Using the connector

To list all possible options for the connector, run it with the --help option.

sectigo-java-agent --help

Enroll a certificate

sectigo-java-agent

Don’t remove the .csr and .ids files after enrolling a certificate. The connector uses the information in them to check the certificate’s expiration date and to renew the certificate.

The filename of a provisioned certificate includes the Common Name and expiry date.

Provisioned certificates in working directory

These are the same certificates as shown in SCM.

Provisioned certificates in SCM

You can view the details of a provisioned certificate by running sectigo cert info -f </domains/cert-file>.crt.

Provisioned certificate details

Import a certificate to a keystore/truststore

To add a certificate to a keystore or truststore using keytool, run the following command.

  • Keystore

    keytool -import -alias foo -file certificate.crt -storetype JKS \
    -keystore mycerts.jks -storepass johndoe

  • Truststore

    keytool -import -alias foo -file certificate.crt -storetype cacerts \
    -keystore mycerts.jks -storepass johndoe

The server certificate must be imported to a keystore (-storetype JKS), and the CA certificates must be imported to a truststore (-storetype cacerts). If you omit -storepass, keytool prompts for the password instead of leaving it in the shell history and process listing.

Renew a certificate

Set the renewal period in the renewBeforeDays parameter of the certificates.yml file and run the connector.

sectigo-java-agent

The renewBeforeDays parameter doesn’t affect the renewal process for revoked certificates: if the connector identifies a revoked certificate, it enrolls a new certificate using the information from the certificate configuration file.

Enable auto-renewal

You can create a cronjob that invokes the connector on a schedule (see crontab for cron schedule expressions) so that it regularly checks whether the certificate is eligible for renewal:

  1. Run crontab -e on the terminal.

  2. Select an editor.

  3. Add a cronjob that will trigger the connector.

    The following example triggers the connector once a week (at 00:00 on Sunday).

    0 0 * * 7 cd /home/ubuntu/sectigo-java-agent && ./sectigo-java-agent
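The renewal rule from the two sections above, written out as an added example (Python; this is not the connector's own code and is not part of the Sectigo documentation). It reads the expiry line printed by openssl x509 -noout -enddate for each provisioned .crt file, applies the renewBeforeDays window, and treats a revoked certificate as always due, matching the behaviour the documentation describes. The function names, the shell loop in the comment and the sample paths and dates are constructed for illustration.

```python
"""Renewal-eligibility check mirroring the connector's renewBeforeDays rule.

Added example, not the connector's own code. Input is the line printed by
  openssl x509 -noout -enddate -in domains/<dir>/<cert>.crt
which looks like: notAfter=Jan 22 13:20:45 2024 GMT
Function names and the sample values below are constructed for illustration.
"""
from datetime import datetime, timezone


def parse_not_after(enddate_line):
    """Turn an openssl '-enddate' line into a timezone-aware UTC datetime."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"not an enddate line: {enddate_line!r}")
    parts = value.split()  # split() also absorbs the space-padded day ("Jun  2 ...")
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected notAfter format: {value!r}")
    stamp = " ".join(parts[:4])
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(enddate_line, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(enddate_line) - now).days


def renewal_due(enddate_line, renew_before_days, now, revoked=False):
    """True when the certificate is inside its renewal window, already expired,
    or revoked. Revocation wins regardless of renewBeforeDays, as the
    documentation describes."""
    if revoked:
        return True
    return days_remaining(enddate_line, now) < renew_before_days


def due_certificates(inventory, renew_before_days, now, revoked=()):
    """inventory: iterable of (path, enddate_line) pairs, e.g. produced by
         for f in domains/*/*.crt; do
           echo "$f $(openssl x509 -noout -enddate -in "$f")"
         done
    Returns the paths the connector should renew on its next run."""
    return [path for path, line in inventory
            if renewal_due(line, renew_before_days, now, revoked=path in revoked)]


# Constructed sample inventory and clock; the dates are invented.
SAMPLE_INVENTORY = [
    ("domains/domain1/101010_ccmqa_com.crt", "notAfter=Jan 22 13:20:45 2024 GMT"),
    ("domains/domain2/example_com.crt", "notAfter=Jun  2 00:00:00 2024 GMT"),
]
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # With renewBeforeDays = 30 only domain1 (21 days left) is due.
    print(due_certificates(SAMPLE_INVENTORY, 30, SAMPLE_NOW))
```

Run it from the connector's working directory with a real inventory to see which certificates the next scheduled run will renew; the revoked set has to come from SCM, since revocation is done there and is not visible in the .crt file itself.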

Revoke and replace a certificate

Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed.

View the logs

The log files are stored in the ./logs directory.

Partial sample log file

time="2023-01-22T13:20:45+04:00" level=debug msg="processing directory ./domains"
time="2023-01-22T13:20:45+04:00" level=debug msg="reading certificates config domains/certificates.yml..."
time="2023-01-22T13:20:45+04:00" level=debug msg="configuration from domains/certificates.yml file loaded!"
...
time="2023-01-22T13:20:48+04:00" level=debug msg="writing ids file: domains/domain1/101010_ccmqa_com.ids"
time="2023-01-22T13:20:48+04:00" level=debug msg="writing crt file: domains/domain1/101010_ccmqa_com.crt"
time="2023-01-22T13:20:48+04:00" level=debug msg="writing pem file: domains/domain1/101010_ccmqa_com.pem"
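The log lines use a key=value layout that is easy to process automatically. As an added example (Python; not the connector's own code and not part of the documentation), the script below parses such lines, counts them per level and records which files were written per certificate directory, flagging directories where the .ids or .crt file that the expiry check and renewal depend on was not written. The helper names and the two extra sample lines (a second domain and a warning) are constructed; the other sample lines are copied from the log above.

```python
"""Parse the connector's log lines and summarise what a run wrote.

Added example, not part of the Sectigo documentation or the connector's code.
The time=... level=... msg="..." layout is taken from the sample log on the page;
the summary logic, the helper names and the two extra sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# One key=value pair: the value is either double-quoted (backslash escapes allowed) or bare.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The "writing <kind> file: <path>" messages the connector logs after enrolling a certificate.
_WRITE = re.compile(r'^writing (\w+) file: (.+)$')


def parse_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def summarize(lines):
    """Count lines per level and collect, per certificate directory, the files written."""
    levels = Counter()
    written = defaultdict(dict)  # "domains/domain1" -> {"ids": path, "crt": path, ...}
    for line in lines:
        rec = parse_line(line)
        if "level" not in rec:
            continue  # separators such as "..." carry no fields
        levels[rec["level"]] += 1
        match = _WRITE.match(rec.get("msg", ""))
        if match:
            kind, path = match.groups()
            directory = path.rsplit("/", 1)[0]
            written[directory][kind] = path
    return levels, dict(written)


def incomplete_enrollments(written):
    """Directories missing the .ids or .crt file that the connector needs for its
    expiry checks and renewals (the documentation says not to delete them)."""
    return sorted(d for d, kinds in written.items() if not {"ids", "crt"} <= set(kinds))


# Six lines copied from the page's partial sample log, the "..." separator, and two
# constructed lines: a second domain with only a .crt written, and a warning.
SAMPLE_LOG = [
    'time="2023-01-22T13:20:45+04:00" level=debug msg="processing directory ./domains"',
    'time="2023-01-22T13:20:45+04:00" level=debug msg="reading certificates config domains/certificates.yml..."',
    'time="2023-01-22T13:20:45+04:00" level=debug msg="configuration from domains/certificates.yml file loaded!"',
    '...',
    'time="2023-01-22T13:20:48+04:00" level=debug msg="writing ids file: domains/domain1/101010_ccmqa_com.ids"',
    'time="2023-01-22T13:20:48+04:00" level=debug msg="writing crt file: domains/domain1/101010_ccmqa_com.crt"',
    'time="2023-01-22T13:20:48+04:00" level=debug msg="writing pem file: domains/domain1/101010_ccmqa_com.pem"',
    'time="2023-01-22T13:20:49+04:00" level=debug msg="writing crt file: domains/domain2/example_com.crt"',
    'time="2023-01-22T13:20:49+04:00" level=warn msg="constructed sample: warning line for illustration"',
]

if __name__ == "__main__":
    levels, written = summarize(SAMPLE_LOG)
    print(dict(levels))
    print(written)
    print("incomplete:", incomplete_enrollments(written))
```

Pointed at a real file from ./logs (for example by reading it line by line and passing the lines to summarize), the same functions give a quick post-run check that every configured domain received its .ids and .crt files and that no warning or error level lines were logged.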