Configuring the connector

This page describes how to configure the connector to automate the certificate lifecycle management for Akamai.

Extract the contents

The following steps must be performed before running the script:

  1. Extract the contents of the sectigo-akamai-cm-<version>.zip archive to the current path.

  2. Navigate to the root directory containing the solution files.

  3. Give execute permission to the certificate.sh file.

    chmod +x certificate.sh

Install the Akamai CLI

When you enroll a certificate, the certificate.sh script checks whether the Akamai CLI and needed tools are installed, and installs them automatically if not found.

If you decide to install the Akamai CLI and related tools manually, run the following commands.

wget https://github.com/akamai/cli/releases/download/v1.4.2/akamai-v1.4.2-linuxamd64 --quiet
chmod +x akamai-v1.4.2-linuxamd64
sudo mv akamai-v1.4.2-linuxamd64 /usr/local/bin/akamai
sudo apt update
sudo apt install python3-pip -y
sudo apt install python3-venv -y
akamai install cps
akamai cps setup --section default

For more information about CPS CLI installation and usage, see cli-cps.

Authenticate with Akamai

After installing the Akamai CPS CLI and before executing the script, you must authenticate your requests with a valid .edgerc file in your home directory (~/.edgerc). This file contains the secret, access_token, host, and client_token values used for authentication through EdgeGrid.

To generate the credentials:

  1. Log in to the Control Center.

  2. Select your profile at top right, then select User settings on the Users tab.

  3. Click Create API client, then click Quick or Advanced.

  4. Copy the values into the .edgerc file in your home directory.

For more details, see Create authentication credentials in Akamai documentation.
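Because certificate.sh reads ~/.edgerc at run time, a misnamed key or a world-readable credentials file is easier to catch before enrollment than during it. The following check is an added example, not part of the connector or of Akamai's tooling; it assumes the standard EdgeGrid .edgerc layout, where the section is [default] and the four keys are named client_secret, host, access_token and client_token, and it treats any mode other than 600 or 400 as a failure because the file holds an API secret.

```shell
#!/bin/sh
# Added example: sanity-check an EdgeGrid credentials file before running certificate.sh.
# Usage: check_edgerc [path] [section]   (defaults: ~/.edgerc, default)

check_edgerc() {
  file="${1:-$HOME/.edgerc}"
  section="${2:-default}"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # The file holds an API secret: refuse anything readable by group or others.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "insecure permissions $mode on $file (expected 600)" >&2; return 1 ;;
  esac

  # Extract only the lines inside the requested [section].
  block=$(awk -v s="[$section]" '
    $0 == s { inblk = 1; next }
    /^\[/   { inblk = 0 }
    inblk   { print }' "$file")
  [ -n "$block" ] || { echo "section [$section] not found in $file" >&2; return 1; }

  # Every EdgeGrid field must be present and non-empty (assumed key names, see lead-in).
  for key in client_secret host access_token client_token; do
    val=$(printf '%s\n' "$block" | awk -F= -v k="$key" '
      { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
      $1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }')
    [ -n "$val" ] || { echo "missing or empty $key in [$section]" >&2; return 1; }
  done
  echo "ok: $file [$section] has all EdgeGrid fields"
}

# Demo on a constructed credentials file (values are placeholders, not real tokens).
demo=$(mktemp)            # mktemp creates the file with mode 600
cat > "$demo" <<'EOF'
[default]
client_secret = constructed_secret_value=
host = constructed.luna.akamaiapis.net
access_token = akab-access-constructed
client_token = akab-client-constructed
EOF
check_edgerc "$demo" default
rm -f "$demo"
```

Run it as `check_edgerc` with no arguments against the real ~/.edgerc after step 4; a non-zero exit tells you which key or permission to fix before the script tries to talk to Akamai.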

Set the Akamai contract ID

Set your Akamai contract ID as an environment variable. The source command reloads ~/.bash_profile, so a CONTRACT_ID export placed there is picked up by the current shell as well as by future sessions.

export CONTRACT_ID='<contract_id>'
source ~/.bash_profile

Validate the domains

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. (Optional) Navigate to the Organizations page to see if an organization with departments already exists. On this page you can create a new organization or add departments to an existing organization.

    To add an organization:

    1. Click Add.

    2. Complete the fields with the organization’s details, then click Next.

    3. Configure settings for specific types of certificates.

    4. Click Save.

    5. Select the newly created organization from the list of organizations.

    6. Click Add Department and complete the fields with the department’s details.

    7. Click Validate to start the validation process for this organization.

      SCM organizations page
  3. Navigate to the Domains page.

    SCM Domains page
  4. To create a new domain entry, click Add.

  5. Specify the domain name, select the organizations/departments to delegate the domain to, and the allowed certificate types.

    SCM create domain page
  6. Click Save.

  7. If your organization or department requires delegations to be approved:

    1. Select the newly created domain from the list of domains.

    2. Click Approve Delegations.

      SCM Domains tab with the new domain
    3. Select the organization or department, then click Approve.

      To change the organization or department which the domain is delegated to, click Delegate and select the appropriate Organizations/Departments.

  8. (Public CA only) Validate your domain:

    For single-domain DV certificates, domains can be validated by using SCM or ACME challenge validation. All other types of certificates require domains to be validated in SCM.

    1. Select your domain and click Validate.

      SCM validate domain

    2. Select the appropriate DCV method as per your initial setup.

      SCM select DCV Method

      The following steps assume that you selected Email as the DCV method.

    3. Click Next.

    4. In Select an email address, select a registered email.

    5. Click Submit.

      SCM DCV select registered email

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, its Status will change to Validated on the Domains page.

      SCM DCV domain validated

Obtain the SCM API credentials

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Select Enrollment > REST. Make a note of the URL value under SSL Certificates REST API. You will need to assign it to the scm_url parameter in the config.yaml file.

    SSL certificates REST API
  3. Select SSL Certificates REST API and click Accounts.

  4. Select your account and click Edit.

    SSL certificates REST accounts
  5. Click Reset Secret and confirm resetting the client secret.

    SSL certificates REST accounts

    Make a note of the values under Client ID and Application (client) Secret. You will need to assign them to the client_id and client_secret parameters in the config.yaml file.

    Client ID and secret

Set up the config file

Configure the config.yaml file.

Sample config file
client_id: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
client_secret: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
scm_url: https://scmqa.enroll.demo.sectigo.com/api/v1
expiry_window: 30
renew_revoked_certificate: true

The following table describes parameters in the file.

Parameter Description

client_id

The client ID of the SCM user

client_secret

The client secret of the SCM user

scm_url

The URL of the SCM account

expiry_window

The number of days prior to expiration that a certificate renewal process is initiated. The default expiry window is 30 days.

renew_revoked_certificate

Specifies whether to renew revoked certificates. The possible values are true or false. The default value is true.

Set up the certificate profile file

Configure the example.com file in the ./domains/options directory. You can create copies of the sample file for different certificate profiles.

Sample certificate profile file
domain_name: "example.com"
cert_type: ecc
secureNetwork: standard-tls
geography: core
techContact_email: [email protected]
techContact_firstName: John
techContact_lastName: Doe
techContact_phone: "+994515373029"
adminContact_email: [email protected]
adminContact_firstName: John
adminContact_lastName: Doe
adminContact_phone: "+12505550199"
org_addressLineOne: 401 COUNTY ROAD 2
org_city: Ottawa
org_country: CA
org_name: JohnDoe
org_phone: "+12505550199"
org_postalCode: K1A 0C4
org_region: ON
csr_c: CA
csr_o: DoePrivateCA
csr_st: Ontario
csr_sans:
 - blog.example.com
 - mail.example.com

The following table describes the parameters in the file.

Parameter Description

domain_name

The domain name included in the certificate Common Name (CN) field

secureNetwork

The type of secure network where you want to deploy the certificate. The possible values are standard-tls (a standard secure network) and enhanced-tls (an enhanced security network). The default value is standard-tls.

cert_type

The key algorithm to use for certificate enrollment. The possible values are rsa (RSA 2048-bit) and ecc (ECDSA P-256). The default value is ecc.

geography

Specifies the region where you want to deploy the certificate. You can include China and Russia only if your Akamai contract permits it and you have approval from the Chinese and Russian governments. The default value is core.

The possible values are:

  • core: Deploy the certificate worldwide, excluding China and Russia.

  • china+core: Deploy the certificate worldwide and for China, but not for Russia.

  • russia+core: Deploy the certificate worldwide and for Russia, but not for China.

techContact_email

The email address of the Akamai administrator who you want to use as a contact at your company

techContact_firstName

The first name of the Akamai administrator who you want to use within Akamai

techContact_lastName

The last name of the Akamai administrator who you want to use within Akamai

adminContact_email

The email or a comma-separated list of emails of the certificate requester

adminContact_firstName

The first name of the certificate administrator who you want to use as a contact at your company

adminContact_lastName

The last name of the certificate administrator who you want to use as a contact at your company

adminContact_phone

The phone number of the certificate requester

org_addressLineOne

The address of your organization

org_city

The locality name included in the certificate Locality (L) field

org_country

The country where your organization resides

org_name

The name of your organization

org_phone

The phone number of your organization

org_postalCode

The postal code of your organization

org_region

The region of your organization, typically a state or province

csr_c

The country name included in the certificate Country (C) field

csr_o

The organization name included in the certificate Organization (O) field

csr_st

The state or province name included in the certificate State (ST) field

csr_sans

A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field
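The csr_* fields, domain_name, csr_sans and cert_type together determine what the issued certificate's subject and key will look like, and it is worth seeing that mapping in a request before enrolling. The script below is an added example, not the connector's own CSR handling (which this page does not show): it renders an OpenSSL request config from the page's sample profile values, maps cert_type to RSA 2048-bit or ECDSA P-256 as the table above defines, and generates a key and CSR only when openssl is available. The inclusion of the CN as the first SAN entry is an assumption made here because clients match hostnames against subjectAltName rather than CN.

```shell
#!/bin/sh
# Added example: render the CSR that a certificate profile describes.
# Not the connector's implementation; profile values are the page's sample profile.

# key_spec: map the profile's cert_type to an OpenSSL key algorithm.
#   rsa -> RSA 2048-bit; ecc (or unset, the default) -> ECDSA P-256
key_spec() {
  case "$1" in
    rsa)    echo "rsa:2048" ;;
    ecc|"") echo "ec:P-256" ;;
    *)      echo "unsupported cert_type: $1" >&2; return 1 ;;
  esac
}

# csr_config CN C ST L O "san1,san2,..."
# Prints an OpenSSL req config. csr_sans become DNS.n entries; the CN is
# also listed as DNS.1 (assumption: see lead-in).
csr_config() {
  cn=$1 c=$2 st=$3 l=$4 o=$5 sans=$6
  cat <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
C = $c
ST = $st
L = $l
O = $o
[ext]
subjectAltName = @alt
[alt]
DNS.1 = $cn
EOF
  n=2
  for san in $(printf '%s' "$sans" | tr ',' ' '); do
    echo "DNS.$n = $san"
    n=$((n + 1))
  done
}

# make_csr cert_type CN C ST L O "sans": write key + CSR into a temp dir.
# Skips generation (but still writes the config) when openssl is not installed.
make_csr() {
  alg=$(key_spec "$1") || return 1
  out=$(mktemp -d)
  csr_config "$2" "$3" "$4" "$5" "$6" "$7" > "$out/req.cnf"
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; request config written to $out/req.cnf"
    return 0
  fi
  case "$alg" in
    rsa:*) openssl req -new -newkey "$alg" -nodes -keyout "$out/$2.key" \
             -out "$out/$2.csr" -config "$out/req.cnf" ;;
    ec:*)  openssl ecparam -name prime256v1 -genkey -noout -out "$out/$2.key" &&
           openssl req -new -key "$out/$2.key" -out "$out/$2.csr" -config "$out/req.cnf" ;;
  esac && echo "key and CSR written to $out"
}

# Demo with the page's sample profile values (domain_name, csr_c, csr_st,
# org_city, csr_o, csr_sans) and the default cert_type.
csr_config example.com CA Ontario Ottawa DoePrivateCA "blog.example.com,mail.example.com"
make_csr ecc example.com CA Ontario Ottawa DoePrivateCA "blog.example.com,mail.example.com"
```

Inspect the result with `openssl req -in <dir>/example.com.csr -noout -text` and compare the Subject and X509v3 Subject Alternative Name sections against the profile; a SAN that is missing here will be missing from the issued certificate too, and a domain listed here must already show as Validated in SCM.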