Configuring the connector

This page describes how to configure the connector to automate the certificate lifecycle management for Akamai.

Authenticate with Akamai

Create an .edgerc file in your home directory (~/.edgerc) with the secret, access_token, host, and client_token information for authentication through EdgeGrid.

To generate the credentials:

Log in to the Control Center.
Select your profile at top right, then select User settings on the Users tab.
Click Create API client, then click Quick or Advanced.

Copy the values to an .edgerc file in your home directory.

[default]
client_secret = A113nt53KF3TM6N90yVuAgICgIRwsObLi0E67/N8eRN=
host = akab-h05tnam3wl42son7nktnlnnx-kbob3i3v.luna.akamaiapis.net
access_token = akab-acc35t3k3nokujqunph3w0hzp7-gtq6ij
client_token = akab-c111ntt3k3n4qtari202bfxxbsl-yksej

Add a pointer to your .edgerc file in the provider block of your akamai.tf file.

provider "akamai" {
  edgerc         = "~/.edgerc"
  config_section = "default"
}

For more details, see Add authentication in Akamai documentation.

Obtain the SCM Audit API key

If you have not already obtained your SCM API key, do so now.

Log in to SCM with the MRAO administrator credentials provided to your organization.
Navigate to Integrations Audit API Keys.
Select the audit API key you want to view, and click Edit.
If needed, reset the client secret.

If you reset a client secret, clients using this API key must be updated to use the new client secret.
1. Click the Edit icon.
2. Click OK.
Make a note of the values under Client ID and Client Secret. You will need to assign them to the client_id and client_secret parameters in the scm_config.yaml file.
Click Save.

Set up the config file

Configure the scm_config.yaml file.

Sample config file

client_id: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
client_secret: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
scm_url: https://scmqa.enroll.demo.sectigo.com/api/v1

The following table describes parameters in the file.

Parameter Description

Parameter	Description
`client_id`	The client ID of the SCM user
`client_secret`	The client secret of the SCM user
`scm_url`	The URL of the SCM account

client_id

The client ID of the SCM user

client_secret

The client secret of the SCM user

scm_url

The URL of the SCM account

Set up additional certificate fields

To include non-CSR fields in the certificate, (e.g., external requester, comments, custom fields), use the additional_fields.yaml file located in the example folder.

For examples of how to format, see the additional_fields_example.yaml file.

Configure Terraform

Configure the Terraform variables in the ./module/variables.tf file and/or example/main.tf file. Refer to the table below.

If you have only one domain, you can edit the variables.tf file and remove the ./example/main.tf file.
If you have two or more domains, create a directory for each domain and copy the ./example/main.tf file to those directories.

The ./example/main.tf file contains only a handful of variables, such as the domain name or key type. It’s assumed that most certificate attributes will have the same values, which can be defined in the variables.tf file. If you need custom values for each domain, you can add more variables to ./example/main.tf, which will override the default values from variables.tf.

The following table describes the variables that you need to configure for certificate issuance. Some of them will likely have values defined on a per-certificate basis (for example, SAN values), while for others you may want to define default values in the variable.tf file (for example, the contact details of the Akamai administrator).

For a full list of available variables and their values, see DV third-party enrollment.

Variable Description

Variable	Description
`contract_id`	The Akamai contract ID
`domain_name`	The domain name included in the certificate Common Name (CN) field
`sans`	A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field
`csr`	The certificate signing request (CSR) information country_code: The country name included in the certificate Country (C) field city: The locality name included in the certificate Locality (L) field organization: The organization name included in the certificate Organization (O) field organizational_unit: The name of a department within the organization state: The state or province name included in the certificate State (ST) field
`key_type`	The key algorithm to use for certificate enrollment. The possible values are `rsa` (RSA 2048-bit) and `ecdsa` (ECDSA P-256). The default value is `ecdsa`.
`network_configuration`	The network information and TLS metadata
`organization`	The details of the organization
`tech_contact`	The details of the Akamai administrator contact at your company
`admin_contact`	The details of the certificate administrator contact at your company
`expiry_window`	The number of days prior to expiration that a certificate renewal process is initiated. If you have not defined the `expiry_window` variable in Terraform, then the default value of `0` will be used. When `expiry_window` equals `0`, or `certificate remaining days` is less then or equal to `expiry_window`, then a new renewal process will be initiated: a new CSR generated in Akamai enrollment, and a new certificate enrolled in SCM and inserted to Akamai. If `certificate remaining days` is more than `expiry_window` then the execution will stop and exit.
`acknowledge_change_management`	If set to `false`, the certificate is deployed only to staging. Production deployment must be done manually via the Akamai UI. Default: `true`.
`sni_only`	Enables Server Name Indication (SNI) for the enrollment. Default: `true`.

contract_id

The Akamai contract ID

domain_name

The domain name included in the certificate Common Name (CN) field

sans

A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field

csr

The certificate signing request (CSR) information

country_code: The country name included in the certificate Country (C) field
city: The locality name included in the certificate Locality (L) field
organization: The organization name included in the certificate Organization (O) field
organizational_unit: The name of a department within the organization
state: The state or province name included in the certificate State (ST) field

key_type

The key algorithm to use for certificate enrollment. The possible values are rsa (RSA 2048-bit) and ecdsa (ECDSA P-256). The default value is ecdsa.

network_configuration

The network information and TLS metadata

organization

The details of the organization

tech_contact

The details of the Akamai administrator contact at your company

admin_contact

The details of the certificate administrator contact at your company

expiry_window

The number of days prior to expiration that a certificate renewal process is initiated.

If you have not defined the expiry_window variable in Terraform, then the default value of 0 will be used.
When expiry_window equals 0, or certificate remaining days is less then or equal to expiry_window, then a new renewal process will be initiated: a new CSR generated in Akamai enrollment, and a new certificate enrolled in SCM and inserted to Akamai.
If certificate remaining days is more than expiry_window then the execution will stop and exit.

acknowledge_change_management

If set to false, the certificate is deployed only to staging. Production deployment must be done manually via the Akamai UI.

Default: true.

sni_only

Enables Server Name Indication (SNI) for the enrollment.

Default: true.