Overview
Sectigo Connector for Java ("the connector") is a certificate management solution developed as an executable file to automate the enrollment and management of SSL/TLS certificates for Java servers. The connector can enroll certificates with both ACME and REST API servers.
The current version of the connector is designed as a standalone solution to enroll and manage certificates that should be manually imported to the Java KeyStore and CACert store on the Java server.
The connector can obtain the following types of SSL/TLS certificates:
- Domain Validation (DV)
- Organization Validation (OV)
- Extended Validation (EV) certificates
The following key types are supported: RSA-2048, RSA-3072, RSA-4096, and ECDSA-256.
Audience
This guide is intended for IT administrators and system administrators who have knowledge of IT security and cloud security and are familiar with SCM.
Scope
This guide covers instructions on connecting to the Sectigo ACME or REST API servers and enrolling or renewing certificates. Importing the enrolled certificates to a keystore is outside the scope of this guide.
Architecture
Execution workflow
During execution, the connector does the following:
- Reads the certificates.yml file(s) in the domains directory and its subdirectories (if any) to get the CSR filename(s) and other certificate enrollment information. If you have multiple CSR files and an error occurs while reading one of them (for example, the file is not found), the tool ignores that file and proceeds to the next.
- Sends the CSR with an enrollment request to Sectigo Certificate Manager (SCM).
- Downloads the public certificate (.crt) and certificate ID (.ids) files to the directory that hosts certificates.yml. The entire certificate chain is downloaded from SCM: a common file (which includes the root CA, issuing CA, and server (leaf) certificates), and the same certificates presented as three separate files. Additionally, the server certificate and its chain are converted to a .pem file.
The configuration information can be stored in plaintext or encrypted form.
Package contents
The package contains the following components:
- domains: This folder contains the certificates.yml file, CSRs, and provisioned certificates. You can change the folder name or location for these files using the directory parameter in the config.yml file.
  - certificates.yml: This file contains information for enrolling certificates, such as CSR filenames, renewal window, and more. The certificates.yml file and your CSR can reside in the domains root folder or you can place them in subfolders for specific domains.
- config.yml: This file stores the secrets and configuration.
- SCM Client EULA v1.0.1.txt: The EULA agreement. You need to accept it when running sectigo-java-agent for the first time.
- sectigo-java-agent: The connector as an executable file.
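Because config.yml stores the secrets (possibly in plaintext) and the connector submits whatever CSR certificates.yml names, the permissions on the package directory are worth checking before the first run. The following Python script is an added example, not part of the Sectigo package or its documentation; it assumes a POSIX host and the default layout (config.yml and domains directly under the package directory), and the function name audit_package is hypothetical.

```python
import os
import stat
import sys

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO    # any access for group/others
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write access for group/others


def audit_package(root, domains_dir="domains"):
    """Return (path, problem) findings for a connector package directory.

    Assumes the default layout (config.yml and a domains folder under root)
    and POSIX permission bits. Pass domains_dir if the directory parameter
    in config.yml points somewhere else.
    """
    findings = []

    # config.yml stores the secrets, possibly in plaintext: owner-only access.
    config = os.path.join(root, "config.yml")
    if not os.path.isfile(config):
        findings.append((config, "missing"))
    elif stat.S_IMODE(os.stat(config).st_mode) & GROUP_OTHER_ANY:
        findings.append((config, "accessible to group or others"))

    # The CSR named in certificates.yml is what gets enrolled, so nothing in
    # the domains tree should be writable by anyone but the owner.
    domains = os.path.join(root, domains_dir)
    if not os.path.isdir(domains):
        findings.append((domains, "missing"))
        return findings
    for dirpath, _dirs, filenames in os.walk(domains):
        paths = [dirpath] + [os.path.join(dirpath, f) for f in sorted(filenames)]
        for path in paths:
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except OSError:
                findings.append((path, "cannot stat"))
                continue
            if mode & GROUP_OTHER_WRITE:
                findings.append((path, "writable by group or others"))
    return findings


if __name__ == "__main__":
    results = audit_package(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

Run it with the package directory as its argument; it exits non-zero when any finding is reported, so it can gate a scheduled enrollment job.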