Using the connector

This page provides commands for enrolling and managing certificates using the Akamai Terraform Provider.

Enrolling certificates

You can enroll a certificate with or without automatic approval. For details, see Enroll a certificate with auto approval or Enroll a certificate without auto approval.

In either case, the connector performs the following actions:

  • Collects information from the Terraform variables.

  • Sends an enrollment request to Akamai CPS. Akamai accepts this request and creates a certificate record in CPS.

  • Downloads the CSR file from Akamai CPS.

  • Sends the CSR to SCM. SCM signs the CSR and generates a certificate and trust chain.

  • Downloads the certificate and trust chain files from SCM.

  • Uploads the certificate and trust chain files to Akamai CPS.

  • Deploys the certificate to the production environment on Akamai. The certificate cannot be used in production without this step.

    Deploying a certificate on Akamai may take 10-15 minutes.

[Figure: Provisioned certificates in Akamai CPS]

During certificate download, a script creates a record in the cert.ids file with one of the following statuses:

Status        Description

issued        The certificate was requested, enrolled in SCM, and downloaded. The log shows response_code = 200.

not_issued    The certificate was requested in SCM but was not downloaded. The log shows response_code = 404.

problem       Something went wrong; details are written to the scm.log file. The log shows a response_code other than 200 or 404.

If the cert.ids file contains a row with status problem, that row is deleted at the beginning of the next execution.

If enrollment is not successful, the certificate is marked as not_issued. Possible reasons include:

  • Invalid or empty values in the variables.tf or ./example/main.tf files.

  • Authentication or authorization issues with the Sectigo API request.

  • Akamai may take a long time to respond.

    • If status_code != 200 appears during certificate enrollment, the script stops execution and notifies the user. Details are included in the output and in the scm.log file.

Enroll a certificate with auto approval

When you perform the enroll action, the cert.ids file is checked for an existing record. If a certificate exists with the status issued, the row is deleted before a new enrollment occurs.

  1. Create a folder in the solution root directory.

  2. Copy the example/main.tf file to this folder and change or add your values for the certificate.

    • For enrollment, set action_type = enroll.

    • For the key type, set the key_type variable to ecdsa or rsa.

    • To export Terraform logs, export the TF_LOG_PATH environment variable set to a file name (for example, file-name.txt).

      The log file is generated in this folder.

  3. To enroll a certificate for a domain, navigate to the directory that contains the main.tf file for your domain (for example, ./example/main.tf) and run these Terraform commands.

terraform init
terraform plan
terraform apply

Enroll a certificate without auto approval

When you perform the enroll action, the cert.ids file is checked for an existing record. If a certificate exists with the status issued, the row is deleted before a new enrollment occurs.

  1. Create a folder in the solution root directory.

  2. Copy the example/main.tf file to this folder and change or add your values for the certificate.

    • For enrollment, set action_type = enroll.

    • For the key type, set the key_type variable to ecdsa or rsa.

    • To export Terraform logs, export the TF_LOG_PATH environment variable set to a file name (for example, file-name.txt).

      The log file is generated in this folder.

  3. To enroll a certificate for a domain, navigate to the directory that contains the main.tf file for your domain (for example, ./example/main.tf) and run these Terraform commands.

terraform init
terraform plan
terraform apply

The certificate will be enrolled but not issued, and you can’t download it.

The certificate will be marked as not_issued in the cert.ids file.

Once the certificate is approved in SCM, you can repeat the terraform apply command without any changes to the main.tf file, and the certificate will be downloaded to your PC and uploaded to Akamai.
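The following wrapper is an added example, not part of the connector or its documentation: it runs the enrollment commands above with TF_LOG_PATH set, then reads the cert.ids statuses and scm.log response codes described in the status table to tell an operator whether the certificate is issued, still awaiting SCM approval, or needs investigation. It assumes a cert.ids layout of one record per line with the domain in the first field and the status in the last field, and scm.log lines containing "response_code = <n>"; neither format is specified on this page, so adjust the field positions to your files.

```shell
#!/usr/bin/env bash
# Added example (not the connector's own code). Assumed formats, not given by the page:
#   cert.ids : one record per line, domain in field 1, status in the last field
#   scm.log  : lines containing "response_code = <n>"
set -eu

# Status recorded for a domain in cert.ids: issued, not_issued, problem, or "none".
cert_status() {   # $1 = cert.ids path, $2 = domain
  awk -v d="$2" '$1 == d { s = $NF } END { print (s == "" ? "none" : s) }' "$1"
}

# Most recent response code in scm.log: 200 issued, 404 awaiting approval, else a problem.
last_response_code() {   # $1 = scm.log path
  grep -o 'response_code = [0-9]*' "$1" | tail -n 1 | awk '{ print $3 }'
}

# Map a cert.ids status to an operator message and a distinct exit code.
explain_status() {   # $1 = status
  case "$1" in
    issued)     echo "issued: certificate downloaded and uploaded to Akamai CPS"; return 0 ;;
    not_issued) echo "not_issued: approve the request in SCM, then re-run terraform apply"; return 2 ;;
    problem)    echo "problem: check scm.log; the row is removed on the next run"; return 3 ;;
    *)          echo "no record for this domain in cert.ids"; return 4 ;;
  esac
}

# Full enrollment run for a domain directory (needs terraform on PATH; not run below).
enroll() {   # $1 = directory holding main.tf, $2 = domain
  export TF_LOG_PATH="$1/terraform.log"
  (cd "$1" && terraform init && terraform plan && terraform apply)
  explain_status "$(cert_status "$1/cert.ids" "$2")"
}

# Constructed sample files so the checks can be exercised without terraform.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'www.example.com  2024-01-01  not_issued\nshop.example.com  2024-01-01  issued\n' > "$tmp/cert.ids"
printf 'enroll response_code = 200\ndownload response_code = 404\n' > "$tmp/scm.log"
cert_status "$tmp/cert.ids" www.example.com    # not_issued
last_response_code "$tmp/scm.log"              # 404
```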

Renew a certificate

  1. Navigate to the directory which was used for certificate enrollment.

  2. Run terraform apply.

This will enroll a new certificate with the same attributes and values as in the existing certificate. The old certificate remains valid if you don’t revoke it manually in SCM.

Deploying a certificate on Akamai may take 10-15 minutes.

Replace a certificate

This action will work only for Public CA certificates.

The replace action updates an existing certificate with new attributes or values. The validity period remains the same.

  1. Navigate to the directory that contains the main.tf file for the existing certificate.

  2. Update the value of the sans or any other variable and change the value of the key_type variable to replace.

  3. Run these Terraform commands.

terraform init
terraform plan
terraform apply

Deploying a certificate on Akamai may take 10-15 minutes.

Delete a certificate

To delete a certificate from Akamai CPS, navigate to the ./example directory and run terraform destroy.

Deleting a certificate from Akamai CPS may take a few hours. The old certificate remains valid in SCM if you don’t revoke it manually.

View the logs

The SCM logs are stored in the ./example/scm.log file.

To enable Terraform log generation, set the TF_LOG_PATH environment variable.

export TF_LOG_PATH=./terraform.log

We recommend that you keep the logs throughout the certificate lifecycle.