Support for Digicert. Heavily based on the Venafi runner by Joseph Hall (firstname.lastname@example.org).
Before using this module you need to register an account with Digicert's CertCentral.
Log in to CertCentral and ensure you have a payment method configured and/or adequate funds attached to your account. Click the Account item in the left sidebar and select Account Access. The right-hand pane should show "Account Access" and a link to create an API key. Create a new API key and assign it to the user that should be attached to requests coming from Salt.
NOTE: CertCentral will not show the API key again after revealing it the first time. Make sure you copy it right away or you will have to revoke it and generate a new one.
Edit /etc/salt/master and add the API key as shown below.
digicert:
  api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABC
Restart your Salt Master.
You can also include default values of the following variables to help with creating CSRs:
digicert:
  api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABC
  shatype: sha256
This API currently only supports RSA key types. Support for other key types will be added if interest warrants.
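Because the API key sits in the master config in plain text, the file's permissions decide who on the master can use it. The following is an added example, not part of Salt or of the original page: it checks a config file for a digicert api_key and reports group/other access. The function names, the owner-only policy and the sample file are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the placeholder key from the page, not a real credential.
SAMPLE = """\
# /etc/salt/master (excerpt)
interface: 0.0.0.0
digicert:
  api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABC
  shatype: sha256
"""

def has_digicert_api_key(text):
    """True if a top-level 'digicert:' block contains a non-empty api_key."""
    in_block = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new top-level key begins
            in_block = line.split("#")[0].strip() == "digicert:"
        elif in_block and re.match(r"\s+api_key:\s*['\"]?[^'\"\s#]+", line):
            return True
    return False

def audit_master_config(path):
    """Return findings for the file; the key itself is never returned or printed."""
    with open(path) as fh:
        if not has_digicert_api_key(fh.read()):
            return ["no digicert api_key found"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("api_key readable by group/other (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config writable by group/other (mode %04o)" % mode)
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)  # typical default that exposes the key
    print(audit_master_config(tmp.name))
    os.chmod(tmp.name, 0o600)  # owner-only
    print(audit_master_config(tmp.name))
    os.unlink(tmp.name)
```

It checks only the single file it is given; any drop-in files included from the master config would need the same check.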
Delete cached domains from the master
salt-run digicert.del_cached_domain domain1.example.com,domain2.example.com
gen_csr(minion_id, dns_name, organization_id, ou_name=None, key_len=2048, shatype='sha256', password=None)
salt-run digicert.gen_csr <minion_id> <dns_name>
gen_key(minion_id, dns_name=None, password=None, key_len=2048)
Generate and return a private_key. If a dns_name is passed in, the private_key will be cached under that name.
salt-run digicert.gen_key <minion_id> [dns_name] [password]
get_certificate(order_id=None, certificate_id=None, minion_id=None, cert_format='pem_all', filename=None)
Retrieve a certificate by order_id or certificate_id and write it to stdout or a filename.
salt-run digicert.get_certificate order_id=48929454 cert_format=apache
Including a 'filename' will write the certificate to the desired file. Note that some cert formats are zipped files, and some are binary.
If the certificate has not been issued, this function will return the order details, which include a status (one of pending, rejected, processing, issued, revoked, canceled, needs_csr, and needs_approval).
If for some reason you want to pipe the output of this command to a file or other command, you will want to leave off the filename argument and make sure to include --no-color so there will be no terminal ANSI escape sequences.
Return the details for an organization
salt-run digicert.get_org_details 34
Returns a dictionary with the org details, or with 'error' and 'status' keys.
List domains that have been cached
List domains that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id.
List certificate orders made to CertCentral.
List organizations that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id. This function returns validation information by default; pass include_validation=False to turn it off.
List certificate requests made to CertCentral. You can filter by
salt-run digicert.list_requests pending
order_certificate(minion_id, common_name, organization_id, validity_years, cert_key_passphrase=None, signature_hash=None, key_len=2048, dns_names=None, organization_units=None, server_platform=None, custom_expiration_date=None, comments=None, disable_renewal_notifications=False, product_type_hint=None, renewal_of_order_id=None)
Order a certificate. Requires that an Organization has been created inside Digicert's CertCentral.
See here for API documentation: https://www.digicert.com/services/v2/documentation/order/order-ssl-determinator
salt-run digicert.order_certificate my_minionid my.domain.com 10 3 signature_hash=sha256 dns_names="['this.domain.com', 'that.domain.com']" organization_units='My Domain Org Unit' comments='Comment goes here for the approver'
This runner can also be used to renew a certificate by passing renewal_of_order_id. Previous order details can be retrieved with digicertapi.list_orders.
Show certificate requests for this API key
Show organization information, especially the company id
salt-run digicert.show_company example.com
Show a private RSA key
salt-run digicert.show_rsa myminion domain.example.com