Overview

Sectigo Connector for Akamai ("the connector") is a standalone solution created as a Terraform module to provide a secure automation layer for enrolling and managing Sectigo SSL/TLS certificates in Akamai Certificate Provisioning System (CPS).

The connector facilitates the automatic generation of a certificate signing request (CSR) with Akamai CPS and the enrollment, uploading, and management of certificates issued by Sectigo or a third-party certificate authority (CA).

The following certificate types are supported:

  • Domain Validation (DV): Single-domain, multi-domain, and wildcard certificates issued by Sectigo

  • Organization Validation (OV): Single-domain, multi-domain, and wildcard certificates issued by Sectigo or a third-party CA

  • Extended Validation (EV): Single-domain and multi-domain certificates issued by Sectigo or a third-party CA

  • Private SSL: Private SSL certificates issued by Sectigo or a third-party CA for internal use

The following CAs are supported:

  • Public CA: Sectigo, Entrust, and Digicert

  • Private CA: Sectigo, Microsoft CA, AWS Private CA, and Google Cloud CA Service

The following key types are supported: RSA 2048-bit and ECDSA P256r1.

Akamai CPS supports the SHA-1 and SHA-256 hash functions (we recommend using SHA-256).

Once the Sectigo certificates are available on the CDN Certificates page, they can be used to enable HTTPS communication for your secure content delivery network (CDN) applications. The connector also supports automatic certificate renewal before the certificate expiry or upon revocation.

The connector manages only the certificate enrollment with Sectigo SCM REST APIs and uploading the certificates to CPS. Deploying the provisioned certificates for your CDN applications is not in the scope of this solution.

Audience

This guide is intended for Akamai administrators and system administrators who have knowledge of IT security and cloud security and are also familiar with Sectigo Certificate Manager (SCM).

Scope

This guide covers instructions on generating a CSR with Akamai, connecting to Sectigo SCM to provision certificates, and uploading certificates to Akamai CPS. Deploying the certificates for your CDN applications for SSL/TLS enablement is outside the scope of this guide.

Architecture

Figure: SectigoAKAMAISCM architecture (diagram)

Execution workflow

  1. Enrollment request for a third-party certificate is sent to Akamai CPS with information required for generating a CSR (if it’s a renewal operation for an existing certificate, the certificate revocation and expiration status is checked).

  2. Akamai generates a CSR for the certificate, and the connector downloads the CSR.

  3. The CSR is sent to the Sectigo CA.

  4. The enrolled certificate and certificate chain files are downloaded from the CA.

  5. The certificate files are uploaded to Akamai CPS.
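The connector itself never handles the private key (Akamai CPS generates the CSR), so the one thing the operator can still check before step 5 is that the files coming back from the CA belong to the CSR from step 2. The bash function below is an added example, not part of the connector's package or its enrollment.sh; the file arguments and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the connector package. Assumed inputs:
#   $1  CSR downloaded from Akamai CPS (step 2)
#   $2  leaf certificate downloaded from the CA (step 4)
#   $3  PEM bundle with the CA chain, ending in the self-signed root (step 4)
set -euo pipefail

# SHA-256 fingerprint of the SubjectPublicKeyInfo in a CSR (req) or certificate (x509).
spki_fingerprint() {
  local kind="$1" file="$2"
  openssl "$kind" -in "$file" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only if the certificate carries the same public key as the CSR,
# is not signed with SHA-1, and verifies against the supplied chain.
# Any failure returns 1 with the reason on stderr.
verify_issued_cert() {
  local csr="$1" cert="$2" chain="$3"
  local csr_key cert_key sigalg

  csr_key=$(spki_fingerprint req "$csr") || return 1
  cert_key=$(spki_fingerprint x509 "$cert") || return 1
  if [ "$csr_key" != "$cert_key" ]; then
    echo "public key in $cert does not match CSR $csr" >&2
    return 1
  fi

  # CPS accepts SHA-1 signatures, but a SHA-1 signed certificate should not be uploaded.
  sigalg=$(openssl x509 -in "$cert" -noout -text \
    | grep 'Signature Algorithm' | tr 'A-Z' 'a-z') || return 1
  case "$sigalg" in
    *sha1*) echo "$cert is signed with SHA-1" >&2; return 1 ;;
  esac

  # The chain bundle must validate the leaf up to a trusted self-signed root.
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "$cert does not verify against chain $chain" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: ./verify_issued_cert.sh csr.pem cert.pem chain.pem
if [ "$#" -eq 3 ]; then
  verify_issued_cert "$1" "$2" "$3" && echo "OK: certificate matches CSR and chain; safe to upload to CPS"
fi
```

Run it between steps 4 and 5 and abort the upload on a non-zero exit; a key mismatch means the CA returned a certificate for a different CSR than the one CPS generated.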

Package contents

The package contains the following components:

  • module: This directory contains the Terraform module files.

    • main.tf: The main set of configuration for the solution.

    • output.tf: The output values of the Terraform resources (for example, the enrollment_id of the certificate).

    • variables.tf: The Terraform variables, predefined static values for the certificate management.

  • scripts: This directory contains an enrollment.sh bash script that calls the SCM API. The script is managed by Terraform.

  • scm_config.yaml: This configuration file contains the Sectigo API credentials.

  • example: This directory contains a sample main.tf file for users. For every certificate provisioned, create a directory with a copy of main.tf.

  • eula: This directory contains the SCM EULA agreement file SCM Client EULA v1.0.1.txt. You need to accept the agreement when you run the enrollment.sh script for the first time.

  • logs: This directory contains the <domain_name>.log files created by the enrollment.sh script.