Sectigo.com
Shop Enterprise Partners Resources

Configuring the connector

This page describes how to configure the connector to automate the certificate lifecycle management for Akamai.

Authenticate with Akamai

Create an .edgerc file in your home directory (~/.edgerc) with the secret, access_token, host, and client_token information for authentication through EdgeGrid.

To generate the credentials:

  1. Log in to the Control Center.

  2. Select your profile at top right, then select User settings on the Users tab.

  3. Click Create API client, then click Quick or Advanced.

  4. Copy the values to an .edgerc file in your home directory.

    [default]
client_secret = A113nt53KF3TM6N90yVuAgICgIRwsObLi0E67/N8eRN=
host = akab-h05tnam3wl42son7nktnlnnx-kbob3i3v.luna.akamaiapis.net
access_token = akab-acc35t3k3nokujqunph3w0hzp7-gtq6ij
client_token = akab-c111ntt3k3n4qtari202bfxxbsl-yksej

  5. Add a pointer to your .edgerc file in the provider block of your akamai.tf file.

    provider "akamai" {
  edgerc         = "~/.edgerc"
  config_section = "default"
}

For more details, see Add authentication in Akamai documentation.

Validate the domains

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. (Optional) Navigate to the Organizations page to see if an organization with departments already exists. On this page you can create a new organization or add departments to an existing organization.

    To add an organization:

    1. Click Add.

    2. Complete the fields with the organization’s details, then click Next.

    3. Configure settings for specific types of certificates.

    4. Click Save.

    5. Select the newly created organization from the list of organizations.

    6. Click Add Department and complete the fields with the department’s details.

    7. Click Validate to start the validation process for this organization.

      SCM organizations page

  3. Navigate to the Domains page.

    SCM Domains page

  4. To create a new domain entry, click Add.

  5. Specify the domain name, select the organizations/departments to delegate the domain to, and the allowed certificate types.

    SCM create domain page

  6. Click Save.

  7. If your organization or department requires delegations to be approved:

    1. Select the newly created domain from the list of domains.

    2. Click Approve Delegations.

      SCM Domains tab with the new domain

    3. Select the organization or department, then click Approve.

      To change the organization or department which the domain is delegated to, click Delegate and select the appropriate Organizations/Departments.

  8. (Public CA only) Validate your domain:

    For single-domain DV certificates, domains can be validated by using SCM or ACME challenge validation. All other types of certificates require domains to be validated in SCM.

    1. Select your domain and click Validate.

      SCM validate domain

    2. Select the appropriate DCV method as per your initial setup.

      SCM select DCV Method
      The following steps assume that you selected Email as the DCV method.

    3. Click Next.

    4. In Select an email address, select a registered email.

    5. Click Submit.

      SCM DCV select registered email

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, its Status will change to Validated on the Domains page.

      SCM DCV domain validated

Obtain the SCM API credentials

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Select Enrollment  REST. Make a note of the URL value under SSL Certificates REST API. You will need to assign it to the scm_url parameter in the scm_config.yaml file.

    SSL certificates REST API

  3. Select SSL Certificates REST API and click Accounts.

  4. Select your account and click Edit.

    SSL certificates REST accounts

  5. Click Reset Secret and confirm resetting the client secret.

    SSL certificates REST accounts

    Make a note of the values under Client ID and Application (client) Secret. You will need to assign them to the client_id and client_secret parameters in the scm_config.yaml file.

    Client ID and secret

Set up the config file

Configure the scm_config.yaml file.

Sample config file
client_id: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
client_secret: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
scm_url: https://scmqa.enroll.demo.sectigo.com/api/v1

The following table describes parameters in the file.

Parameter Description

client_id

The client ID of the SCM user

client_secret

The client secret of the SCM user

scm_url

The URL of the SCM account

Configure Terraform

Configure the Terraform variables in the ./module/variables.tf file and/or example/main.tf file:

  • If you have only one domain, you can edit the variables.tf file and remove the ./example/main.tf file.

  • If you have two or more domains, create a directory with any name you prefer for each domain and copy the ./example/main.tf file to this directory.

    The ./example/main.tf file contains only a handful of variables, such as the domain name or key type. It’s assumed that most certificate attributes will have the same values, which can be defined in the variables.tf file. If you need custom values for each domain, you can add more variables to ./example/main.tf, which overrides the default values from variables.tf.

The following table describes the variables that you need to configure for certificate issuance. Some of them will likely have values defined on a per-certificate basis (for example, SAN values), while for others you may want to define default values in the variable.tf file (for example, the contact details of the Akamai administrator).

For a full list of available variables and their values, see DV third-party enrollment.

Variable Description

contract_id

The Akamai contract ID

domain_name

The domain name included in the certificate Common Name (CN) field

sans

A comma-separated list of subject alternative names (SAN) included in the certificate subjectAltName field

csr

The certificate signing request (CSR) information

  • country_code: The country name included in the certificate Country (C) field

  • city: The locality name included in the certificate Locality (L) field

  • organization: The organization name included in the certificate Organization (O) field

  • organizational_unit: The name of a department within the organization

  • state: The state or province name included in the certificate State (ST) field

key_type

The key algorithm to use for certificate enrollment. The possible values are rsa (RSA 2048-bit) and ecdsa (ECDSA P-256). The default value is ecdsa.

network_configuration

The network information and TLS metadata

organization

The details of the organization

tech_contact

The details of the Akamai administrator contact at your company

admin_contact

The details of the certificate administrator contact at your company