Integration structure

The integration hides the complexity of the SCM REST API by acting as an adapter between Puppet and the Sectigo API. It enables you to issue, collect, replace, renew, and revoke certificates on your master and agent nodes.

Components

The integration is based on the following components:

  • Ruby library for the Sectigo API handles the communication with the Sectigo REST API. This library is delivered as a component of the Puppet module. It is not designed nor delivered as a general-purpose library.

    The Puppet module is the only software component that can interact with the library.
  • Sectigo Puppet module mediates the interaction between you, the Puppet master and agent nodes, and the Sectigo REST API. The module mainly consists of a standard Puppet execution routine with minimum dependencies. It supports the issuance, collection, replacement, renewal, and revocation of SSL and client certificates.

  • Facter contains all the required parameters for SSL and client executions in JSON format. In addition, it contains the account JSON file, which consists of the account’s Facter files and the certificate generation-specific options.

Tasks

The integration generates certificates on a master server and, in the case of SSL certificates, distributes them onto agent nodes. The integration uses Puppet modules that are typically located in the /etc/puppetlabs/code/environment/<environment_name>/modules/sectigo_puppet_module/ directory.

Additionally, the integration allows you to generate certificates directly on agent nodes by using Puppet’s deferred functions concept. All class inclusions are made in the main manifest file, site.pp, located at /etc/puppetlabs/code/environment/<environment_name>/manifest/site.pp; this manifest serves as the catalog for the servers addressed within it.

The following tasks are available through Puppet:

  • issue: Obtains a new certificate using parameters that correspond to SSL or client certificates, along with certificate-related files. The certificate’s name is defined by the sectigo_ssl_cert_file_name or sectigo_client_cert_file_name parameter in the sectigo_ssl_cert_file_path or sectigo_client_cert_file_path directory, respectively.

    This task also collects the certificate once it is issued and supports auto-renewal of certificates.

  • collect: Collects the certificates. You must ensure that the value of the sectigo_ssl_cert_ssl_id or sectigo_client_cert_order_number parameter is defined in the Facter files.

  • replace: Replaces the certificates. You must ensure that the sectigo_ssl.ids or sectigo_client.ids file exists on the required file path.

  • revoke: Revokes the certificates. You must ensure that the sectigo_ssl.ids or sectigo_client.ids file exists on the required file path.
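Each of the collect, replace, and revoke tasks above has a precondition on the Facter data or on a file (a defined sectigo_ssl_cert_ssl_id or sectigo_client_cert_order_number, or an existing sectigo_ssl.ids or sectigo_client.ids file). The following Ruby preflight check, added here as an illustration and not part of the Sectigo module or its library, validates those preconditions before a task is run so a failing run can be caught before any API call is made. It assumes (this is not taken from the module) that the Facter parameters are a flat JSON object keyed by parameter name and that the .ids file is looked for in the directory named by sectigo_ssl_cert_file_path or sectigo_client_cert_file_path; the sample Facter data is constructed for the example.

```ruby
require 'json'

# Preflight checks for the Sectigo Puppet tasks (issue, collect, replace, revoke).
# Assumptions, not taken from the module: the Facter parameters are a flat JSON
# object keyed by parameter name, and the .ids file that replace/revoke need is
# looked for in the certificate directory (sectigo_<kind>_cert_file_path).

# Parameters each task depends on, per certificate kind (names from the documentation).
REQUIRED_PARAMS = {
  'ssl' => {
    'issue'   => %w[sectigo_ssl_cert_file_name sectigo_ssl_cert_file_path],
    'collect' => %w[sectigo_ssl_cert_ssl_id],
    'replace' => %w[sectigo_ssl_cert_file_path],
    'revoke'  => %w[sectigo_ssl_cert_file_path],
  },
  'client' => {
    'issue'   => %w[sectigo_client_cert_file_name sectigo_client_cert_file_path],
    'collect' => %w[sectigo_client_cert_order_number],
    'replace' => %w[sectigo_client_cert_file_path],
    'revoke'  => %w[sectigo_client_cert_file_path],
  },
}.freeze

# The .ids file that the replace and revoke tasks require.
IDS_FILE = { 'ssl' => 'sectigo_ssl.ids', 'client' => 'sectigo_client.ids' }.freeze

# Returns an array of problems; an empty array means the task may run.
# `file_exists` is injectable so the check can be exercised without a real filesystem.
def preflight(kind, task, facts_json, file_exists: ->(path) { File.exist?(path) })
  problems = []
  facts = JSON.parse(facts_json)
  required = REQUIRED_PARAMS.fetch(kind).fetch(task) # KeyError on an unknown kind/task

  # A parameter counts as undefined when it is missing, null, or blank.
  required.each do |key|
    value = facts[key]
    problems << "#{key} is not defined" if value.nil? || value.to_s.strip.empty?
  end

  # replace and revoke additionally need the .ids file on the certificate path.
  if %w[replace revoke].include?(task)
    dir = facts["sectigo_#{kind}_cert_file_path"]
    if dir
      ids_path = File.join(dir.to_s, IDS_FILE[kind])
      problems << "#{ids_path} does not exist" unless file_exists.call(ids_path)
    end
  end

  problems
rescue JSON::ParserError => e
  ["Facter JSON is not valid: #{e.message}"]
end

# Constructed sample Facter data for an SSL certificate (not from a real deployment).
# The SSL id is intentionally blank so that `collect` fails the check.
SAMPLE_SSL_FACTS = JSON.generate(
  'sectigo_ssl_cert_file_name' => 'www.example.com.crt',
  'sectigo_ssl_cert_file_path' => '/etc/pki/sectigo',
  'sectigo_ssl_cert_ssl_id'    => ''
)

if __FILE__ == $PROGRAM_NAME
  # Fake filesystem in which only the SSL .ids file exists.
  fake_fs = ->(path) { path == '/etc/pki/sectigo/sectigo_ssl.ids' }
  %w[issue collect replace revoke].each do |task|
    puts "#{task}: #{preflight('ssl', task, SAMPLE_SSL_FACTS, file_exists: fake_fs).inspect}"
  end
end
```

Running the block against the constructed facts reports issue, replace, and revoke as ready and collect as blocked on the blank sectigo_ssl_cert_ssl_id; wiring the same check into a Puppet exec or a pre-run script is left to the deployment.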