Configuring the connector

This page describes how to configure the connector for certificate enrollment and management.

Configure AWS programmatic access

After installing the AWS CLI, configure access credentials and a default region so that the AWS CLI can call AWS programmatically:

  1. Obtain access credentials associated with your IAM user in the AWS console:

    1. Navigate to the IAM section.

    2. Select Users in the left menu.

    3. Select the user and navigate to the Security credentials tab.

    4. Click Create access key and copy the Access key ID and Secret access key (you can also download a CSV file with the values).

  2. Specify your access keys and default region name for one or more AWS accounts (you can change the default region at any time) using the aws configure command.

    Single AWS account

    Run aws configure and enter the values at the prompts (enter the values without quotes; anything you type is stored literally):

    aws configure
    AWS Access Key ID [None]: <access_key_id>
    AWS Secret Access Key [None]: <secret_access_key>
    Default region name [None]: <region_name>
    Default output format [None]: json

    Multiple AWS accounts

    Run the aws configure --profile <profile_name> command for each AWS account where you will install the connector.

    aws configure --profile <profile_name>
    AWS Access Key ID [None]: <access_key_id>
    AWS Secret Access Key [None]: <secret_access_key>
    Default region name [None]: <region_name>
    Default output format [None]: json

    The profile name and default region are saved to the ~/.aws/config file.

    [default]
    region=us-west-2
    output=json
    [profile aws_account_1]
    region=ca-central-1
    output=json

    The AWS credentials are saved to the ~/.aws/credentials file. Note that the credentials file uses the bare profile name as the section header; the profile prefix is used only in the config file. Both files hold long-lived secrets and should be readable only by your own user account.

    [default]
    aws_access_key_id=AKIAIOSFODNN7EXAMPLE
    aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    [aws_account_1]
    aws_access_key_id=FLI4IOAFOZNN7EXAPPLE
    aws_secret_access_key=cKeprIUhnFJMI/K7VDENG/bPxRfiCYEXAMPLEKEY
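The following script is an added example, not part of the connector or of the AWS CLI. It checks the two files that aws configure writes for the mistakes that most often stop a profile from working: a "[profile ...]" header copied into the credentials file, quotes or a placeholder stored literally as a key value, a credentials section with no matching config profile (so no default region), and a credentials file readable by other users. The sample file contents are constructed from the layout shown above, using the AWS documentation's example keys, and the second profile deliberately contains the first two mistakes.

```python
import configparser
import os
import stat
import tempfile
from typing import List

# Constructed sample files mirroring the layout above. The key values are the
# AWS documentation's example credentials, not working ones. The second profile
# deliberately repeats two common mistakes: a "[profile ...]" header in the
# credentials file and a quoted placeholder stored literally.
SAMPLE_CONFIG = """[default]
region=us-west-2
output=json
[profile aws_account_1]
region=ca-central-1
output=json
"""

BROKEN_CREDENTIALS = """[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[profile aws_account_1]
aws_access_key_id="FLI4IOAFOZNN7EXAPPLE"
aws_secret_access_key=cKeprIUhnFJMI/K7VDENG/bPxRfiCYEXAMPLEKEY
"""

# The same file written the way the AWS CLI expects it.
FIXED_CREDENTIALS = """[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[aws_account_1]
aws_access_key_id=FLI4IOAFOZNN7EXAPPLE
aws_secret_access_key=cKeprIUhnFJMI/K7VDENG/bPxRfiCYEXAMPLEKEY
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """Both AWS files are INI-style; keep key names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def profile_names(config_text: str) -> List[str]:
    """Profiles defined in ~/.aws/config: 'default' plus every '[profile X]' section."""
    names = []
    for section in parse_ini(config_text).sections():
        if section == "default":
            names.append(section)
        elif section.startswith("profile "):
            names.append(section[len("profile "):])
    return names


def check_aws_files(config_text: str, credentials_text: str) -> List[str]:
    """Return findings about the two files; an empty list means they are consistent."""
    findings = []
    known = set(profile_names(config_text))
    creds = parse_ini(credentials_text)
    for section in creds.sections():
        name = section
        if section.startswith("profile "):
            name = section[len("profile "):]
            findings.append(f"credentials: [{section}] should be [{name}]; "
                            "the 'profile ' prefix belongs only in ~/.aws/config")
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            value = creds.get(section, key, fallback=None)
            if value is None:
                findings.append(f"credentials: [{section}] is missing {key}")
            elif value[:1] in ('"', "'", "<"):
                findings.append(f"credentials: [{section}] {key} still holds quotes or a placeholder")
        if name not in known:
            findings.append(f"credentials: [{section}] has no profile in ~/.aws/config, so no default region")
    return findings


def check_permissions(path: str) -> List[str]:
    """Flag a credentials file that group or others can read; it should be mode 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:o} is readable by other users; run chmod 600 on it"]
    return []


def permission_findings_for_mode(mode: int) -> List[str]:
    """Create a throwaway file with the given mode and check it (demo helper)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_permissions(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in check_aws_files(SAMPLE_CONFIG, BROKEN_CREDENTIALS) or ["credentials OK"]:
        print(line)
    for line in permission_findings_for_mode(0o644) or ["permissions OK"]:
        print(line)
```

To check your real files, read ~/.aws/config and ~/.aws/credentials into strings and pass them to check_aws_files, then call check_permissions on the credentials path. Validating that the stored keys actually authenticate is a separate step: aws sts get-caller-identity --profile <profile_name> confirms which IAM identity each profile resolves to.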

Validate the domains

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. (Optional) Navigate to the Organizations page to see if an organization with departments already exists. On this page you can create a new organization or add departments to an existing organization.

    To add an organization:

    1. Click Add.

    2. Complete the fields with the organization’s details, then click Next.

    3. Configure settings for specific types of certificates.

    4. Click Save.

    5. Select the newly created organization from the list of organizations.

    6. Click Add Department and complete the fields with the department’s details.

    7. Click Validate to start the validation process for this organization.

  3. Navigate to the Domains page.

  4. To create a new domain entry, click Add.

  5. Specify the domain name, select the organizations/departments to delegate the domain to, and the allowed certificate types.

  6. Click Save.

  7. If your organization or department requires delegations to be approved:

    1. Select the newly created domain from the list of domains.

    2. Click Approve Delegations.

    3. Select the organization or department, then click Approve.

      To change the organization or department which the domain is delegated to, click Delegate and select the appropriate Organizations/Departments.

  8. (Public CA only) Validate your domain:

    For single-domain DV certificates, domains can be validated by using SCM or ACME challenge validation. All other types of certificates require domains to be validated in SCM.

    1. Select your domain and click Validate.

    2. Select the appropriate DCV method as per your initial setup.

      The following steps assume that you selected Email as the DCV method.

    3. Click Next.

    4. In Select an email address, select a registered email.

    5. Click Submit.

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, its Status will change to Validated on the Domains page.

Create an ACME account and obtain the EAB values

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Navigate to Enrollment > ACME.

  3. Select your ACME endpoint.

  4. Click Accounts.

  5. Click Add and provide the following details:

    • Name: A name for the ACME account

    • Organization: The organization to be associated with the ACME account

    • Department: (Optional) The department to be associated with the ACME account

  6. Click Save.

    External Account Binding (EAB) is now created for the new ACME account.

    Make a note of the following ACME account details for client registration:

    • ACME URL

    • Key ID

    • HMAC Key

    Once the client is successfully registered, these values will be erased from the system.

  7. Click Close.

Extract the contents

Complete the following steps before running the install script:

  1. Extract the contents of the SectigoAWSCM archive to the current path.

  2. Navigate to the ./sectigo_awscm_iac directory.

  3. Give the execute permission to the install.sh file using the chmod +x install.sh command.

Configure the ACME accounts file

Configure the acme_accounts.yaml file.

The acme-account.yaml file is uploaded to the S3 bucket. It contains the EAB values for the ACME accounts, which are sensitive data and must be protected. To edit or redeploy the file, use the AWS CLI commands; you can also work with the file in the AWS console.

Sample ACME accounts file:

accounts:
  scm_demo:
    -
      acme-endpoint: "https://acme.demo.sectigo.com"
      eab-hmac-key: "cXJpUlh2OTZFcW11cEIwcFVrWWtCOFRRYWJzTnVqejhrMDd3MWR6TzBkVnpvaTVY"
      eab-key: "dfd846050852841ffaaf87cfa64b53e1"
      email: [email protected]
      RenewBeforeDays: 30
      KeyType: RSA
      KeySize: 2048
  scm_demo2:
    ...

The following list describes the parameters in the file.

  • <scm_demo>: An arbitrary alias for your ACME account

  • acme-endpoint: The URL of the ACME server

  • eab-hmac-key: The HMAC key for external account binding

  • eab-key: The key ID for external account binding

  • email: The email address for ACME account registration and recovery contact

  • RenewBeforeDays: The number of days prior to certificate expiration that a renewal process is initiated. The default expiry window is 30 days.

  • KeyType: The key algorithm to use for certificate enrollment. The possible values are RSA and ECDSA.

  • KeySize: The key size to use for certificate enrollment. The possible values are 2048 and 4096 for RSA, and 256, 384, and 521 for ECDSA.
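The following script is an added example and is not the connector's own code. It does two things that the parameter descriptions above and the "Create an ACME account and obtain the EAB values" section leave implicit. First, it validates each account entry against the stated constraints (required fields, an https endpoint, RSA and ECDSA key sizes, a positive RenewBeforeDays). Second, it shows what the Key ID and HMAC Key are for: an ACME client presents them to the CA as an externalAccountBinding JWS inside its newAccount request (RFC 8555, section 7.3.4), signed with HMAC-SHA256 using the decoded HMAC key, which is how the CA ties the new ACME account to your SCM organization. The account data is the scm_demo entry above in the dict form a YAML parser such as yaml.safe_load would produce (PyYAML is not required to run this); the email address, the account JWK coordinates and the newAccount URL are constructed placeholders, and the EAB values are the page's sample values, not working credentials.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed sample: the scm_demo entry above as a YAML parser would return
# it. The EAB values are the page's sample values, not working credentials;
# the email address is made up.
SAMPLE_ACCOUNTS: Dict[str, List[Dict[str, Any]]] = {
    "scm_demo": [{
        "acme-endpoint": "https://acme.demo.sectigo.com",
        "eab-hmac-key": "cXJpUlh2OTZFcW11cEIwcFVrWWtCOFRRYWJzTnVqejhrMDd3MWR6TzBkVnpvaTVY",
        "eab-key": "dfd846050852841ffaaf87cfa64b53e1",
        "email": "pki-admin@example.com",
        "RenewBeforeDays": 30,
        "KeyType": "RSA",
        "KeySize": 2048,
    }],
}

# Placeholders: a real client derives the JWK from its account key pair and
# takes the newAccount URL from the ACME directory served at acme-endpoint.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "<base64url-x>", "y": "<base64url-y>"}
SAMPLE_NEW_ACCOUNT_URL = "https://acme.demo.sectigo.com/newAccount"

# Constraints taken from the parameter descriptions above.
ALLOWED_KEY_SIZES = {"RSA": {2048, 4096}, "ECDSA": {256, 384, 521}}
REQUIRED = ("acme-endpoint", "eab-hmac-key", "eab-key", "email", "KeyType", "KeySize")


def validate_account(alias: str, entry: Dict[str, Any]) -> List[str]:
    """Problems with one account entry; an empty list means it is acceptable."""
    problems = []
    for field in REQUIRED:
        if entry.get(field) in (None, ""):
            problems.append(f"{alias}: missing {field}")
    endpoint = entry.get("acme-endpoint")
    if endpoint and not str(endpoint).startswith("https://"):
        problems.append(f"{alias}: acme-endpoint must be an https URL")
    key_type = entry.get("KeyType")
    if key_type not in ALLOWED_KEY_SIZES:
        problems.append(f"{alias}: KeyType must be RSA or ECDSA, got {key_type!r}")
    elif entry.get("KeySize") not in ALLOWED_KEY_SIZES[key_type]:
        problems.append(f"{alias}: KeySize {entry.get('KeySize')!r} is not valid for {key_type}")
    days = entry.get("RenewBeforeDays", 30)  # 30 days is the documented default
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        problems.append(f"{alias}: RenewBeforeDays must be a positive integer")
    return problems


def validate_accounts(accounts: Dict[str, List[Dict[str, Any]]]) -> List[str]:
    """Validate every entry under every alias in the parsed accounts file."""
    problems = []
    for alias, entries in accounts.items():
        for entry in entries:
            problems.extend(validate_account(alias, entry))
    return problems


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Accepts the base64 form SCM shows as well as base64url, padded or not.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_segment(segment: str) -> Dict[str, Any]:
    return json.loads(b64url_decode(segment))


def build_eab_jws(eab_key: str, eab_hmac_key: str, new_account_url: str,
                  account_jwk: Dict[str, str]) -> Dict[str, str]:
    """externalAccountBinding JWS for a newAccount request (RFC 8555 section 7.3.4).

    Protected header: HS256, the EAB key ID and the newAccount URL.
    Payload: the account's public JWK. Signature: HMAC-SHA256 over
    "<protected>.<payload>" with the decoded HMAC key.
    """
    header = {"alg": "HS256", "kid": eab_key, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab_jws(jws: Dict[str, str], eab_hmac_key: str) -> bool:
    """What the CA side does: recompute the MAC and compare in constant time."""
    signed = f"{jws['protected']}.{jws['payload']}".encode()
    mac = hmac.new(b64url_decode(eab_hmac_key), signed, hashlib.sha256)
    return hmac.compare_digest(b64url(mac.digest()), jws["signature"])


if __name__ == "__main__":
    entry = SAMPLE_ACCOUNTS["scm_demo"][0]
    print(validate_accounts(SAMPLE_ACCOUNTS) or "acme_accounts entries OK")
    jws = build_eab_jws(entry["eab-key"], entry["eab-hmac-key"], SAMPLE_NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK)
    print(json.dumps(jws, indent=2))
    print("verifies:", verify_eab_jws(jws, entry["eab-hmac-key"]))
```

Because the JWS is bound to the newAccount URL and to the client's own public key, a captured binding cannot be replayed against another CA endpoint or attached to a different account key; the HMAC Key itself, however, is a bearer secret until the client is registered, which is why SCM erases it after registration and why the accounts file must be protected in S3.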