Configuring the connector

This page describes how to configure the connector to automate the certificate lifecycle management for Akamai.

Authenticate with Akamai

Create an .edgerc file in your home directory (~/.edgerc) with the secret, access_token, host, and client_token information for authentication through EdgeGrid.

To generate the credentials:

Log in to the Control Center.
Select your profile at top right, then select User settings on the Users tab.
Click Create API client, then click Quick or Advanced.

Copy the values to an .edgerc file in your home directory.

[default]
client_secret = A113nt53KF3TM6N90yVuAgICgIRwsObLi0E67/N8eRN=
host = akab-h05tnam3wl42son7nktnlnnx-kbob3i3v.luna.akamaiapis.net
access_token = akab-acc35t3k3nokujqunph3w0hzp7-gtq6ij
client_token = akab-c111ntt3k3n4qtari202bfxxbsl-yksej

Add a pointer to your .edgerc file in the provider block of your akamai.tf file.

provider "akamai" {
  edgerc         = "~/.edgerc"
  config_section = "default"
}

For more details, see Add authentication in Akamai documentation.

Obtain your SCM API credentials

You will need your SCM API credentials to configure the Sectigo Profile Settings in Akamai.

Log in to SCM with the MRAO administrator credentials provided to your organization.
Select Enrollment REST.
Select SSL Certificates REST API, and click Accounts.
Select your account and click Edit.
Click Reset Secret, and confirm resetting the client secret.
Make a copy of the values under Client ID and Application (client) Secret.

You will need to assign them to the Client ID and Client Secret parameters in Sectigo Profile Settings.

Set up the config file

Configure the scm_config.yaml file.

Sample config file

client_id: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
client_secret: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
scm_url: https://scmqa.enroll.demo.sectigo.com

The following table describes parameters in the file.

Parameter Description

Parameter	Description
`client_id`	The client ID of the SCM user.
`client_secret`	The client secret of the SCM user.
`scm_url`	The URL of the SCM account.

client_id

The client ID of the SCM user.

client_secret

The client secret of the SCM user.

scm_url

The URL of the SCM account.

Set up additional certificate fields

To include non-CSR fields in the certificate, (e.g., external requester, comments, custom fields), use the additional_fields.yaml file located in the example folder.

For examples of how to format, see the additional_fields_example.yaml file.

Configure Terraform

Configure the Terraform variables in the ./module/variables.tf file and/or example/main.tf file. Refer to the table below.

If you have only one domain, you can edit the variables.tf file and remove the ./example/main.tf file.
If you have two or more domains, create a directory for each domain and copy the ./example/main.tf file to those directories.

The ./example/main.tf file contains only a handful of variables, such as the domain name or key type. It’s assumed that most certificate attributes will have the same values, which can be defined in the variables.tf file. If you need custom values for each domain, you can add more variables to ./example/main.tf, which will override the default values from variables.tf.

The following table describes the variables that you need to configure for certificate issuance. Some of them will likely have values defined on a per-certificate basis (for example, SAN values), while for others you may want to define default values in the variable.tf file (for example, the contact details of the Akamai administrator).

For a full list of available variables and their values, see DV third-party enrollment.

Variable Description

Variable	Description
`contract_id`	The Akamai contract ID.
`domain_name`	The domain name included in the certificate Common Name (CN) field.
`sans`	A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field.
`csr`	The certificate signing request (CSR) information. country_code: The country name included in the certificate Country (C) field. city: The locality name included in the certificate Locality (L) field. organization: The organization name included in the certificate Organization (O) field. organizational_unit: The name of a department within the organization. state: The state or province name included in the certificate State (ST) field.
`key_type`	The key algorithm to use for certificate enrollment. The possible values are: `rsa` (RSA 2048-bit) (default) `ecdsa` (ECDSA P-256)
`network_configuration`	The network information and TLS metadata.
`organization`	The details of the organization.
`tech_contact`	The details of the Akamai administrator contact at your company.
`admin_contact`	The details of the certificate administrator contact at your company.
`expiry_window`	The number of days prior to expiration that a certificate renewal process is initiated. If you have not defined the `expiry_window` variable in Terraform, then the default value of `0` will be used. When `expiry_window` equals `0`, or `certificate remaining days` is less then or equal to `expiry_window`, then a new renewal process will be initiated: a new CSR generated in Akamai enrollment, and a new certificate enrolled in SCM and inserted to Akamai. If `certificate remaining days` is more than `expiry_window` then the execution will stop and exit.
`acknowledge_change_management`	If set to `false`, the certificate is deployed only to staging. Production deployment must be done manually via the Akamai UI. Default: `true`.
`sni_only`	Enables Server Name Indication (SNI) for the enrollment. Default: `true`.

contract_id

The Akamai contract ID.

domain_name

The domain name included in the certificate Common Name (CN) field.

sans

A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field.

csr

The certificate signing request (CSR) information.

country_code: The country name included in the certificate Country (C) field.
city: The locality name included in the certificate Locality (L) field.
organization: The organization name included in the certificate Organization (O) field.
organizational_unit: The name of a department within the organization.
state: The state or province name included in the certificate State (ST) field.

key_type

The key algorithm to use for certificate enrollment.

The possible values are:

rsa (RSA 2048-bit)
(default) ecdsa (ECDSA P-256)

network_configuration

The network information and TLS metadata.

organization

The details of the organization.

tech_contact

The details of the Akamai administrator contact at your company.

admin_contact

The details of the certificate administrator contact at your company.

expiry_window

The number of days prior to expiration that a certificate renewal process is initiated.

If you have not defined the expiry_window variable in Terraform, then the default value of 0 will be used.
When expiry_window equals 0, or certificate remaining days is less then or equal to expiry_window, then a new renewal process will be initiated: a new CSR generated in Akamai enrollment, and a new certificate enrolled in SCM and inserted to Akamai.
If certificate remaining days is more than expiry_window then the execution will stop and exit.

acknowledge_change_management

If set to false, the certificate is deployed only to staging. Production deployment must be done manually via the Akamai UI.

Default: true.

sni_only

Enables Server Name Indication (SNI) for the enrollment.

Default: true.