Overview

Sectigo Connector for Java ("the connector") is a certificate management solution developed as an executable file to automate the enrollment and management of SSL/TLS certificates for Java servers. The connector can enroll certificates with both ACME and REST API servers.

The current version of the connector is designed as a standalone solution to enroll and manage certificates that should be manually imported to the Java KeyStore and CACert store on the Java server.

The connector can obtain the following types of SSL/TLS certificates:

  • Domain Validation (DV)

  • Organization Validation (OV)

  • Extended Validation (EV)

The following key types are supported: RSA-2048, RSA-3072, RSA-4096, and ECDSA-256.

Audience

This guide is intended for IT administrators and system administrators who have knowledge of IT security and cloud security and are also familiar with Sectigo Certificate Manager (SCM).

Scope

This guide covers instructions on connecting to the Sectigo ACME or REST API servers and enrolling or renewing certificates. Importing the enrolled certificates to a keystore is outside the scope of this guide.

Architecture

Sectigo Java Connector architecture

Execution workflow

During execution, the connector does the following:

  1. Reads the certificates.yml file(s) in the domains directory and its subdirectories (if any) to get the CSR filename(s) and other certificate enrollment information. If you have multiple CSR files and an error occurs while reading one of them (for example, the file is not found), the tool ignores that file and proceeds to the next.

  2. Sends the CSR with an enrollment request to Sectigo Certificate Manager (SCM).

  3. Downloads the public certificate (.crt) and certificate ID (.ids) files to the directory that hosts certificates.yml. The entire certificate chain is downloaded from SCM: a common file (which includes the root CA, issuing CA, and server (leaf) certificates), and the same certificates presented as three separate files. Additionally, the server certificate and its chain are converted to a .pem file.
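Added here as an example that is not part of the connector or this guide: a POSIX shell check that sorts the combined chain file from step 3 into root, issuing and leaf certificates and uses openssl to verify that the leaf chains to the root, so a wrongly assembled bundle is caught before anything is imported into the keystore. The input and output file names are assumptions; the connector's actual file names are not shown on this page.

```shell
# Added example, not part of the Sectigo connector: sanity-check a downloaded
# chain bundle before importing it into a Java KeyStore. File names, the output
# directory and the "one of each role" expectation are assumptions made here.
set -eu

# Split a combined PEM file ($1) into $2/cert-1.pem, $2/cert-2.pem, ...
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Classify one certificate: root (subject name equals issuer name, i.e. self-
# signed), ca (CA:TRUE in Basic Constraints) or leaf (everything else).
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$subj" = "$iss" ]; then
    echo root
  elif openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo leaf
  fi
}

# Sort the bundle ($1) into $2/root.pem, $2/issuing.pem and $2/leaf.pem (use a
# fresh $2), then verify the leaf against the root through the issuing CA.
# Returns non-zero if a role is missing or duplicated or openssl rejects the chain.
verify_chain() {
  split_bundle "$1" "$2"
  for f in "$2"/cert-*.pem; do
    [ -f "$f" ] || { echo "no certificates found in $1" >&2; return 1; }
    case "$(cert_role "$f")" in
      root) dest="$2/root.pem" ;;
      ca)   dest="$2/issuing.pem" ;;
      leaf) dest="$2/leaf.pem" ;;
      *)    echo "cannot classify $f" >&2; return 1 ;;
    esac
    [ ! -e "$dest" ] || { echo "duplicate $(basename "$dest") in $1" >&2; return 1; }
    mv "$f" "$dest"
  done
  for r in root issuing leaf; do
    [ -e "$2/$r.pem" ] || { echo "no $r certificate in $1" >&2; return 1; }
  done
  openssl verify -CAfile "$2/root.pem" -untrusted "$2/issuing.pem" "$2/leaf.pem"
}
```

Run it as `verify_chain <combined file> <fresh output directory>`; it exits 0 only when each of the three roles is present exactly once and `openssl verify` reports OK.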

The configuration information can be stored in plaintext or encrypted form.

Package contents

The package contains the following components:

  • domains: This folder contains the certificates.yml file, CSRs, and provisioned certificates. You can change the folder name or location for these files using the directory parameter in the config.yml file.

    • certificates.yml: This file contains information for enrolling certificates, such as CSR filenames, the renewal window, and more. The certificates.yml file and your CSR can reside in the domains root folder, or you can place them in subfolders for specific domains.

  • config.yml: This file stores the secrets and configuration.

  • SCM Client EULA v1.0.1.txt: The EULA agreement. You need to accept it when running sectigo-java-agent for the first time.

  • sectigo-java-agent: The connector as an executable file