Configuring the connector

This page describes how to configure the Sectigo connector, allowing you to manage certificates using Jira issues and workflows.

Obtain your SCM API credentials

You will need your SCM API credentials to configure the Sectigo Profile Settings in Jira.

Log in to SCM with the MRAO administrator credentials provided to your organization.
Select Enrollment REST.
Select SSL Certificates REST API, and click Accounts.
Select your account and click Edit.
Click Reset Secret, and confirm resetting the client secret.
Make a copy of the values under Client ID and Application (client) Secret.

You will need to assign them to the Client ID and Client Secret parameters in Sectigo Profile Settings.

Configure Sectigo Profile Settings

Profile credentials are used to connect to data on the SCM Enrollment REST API.

To create, rename, or remove a profile:

Navigate to Jira Administration, and select Manage Apps.
From the list of functions on the left side of the screen, select Sectigo Profile Settings.

Configure the profile settings based on the information in the following table.

Field	Description
Select Profile	Select an existing profile or create a new one.
Client ID	Your SCM client ID.
Client Secret	Your SCM client secret.
SCM URL	The URL of your SCM instance.
SSL Cert Comments	Optional comments.
Force Renewal	Select to force renewal of certificates for this profile within the next 24 hours.
Expiry Window (days)	Enter the number of days until the certificate expires. Not necessary if you selected Force Renewal.
Auto Renew	Select to automate certificate renewal before they expire. Not necessary if you selected Force Renewal.

Field

Description

Select Profile

Select an existing profile or create a new one.

Client ID

Your SCM client ID.

Client Secret

Your SCM client secret.

SCM URL

The URL of your SCM instance.

SSL Cert Comments

Optional comments.

Force Renewal

Select to force renewal of certificates for this profile within the next 24 hours.

Expiry Window (days)

Enter the number of days until the certificate expires. Not necessary if you selected Force Renewal.

Auto Renew

Select to automate certificate renewal before they expire. Not necessary if you selected Force Renewal.

Click Save.

Configure logging

Navigate to Jira Administration, and select System.
Under System Support, click Logging and profiling.
Scroll down to Default Loggers, and click Configure.
Enter com.sectigo, select INFO, and click Add.

Configure webhook for certificate expiry notification

This feature enables the Jira plugin to receive SSL certificate expiration notifications directly from SCM via webhook and automatically create a Jira issue in the Certificate Management Project.

SCM sends the webhook without authentication. The Jira server requires authentication to use the webhook URL.

There are two ways to get authentication:

Configure SCM to send webhook
- For example, http://admin:[email protected]:8080/plugins/servlet/sectigo-notification-webhook
Configure NGINX as a reverse proxy and add basic authentication for just the webhook endpoint.

Configure SCM to send webhook

Navigate to SCM Settings Notification Templates.
Click Add.
In Recipient Type, select Webhook.
In Notification Type, select SSL Certificate Expiration.
Click Next.
Select JSON.

Replace the existing text with the following:

{
  "certificateId": "${certID}",
  "commonName": "${commonName}",
  "expirationDate": "${expiresDate}",
  "certificateComments": "${comments}",
  "certificateOrgDept": "${organization}/${department}",
  "certificateRequesterEmail": "${requesterEmail}"
}

Click Save.
Navigate to SCM Settings Notifications
In Name, enter a name for the notification.
Select Active.
In Notification Type, select SSL Certificate Expiration.
Click Next.
In the Recipients tab, click the plus sign to add Additional recipients.
Select type: Webhook.
In the Value field, enter the URL.
Click Next, then click Save.

Configure NGINX

The other way to get authentication for Jira to use the webhook URL is to configure NGINX as a reverse proxy which adds the authorization headers during requests.

If you are using a different web server, you can adapt the configuration accordingly using this NGINX example as a reference. You can also restrict public access to the URL and add rules to only allow requests coming from the SCM webhook. For more information, see your webserver documentation.

In your NGINX webserver, generate a base64 credential.
echo -n 'yourUser:yourPass' | base64
Configure NGINX as a reverse proxy and add basic authentication for just the webhook endpoint:

location /plugins/servlet/sectigo-notification-webhook {
    proxy_pass http://localhost:8080;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Add Basic Authorization Header ONLY for this endpoint
    proxy_set_header Authorization "Basic YWRtaW46YWRtaW4=";
}