Sectigo.com
Shop Enterprise Partners Resources

Using the connector

This page provides commands for enrolling and managing certificates using the Akamai CPS CLI. Every time you run the connector to enroll or manage certificates, it checks whether all required tools and modules are installed on the system, and installs them if not found.

If you haven’t provided the execute permission to the connector, run the commands as follows.

bash certificate.sh <command>

To list all possible commands and options, run the following command.

certificate.sh --help

Enroll a certificate

  • Single-domain certificate

  • Multi-domain ( SAN ) certificate

  • Wildcard certificate

To enroll a certificate for a domain, specify the certificate profile file located in the ./domains/options directory.

certificate.sh enroll <domain_name>.yaml

  1. Uncomment the following lines in the ./domains/options/<domain_name.yaml file and add SAN values.

    csr_sans:
- example.com
- www.example.com

  2. Run the connector with the domain name specified in the Common Name field.

    certificate.sh enroll example.com

To enroll a wildcard certificate, add an asterisk and a dot (*.) before the domain name.

certificate.sh enroll *.example.com

The connector performs the following actions:

  1. Collects values from the ./domains/options/<domain_name>.yaml file and creates a ./domains/yamls/<domain_name>.yaml file.

    Don’t delete the ./domains/options/<domain_name>.yaml file after enrolling a certificate. The connector uses this file for renewing the certificate.

  2. Sends an enrollment request to Akamai CPS using the information from the ./domains/yamls/<domain_name>.yaml file. Akamai accepts this request and creates a certificate record in CPS.

  3. Downloads the CSR file from Akamai CPS.

  4. Sends the CSR to SCM. SCM signs the CSR and generates a certificate and trust chain.

    The agent also adds the SSL ID of the certificate (certificate_id) to the ./domains/options/<domain_name>.yaml file. Don’t change this section in the file manually since it may break the renewal process.

  5. Downloads the certificate and trust chain files from SCM.

  6. Uploads the certificate and trust chain files to Akamai CPS.

  7. Deploys the certificate to the production environment on Akamai. The certificate cannot be used in production without this step.

    Deploying a certificate on Akamai may take 10-15 minutes.

Possible errors include:

  • Invalid or empty values in the ./domains/options/<domain_name>.yaml or ./domains/yamls/<domain_name>.yaml file

  • Authentication or authorization issues with the Sectigo API request

  • Akamai may take a long time to respond.

The following image shows provisioned certificates in Akamai CPS.

Provisioned certificates in Akamai CPS

Renew a certificate

The renew action enrolls a new certificate with the same attributes and values as in the existing certificate, even if you changed the values in the ./domains/options/<domain_name>.yaml file. The old certificate remains valid if you don’t revoke it manually in SCM. To update an existing certificate with new attributes or values, use the replace action.

  • All certificates

  • Single-domain certificate

  • Multi-domain ( SAN ) certificate

  • Wildcard certificate

certificate.sh renew-all
certificate.sh renew example.com

Run the connector with the domain name that is specified in the Common Name field.

certificate.sh renew example.com

To renew a wildcard certificate, add an asterisk and a dot (*.) before the domain name.

certificate.sh renew *.example.com

The connector performs the following actions:

  1. Checks whether the certificate and ./domains/yamls/<domain_name>.yaml files for this domain name exist.

  2. Checks the certificate revocation status: if the certificate is revoked, the connector informs you and force renews the certificate. If the certificate is not revoked, the connector checks whether the certificate is within the expiry window, and starts the renewal process. You can adjust the expiry window.

  3. Updates the certificate status in Akamai CPS. The certificate status is updated with its ./domains/yamls/<domain_name>.yaml file, then Akamai generates a new CSR.

  4. Downloads the CSR file from Akamai CPS.

  5. Sends the CSR to SCM. SCM signs the CSR and generates a certificate and trust chain.

  6. Downloads the certificate and trust chain files from SCM.

  7. Uploads the certificate and trust chain files to Akamai CPS.

  8. Deploys the certificate to the production environment on Akamai. The certificate cannot be used in production without this step.

