Configuring the connector

This page describes how to configure the connector for certificate enrollment and management.

Authenticate to Google Cloud using a service account

After installing the Google Cloud CLI and before running the install script, authenticate to Google Cloud using a service account key file:

  1. Create a service account:

    1. Navigate to the Create service account page in the Google Cloud console.

    2. Select your project.

    3. In the Service account name field, enter a name. The Google Cloud console generates a Service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.

    4. (Optional) In the Service account description field, enter a description.

    5. Click Create and continue to proceed to the next step and set access controls.

  2. Grant IAM roles to your service account:

    1. In the Select a role list, add the roles the installer needs. The basic Owner role also works, but it grants far more than the connector uses; prefer adding only the following roles (click Add another role for each):

      • roles/cloudfunctions.admin: Cloud Functions Admin

      • roles/storage.admin: Storage Admin

      • roles/compute.loadBalancerAdmin: Compute Load Balancer Admin

      • roles/cloudscheduler.admin: Cloud Scheduler Admin

      • roles/iam.serviceAccountCreator: Create Service Accounts

    2. Click Continue.

    3. Click Done to finish creating the service account.

  3. Create a service account key file:

    1. In the Cloud Console, click the email address for your service account.

    2. Click Keys.

    3. Click Add key, then click Create new key.

    4. Click Create. A JSON key file is downloaded to your computer. It contains the service account's private key and is a long-lived credential: store it with restrictive file permissions, never commit it to source control, and delete it from the service account once it is no longer needed.

    5. Click Close.

  4. Authorize access to Google Cloud with the service account:

    gcloud auth activate-service-account \
    --key-file=<path_to_the_service_account_key_file>

  5. Set the environment variable that Terraform reads for its credentials:

    export GOOGLE_APPLICATION_CREDENTIALS=<path_to_the_service_account_key_file>

Specify the project ID

If you have multiple projects in your GCP account, specify the ID of the project where the connector will be deployed.

gcloud projects list                     # retrieves a list of your projects
gcloud config set project <project_id>   # sets the `project` property in the core section
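The service-account setup above as an added shell example (not part of the Sectigo connector package or of Google's tooling): it checks the downloaded JSON key before anything consumes it, then runs the activation, project-selection and environment-variable steps in one go. The key file path and project ID are arguments; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a service-account key file, then run the
# gcloud steps from the page with it. Not part of the connector package.
set -eu

# check_sa_key FILE
# Returns 0 only if FILE is a service-account key (type "service_account",
# contains a private key) and is not readable by other users (mode 600 or 400).
check_sa_key() {
  local f="$1" mode
  [ -f "$f" ] || { echo "check_sa_key: no such file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "check_sa_key: $f has mode $mode; run chmod 600 on it first" >&2; return 1 ;;
  esac
  grep -q '"type": *"service_account"' "$f" \
    || { echo "check_sa_key: $f is not a service-account key" >&2; return 1; }
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$f" \
    || { echo "check_sa_key: $f contains no private key" >&2; return 1; }
  return 0
}

# sa_email FILE
# Prints the client_email of the key so the identity in use can be logged
# without printing any key material.
sa_email() {
  sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$1"
}

# activate_connector_identity KEYFILE PROJECT_ID
# The gcloud steps from the page, gated on the checks above. Source this
# file and call the function so the exported variable lands in your shell.
activate_connector_identity() {
  local key="$1" project="$2"
  check_sa_key "$key"
  echo "using service account $(sa_email "$key") in project $project"
  gcloud auth activate-service-account --key-file="$key"
  gcloud config set project "$project"
  export GOOGLE_APPLICATION_CREDENTIALS="$key"
}

# Usage (assumed paths):
#   . ./sa-setup.sh
#   activate_connector_identity /path/to/key.json my-project-id
```

The permission check is deliberately strict: a key file that other local users can read is a credential leak regardless of what the rest of the setup does, so the script refuses to continue rather than warn.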

Validate the domains

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.
  2. (Optional) Navigate to the Organizations page to see if an organization with departments already exists. On this page you can create a new organization or add departments to an existing organization.

    To add an organization:

    1. Click Add.

    2. Complete the fields with the organization’s details, then click Next.

    3. Configure settings for specific types of certificates.

    4. Click Save.

    5. Select the newly created organization from the list of organizations.

    6. Click Add Department and complete the fields with the department’s details.

    7. Click Validate to start the validation process for this organization.

      (Screenshot: SCM organizations page)

  3. Navigate to the Domains page.

    (Screenshot: SCM Domains page)

  4. To create a new domain entry, click Add.

  5. Specify the domain name, select the organizations/departments to delegate the domain to, and the allowed certificate types.

    (Screenshot: SCM create domain page)

  6. Click Save.

  7. If your organization or department requires delegations to be approved:

    1. Select the newly created domain from the list of domains.

    2. Click Approve Delegations.

      (Screenshot: SCM Domains tab with the new domain)

    3. Select the organization or department, then click Approve.

      To change the organization or department which the domain is delegated to, click Delegate and select the appropriate Organizations/Departments.

  8. (Public CA only) Validate your domain:

    For single-domain DV certificates, domains can be validated by using SCM or ACME challenge validation. All other types of certificates require domains to be validated in SCM.
    1. Select your domain and click Validate.

      (Screenshot: SCM validate domain)

    2. Select the appropriate DCV method as per your initial setup.

      (Screenshot: SCM select DCV method)

      The following steps assume that you selected Email as the DCV method.

    3. Click Next.

    4. In Select an email address, select a registered email.

    5. Click Submit.

      (Screenshot: SCM DCV select registered email)

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, its Status will change to Validated on the Domains page.

      (Screenshot: SCM DCV domain validated)

Create an ACME account and obtain the EAB values

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Navigate to Enrollment > ACME.

    (Screenshot: Enrollment endpoints)

  3. Select your ACME endpoint.

    (Screenshot: ACME endpoint)

  4. Click Accounts.

  5. Click Add and provide the following details:

    • Name: A name for the ACME account

    • Organization: The organization to be associated with the ACME account

    • Department: (Optional) The department to be associated with the ACME account

      (Screenshot: Create ACME account page)

  6. Click Save.

    External Account Binding (EAB) is now created for the new ACME account.

    Make a note of the following ACME account details for client registration:

    • ACME URL

    • Key ID

    • HMAC Key

    Record these values now and treat the HMAC key as a secret: once the client is successfully registered, they are erased from the system and cannot be retrieved again.

    (Screenshot: SCM ACME account details)

  7. Click Close.

Extract the contents

The following steps must be performed before running the script:

  1. Extract the contents of the SectigoGCPCM.zip archive to the current path.

  2. Navigate to the ./sectigo_gcpcm_iac directory.

    3. Make install.sh executable: chmod +x install.sh

Configure the ACME accounts file

Configure the acme_accounts.yaml file.

The acme_accounts.yaml file is uploaded to a Cloud Storage bucket. It contains the EAB credentials (key ID and HMAC key) for the ACME accounts, which are sensitive and must be protected: keep the bucket private and restrict who can read it. To edit or redeploy the file, use the Google Cloud CLI; you can also work with the file in the Google Cloud console.

Sample ACME accounts file
accounts:
  demo2:
    -
      acme-endpoint: "https://acme.demo.sectigo.com"
      eab-hmac-key: "cXJpUlh2OTZFcW11cEIwcFVrWWtCOFRRYWJzTnVqejhrMDd3MWR6TzBkVnpvaTVY"
      eab-key: "dfd846050852841ffaaf87cfa64b53e1"
      email: [email protected]
      RenewBeforeDays: 30
      KeyType: RSA
      KeySize: 2048

The following table describes the parameters in the file.

Parameter           Description

<account_name>      An arbitrary alias for the ACME account; it is the key under accounts: (demo2 in the sample).

acme-endpoint       The URL of the ACME server (the ACME URL noted when the account was created in SCM).

eab-hmac-key        The HMAC key for external account binding (treat as a secret).

eab-key             The key ID for external account binding.

email               The email address used for ACME account registration and as the recovery contact.

RenewBeforeDays     The number of days before certificate expiration at which renewal is started. Default: 30.

KeyType             The key algorithm to use for certificate enrollment: RSA or ECDSA.

KeySize             The key size to use for certificate enrollment: 2048 for RSA, P-256 for ECDSA.
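An added example (not from the connector package) that lints acme_accounts.yaml against the rules in the table above before it is redeployed: the KeyType/KeySize pairing, a positive RenewBeforeDays, an https ACME endpoint and both EAB values present. It parses only the flat layout shown in the sample; the bucket name handed to redeploy_acme_accounts and the object name acme_accounts.yaml are assumptions, since the install output is not described on this page.

```shell
#!/usr/bin/env bash
# Added example: lint acme_accounts.yaml locally, and only then copy it to
# the connector's bucket. Not part of the connector package.
set -eu

# validate_acme_accounts FILE
# Returns 0 if every "-" entry under accounts: is consistent with the
# parameter table: KeyType RSA pairs with KeySize 2048, ECDSA with P-256,
# RenewBeforeDays is a positive integer, acme-endpoint uses https, and both
# EAB values are present. Each problem is printed as one line.
validate_acme_accounts() {
  awk '
    function flush(   ok) {
      if (!seen) return
      ok = 1
      if (kt != "RSA" && kt != "ECDSA")   { print "entry " n ": bad KeyType: " kt; ok = 0 }
      if (kt == "RSA"   && ks != "2048")  { print "entry " n ": RSA needs KeySize 2048, got " ks; ok = 0 }
      if (kt == "ECDSA" && ks != "P-256") { print "entry " n ": ECDSA needs KeySize P-256, got " ks; ok = 0 }
      if (renew !~ /^[0-9]+$/ || renew + 0 < 1) { print "entry " n ": bad RenewBeforeDays: " renew; ok = 0 }
      if (ep !~ /^https:\/\//)            { print "entry " n ": acme-endpoint must use https: " ep; ok = 0 }
      if (kid == "" || hmac == "")        { print "entry " n ": missing eab-key or eab-hmac-key"; ok = 0 }
      if (!ok) bad++
      kt = ks = renew = ep = kid = hmac = ""; seen = 0
    }
    # A bare "-" starts a new account entry: check the previous one first.
    NF == 1 && $1 == "-" { flush(); seen = 1; n++; next }
    { gsub(/"/, "") }   # strip YAML double quotes so $2 is the bare value
    $1 == "acme-endpoint:"   { ep = $2 }
    $1 == "eab-hmac-key:"    { hmac = $2 }
    $1 == "eab-key:"         { kid = $2 }
    $1 == "RenewBeforeDays:" { renew = $2 }
    $1 == "KeyType:"         { kt = $2 }
    $1 == "KeySize:"         { ks = $2 }
    END { flush(); exit (bad ? 1 : 0) }
  ' "$1"
}

# redeploy_acme_accounts FILE BUCKET
# Uploads FILE to the bucket only if it validates. BUCKET is whatever the
# install created; the object name acme_accounts.yaml is assumed here.
redeploy_acme_accounts() {
  local f="$1" bucket="$2"
  validate_acme_accounts "$f" || { echo "not uploading $f" >&2; return 1; }
  gcloud storage cp "$f" "gs://$bucket/acme_accounts.yaml"
}

# Usage (assumed bucket name):
#   redeploy_acme_accounts ./acme_accounts.yaml my-connector-bucket
```

The https check matters more than it looks: the EAB HMAC key is sent to the ACME server during account registration, so an endpoint mistyped as http would expose it in transit.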