Configuration parameters

This page describes the configuration parameters of the Sectigo SaltStack integration.

Customer-specific parameters

The following parameters are required to establish a connection with Sectigo Certificate Manager (SCM).

SECTIGO_CM_USER (Mandatory): Your Sectigo username

SECTIGO_CM_PASSWORD (Mandatory): Your Sectigo password

SECTIGO_CM_URI (Mandatory): Your specific Sectigo URI

sectigo_cm_org_id (Mandatory): Your organization ID (numeric)

sectigo_cm_base_url (Mandatory): The base URL of the Sectigo Certificate Authority

CSR parameters

The following parameters are used when generating the certificate signing request (CSR).

sectigo_csr_domain (Conditional): A single domain value which is included in the certificate Common Name (CN) field

sectigo_csr_country (Conditional): The country name which is included in the certificate Country (C) field

sectigo_csr_state (Conditional): The state/province name which is included in the certificate State (ST) field

sectigo_csr_location (Conditional): The location name which is included in the certificate Location (L) field

sectigo_csr_organization (Conditional): The organization name which is included in the certificate Organization (O) field

sectigo_csr_organization_unit (Conditional): The organization unit which is included in the certificate Organization Unit (OU) field

sectigo_csr_email_address (Conditional): The email address which is included in the certificate emailAddress field

sectigo_csr (Conditional): The full path of an existing certificate signing request file. If this is provided, the subject parameters above are ignored.

sectigo_csr_key_algo (Optional): The algorithm used to generate the private key. The default value is RSA.

sectigo_csr_key_size (Optional): The size of the TLS/SSL key to generate. The possible values are:

  • 2048: for 2048-bit (default)

  • 3072: for 3072-bit

  • 4096: for 4096-bit

Certificate issuance parameters

The following parameters are used for certificate issuance. This operation supports different scenarios that require different parameters.

SSL certificates

sectigo_ssl_cert_file_path (Mandatory): The location where the certificate, CSR, private key, and enrollment IDs are stored.

sectigo_ssl_cert_file_name (Mandatory): The name of the certificate file. The same name is used for the private key, CSR, and enrollment IDs.

sectigo_ssl_cert_type (Mandatory): The ID of the SSL certificate type.

sectigo_ssl_cert_validity (Mandatory): The certificate validity period in days. The available values depend on sectigo_ssl_cert_type.

sectigo_ssl_cert_format_type (Optional): The format type for the SSL certificate. The allowed values are:

  • x509: X509, Base64 encoded (default)

  • x509CO: X509 Certificate only, Base64 encoded

  • x509IO: X509 Intermediates/Root only, Base64 encoded

  • base64: PKCS#7, Base64 encoded

  • bin: PKCS#7, Bin encoded

  • x509IOR: X509 Intermediates/Root only reverse, Base64 encoded

sectigo_ssl_cert_comments (Optional): Comments for certificate enrollment

sectigo_ssl_cert_num_servers (Conditional): The number of server licenses

sectigo_ssl_cert_custom_fields (Optional): The custom fields to be applied to the requested certificate. The expected format is the following.

[{"name":"custom_field_1", "value":"value_1"}, {"name":"custom_field_2", "value":"value_2"}]

If you provide this input inside a JSON string, make sure that the internal double quotes are escaped with a backslash (\).

sectigo_ssl_cert_server_type (Optional): The server type ID

sectigo_ssl_cert_subject_alt_names (Optional): A comma-separated list of subject alternative names (SANs)

sectigo_ssl_cert_external_requester (Optional): A comma-separated list of email addresses

Client certificates

sectigo_client_cert_file_path (Mandatory): The location where the certificate, CSR, private key, and enrollment IDs are stored.

sectigo_client_cert_file_name (Mandatory): The name of the certificate file. The same name is used for the private key, the CSR, and enrollment IDs.

sectigo_client_cert_first_name (Conditional): The user’s first name

sectigo_client_cert_middle_name (Conditional): The user’s middle name

sectigo_client_cert_last_name (Conditional): The user’s last name. The combined length of the first, middle, and last name fields cannot exceed 64 characters.

sectigo_client_cert_email (Mandatory): A valid user email address that is less than 256 characters

sectigo_client_cert_type (Mandatory): The ID of the client certificate type.

sectigo_client_cert_validity (Mandatory): The certificate validity period in days. The available values depend on sectigo_client_cert_type.

sectigo_client_cert_subject_alt_names (Optional): A comma-separated list of subject alternative names (SANs)

sectigo_client_cert_custom_fields (Optional): The custom fields to be applied to the requested certificate. The expected format is the following.

[{"name":"custom_field_1","value":"value_1"},{"name":"custom_field_2","value":"value_2"}]

If you provide this input inside a JSON string, make sure that the internal double quotes are escaped with a backslash (\).

sectigo_client_cert_revoke_on_replace (Mandatory): If True, previous certificates will be revoked when replaced. The default value is False.
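Added example (Python, not code from the Sectigo SaltStack integration) covering the custom fields parameter of both the SSL and the client certificate sections above: it builds the value in the documented [{"name":...,"value":...}] shape, shows the escaped form needed when the value is embedded in a JSON string, and parses either form back while rejecting entries of the wrong shape. The function names are hypothetical.

```python
import json

# Added example, not the integration's own code. Builds and checks the value of
# sectigo_ssl_cert_custom_fields / sectigo_client_cert_custom_fields.


def build_custom_fields(fields):
    """Turn a mapping of custom field names to values into the JSON array
    string the integration expects, checking that names and values are strings."""
    if not isinstance(fields, dict) or not fields:
        raise ValueError("custom fields must be a non-empty mapping")
    entries = []
    for name, value in fields.items():
        if not isinstance(name, str) or not name:
            raise ValueError("custom field name must be a non-empty string")
        if not isinstance(value, str):
            raise ValueError(f"value of {name!r} must be a string")
        entries.append({"name": name, "value": value})
    return json.dumps(entries, separators=(",", ":"))


def embed_in_json_string(custom_fields_json):
    """Return the array as a JSON string literal: every internal double quote
    is escaped with a backslash, which is the form required when the parameter
    is passed inside a JSON document instead of as a raw value."""
    return json.dumps(custom_fields_json)


def parse_custom_fields(text):
    """Parse the raw or the doubly encoded form back to a list of
    {name, value} dicts; anything else is rejected."""
    data = json.loads(text)
    if isinstance(data, str):          # doubly encoded form: decode once more
        data = json.loads(data)
    if not isinstance(data, list):
        raise ValueError("custom fields must be a JSON array")
    for entry in data:
        if not isinstance(entry, dict) or set(entry) != {"name", "value"}:
            raise ValueError(f"custom field entry must have exactly name and value: {entry!r}")
    return data


if __name__ == "__main__":
    raw = build_custom_fields({"custom_field_1": "value_1"})   # constructed sample input
    print(raw)
    print(embed_in_json_string(raw))
```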

Certificate autorenewal

sectigo_auto_renew (Optional): If True, auto-renewal is enabled. The default value is True.

sectigo_expiry_window (Optional): The number of days before expiration within which a new client certificate enrollment is initiated when a salt run is executed. The default expiry window is 7 days.

Certificate collection parameters

The collection operation may fail if the certificate is still being processed. In such cases, the Sectigo SaltStack integration will try several times before returning a failure. The following parameters are used to configure the frequency and maximum time for additional attempts at certificate collection.

sectigo_loop_period (Optional): The interval (in seconds) between repeated attempts to collect a certificate. The default value is 30.

sectigo_max_timeout (Optional): The maximum time (in seconds) during which repeated attempts to collect a certificate will be made. The default value is 600.
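Added example (Python, not the integration's own code) of a collection loop bounded by sectigo_loop_period and sectigo_max_timeout: the loop keeps polling while SCM is still processing the enrollment and gives up once another wait would pass the maximum. `collect` stands in for the real collection call, and FakeScm is a constructed stand-in with a fake clock so the timeout can be exercised without waiting.

```python
import time

# Added example, not the integration's own code. `collect` is a hypothetical
# callable returning the certificate text once SCM has finished processing the
# enrollment, or None while it is still being processed.


class CollectionTimeout(Exception):
    pass


def collect_with_retry(collect, loop_period=30, max_timeout=600,
                       sleep=time.sleep, clock=time.monotonic):
    """Call `collect` until it returns a certificate or until max_timeout
    seconds have elapsed. Returns (certificate, attempts)."""
    if loop_period <= 0 or max_timeout <= 0:
        raise ValueError("sectigo_loop_period and sectigo_max_timeout must be positive")
    if loop_period > max_timeout:
        raise ValueError("sectigo_loop_period must not exceed sectigo_max_timeout")
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        cert = collect()
        if cert is not None:
            return cert, attempts
        elapsed = clock() - start
        # Stop when the next wait would take us past the maximum time.
        if elapsed + loop_period > max_timeout:
            raise CollectionTimeout(
                f"certificate not ready after {attempts} attempts in {elapsed:.0f}s")
        sleep(loop_period)


class FakeScm:
    """Constructed stand-in for SCM: reports 'still processing' a fixed number
    of times, then returns a constructed certificate. Time is simulated."""
    def __init__(self, pending_polls):
        self.pending_polls = pending_polls
        self.now = 0.0

    def collect(self):
        if self.pending_polls > 0:
            self.pending_polls -= 1
            return None
        return "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"

    def sleep(self, seconds):
        self.now += seconds

    def clock(self):
        return self.now


def run_demo(pending_polls, loop_period=30, max_timeout=600):
    scm = FakeScm(pending_polls)
    return collect_with_retry(scm.collect, loop_period, max_timeout,
                              sleep=scm.sleep, clock=scm.clock)
```

With the defaults, run_demo(3) succeeds on the fourth attempt after 90 simulated seconds, while a certificate that never becomes ready is abandoned once the 600-second window is used up.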

Certificate revocation parameters

Certificates can be manually revoked. In order to revoke a certificate, the following parameters are needed.

SSL certificates

sectigo_ssl_cert_revoke (Mandatory): If True, the existing certificate will be revoked. The default value is False.

Client certificates

sectigo_client_cert_revoke (Mandatory): If True, the existing certificate will be revoked. The default value is False.

It is suggested that you set sectigo_ssl_cert_revoke back to False after a certificate has been revoked. This helps prevent the costs associated with unintended certificate revocations.
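Added example (Python, not the integration's own code) that checks a pillar configuration dict against the constraints stated on this page for the CSR, SSL issuance, client certificate and revocation parameters, including a revoke flag left set to True. The function name, the finding texts and the reading of "combined length" as the sum of the three name fields are assumptions.

```python
# Added example, not the integration's own code: report violations of the
# constraints this page states for a pillar configuration dict.

CSR_KEY_SIZES = {2048, 3072, 4096}
SSL_FORMAT_TYPES = {"x509", "x509CO", "x509IO", "base64", "bin", "x509IOR"}
MANDATORY = {
    "ssl": ("sectigo_ssl_cert_file_path", "sectigo_ssl_cert_file_name",
            "sectigo_ssl_cert_type", "sectigo_ssl_cert_validity"),
    "client": ("sectigo_client_cert_file_path", "sectigo_client_cert_file_name",
               "sectigo_client_cert_email", "sectigo_client_cert_type",
               "sectigo_client_cert_validity"),
}
NAME_KEYS = ("sectigo_client_cert_first_name", "sectigo_client_cert_middle_name",
             "sectigo_client_cert_last_name")


def check_config(cfg, cert_type):
    """Return a list of findings for cfg with cert_type 'ssl' or 'client';
    an empty list means none of this page's constraints was violated."""
    if cert_type not in MANDATORY:
        return [f"cert_type must be ssl or client, got {cert_type!r}"]
    findings = [f"missing mandatory parameter {k}"
                for k in MANDATORY[cert_type] if k not in cfg]
    if "sectigo_csr_key_size" in cfg and cfg["sectigo_csr_key_size"] not in CSR_KEY_SIZES:
        findings.append("sectigo_csr_key_size must be one of 2048, 3072, 4096")
    if cert_type == "ssl":
        fmt = cfg.get("sectigo_ssl_cert_format_type", "x509")
        if fmt not in SSL_FORMAT_TYPES:
            findings.append(f"unknown sectigo_ssl_cert_format_type {fmt!r}")
    else:
        # "combined length" is read here as the sum of the three field lengths
        if sum(len(str(cfg.get(k, ""))) for k in NAME_KEYS) > 64:
            findings.append("combined first/middle/last name exceeds 64 characters")
        email = str(cfg.get("sectigo_client_cert_email", ""))
        if "@" not in email or len(email) >= 256:
            findings.append("sectigo_client_cert_email must be a valid address under 256 characters")
    # A revoke flag set to True revokes on every run while it stays set; it
    # needs a sectigo_reason, and the page recommends resetting it to False.
    flag = f"sectigo_{cert_type}_cert_revoke"
    if cfg.get(flag) is True:
        if not cfg.get("sectigo_reason"):
            findings.append(f"{flag} is True but sectigo_reason is not set")
        else:
            findings.append(f"{flag} is True: reset it to False once the revocation has run")
    return findings
```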

Other parameters

The following parameters are used to modify the behavior of the issuance operation.

sectigo_force (Optional): Used to issue a new certificate even if there is already a certificate on the target server. The default value is False.

If True, the existing certificate will be backed up and the related information (key, CSR, ID) will be deleted. This option is required if the certificate information (such as the domain) has changed and a new certificate is required.

sectigo_minion_target_name (Mandatory): Sets the target value. For example, to deploy the certificate to a group of minions with a similar hostname prefix (dev1, dev2 | prod1, prod2), use a wildcard such as dev* or prod*. To deploy to a single minion, use the exact hostname.

sectigo_reason (Mandatory): The reason why a certificate is to be revoked or replaced

SaltStack CLI parameters

The following parameters are used in the CLI commands directly.

sectigo_saltstack_module.main: The filename.function_name that gets executed. Lowercase characters only.

cert_type: Either ssl or client

cert_config_file: The config file from the pillar folder that gets applied

target: The hostname of the minions (such as minion1, minion2, dev1, dev2, prod1, prod2, myhostname1, and myhostname2)

You can also use a wildcard if more than one minion with a similar prefix needs the same configuration. For example, if there are three minions named dev1, dev2, and dev3 and all three need the same certificate, pass dev* as the target in the command.

The target is case sensitive and must match the minion hostname exactly.