    Deploying a certificate on Akamai may take 10-15 minutes.

Possible errors include:

  • Missing certificate record for this domain

  • Invalid or empty values in the ./domains/options/<domain_name>.yaml or ./domains/yamls/<domain_name>.yaml file

  • Authentication or authorization issues with the Sectigo API request

  • Akamai may take a long time to respond.

Enable auto-renewal

You can create a cronjob that will invoke the connector on a schedule to check whether the certificate is eligible for renewal:

  1. Run crontab -e on the terminal.

  2. Select an editor.

  3. Add a cronjob that will trigger the connector.

    The following examples trigger certificate.sh every month.

    • All certificates

    • Single-domain certificate

    • Multi-domain ( SAN ) certificate

    • Wildcard certificate

    0 0 1 * * /home/ubuntu/sectigo-akamai-cm/certificate.sh renew-all
    0 0 1 * * /home/ubuntu/sectigo-akamai-cm/certificate.sh renew example.com

    Run the connector with the domain name that is specified in the Common Name field.

    0 0 1 * * /home/ubuntu/sectigo-akamai-cm/certificate.sh renew example.com

    To renew a wildcard certificate, add an asterisk and a dot (*.) before the domain name.

    0 0 1 * * /home/ubuntu/sectigo-akamai-cm/certificate.sh renew *.example.com

  4. Save the crontab file.

Replace a certificate

The replace action updates an existing certificate with new attributes or values. The validity period remains the same.

  • All certificates

  • Single-domain certificate

  • Multi-domain ( SAN ) certificate

  • Wildcard certificate

certificate.sh replace
certificate.sh replace example.com

Run the connector with the domain name that is specified in the Common Name field.

certificate.sh replace example.com

To replace a wildcard certificate, add an asterisk and a dot (*.) before the domain name.

certificate.sh replace *.example.com

The connector performs the following actions:

  1. Checks whether the certificate and ./domains/yamls/<domain_name>.yaml files for this domain name exist.

  2. Updates the certificate status in Akamai CPS. The certificate status is updated with its ./domains/yamls/<domain_name>.yaml file, then Akamai generates a new CSR.

  3. Downloads the CSR file from Akamai CPS.

  4. Sends the CSR to SCM for replacement. SCM signs the CSR and generates a certificate and trust chain.

  5. Downloads the certificate and trust chain files from SCM.

  6. Uploads the certificate and trust chain files to Akamai CPS.

  7. Deploys the certificate to the production environment on Akamai. The certificate cannot be used in production without this step.

    Deploying a certificate on Akamai may take 10-15 minutes.

Possible errors include:

  • Missing certificate record for this domain

  • Invalid or empty values in the ./domains/options/<domain_name>.yaml or ./domains/yamls/<domain_name>.yaml file

  • Authentication or authorization issues with the Sectigo API request

  • Akamai may take a long time to respond.

List existing certificates

This command retrieves information on existing certificates from Akamai CPS.

List all certificates on Akamai CPS.

certificate.sh list --all

View the details of a specific certificate.

certificate.sh list --details example.com

List certificates deployed to production.

certificate.sh list --deployed

List certificates enrolled, but not yet deployed.

certificate.sh list --enrolled

Delete a certificate

To delete a certificate from Akamai CPS, run the following command.

certificate.sh delete example.com

The connector deletes the following files:

  • The certificate from Akamai CPS (this might take a few hours)

  • The ./domains/options/<domain_name>.yaml file from the local machine

  • The ./domains/yamls/<domain_name>.yaml file from the local machine

  • The ./logs/<domain_name>.log file from the local machine

View the logs

The logs are stored in the ./logs/<domain_name>.log file. We recommend keeping the logs throughout the certificate lifecycle.