Integration structure

The integration hides the complexity of the SCM REST API by acting as an adapter between Chef and the Sectigo API. It enables you to request, replace, renew, and revoke certificates on your WorkStation and Client nodes.

Components

The integration is based on the following components:

  • The Ruby client library for the Sectigo API handles the communication with the Sectigo REST API. The library ships as a component of the Chef cookbook; it is not designed or delivered as a general-purpose library.

  • The Chef cookbook mediates between you, the Chef server and client nodes, and the Sectigo REST API. It consists mainly of a standard Chef run with minimal dependencies, and supports the enrollment, collection, replacement, renewal, and revocation of SSL and client certificates.

The Chef cookbook is the only component that interacts with the library; nothing else calls it directly.

Sectigo Chef recipes

The following recipes let you interact with SCM and perform the different operations. To trigger a recipe, add it to the run_list attribute of the JSON file that carries all the parameters for the run (the package includes sample JSON files under samples/).

Issue a certificate

Use the issue_certificate entry in your run_list in the samples/ssl_params.json or samples/client_params.json file.

"run_list": [
    "recipe[sectigo_chef_cookbook::issue_certificate]"
]

This recipe does the following:

  • Enrolls and collects a certificate from SCM

  • Stores and maintains the .key, .csr, .crt, and .ids files

  • Checks an existing certificate’s validity, auto-renews it if required, and updates the certificate-related files

  • Allows you to generate a private key and a CSR
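The two pieces of that list a practitioner most often wants to see are the key/CSR generation and the validity check that decides whether a renewal is needed. The following is an added illustration in Ruby, not code from the cookbook or its client library: it assumes the same file layout as the recipe (<name>.key, <name>.csr, <name>.crt in one directory), a 30-day renewal window (the cookbook's actual threshold is not stated on this page), and, because it must run offline, a self-signed certificate constructed locally as a stand-in for the one SCM would issue for the CSR.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"

# Create a 2048-bit RSA private key and a CSR for +common_name+ and store them
# as <base>.key and <base>.csr in +dir+, the same layout the recipe maintains.
# Returns the key so the caller can pair it with the certificate later.
def generate_key_and_csr(dir, base, common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))

  key_path = File.join(dir, "#{base}.key")
  File.write(key_path, key.to_pem)
  File.chmod(0o600, key_path) # the private key must never be world-readable
  File.write(File.join(dir, "#{base}.csr"), csr.to_pem)
  key
end

# Classify the certificate stored as <base>.crt against <base>.key.
# Returns :missing      if either file is absent (first run: enroll),
#         :key_mismatch if the certificate was not issued for this key,
#         :renew        if it expires within +renew_days+ (or already has),
#         :ok           otherwise.
# The 30-day window is an assumption of this example, not the cookbook's value.
def certificate_status(dir, base, renew_days: 30, now: Time.now)
  crt_path = File.join(dir, "#{base}.crt")
  key_path = File.join(dir, "#{base}.key")
  return :missing unless File.exist?(crt_path) && File.exist?(key_path)

  cert = OpenSSL::X509::Certificate.new(File.read(crt_path))
  key = OpenSSL::PKey::RSA.new(File.read(key_path))
  return :key_mismatch unless cert.check_private_key(key)
  return :renew if cert.not_after <= now + renew_days * 86_400

  :ok
end

# Constructed stand-in for the certificate SCM would return for the CSR: a
# self-signed certificate over the same key, valid for +days+ days. It exists
# only so this example runs offline; the recipe collects the real one from SCM.
def self_signed_certificate(key, common_name, days:, now: Time.now)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    key = generate_key_and_csr(dir, "web", "web.example.com")
    puts "before collection: #{certificate_status(dir, 'web')}" # :missing
    File.write(File.join(dir, "web.crt"),
               self_signed_certificate(key, "web.example.com", days: 10).to_pem)
    puts "10 days left:      #{certificate_status(dir, 'web')}" # :renew
  end
end
```

The key-mismatch case is the one worth keeping: if someone drops a certificate for a different key into the directory (for instance by copying files between hosts), a check that only looks at the expiry date would happily report it as valid.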

Replace a certificate

Use the replace_certificate entry in your run_list in the samples/ssl_params.json or samples/client_params.json file.

"run_list": [
    "recipe[sectigo_chef_cookbook::replace_certificate]"
]

This recipe replaces an existing certificate on SCM using the certificate ID from the .ids file, which must already exist. The replacement certificate is collected and the certificate-related files are updated.

Revoke a certificate

Use the revoke_certificate entry in your run_list in the samples/ssl_params.json or samples/client_params.json file.

"run_list": [
    "recipe[sectigo_chef_cookbook::revoke_certificate]"
]

This recipe revokes a certificate on SCM using the certificate ID from the .ids file, which must already exist. Revocation cannot be undone, so make sure the .ids file on the node refers to the certificate you intend to revoke before adding this recipe to the run_list.

Collect a certificate

Use the collect_certificate entry in your run_list in the samples/ssl_collect.json or samples/client_collect.json file.

"run_list": [
    "recipe[sectigo_chef_cookbook::collect_certificate]"
]

This recipe collects a certificate from SCM using the sectigo_ssl_cert_ssl_id value (SSL certificates) or the sectigo_client_cert_order_number value (client certificates) that was provided to you.

Copy a certificate

Use the copy_certificate entry in your run_list in the samples/ssl_copy.json or samples/client_copy.json file.

"run_list": [
    "recipe[sectigo_chef_cookbook::copy_certificate]"
]

This recipe copies certificate-related files from the Chef server onto a Chef node. Before using it, place the existing certificate-related files under the files subdirectory of your sectigo_chef_cookbook directory; if that subdirectory does not exist, create it and add the files manually. The files are then copied to the destination that you specify in your JSON file. Keep in mind that everything under files is uploaded to the Chef server together with the cookbook and is available to any node that can download the cookbook, so treat a .key placed there as shared with all of those nodes and restrict who can upload and fetch the cookbook accordingly.

In the copy_certificate recipe, specify the file name that you want to copy: the sectigo_ssl_cert_file_name (or sectigo_client_cert_file_name) parameter for copy_certificate must match the value you used in the earlier recipe (issue_certificate, replace_certificate, or collect_certificate) that produced the files.
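The file-name requirement above is easy to get wrong, and the failure mode (a node that ends up with no files, or with the wrong certificate's files) is quiet. The following is an added Ruby illustration of the pre-flight check and the copy, written here for this page and not taken from the cookbook: it assumes the four files named in the issue_certificate section (.key, .csr, .crt, .ids) all carry the same base name under files/, copies them as plain files rather than through Chef's cookbook_file resource, and chooses 0600 for the private key and 0644 for the rest as a least-privilege default.

```ruby
require "fileutils"
require "tmpdir"

# The four files the cookbook keeps per certificate (see the issue_certificate recipe).
CERT_FILE_EXTENSIONS = %w[key csr crt ids].freeze

# Source paths under <cookbook>/files for the given file name. The name is
# restricted to a simple token so a value such as "../other" cannot reach
# outside files/.
def cookbook_cert_files(cookbook_dir, file_name)
  unless file_name.match?(/\A[\w.-]+\z/)
    raise ArgumentError, "invalid certificate file name: #{file_name.inspect}"
  end
  files_dir = File.join(cookbook_dir, "files")
  CERT_FILE_EXTENSIONS.map { |ext| File.join(files_dir, "#{file_name}.#{ext}") }
end

# Names of the expected files that are not under files/. A non-empty result
# usually means the file name does not match the one used by the earlier
# issue/replace/collect run, or the files were never added to files/.
def missing_cert_files(cookbook_dir, file_name)
  cookbook_cert_files(cookbook_dir, file_name)
    .reject { |path| File.exist?(path) }
    .map { |path| File.basename(path) }
end

# Copy the files to +dest_dir+, refusing to run with an incomplete set.
# The private key lands as 0600, everything else as 0644.
# Returns the destination paths.
def copy_cert_files(cookbook_dir, file_name, dest_dir)
  missing = missing_cert_files(cookbook_dir, file_name)
  unless missing.empty?
    raise "missing under #{File.join(cookbook_dir, 'files')}: #{missing.join(', ')}"
  end
  FileUtils.mkdir_p(dest_dir, mode: 0o755)
  cookbook_cert_files(cookbook_dir, file_name).map do |src|
    dest = File.join(dest_dir, File.basename(src))
    FileUtils.cp(src, dest)
    File.chmod(src.end_with?(".key") ? 0o600 : 0o644, dest)
    dest
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    cookbook = File.join(root, "sectigo_chef_cookbook")
    FileUtils.mkdir_p(File.join(cookbook, "files"))
    # Constructed placeholder contents; a real run uses the files an earlier recipe produced.
    CERT_FILE_EXTENSIONS.each do |ext|
      File.write(File.join(cookbook, "files", "web.#{ext}"), "placeholder #{ext}\n")
    end
    puts missing_cert_files(cookbook, "web").inspect   # []
    puts missing_cert_files(cookbook, "other").inspect # ["other.key", "other.csr", "other.crt", "other.ids"]
    puts copy_cert_files(cookbook, "web", File.join(root, "etc", "ssl")).inspect
  end
end
```

Running the missing-file check before the copy, rather than discovering the mismatch on the node, is the point: a name typo then fails the run with the list of absent files instead of silently leaving a service without its certificate.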