 2048, 3072, and 4096

  • ECC: secp256r1, secp384r1, and secp521r1

The default value is RSA 2048-bit.

Certificate issuance parameters

The SSL and client certificate issuance use cases support different scenarios that require different parameters.

SSL certificates

sectigo_ssl_cert_file_path (Mandatory): The directory where the certificate is stored. The same directory is used to store the CSR, private key, and enrollment IDs, so restrict its permissions accordingly.

sectigo_ssl_cert_file_name (Mandatory): The name of the certificate file. The same name is used for the private key, CSR, and enrollment ID files.

sectigo_ssl_cert_type (Mandatory): The ID of the SSL certificate type (numeric).

sectigo_ssl_cert_validity (Mandatory): The certificate validity period in days (numeric). The available values depend on sectigo_ssl_cert_type.

sectigo_ssl_cert_format_type (Optional): The format in which the SSL certificate is delivered. The supported values are:

  • x509: X509, Base64 encoded (default)

  • x509CO: X509 certificate only, Base64 encoded

  • x509IO: X509 intermediates/root only, Base64 encoded

  • base64: PKCS#7, Base64 encoded

  • bin: PKCS#7, binary encoded

  • x509IOR: X509 intermediates/root only in reverse order, Base64 encoded

sectigo_ssl_cert_comments (Optional): Comments attached to the certificate enrollment.

sectigo_ssl_cert_num_servers (Conditional): The number of server licenses (numeric).

sectigo_ssl_cert_custom_fields (Optional): The custom fields to apply to the requested certificate, in the following format:

[{"name":"custom_field_1", "value":"value_1"}, {"name":"custom_field_2", "value":"value_2"}]

If you provide this value as a JSON string, make sure that the inner double quotes are escaped with \. Updating the custom fields triggers the issuance of a new certificate during the next check of the certificate's renewal status.

sectigo_ssl_cert_server_type (Optional): The server type ID (numeric).

sectigo_ssl_cert_subject_alt_names (Optional): A list of subject alternative names (SANs). Updating the SANs triggers the issuance of a new certificate during the next check of the certificate's renewal status.

sectigo_ssl_cert_external_requester (Optional): A comma-separated list of email addresses.

SSL certificate autorenewal

sectigo_auto_renew (Optional): If true, auto-renewal is enabled. The default value is true. A revoked certificate cannot be renewed; a new certificate is enrolled instead.

sectigo_ssl_cert_expiry_window (Optional): The number of days before expiration (numeric) within which a playbook run initiates a new SSL certificate enrollment. The default expiry window is 7 days.
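As an added, end-to-end example (not part of the role's own documentation or code), the two variables files and the playbook below put the customer, CSR, SSL issuance and autorenewal parameters together. The role name sectigo_certificates, the host group webservers, the certificate type ID and every value are placeholders to replace with your own; only the parameter names come from the tables above, and the ansible-vault and ansible-playbook commands in the comments are the standard Ansible CLI.

```yaml
# vars/sectigo_vault.yml (placeholder values): customer specific parameters.
# Encrypt this file before committing it, then supply the password at run time:
#   ansible-vault encrypt vars/sectigo_vault.yml
#   ansible-playbook -i inventory site.yml --ask-vault-pass
sectigo_cm_user: "svc-ansible-pki"
sectigo_cm_password: "replace-with-the-real-password"
sectigo_cm_uri: "examplecorp"
sectigo_cm_org_id: 1234
sectigo_cm_base_url: "https://cert-manager.example"

---
# vars/sectigo_ssl.yml (placeholder values): CSR and issuance parameters.
# Nothing here is secret, so this file can stay in clear text.
sectigo_csr_domain: "www.example.com"
sectigo_csr_country: "US"
sectigo_csr_state: "California"
sectigo_csr_location: "San Francisco"
sectigo_csr_organization: "Example Corp"
sectigo_csr_organization_unit: "Platform"
sectigo_csr_email_address: "pki@example.com"
sectigo_csr_key_algo: "ECC"
sectigo_csr_key_size: "secp384r1"   # one of the ECC curves, because the algo is ECC

sectigo_ssl_cert_file_path: "/etc/pki/sectigo"   # also holds the private key
sectigo_ssl_cert_file_name: "www.example.com"
sectigo_ssl_cert_type: 101                       # placeholder SSL certificate type ID
sectigo_ssl_cert_validity: 365
sectigo_ssl_cert_format_type: "x509"
sectigo_ssl_cert_subject_alt_names:
  - "example.com"
  - "api.example.com"
# A single-quoted YAML scalar keeps the inner double quotes literal, so the
# JSON custom fields string needs no backslash escaping here.
sectigo_ssl_cert_custom_fields: '[{"name":"custom_field_1", "value":"value_1"}]'
sectigo_auto_renew: true
sectigo_ssl_cert_expiry_window: 14   # start renewing two weeks before expiry

---
# site.yml
- name: Issue or renew the web server TLS certificate
  hosts: webservers
  become: true
  vars_files:
    - vars/sectigo_vault.yml
    - vars/sectigo_ssl.yml
  pre_tasks:
    # The role stores the private key next to the certificate, so create the
    # directory with restrictive permissions before the role writes into it.
    - name: Create the certificate directory with restrictive permissions
      ansible.builtin.file:
        path: "{{ sectigo_ssl_cert_file_path }}"
        state: directory
        owner: root
        group: root
        mode: "0750"
  roles:
    - role: sectigo_certificates   # placeholder: the name the role is installed under
```

Re-running the same playbook is how renewal happens: inside sectigo_ssl_cert_expiry_window the role enrolls a new certificate, and outside it nothing is issued unless sectigo_force is true or the SANs or custom fields changed. If the role picks up credentials you did not expect, check for SECTIGO_* variables in the environment running ansible-playbook, since those take precedence over the vaulted file.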

Client certificates

sectigo_client_cert_file_path (Mandatory): The directory where the certificate, CSR, private key, and enrollment IDs are stored. Restrict its permissions, since it holds the private key.

sectigo_client_cert_file_name (Mandatory): The name of the certificate file. The same name is used for the private key, CSR, and enrollment ID files.

sectigo_client_cert_first_name (Mandatory): The user's first name.

sectigo_client_cert_middle_name (Conditional): The user's middle name.

sectigo_client_cert_last_name (Mandatory): The user's last name. The combined length of the first, middle, and last name fields cannot exceed 64 characters.

sectigo_client_cert_email (Mandatory): A valid user email address of fewer than 256 characters.

sectigo_client_cert_type (Mandatory): The ID of the client certificate type (numeric).

sectigo_client_cert_validity (Mandatory): The certificate validity period in days (numeric). The available values depend on sectigo_client_cert_type.

sectigo_client_cert_custom_fields (Optional): The custom fields to apply to the requested certificate, in the following format:

[{"name":"custom_field_1", "value":"value_1"}, {"name":"custom_field_2", "value":"value_2"}]

If you provide this value as a JSON string, make sure that the inner double quotes are escaped with \. Updating the custom fields triggers the issuance of a new certificate during the next check of the certificate's renewal status.

Client certificate autorenewal

sectigo_auto_renew (Optional): If true, auto-renewal is enabled. The default value is true. A revoked certificate cannot be renewed; a new certificate is enrolled instead.

sectigo_client_cert_expiry_window (Optional): The number of days before expiration (numeric) within which a playbook run initiates a new client certificate enrollment. The default expiry window is 7 days.
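An added example for the client certificate use case (not the role's own code). It takes the environment variable route for the customer specific parameters instead of a vaulted file, and fails early if they are missing. The role name, the host group, the certificate type ID and all values are placeholders; the assumption that the role reads SECTIGO_* variables from the environment of the ansible-playbook process, and the choice to put the user's email address in the CN, are mine and not stated on this page. The parameter names are those in the tables above.

```yaml
# vars/sectigo_client.yml (placeholder values)
# The customer specific parameters are intentionally absent: export
# SECTIGO_CM_USER, SECTIGO_CM_PASSWORD, SECTIGO_CM_URI, SECTIGO_CM_ORG_ID and
# SECTIGO_CM_BASE_URL (for example from a CI secret store) before running
# ansible-playbook. Assumption: the role reads them from that environment.
# They take precedence over playbook values, so do not also define them here.
sectigo_csr_domain: "jane.doe@example.com"     # assumption: CN of the client CSR
sectigo_csr_country: "US"
sectigo_csr_state: "California"
sectigo_csr_location: "San Francisco"
sectigo_csr_organization: "Example Corp"
sectigo_csr_organization_unit: "Engineering"
sectigo_csr_email_address: "jane.doe@example.com"
sectigo_csr_key_algo: "RSA"
sectigo_csr_key_size: 3072                    # one of the RSA sizes, because the algo is RSA

sectigo_client_cert_file_path: "/home/jane.doe/.pki/sectigo"   # also holds the private key
sectigo_client_cert_file_name: "jane.doe"
sectigo_client_cert_first_name: "Jane"
# sectigo_client_cert_middle_name is omitted; first + middle + last must stay within 64 characters
sectigo_client_cert_last_name: "Doe"
sectigo_client_cert_email: "jane.doe@example.com"
sectigo_client_cert_type: 202                 # placeholder client certificate type ID
sectigo_client_cert_validity: 365
sectigo_auto_renew: true
sectigo_client_cert_expiry_window: 7

---
# client.yml: run against the machine that will hold the user's key.
- name: Enroll a client certificate for a user
  hosts: workstations
  become: true
  vars_files:
    - vars/sectigo_client.yml
  pre_tasks:
    # lookup('env', ...) reads the controller's environment, which is where the
    # credentials are expected to come from in this setup.
    - name: Fail early if the Sectigo credentials were not exported
      ansible.builtin.assert:
        that:
          - lookup('env', 'SECTIGO_CM_USER') | length > 0
          - lookup('env', 'SECTIGO_CM_PASSWORD') | length > 0
          - lookup('env', 'SECTIGO_CM_URI') | length > 0
        fail_msg: "Export SECTIGO_CM_USER, SECTIGO_CM_PASSWORD and SECTIGO_CM_URI before running this playbook"
        quiet: true
  roles:
    - role: sectigo_certificates   # placeholder: the name the role is installed under
```

The assert costs nothing and turns a confusing authentication failure deep inside the role into a clear message before any key material is generated on the target.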

Certificate revocation parameters

SSL and client certificates are revoked by setting the sectigo_state variable to absent. The SSL and client revocation use cases use the following parameters.

Revocation is irreversible: a revoked certificate cannot be renewed, and a new certificate will be enrolled during the next check of the certificate's renewal status.

SSL certificates

sectigo_ssl_cert_ssl_id (Mandatory): The ID of the SSL certificate to revoke.

sectigo_reason (Mandatory): The reason the certificate is being revoked.

Client certificates

sectigo_client_cert_order_number (Mandatory): The order number of the client certificate to revoke.

sectigo_reason (Mandatory): The reason the certificate is being revoked.
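An added example of the revocation use case (not the role's own code): one playbook with two plays, one revoking an SSL certificate by its ID and one revoking a client certificate by its order number. The role name, the host groups and the IDs are placeholders; in practice the IDs come from the enrollment ID files the role stores next to each certificate. The vaulted variables file is the one assumed in the issuance example above and is likewise a placeholder.

```yaml
# revoke.yml
# Setting sectigo_state to absent switches the role from issuance to revocation.
# After this runs, the next issuance playbook run enrolls a replacement instead
# of renewing, because a revoked certificate cannot be renewed.
- name: Revoke the web server TLS certificate
  hosts: webservers
  become: true
  vars_files:
    - vars/sectigo_vault.yml          # customer specific parameters, ansible-vault encrypted
  vars:
    sectigo_state: absent
    sectigo_ssl_cert_ssl_id: 123456   # placeholder: ID from the stored enrollment ID file
    sectigo_reason: "Private key exposure suspected on this host"
  roles:
    - role: sectigo_certificates      # placeholder: the name the role is installed under

- name: Revoke a departed user's client certificate
  hosts: workstations
  become: true
  vars_files:
    - vars/sectigo_vault.yml
  vars:
    sectigo_state: absent
    sectigo_client_cert_order_number: 987654   # placeholder: order number from the enrollment ID file
    sectigo_reason: "User left the organization"
  roles:
    - role: sectigo_certificates
```

Limit the plays to the hosts whose certificates you actually mean to revoke, for example with --limit, since every host in the group would otherwise submit a revocation with the same ID and reason.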

Other parameters

These additional parameters determine the behavior of the role.

sectigo_loop_period (Optional): The interval in seconds between repeated attempts to collect a certificate (numeric). The default value is 30.

sectigo_max_timeout (Optional): The maximum time in seconds during which repeated attempts to collect a certificate are made (numeric). The default value is 600.

sectigo_force (Optional): Issue a new certificate even if one already exists on the target server (Boolean). The default is false.

sectigo_reason (Optional): The reason a certificate is being revoked. Only used when sectigo_state is absent, and mandatory in that case.