Overview

Sectigo Connector for Java ("the connector") is a certificate management solution for automating the enrollment and management of SSL/TLS certificates on Java servers. The connector imports the provisioned certificates into a Java KeyStore on a remote server. Communication with a remote server occurs through an embedded SSH client. SCM credentials can be stored in plaintext or encrypted form.

The following certificate types are supported:

  • Domain Validation (DV): Single-domain, multi-domain, and wildcard certificates issued by Sectigo

  • Organization Validation (OV): Single-domain, multi-domain, and wildcard certificates issued by Sectigo

  • Extended Validation (EV): Single-domain and multi-domain certificates issued by Sectigo

  • Private SSL: Private SSL certificates issued by Sectigo

The following key types are supported:

  • RSA: RSA-2048, RSA-3072, and RSA-4096

  • ECDSA: ECDSA-256 and ECDSA-384

Audience

This guide is intended for IT administrators and system administrators who have knowledge of IT security, cloud security, and are also familiar with Sectigo Certificate Manager (SCM).

Scope

This guide covers instructions on using the Sectigo REST API to enroll certificates and import them into a Java KeyStore on a remote server.

Additional resources

Architecture

Sectigo Java Connector architecture

Execution workflow

During execution, the connector does the following:

  1. Reads the certificates.yaml file(s) from the ./domains directory and its subdirectories (if any) to get the certificate enrollement information.

  2. Generates a key pair and a CSR on the local machine.

  3. Sends the CSR with an enrollment request to SCM.

  4. Downloads the entire certificate chain in the CRT format to the local machine.

  5. Saves the certificate name and ID to the cache.csv file on the local machine.

  6. Imports the certificate into a Java KeyStore (JKS) file on the local machine.

  7. Sends the JKS file to the remote machine through SSH.

  8. Deletes the temporary files, such as the CRT and JKS files, from the local machine.

Package contents

The package contains the following components:

  • domains: This directory and it subdirectories store the certificate.yaml files.

    • certificates.yaml: This file contains certificate enrollment information: CSR parameters, renewal window, and more. The certificates.yaml file can reside in the ./domains root directory or you can copy it to subdirectories for specific domains.

  • configs: This directory stores the SCM credentials and remote machine credentials files.

    • scm.yaml: This file contains the SCM credentials.

    • servers.yaml: This file contains essential details about the remote (or local) machine.

  • SCM Client EULA v1.0.1.txt: The EULA agreement. You need to accept it when you run the connector for the first time.

  • sectigo-java-agent: The connector in the form of a binary executable file.