Configuration parameters

The integration provides various parameters that you can use in different scenarios.

Customer-specific parameters

The following table lists parameters that are required for establishing a connection with SCM.

| Parameter | Type | Description |
|---|---|---|
| sectigo_cm_user | Mandatory | Your Sectigo username |
| sectigo_cm_password | Mandatory | Password to access your URI |
| sectigo_cm_uri | Mandatory | Your Sectigo specific URI |
| sectigo_cm_base_url | Mandatory | The base URL of the Sectigo CA |

CSR parameters

The following table lists parameters that are required for the generation of the CSR.

| Parameter | Type | Description |
|---|---|---|
| sectigo_csr_domain | Conditional | A single value for a domain included in the certificate Common Name (CN) field. Required if sectigo_csr is not defined. |
| sectigo_csr_country | Conditional | The country name included in the certificate Country (C) field. Required if sectigo_csr is not defined. |
| sectigo_csr_state | Conditional | The state or province name included in the certificate State (ST) field. Required if sectigo_csr is not defined. |
| sectigo_csr_location | Conditional | The location name included in the certificate Location (L) field. Required if sectigo_csr is not defined. |
| sectigo_csr_organization | Conditional | The organization name included in the certificate Organization (O) field. Required if sectigo_csr is not defined. |
| sectigo_csr_organization_unit | Conditional | The organization unit included in the certificate Organization Unit (OU) field. Required if sectigo_csr is not defined. |
| sectigo_csr_email_address | Conditional | The email address included in the certificate emailAddress field. Required if sectigo_csr is not defined. |
| sectigo_csr | Conditional | The full path to the CSR file. If provided, the subject parameters are ignored. |
| sectigo_csr_key_algo | Optional | The private key algorithm to use to generate the private key. The default value is RSA. |
| sectigo_csr_key_size | Optional | The size of the TLS/SSL key to generate. The possible values are 2048 (2048-bit, default), 3072 (3072-bit), and 4096 (4096-bit). |

Certificate issuance parameters

The following table lists parameters that are used for certificate issuance.

SSL certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_cm_org_id | Mandatory | Your organization ID |
| sectigo_ssl_cert_file_path | Mandatory (with default) | The location where the certificate is to be stored. The same location is used to store the CSR, private key, and enrollment IDs. The default file path is the one where the command is executed. |
| sectigo_ssl_cert_file_name | Mandatory (with default) | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. The default file name is sectigo_ssl. |
| sectigo_ssl_cert_external_requester | Optional | A comma-separated list of emails |
| sectigo_ssl_cert_comments | Optional | Comments for certificate enrollment |
| sectigo_ssl_cert_num_servers | Conditional | The number of server licenses |
| sectigo_ssl_cert_server_type | Optional | The server type ID |
| sectigo_ssl_cert_subject_alt_names | Optional | A comma-separated list of subject alternative names (SAN) |
| sectigo_ssl_cert_custom_fields | Optional | The custom fields to be applied to the requested certificate. The expected format is [{"name":"custom_field_1", "value":"value_1"}, {"name":"custom_field_2", "value":"value_2"}]. If you are providing this input in a JSON string, make sure that the internal double quotes are escaped properly using \. |
| sectigo_ssl_cert_format_type | Optional | The format type for the SSL certificate. The supported values are: x509 (X509, Base64 encoded); x509CO (X509 certificate only, Base64 encoded; default); x509IO (X509 intermediates/root only, Base64 encoded); base64 (PKCS#7 Base64 encoded); bin (PKCS#7 Bin encoded); x509IOR (X509 intermediates/root only, reverse, Base64 encoded). |
| sectigo_ssl_cert_validity | Mandatory | The certificate validity period in days. The values available depend on the selected sectigo_ssl_cert_type. |
| sectigo_ssl_cert_type | Mandatory | The type of SSL certificate. This is the ID of the SSL certificate type. |

Client certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_cm_org_id | Mandatory | Your organization ID |
| sectigo_client_cert_file_path | Mandatory (with default) | The location where the certificate is to be stored. The same location is used to store the CSR, private key, and enrollment IDs. The default file path is the one where the command is executed. |
| sectigo_client_cert_file_name | Mandatory (with default) | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. The default file name is sectigo_client. |
| sectigo_client_cert_type | Mandatory | The type of client certificate. This is the ID of the client certificate type. |
| sectigo_client_cert_validity | Mandatory | The certificate validity period in days. The values available depend on the selected sectigo_ssl_cert_type. |
| sectigo_client_cert_email | Mandatory | A valid user email that is less than 256 characters |
| sectigo_client_cert_first_name | Mandatory | The user's first name |
| sectigo_client_cert_middle_name | Conditional | The user's middle name |
| sectigo_client_cert_last_name | Mandatory | The user's last name. The combined length of the first, middle, and last name fields cannot exceed 64 characters. |
| sectigo_client_cert_custom_fields | Optional | The custom fields to be applied to the requested certificate. The expected format is [{"name":"custom_field_1", "value":"value_1"}, {"name":"custom_field_2", "value":"value_2"}]. If you are providing this input in a JSON string, make sure that the internal double quotes are escaped properly using \. |
| sectigo_client_cert_subject_alt_names | Optional | A comma-separated list of subject alternative names (SAN) |
| sectigo_client_cert_revoke_on_replace | Optional | If True, previous certificates will be revoked when replaced. The default value is False. |

Certificate auto-renewal

| Parameter | Type | Description |
|---|---|---|
| sectigo_expiry_window | Optional | The number of days before expiration within which a new certificate enrollment process is initiated when a task is started. The default expiry window is 7 days. |
| sectigo_auto_renew | Optional | If set to true, the auto-renewal option is enabled. The default value is true. |

Collect certificate

| Parameter | Type | Description |
|---|---|---|
| sectigo_loop_period | Optional | The interval (in seconds) between repeated attempts to collect a certificate. The default value is 30. |
| sectigo_max_timeout | Optional | The maximum time (in seconds) during which repeated attempts to collect a certificate will be made. The default value is 600. |

In addition to the parameters listed in the preceding table, you are required to pass CSR parameters.
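The conditional rules above (subject fields required only when sectigo_csr is absent, the allowed key sizes, the client-certificate email and name length limits, and the custom_fields JSON form with its escaping) are easy to get wrong when a parameter set is assembled by hand. The following added checker is not part of the integration; it is example code that encodes those documented rules so a parameter set can be validated before a task is run. The sample values at the bottom are constructed.

```python
import json

# Parameter groups taken from the tables on this page.
CONNECTION_PARAMS = ("sectigo_cm_user", "sectigo_cm_password",
                     "sectigo_cm_uri", "sectigo_cm_base_url")
SUBJECT_PARAMS = ("sectigo_csr_domain", "sectigo_csr_country", "sectigo_csr_state",
                  "sectigo_csr_location", "sectigo_csr_organization",
                  "sectigo_csr_organization_unit", "sectigo_csr_email_address")
KEY_SIZES = (2048, 3072, 4096)


def validate_params(params):
    """Return the list of rule violations; an empty list means the set is usable."""
    problems = []
    for name in CONNECTION_PARAMS:
        if not params.get(name):
            problems.append(f"{name} is mandatory")
    # Subject fields are conditional: they are only needed when no CSR file is supplied.
    if not params.get("sectigo_csr"):
        problems += [f"{n} is required because sectigo_csr is not defined"
                     for n in SUBJECT_PARAMS if not params.get(n)]
    if int(params.get("sectigo_csr_key_size", 2048)) not in KEY_SIZES:
        problems.append(f"sectigo_csr_key_size must be one of {KEY_SIZES}")
    if params.get("sectigo_cert_type") == "client":
        email = params.get("sectigo_client_cert_email", "")
        if not email or len(email) >= 256:
            problems.append("sectigo_client_cert_email must be set and under 256 characters")
        full_name = "".join(params.get(k, "") for k in (
            "sectigo_client_cert_first_name", "sectigo_client_cert_middle_name",
            "sectigo_client_cert_last_name"))
        if len(full_name) > 64:
            problems.append("first, middle and last name together exceed 64 characters")
    return problems


def custom_fields_value(fields):
    """Serialise {name: value} pairs into the [{"name": ..., "value": ...}] form."""
    return json.dumps([{"name": k, "value": v} for k, v in fields.items()])


def custom_fields_embedded(fields):
    """Same value, escaped for embedding inside a JSON string (inner quotes become \\")."""
    return json.dumps(custom_fields_value(fields))


# Constructed sample: an SSL enrollment that supplies a CSR file, so no subject fields.
SAMPLE_SSL = {
    "sectigo_cm_user": "svc-puppet", "sectigo_cm_password": "<placeholder>",
    "sectigo_cm_uri": "example-customer", "sectigo_cm_base_url": "https://ca.example",
    "sectigo_csr": "/etc/puppetlabs/sectigo_ssl.csr", "sectigo_cert_type": "ssl",
}
```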

Certificate collection parameters

The following table lists parameters that are used for collecting a certificate. The collection operation may fail if the certificate is still being processed. In such cases, the operation attempts to collect the certificate several times before returning a failure. The parameters allow you to configure the frequency and maximum time for additional attempts during certificate collection.

SSL certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_ssl_cert_format_type | Mandatory (with default) | The format type for the SSL certificate. The supported values are: x509 (X509, Base64 encoded; default); x509CO (X509 certificate only, Base64 encoded); x509IO (X509 intermediates and root only, Base64 encoded); base64 (PKCS#7 Base64 encoded); bin (PKCS#7 Bin encoded); x509IOR (X509 intermediates and root only, reverse, Base64 encoded). |
| sectigo_loop_period | Optional | The interval (in seconds) between repeated attempts to collect a certificate. The default value is 30. |
| sectigo_max_timeout | Optional | The maximum time (in seconds) during which repeated attempts to collect a certificate will be made. The default value is 600. |
| sectigo_ssl_cert_ssl_id | Conditional | The SSL ID of the certificate to be collected. Mandatory if the selected Facter task is collect. |
| sectigo_ssl_cert_file_path | Optional | The location where the certificate is to be stored. The same location is used to store the CSR, private key, and enrollment IDs. The default file path is the one where the command is executed. |
| sectigo_ssl_cert_file_name | Optional | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. The default file name is sectigo_ssl. |

Client certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_loop_period | Optional | The interval (in seconds) between repeated attempts to collect a certificate. The default value is 30. |
| sectigo_max_timeout | Optional | The maximum time (in seconds) during which repeated attempts to collect a certificate will be made. The default value is 600. |
| sectigo_client_cert_file_name | Optional | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. The default file name is sectigo_client. |
| sectigo_client_cert_file_path | Optional | The location where the certificate is to be stored. The same location is used to store the CSR, private key, and enrollment IDs. The default file path is the one where the command is executed. |
| sectigo_client_cert_order_number | Conditional | The order number of the certificate to be collected. Mandatory if the selected Facter task is collect. |
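The interaction between sectigo_loop_period and sectigo_max_timeout described above (retry while the CA is still processing, give up once the timeout is reached) is illustrated by the following added example. It is not the integration's own code: the CA stub and the simulated clock are constructed so that the loop can be run offline, and the page's defaults of 30 and 600 seconds are used.

```python
import time


class CertificateNotReady(Exception):
    """Raised by the fetch callable while the CA is still processing the request."""


def collect_with_retry(fetch, loop_period=30, max_timeout=600,
                       sleep=time.sleep, now=time.monotonic):
    """Retry fetch() every loop_period seconds for at most max_timeout seconds.

    Returns (certificate, attempts) on success and (None, attempts) when the
    next attempt would fall past the deadline. sleep/now are injectable so the
    loop can be exercised without real waiting.
    """
    deadline = now() + max_timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return fetch(), attempts
        except CertificateNotReady:
            if now() + loop_period > deadline:  # no time left for another attempt
                return None, attempts
            sleep(loop_period)


class SimulatedClock:
    """Constructed stand-in for the wall clock so the example runs instantly."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def make_fake_ca(ready_after):
    """Constructed CA stub: raises CertificateNotReady for the first
    ready_after calls, then returns a placeholder PEM string."""
    calls = {"n": 0}
    def fetch():
        calls["n"] += 1
        if calls["n"] <= ready_after:
            raise CertificateNotReady()
        return "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----"
    return fetch


def demo(ready_after, loop_period=30, max_timeout=600):
    """Run the collect loop against the stub; returns (collected?, attempts, seconds)."""
    clock = SimulatedClock()
    cert, attempts = collect_with_retry(make_fake_ca(ready_after), loop_period,
                                        max_timeout, clock.sleep, clock.now)
    return cert is not None, attempts, clock.t
```

With the defaults, demo(3) collects on the fourth attempt after 90 simulated seconds, while a certificate that never becomes ready is abandoned after 21 attempts at the 600-second limit.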

Certificate replacement parameters

The following table lists parameters that are used for replacing a certificate.

SSL certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_replace_reason | Mandatory | Reason for replacing the certificate |
| sectigo_ssl_cert_common_name | Mandatory | A single value for a domain included in the certificate Common Name (CN) field |
| sectigo_generate_key_if_missing | Mandatory (with default) | If true, generates the private key if it is missing. The default value is true. |

Client certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_replace_reason | Mandatory | Reason for replacing the certificate |
| sectigo_client_cert_revoke_on_replace | Mandatory (with default) | If true, previous certificates will be revoked when replaced. The default value is true. |
| sectigo_generate_key_if_missing | Mandatory (with default) | If true, generates the private key if it is missing. The default value is true. |

In addition to the parameters listed in the preceding table, you are required to pass CSR parameters, as per your replacement requirement. For more information, see Replacing certificates.

Certificate revocation parameters

The following table lists parameters that are used for manually revoking a certificate.

SSL certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_revoke_reason | Mandatory | The reason why a certificate is to be revoked |
| sectigo_ssl_cert_file_name | Mandatory | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. |
| sectigo_ssl_cert_file_path | Mandatory | The location where the certificate is stored. The same location is used to store the CSR, private key, and enrollment IDs. |

Client certificates

| Parameter | Type | Description |
|---|---|---|
| sectigo_revoke_reason | Mandatory | The reason why a certificate is to be revoked |
| sectigo_client_cert_file_name | Mandatory | The name of the certificate file. The same name is used for the CSR, private key, and enrollment IDs. |
| sectigo_client_cert_file_path | Mandatory | The location where the certificate is stored. The same location is used to store the CSR, private key, and enrollment IDs. |

Miscellaneous parameters

The following table lists parameters that are used for renewing a certificate.

| Parameter | Type | Description |
|---|---|---|
| sectigo_force | Optional | Issues a new certificate even if there is already a certificate on the target server. The default value is false. If set to true, the existing certificate is backed up and any related information (key, CSR, ID) is deleted. This option is required if the certificate information (such as the domain) has changed and a new certificate is required. |
| sectigo_cert_type | Mandatory | Indicates the type of the certificate. Should be set to ssl for SSL certificates and to client for client certificates. |
| generate_cert_on | Mandatory | Determines where the certificates are to be generated. Accepts either master or node as a value. |

Puppet command-line interface parameters

The following table lists parameters that are used directly in the command-line interface commands.

| Parameter | Description | Case-sensitive |
|---|---|---|
| FACTER_task | The task that is to be executed. The value can be one of issue, collect, replace, or revoke. | Yes. FACTER in upper case; the rest in lower case. |
| FACTER_type | The value can be either ssl or client, matching the supported certificate types. | Yes. FACTER in upper case; the rest in lower case. |
| site.pp | Configuration file from the applied manifest folder | Yes. Everything is typically in lower case. |