Support for Digicert. Heavily based on the Venafi runner by Joseph Hall (

Before using this module you need to register an account with Digicert's CertCentral.

Login to CertCentral, ensure you have a payment method configured and/or there are adequate funds attached to your account. Click the Account item in the left sidebar, and select Account Access. The right hand pane should show "Account Access" and a link to create an API key. Create a new API key and assign it to the user that should be attached to requests coming from Salt.

NOTE CertCentral will not show the API key again after revealing it the first time. Make sure you copy it right away or you will have to revoke it and generate a new one.

Now open /etc/salt/master and add the API key as shown below.


Restart your Salt Master.

You can also include default values of the following variables to help with creating CSRs:

  shatype: sha256

This API currently only supports RSA key types. Support for other key types will be added if interest warrants.


Delete cached domains from the master

CLI Example:

salt-run digicert.del_cached_domain,
salt.runners.digicertapi.gen_csr(minion_id, dns_name, organization_id, ou_name=None, key_len=2048, shatype='sha256', password=None)

CLI Example:

salt-run digicert.gen_csr <minion_id> <dns_name>
salt.runners.digicertapi.gen_key(minion_id, dns_name=None, password=None, key_len=2048)

Generate and return a private_key. If a dns_name is passed in, the private_key will be cached under that name.

CLI Example:

salt-run digicert.gen_key <minion_id> [dns_name] [password]
salt.runners.digicertapi.get_certificate(order_id=None, certificate_id=None, minion_id=None, cert_format='pem_all', filename=None)

Retrieve a certificate by order_id or certificate_id and write it to stdout or a filename.

A list of permissible cert_formats is here:

CLI Example:

salt-run digicert.get_certificate order_id=48929454 cert_format=apache

Including a 'filename' will write the certificate to the desired file. Note that some cert formats are zipped files, and some are binary.

If the certificate has not been issued, this function will return the order details inside of which will be a status (one of pending, rejected, processing, issued, revoked, canceled, needs_csr, and needs_approval)

If for some reason you want to pipe the output of this command to a file or other command you will want to leave off the filename argument and make sure to include --no-color so there will be no terminal ANSI escape sequences.


Return the details for an organization

CLI Example:

salt-run digicert.get_org_details 34

Returns a dictionary with the org details, or with 'error' and 'status' keys.


List domains that have been cached

CLI Example:

salt-run digicert.list_domain_cache

List domains that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id.

CLI Example:

salt-run digicert.list_domains

List certificate orders made to CertCentral.

CLI Example:

salt-run digicert.list_orders
salt.runners.digicertapi.list_organizations(container_id=None, include_validation=True)

List organizations that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id. This function returns validation information by default; pass include_validation=False to turn it off.

CLI Example:

salt-run digicert.list_organizations

List certificate requests made to CertCentral. You can filter by status: pending, approved, rejected

CLI Example:

salt-run digicert.list_requests pending
salt.runners.digicertapi.order_certificate(minion_id, common_name, organization_id, validity_years, cert_key_passphrase=None, signature_hash=None, key_len=2048, dns_names=None, organization_units=None, server_platform=None, custom_expiration_date=None, comments=None, disable_renewal_notifications=False, product_type_hint=None, renewal_of_order_id=None)

Order a certificate. Requires that an Organization has been created inside Digicert's CertCentral.

See here for API documentation:

CLI Example:

salt-run digicert.order_certificate my_minionid 10             3 signature_hash=sha256             dns_names=['', '']             organization_units='My Domain Org Unit'             comments='Comment goes here for the approver'

This runner can also be used to renew a certificate by passing renewal_of_order_id. Previous order details can be retrieved with digicertapi.list_orders.


Show certificate requests for this API key

CLI Example:

salt-run digicert.show_csrs

Show organization information, especially the company id

CLI Example:

salt-run digicert.show_company
salt.runners.digicertapi.show_rsa(minion_id, dns_name)

Show a private RSA key

CLI Example:

salt-run digicert.show_rsa myminion