Configuring the Terraform provider

The Terraform provider can be configured by a normal user without root privileges.
  1. Unzip the Terraform integration package and navigate to the Sectigo-Terraform-Integration-Linux/terraform-provider-sectigo directory.

  2. Create the plugin directories. On Linux the path may be ~/.terraform.d/plugins/<my_domain>/<my_namespace>/sectigo/2.x.x/linux_amd64 (Terraform treats ~/.terraform.d/plugins as a local filesystem mirror and expects exactly this <hostname>/<namespace>/<type>/<version>/<os_arch> layout).

  3. Copy the terraform-provider-sectigo_v2.x.x plugin into the created plugin directory.

  4. Add the execution permission to the provider. On Linux the command is shown below.

    chmod +x terraform-provider-sectigo_v2.x.x
  5. Add the following configuration block at the beginning of the main.tf file. The source address must use the same <my_domain>/<my_namespace> as the directory created in step 2, and the version constraint must be satisfied by the version directory name, because Terraform resolves the provider from that local plugin mirror.

    terraform {
      required_providers {
        sectigo = {
          source  = "<my_domain>/<my_namespace>/sectigo"
          version = ">= 2.x.x"
        }
      }
    }
  6. Add one of the following provider blocks to the main.tf file, depending on the authentication method used. Every var.* reference must be declared as an input variable (a variable block of the same name), and the names must match the TF_VAR_* environment variables set in step 9, since Terraform populates var.NAME from TF_VAR_NAME. Declare the password and private key variables with sensitive = true so their values are redacted from plan and apply output; they can still end up in the state file, so protect the state backend accordingly.

    #Username and password authentication.
    provider "sectigo" {
        username     = var.SECTIGO_CM_USER
        password     = var.SECTIGO_CM_PASSWORD
        customer_uri = var.SECTIGO_CM_URI
    }
    
    #Client certificate authentication.
    provider "sectigo" {
        username     = var.SECTIGO_CM_USER
        customer_uri = var.SECTIGO_CM_URI
        auth_type    = var.SECTIGO_CM_AUTH_TYPE
        client_cert  = var.SECTIGO_CM_CLIENT_CERT
        private_key  = var.SECTIGO_CM_PRIVATE_KEY
    }
  7. Add a resource defining the sectigo_certificate arguments. Either set the argument values directly or use the variables defined in terraform.auto.tfvars as shown below.

    #SSL Certificate Configuration
    resource "sectigo_certificate" "ssl_certificate" {
        base_url            = var.sectigo_ssl_cert_cm_base_url
        orgid               = var.sectigo_cm_org_id
    
        cert_file_path      = var.sectigo_ssl_cert_file_path
        cert_file_name      = var.sectigo_ssl_cert_file_name
        cert_type           = var.sectigo_ssl_cert_type
        cert_config_type    = var.sectigo_ssl_cert_config_type
        cert_validity       = var.sectigo_ssl_cert_validity
        cert_format_type    = var.sectigo_ssl_cert_format_type
        cert_comments       = var.sectigo_ssl_cert_comments
        cert_ext_requester  = var.sectigo_ssl_cert_external_requester
        subject_alt_names   = var.sectigo_ssl_cert_subject_alt_names
        cert_num_servers    = var.sectigo_ssl_cert_num_servers
        server_type         = var.sectigo_ssl_cert_server_type
        ssl_custom_fields   = var.sectigo_ssl_cert_custom_fields
    
        domain              = var.sectigo_csr_domain
        country             = var.sectigo_csr_country
        province            = var.sectigo_csr_state
        locality            = var.sectigo_csr_location
        organization        = var.sectigo_csr_organization
        org_unit            = var.sectigo_csr_organization_unit
        email_address       = var.sectigo_csr_email_address
        sign_algorithm_type = var.sectigo_csr_key_algo
        rsa_bits            = var.sectigo_csr_key_size
        external_csr_pem    = var.sectigo_csr
    
        max_timeout         = var.sectigo_max_timeout
        loop_period         = var.sectigo_loop_period
        cert_warning_days   = var.sectigo_expiry_window
        reason              = var.sectigo_reason
        auto_renew          = var.sectigo_auto_renew
    }
    
    #Client Certificate Configuration
    resource "sectigo_certificate" "client_certificate" {
        base_url                 = var.sectigo_client_cert_cm_base_url
        orgid                    = var.sectigo_cm_org_id
    
        client_file_path         = var.sectigo_client_cert_file_path
        client_file_name         = var.sectigo_client_cert_file_name
        cert_type                = var.sectigo_client_cert_type
        cert_config_type         = var.sectigo_client_cert_config_type
        cert_validity            = var.sectigo_client_cert_validity
        client_email_address     = var.sectigo_client_cert_email_address
        client_first_name        = var.sectigo_client_cert_first_name
        client_middle_name       = var.sectigo_client_cert_middle_name
        client_last_name         = var.sectigo_client_cert_last_name
        client_custom_fields     = var.sectigo_client_cert_custom_fields
        client_revoke_on_replace = var.sectigo_client_cert_revoke_on_replace
        domain                   = var.sectigo_csr_domain
        country                  = var.sectigo_csr_country
        province                 = var.sectigo_csr_state
        locality                 = var.sectigo_csr_location
        organization             = var.sectigo_csr_organization
        org_unit                 = var.sectigo_csr_organization_unit
        email_address            = var.sectigo_csr_email_address
        sign_algorithm_type      = var.sectigo_csr_key_algo
        rsa_bits                 = var.sectigo_csr_key_size
        external_csr_pem         = var.sectigo_csr
    
        max_timeout              = var.sectigo_max_timeout
        loop_period              = var.sectigo_loop_period
        cert_warning_days        = var.sectigo_expiry_window
        reason                   = var.sectigo_reason
        auto_renew               = var.sectigo_auto_renew
    }
  8. Configure your SCM account and other values in the terraform.auto.tfvars file. The sample configuration shown is for SSL certificates. If you are using client certificate authentication, sectigo_ssl_cert_cm_base_url must be https://<cm_base_url>/private/api/ssl/v1/ and sectigo_client_cert_cm_base_url must be https://<cm_base_url>/private/api/smime/v1/. The directory given in sectigo_ssl_cert_file_path (or sectigo_client_cert_file_path) must be writable by the user running Terraform; the sample value /etc/ssl/ normally is not writable by an unprivileged user, so point it at a directory you own.

    SSL certificate sample configuration
    # Customer Specific
    sectigo_ssl_cert_cm_base_url = "https://<cm_base_url>/api/ssl/v1/"
    sectigo_cm_org_id            = 12345
    
    # SSL Certificate Parameters
    sectigo_ssl_cert_file_path          = "/etc/ssl/"
    sectigo_ssl_cert_file_name          = "sectigo_ssl"
    sectigo_ssl_cert_type               = 248
    sectigo_ssl_cert_config_type        = "ssl_cert"
    sectigo_ssl_cert_validity           = 365
    sectigo_ssl_cert_format_type        = "x509CO"
    sectigo_ssl_cert_comments           = "Test Cert for Sectigo"
    sectigo_ssl_cert_external_requester = ""
    sectigo_ssl_cert_subject_alt_names  = ""
    sectigo_ssl_cert_num_servers        = 0
    sectigo_ssl_cert_server_type        = -1
    sectigo_ssl_cert_custom_fields      = []
    
    # CSR Parameters
    sectigo_csr_domain            = "www.mycompanydomain.com"
    sectigo_csr_country           = "CA"
    sectigo_csr_state             = "ON"
    sectigo_csr_location          = "Ottawa"
    sectigo_csr_organization      = "MYORG"
    sectigo_csr_organization_unit = "MYORGUNIT"
    sectigo_csr_email_address     = "<csr_contact_email_address>"
    sectigo_csr_key_algo          = "RSA"
    sectigo_csr_key_size          = 2048
    
    # Others
    sectigo_max_timeout   = 600
    sectigo_loop_period   = 30
    sectigo_expiry_window = 7
    sectigo_reason        = "Testing Sectigo Terraform provider"
    sectigo_auto_renew    = true
  9. Set the environment variables. Terraform maps any environment variable named TF_VAR_<name> to the input variable <name>, so the names below must match the var.* references in the provider block from step 6.

    Linux and macOS

    These variables can be added to the ~/.bashrc file or set on the command line. If you add them to .bashrc, run the source command on that file so that your changes take effect. Anything placed in .bashrc is stored in plain text in your home directory; for the password and the private key, prefer setting the variables in the shell session that runs terraform, or reading them from a file with restrictive permissions. The variables are as follows for username and password authentication:

    • export TF_VAR_SECTIGO_CM_USER='<your_sectigo_username>'

    • export TF_VAR_SECTIGO_CM_PASSWORD='<your_sectigo_password>'

    • export TF_VAR_SECTIGO_CM_URI='<your_sectigo_uri>'

    The variables are as follows for username and client certificate authentication:

    • export TF_VAR_SECTIGO_CM_USER='<your_sectigo_username>'

    • export TF_VAR_SECTIGO_CM_AUTH_TYPE=client_cert

    • export TF_VAR_SECTIGO_CM_URI='<your_sectigo_uri>'

    • export TF_VAR_SECTIGO_CM_CLIENT_CERT='<your_client_certificate_pem_format>'

    • export TF_VAR_SECTIGO_CM_PRIVATE_KEY='<your_client_private_key_pem_format>'

    If you are using macOS, you will need to allow the provider binary to run from System Settings. For more information, see Safely open apps on your Mac.

    Windows

    These variables can be set through the PowerShell command line or through the Windows environment variables UI. The variables are as follows for username and password authentication:

    • $ENV:TF_VAR_SECTIGO_CM_USER="<your_sectigo_username>"

    • $ENV:TF_VAR_SECTIGO_CM_PASSWORD="<your_sectigo_password>"

    • $ENV:TF_VAR_SECTIGO_CM_URI="<your_sectigo_uri>"

    The variables are as follows for username and client certificate authentication:

    • $ENV:TF_VAR_SECTIGO_CM_USER="<your_sectigo_username>"

    • $ENV:TF_VAR_SECTIGO_CM_AUTH_TYPE="client_cert"

    • $ENV:TF_VAR_SECTIGO_CM_URI="<your_sectigo_uri>"

    • $ENV:TF_VAR_SECTIGO_CM_CLIENT_CERT="<your_client_certificate_pem_format>"

    • $ENV:TF_VAR_SECTIGO_CM_PRIVATE_KEY="<your_client_private_key_pem_format>"
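
    The installation (steps 2 to 4) and the client-certificate environment setup for Linux and macOS (step 9) as one small POSIX shell script. This is an added example, not code from the Sectigo integration package: it assumes the binary name terraform-provider-sectigo_v<version> from step 3, defaults the mirror root to ~/.terraform.d/plugins and the platform to linux_amd64 as in step 2, uses the TF_VAR_* names from step 9, and adds one check the page does not describe, refusing to load a private key file that is readable by group or others. The file name sectigo_setup.sh used in the usage note is also an assumption.

```shell
#!/bin/sh
# Added example, not part of the Sectigo integration package. Assumptions:
# the plugin binary is named terraform-provider-sectigo_v<version> (step 3),
# the mirror root defaults to ~/.terraform.d/plugins (step 2) and the target
# platform defaults to linux_amd64.
set -e

# install_sectigo_provider DOMAIN NAMESPACE VERSION SRC_BINARY [ROOT] [OS_ARCH]
# Steps 2-4: create <root>/<domain>/<namespace>/sectigo/<version>/<os_arch>,
# copy the binary there and set the execute bit. Prints the installed path.
# DOMAIN and NAMESPACE must match the source address used in step 5.
install_sectigo_provider() {
    domain=$1 namespace=$2 version=$3 src=$4
    root=${5:-$HOME/.terraform.d/plugins}
    os_arch=${6:-linux_amd64}
    dest="$root/$domain/$namespace/sectigo/$version/$os_arch"
    mkdir -p "$dest"
    cp "$src" "$dest/terraform-provider-sectigo_v$version"
    chmod 0755 "$dest/terraform-provider-sectigo_v$version"
    printf '%s\n' "$dest/terraform-provider-sectigo_v$version"
}

# require_private FILE: succeed only if FILE is unreadable by group and others
# (mode ending in 00, e.g. 600 or 400). Works with GNU stat (Linux) and
# BSD stat (macOS).
require_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "refusing to read $1: mode $mode is group/world readable" >&2
             return 1 ;;
    esac
}

# load_sectigo_env USER CUSTOMER_URI CERT_PEM_FILE KEY_PEM_FILE
# Step 9, client-certificate variant: export the TF_VAR_* variables the
# provider block reads, taking the PEM material from files so the private key
# is never pasted into ~/.bashrc or shell history. Source this file and call
# the function in the shell that will run terraform.
load_sectigo_env() {
    require_private "$4" || return 1
    TF_VAR_SECTIGO_CM_USER=$1
    TF_VAR_SECTIGO_CM_URI=$2
    TF_VAR_SECTIGO_CM_AUTH_TYPE=client_cert
    TF_VAR_SECTIGO_CM_CLIENT_CERT=$(cat "$3")
    TF_VAR_SECTIGO_CM_PRIVATE_KEY=$(cat "$4")
    export TF_VAR_SECTIGO_CM_USER TF_VAR_SECTIGO_CM_URI TF_VAR_SECTIGO_CM_AUTH_TYPE \
           TF_VAR_SECTIGO_CM_CLIENT_CERT TF_VAR_SECTIGO_CM_PRIVATE_KEY
}

# Executed as a script with "install ...", run the installation. With no
# arguments the file only defines the functions, so it can be sourced.
case "${1:-}" in
    install) shift; install_sectigo_provider "$@" ;;
esac
```

    Install with `sh sectigo_setup.sh install <my_domain> <my_namespace> 2.x.x ./terraform-provider-sectigo_v2.x.x`, then in the shell that will run terraform use `. ./sectigo_setup.sh && load_sectigo_env <your_sectigo_username> <your_sectigo_uri> client.pem key.pem`. The exported variables live only in that session, unlike values written to ~/.bashrc, and a key file left at mode 644 is rejected before anything is exported.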

  10. Update the certificate issuance parameters in the main.tf and terraform.auto.tfvars files as needed for the certificates you want to issue.