Configuring the connector

This page describes how to configure the connector: install the dependencies and set up the configuration files.

Install the dependencies

  1. Install the pip package installer for Python.

    • DEB

      sudo apt-get install python3-pip

    • RPM

      sudo yum install python3-pip

  2. Extract the contents of the kemp-sectigocm-<version>.zip archive to the current directory.

  3. Navigate to the kemp-sectigocm-<version> directory.

  4. Install Python dependencies listed in the requirements.txt file.

    We recommend that you install Python packages into a virtual environment.
    • Virtual environment

      python3 -m venv .venv
      source .venv/bin/activate
      python3 -m pip install --upgrade pip
      python3 -m pip install -r requirements.txt

    • Global installation

      python3 -m pip install --upgrade pip
      python3 -m pip install -r requirements.txt

Validate the domains

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.
  2. (Optional) Navigate to the Organizations page to see if an organization with departments already exists. On this page you can create a new organization or add departments to an existing organization.

    To add an organization:

    1. Click Add.

    2. Complete the fields with the organization’s details, then click Next.

    3. Configure settings for specific types of certificates.

    4. Click Save.

    5. Select the newly created organization from the list of organizations.

    6. Click Add Department and complete the fields with the department’s details.

    7. Click Validate to start the validation process for this organization.

      (Screenshot: SCM organizations page)

  3. Navigate to the Domains page.

    (Screenshot: SCM Domains page)

  4. To create a new domain entry, click Add.

  5. Specify the domain name, select the organizations/departments to delegate the domain to, and select the allowed certificate types.

    (Screenshot: SCM create domain page)

  6. Click Save.

  7. If your organization or department requires delegations to be approved:

    1. Select the newly created domain from the list of domains.

    2. Click Approve Delegations.

      (Screenshot: SCM Domains tab with the new domain)

    3. Select the organization or department, then click Approve.

      To change the organization or department which the domain is delegated to, click Delegate and select the appropriate Organizations/Departments.

  8. (Public CA only) Validate your domain:

    1. Select your domain and click Validate.

      (Screenshot: SCM validate domain)

    2. Select the appropriate DCV method as per your initial setup.

      (Screenshot: SCM select DCV Method)

      The following steps assume that you selected Email as the DCV method.

    3. Click Next.

    4. In Select an email address, select a registered email.

    5. Click Submit.

      (Screenshot: SCM DCV select registered email)

      A message confirms that the validation letter was sent to your selected email.

    6. Click OK.

    7. Follow the instructions provided in the email to validate your domain.

      Once the domain is validated, its Status will change to Validated on the Domains page.

      (Screenshot: SCM DCV domain validated)

Obtain the SCM API credentials

  1. Log in to SCM at https://cert-manager.com/customer/<customer_uri> with the MRAO administrator credentials provided to your organization.

    Sectigo runs multiple instances of SCM. The main instance of SCM is accessible at https://cert-manager.com. If your account is on a different instance, adjust the URL accordingly.

  2. Select Enrollment > REST. Make a note of the URL value under SSL Certificates REST API. You will need to assign it to the scm_url parameter in the sectigo_credentials.yaml file.

    (Screenshot: SSL certificates REST API)

  3. Select SSL Certificates REST API and click Accounts.

  4. Select your account and click Edit.

    (Screenshot: SSL certificates REST accounts)

  5. Click Reset Secret and confirm resetting the client secret.

    (Screenshot: SSL certificates REST accounts)

  6. Make a note of the values under Client ID and Application (client) Secret. You will need to assign them to the client_id and client_secret parameters in the sectigo_credentials.yaml file.

    (Screenshot: Client ID and secret)

Set up the config files

The configuration files are located in the config directory. The values can be stored in plaintext or encrypted form.

Set up the SCM credentials file

Configure the sectigo_credentials.yaml file.

Sample SCM credentials file
SCMDV:
  scm_url: https://scmqa.enroll.demo.sectigo.com/api/v1
  client_id: "e9a4a344-eafd-471d-a9cb-496835ffcb76"
  client_secret: "VWBRVB9eC4PQnAz8p`SNqWb79j9iYpl]"

The following table describes the parameters in the file.

Parameter Description

<SCMDV>

An arbitrary credentials label. This label is referenced in the scm_credentials_label parameter in a certificate profile file. You can have multiple client ID and secret pairs, each with their own label.

scm_url

The URL of the SCM account

client_id

The client ID of the SCM user

client_secret

The client secret of the SCM user

Set up the Kemp profile file

Configure the kemp_profile_1.yaml file. You can create copies of the sample file for different LoadMaster load balancers; just make sure that all filenames start with kemp_.

Sample Kemp profile file
host: https://192.168.220.130
password: "doe123"
username: "john_doe"

The following table describes the parameters in the file.

Parameter Description

host

The domain name or IP address of a LoadMaster instance

password

The password of a user with API access to a LoadMaster instance

username

The name of a user with API access to a LoadMaster instance

Set up the config file

Configure the config.yaml file.

Sample config file
cert_profile_path: "config"
sectigo_sleep_download: 1
sectigo_external_requester: [email protected]
log_file: "sectigo_pycert.log"
log_path: "log_path"
log_level: debug
log_size_mb: 1
logger_count: 10

The following table describes the parameters in the file.

Parameter Description

cert_profile_path

The path to the directory that hosts the certificate profile files.

If you are on Windows, use a double backslash (\\) as a separator.

sectigo_sleep_download

The time (in seconds) between an enrollment request and an attempt to download the provisioned certificate files.

sectigo_external_requester

The email or a comma-separated list of emails of the certificate requester

log_file

The name for the log file. When the log file reaches its maximum size as specified in log_size_mb, the current log file is backed up and a new log file is created.

For example, if the log filename is sectigo_pycert.log, backed up log files will be named as sectigo_pycert.log.1, sectigo_pycert.log.2, and so on.

log_path

The path to the directory that hosts the log files.

If you are on Windows, use a double backslash (\\) as a separator.

log_level

The log level. The supported values are CRITICAL, ERROR, WARNING, INFO, DEBUG, and NOTSET.

The default value is DEBUG.

log_size_mb

The maximum size (in megabytes) of a log file. The default value is 1.

logger_count

The maximum number of log files. The default value is 10.

Set up the certificate profile file

Configure the cert_profile_1.yaml file. You can create copies of the sample file for different certificate profiles; just make sure that all filenames start with cert_.

Each certificate profile file provides enrollment information for one certificate. We recommend that you keep the certificate profile files outside the connector’s directory on the client machine. Use the cert_profile_path parameter in the config.yaml file to specify the location of the certificate profile files.

Sample certificate profile file
profile_name: kemp_profile_1
scm_credentials_label: SCMDV
ssl_cert_type: DV
ssl_cert_comments: Certificate for LoadMaster
ssl_cert_subject_alt_names: example.com, www.example.com
ssl_cert_custom_fields: {"Servers Public IP (or IP Subnet)":"192.168.220.130"}
csr_domain: example.com
csr_country: CA
csr_state: ON
csr_location: Ottawa
csr_organization: JohnDoe
csr_email_address: [email protected]
csr_key_type: RSA
csr_key_size: 4096
force_renewal: False
expiry_window: 30
auto_renew: True
virtualserver:
  - name: 192.168.220.130
    port: 80
    protocol: tcp

The following table describes the parameters in the file.

Parameter Description

profile_name

The name of the Kemp profile file

scm_credentials_label

The credentials label from the sectigo_credentials file

ssl_cert_type

The type of the SSL certificate. The supported values are DV, OV, and EV.

ssl_cert_comments

(Optional) Comments for certificate enrollment

ssl_cert_subject_alt_names

A comma-separated list of subject alternative names (SAN)

ssl_cert_custom_fields

(Optional) Custom fields to be applied to the requested certificate. The expected format for custom fields is the following: [{"name":"custom_field_1","value":"value_1"},{"name":"custom_field_2","value":"value_2"}]. If you are providing this input in a JSON string, make sure that the internal double quotes are escaped properly using \.

csr_domain

A single value for a domain included in the certificate Common Name (CN) field

csr_country

The country name included in the certificate Country (C) field

csr_state

The state or province name included in the certificate State (ST) field

csr_location

The locality name included in the certificate Location (L) field

csr_organization

The organization name included in the certificate Organization (O) field

csr_email_address

The email address included in the certificate emailAddress field

csr_key_type

The private key algorithm to use to generate the private key. The possible values are RSA and ECDSA.

csr_key_size

The size of the private key to generate. The possible values are 2048 and 4096 for RSA, and 256 and 384 for ECDSA.

force_renewal

If True, the certificate is forcibly renewed regardless of its expiration status. The default value is False.

expiry_window

The number of days prior to expiration that a certificate renewal process is initiated. The default expiry window is 30 days.

auto_renew

If True, the certificate is renewed automatically. The default value is True.

virtualservers

A list of virtual services to associate the SSL/TLS certificate with

name

The IP address of the virtual service

port

The port of the virtual service

protocol

The protocol to use for communicating with the virtual service. The possible values are tcp and udp.

Encrypt the config files

If you want to encrypt credentials, run the script with the -a enc option. This action encrypts the client_secret parameter value(s) in the sectigo_credentials.yaml file and the password parameter value in the <kemp_profile_1.yaml> file(s).

If you want to encrypt an additional parameter value in a specific file, such as client_id, append _enc to the parameter name, for example client_id_enc.

  • Encrypt all files

    python3 main.py -a enc

  • Encrypt specific files

    python3 main.py -a enc -p <kemp_profile_1.yaml> [,<sectigo_credentials.yaml>]

When you run the script for the first time, it does the following:

  1. Generates a private key for each file to be encrypted.

  2. Stores the key(s) in the config directory.

  3. Encrypts the values of the parameters with the key(s).

  4. Adds the names of the key(s) to the encrypted parameter of the files.

When the script reads an encrypted config file, it uses the private key named in the encrypted parameter to decrypt the value.

Sample plaintext Kemp profile file
host: https://192.168.220.130
password: "doe123"
username: "john_doe"

Sample encrypted Kemp profile file
host: https://192.168.220.130
password_enc: "h\xCA/\x97\N\x0F\f\xF5\xB5\x8C\t0\x88\xE2\xB0v\0\xB0\x9C3@\x02\x06\xFD\
\x86i4\xF3\xA3\xFF\xD5\x9F*\b\x97c\xDA\xF14A\xBFy\xE8\x87\x7FY\xBC\xE7\t\xF8\xE0\
\x83u\xD6\xA1\xAF\x92\xB0rS\xE6g\xA1\xAA\xC3\x95\xB8\xE9\f\xFC^\x15K:X\xCC\xD3\x9F\
\x98I\xC8\N\xA9\xF5\xD6r\xFF|\xEF\\-rP\xF6C \x1F#\xC9\x9C\x19\xB6\xEB\xB3\xE3w\v\
\x84\x8B\xDF\x81\ve\x1CH^S\xA6\x1F\x87^v\x9B\x14\eQR\f"
username: "john_doe"
encrypted: kemp_profile_1.key

To decrypt all files, run python3 main.py -a dec.

To decrypt a specific file, run python3 main.py -a dec -p <kemp_profile_1.yaml> [,<kemp_profile_2.yaml>].
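As an added example that is not part of the connector, the following Python script cross-checks the four config files described on this page: filename prefixes (kemp_, cert_), profile_name against the Kemp profile files, scm_credentials_label against the credentials labels, csr_key_size against csr_key_type, virtual server port and protocol, log_level, and whether client_secret and password are still in plaintext rather than in their _enc form. It operates on the dicts a YAML parser such as yaml.safe_load returns; the sample contents below are constructed inline in place of real files, with placeholder secrets.

```python
LOG_LEVELS = {"CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG", "NOTSET"}
CERT_TYPES = {"DV", "OV", "EV"}
KEY_SIZES = {"RSA": {2048, 4096}, "ECDSA": {256, 384}}


def check_config(config, credentials, kemp_files, cert_files):
    """Return a list of problems found in the parsed config dicts (empty means consistent)."""
    problems = []
    if str(config.get("log_level", "DEBUG")).upper() not in LOG_LEVELS:
        problems.append(f"config.yaml: unsupported log_level {config.get('log_level')!r}")
    for label, creds in credentials.items():
        # After `-a enc` the secret lives in client_secret_enc; a bare client_secret is plaintext.
        if "client_secret" in creds and "client_secret_enc" not in creds:
            problems.append(f"credentials {label}: client_secret stored in plaintext (run -a enc)")
    for fname, kemp in kemp_files.items():
        if not fname.startswith("kemp_"):
            problems.append(f"{fname}: Kemp profile filenames must start with kemp_")
        if "password" in kemp and "password_enc" not in kemp:
            problems.append(f"{fname}: password stored in plaintext (run -a enc)")
    for fname, cert in cert_files.items():
        if not fname.startswith("cert_"):
            problems.append(f"{fname}: certificate profile filenames must start with cert_")
        if f"{cert.get('profile_name')}.yaml" not in kemp_files:
            problems.append(f"{fname}: profile_name {cert.get('profile_name')!r} has no kemp_*.yaml file")
        if cert.get("scm_credentials_label") not in credentials:
            problems.append(f"{fname}: unknown scm_credentials_label {cert.get('scm_credentials_label')!r}")
        if cert.get("ssl_cert_type") not in CERT_TYPES:
            problems.append(f"{fname}: ssl_cert_type must be DV, OV or EV")
        if cert.get("csr_key_size") not in KEY_SIZES.get(cert.get("csr_key_type"), set()):
            problems.append(f"{fname}: csr_key_size {cert.get('csr_key_size')} invalid for {cert.get('csr_key_type')}")
        for vs in cert.get("virtualserver", []):
            if vs.get("protocol") not in ("tcp", "udp") or not 1 <= int(vs.get("port", 0)) <= 65535:
                problems.append(f"{fname}: virtual server {vs.get('name')} has an invalid port or protocol")
    return problems


# Constructed sample inputs mirroring this page's sample files (secrets are placeholders).
CONFIG = {"cert_profile_path": "config", "log_level": "debug", "log_size_mb": 1, "logger_count": 10}
CREDENTIALS = {"SCMDV": {"scm_url": "https://scm.example.invalid/api/v1",
                         "client_id": "placeholder-client-id", "client_secret": "placeholder-secret"}}
KEMP_FILES = {"kemp_profile_1.yaml": {"host": "https://192.168.220.130",
                                      "username": "john_doe", "password": "doe123"}}
CERT_FILES = {"cert_profile_1.yaml": {
    "profile_name": "kemp_profile_1", "scm_credentials_label": "SCMDV", "ssl_cert_type": "DV",
    "csr_domain": "example.com", "csr_key_type": "RSA", "csr_key_size": 4096,
    "virtualserver": [{"name": "192.168.220.130", "port": 80, "protocol": "tcp"}]}}

if __name__ == "__main__":
    for problem in check_config(CONFIG, CREDENTIALS, KEMP_FILES, CERT_FILES):
        print("WARN:", problem)  # the sample files above still hold plaintext secrets
```

Run it after editing the files and before running main.py; an empty result means the cross-references are consistent and the secrets have been encrypted.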