Using the connector

To list all possible options for the connector, run it with the --help option.

python3 main.py --help

usage: main.py [-h] -a ACTION [-p PROFILE] [--version]

Sectigo Connector Cisco Firepower Threat Defense

Arguments in [] are optional:

  -h, --help            show this help message and exit
  -a ACTION, --action ACTION
                        enroll      : Enroll a certificate and attach it to the SSL policy
                        renew       : Renew an existing certificate. This action creates a new certificate with the same attributes. Use the renew action for revoked or expired certificates
                        replace     : Replace an existing certificate when the certificate attributes (key size, algorithm, SAN, etc.) are changed.
                        list        : List enrolled certificates from Cisco side with details
                        enc         : Encrypt credentials
                        dec         : Decrypt credentials
  -p PROFILE, --profile PROFILE
                        The name of the certificate profile, e.g. mycert.yaml or mycert
  --version             show program's version number and exit

Enroll a certificate

You can enroll for a specific certificate profile.

python3 main.py -a enroll -p <certificate>.yaml

The configuration files are assumed to be in the /opt/sectigo/CiscoFTD<version>/config folder.

Verify SSL enablement

To view the provisioned certificate in Firewall Device Manager:

  1. Navigate to the Objects tab.

  2. Select Certificates > Certificates.

Cisco FTD certificates

Renew a certificate

You can renew certificates for a specific certificate profile or for all certificate profiles available in the profile’s path.

  • All certificate profiles:

    python3 main.py -a renew

  • Specific certificate profile:

    python3 main.py -a renew -p <certificate>.yaml

Enable auto-renewal

You can create a cronjob that invokes the connector on a schedule (see crontab for cron schedule expressions). To have the connector check the certificate’s eligibility for renewal on that schedule and renew it when eligible:

  1. Run crontab -e on the terminal.

  2. Select an editor.

  3. Add a cronjob that will trigger the connector.

    The following example triggers the Cisco FTD agent every week.

    • All certificate profiles:

      0 0 * * 7 python3 /opt/sectigo/ciscoFTD<version>/main.py -a renew

    • Specific certificate profile:

      0 0 * * 7 python3 /opt/sectigo/ciscoFTD<version>/main.py -a renew -p <certificate>.yaml

  4. Save the changes and exit.

Revoke or replace a certificate

Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed. The connector imports the new certificate into the certificate management area of Cisco Firepower.

View the logs

The log files are stored in the location set by the sectigo_log_path parameter of the config.yaml file. By default, all events are recorded.

Partial sample log file:

2024-05-29 10:41:28,333 - __main__ - INFO - --------------------------------------------------
2024-05-29 10:41:28,333 - sectigo_sdk.certificate_profile - INFO - Loading certificate profile : config/cert_profile1.yaml
2024-05-29 10:41:30,992 - third_party.ftd_provider - INFO - Getting cert by name in Cisco Appliance
2024-05-29 10:41:32,552 - third_party.ftd_provider - INFO - Checking certificate enrollment is required
2024-05-29 10:41:32,553 - third_party.ftd_provider - INFO - Getting cert by name in Cisco Appliance
2024-05-29 10:41:32,954 - third_party.ftd_provider - INFO - Renewal forced via parameter
2024-05-29 10:41:32,954 - sectigo_sdk.scm_provider - INFO - Checking certificate enrollment is required
2024-05-29 10:41:33,625 - sectigo_sdk.scm_provider - INFO - Renewal forced via parameter
2024-05-29 10:41:33,625 - sectigo_sdk.scm.enrollment.enrollment_provider - INFO - Renew SSL with Enrollment Api
2024-05-29 10:41:41,612 - third_party.ftd_provider - INFO - Certificate updated successfully.
2024-05-29 10:41:41,971 - third_party.ftd_provider - INFO - Deploy changes request sent successfully.
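When the renew action runs unattended from cron, the log above is the only record of whether a renewal actually reached the firewall. The following parser is an added example, not part of the connector: it reads log lines in the format shown above, splits them into runs at the dashed separator that __main__ writes, and flags a run that logged an error or updated the certificate without the deploy request being sent. The sample log and the ERROR line in it are constructed; the message strings matched are the ones from the excerpt above.

```python
import re
from dataclasses import dataclass, field

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) - (?P<logger>\S+) - (?P<level>[A-Z]+) - (?P<msg>.*)$")  # "<ts> - <logger> - <LEVEL> - <msg>"

@dataclass
class RunSummary:
    started: str                                  # timestamp of the run's separator line
    profiles: list = field(default_factory=list)  # from "Loading certificate profile : <path>"
    updated: bool = False                         # saw "Certificate updated successfully."
    deployed: bool = False                        # saw "Deploy changes request sent successfully."
    errors: list = field(default_factory=list)    # messages logged at ERROR or CRITICAL

def parse_runs(log_text):
    """Split the connector log into runs; each run opens with a dashed separator line."""
    runs, current = [], None
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # blank line or text not written by the connector's logger
        ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")
        if msg and set(msg) == {"-"}:  # separator written by __main__ when a run starts
            current = RunSummary(started=ts)
            runs.append(current)
        elif current is None:
            continue  # lines before the first separator belong to no run
        elif level in ("ERROR", "CRITICAL"):
            current.errors.append(msg)
        elif msg.startswith("Loading certificate profile"):
            current.profiles.append(msg.split(":", 1)[1].strip())
        elif msg.startswith("Certificate updated successfully"):
            current.updated = True
        elif msg.startswith("Deploy changes request sent successfully"):
            current.deployed = True
    return runs

def needs_attention(run):
    """Flag a run that logged errors or updated the certificate without deploying the change."""
    return bool(run.errors) or (run.updated and not run.deployed)

# Constructed sample: run 1 follows the page's excerpt, run 2 is an invented failed deploy.
SAMPLE_LOG = """\
2024-05-29 10:41:28,333 - __main__ - INFO - --------------------------------------------------
2024-05-29 10:41:28,333 - sectigo_sdk.certificate_profile - INFO - Loading certificate profile : config/cert_profile1.yaml
2024-05-29 10:41:41,612 - third_party.ftd_provider - INFO - Certificate updated successfully.
2024-05-29 10:41:41,971 - third_party.ftd_provider - INFO - Deploy changes request sent successfully.
2024-06-05 00:00:01,004 - __main__ - INFO - --------------------------------------------------
2024-06-05 00:00:01,010 - sectigo_sdk.certificate_profile - INFO - Loading certificate profile : config/cert_profile1.yaml
2024-06-05 00:00:09,800 - third_party.ftd_provider - ERROR - Deploy changes request failed (constructed line)
"""
```

Point parse_runs at the file named by sectigo_log_path and alert on any run for which needs_attention returns True.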