Automation - TrustView | Documentation

1. Setup automation with win-acme and IIS website

Step 1a - Install and configure win-acme

Start by downloading win-acme and unpack it in a directory, on the Windows server you want to automate certificate renewal on. As long as the win-acme folder is not zipped or archived, the location is not important.

Tip

Even though win-acme can be run from anywhere on the server, it is still recommended to place the win-acme directory in a location that does not get deleted or removed.

e.g. "C:\Program Files\win-acme"

Next, 1 additional step is required to allow win-acme to use TrustView as an ACME server.

Update the settings.json file with the following content:

"RetryCount": 150

The default value is 15, but changing this value will allow the win-acme agent to retry and begin the automation after the agent has been activated in TrustView. This means you can get the automation to run, by executing one single PowerShell command.

Important

This method will not work with wildcard SSL certificates. If using a wildcard certificate such as *.example.org then you must change the PreValidateDns from True to False, in the Settings.json file from win-acme, because external CA’s such as Entrust and DigiCert will no longer allow wildcard SSL certificates to be validated through a HTTP-01 challenge.

Step 1b - Configure DNS validation method (Wildcard certificates)

If using a wildcard certificate when automating, you need to use the DNS validation method, as it’s not possible to use the HTTP validation method.

Note

If you are not using a wildcard certificate, this step is not necessary, and you can continue using the HTTP validation method (–validationmode http-01) in the win-acme command.

Start by creating a PowerShell script containing the following:

1exit 0

Name it dummy.ps1 and place it in a temp folder on your C: drive (or in any other directory, as long as you remember to adjust the command) of the server, where win-acme is placed.

Step 2a - Initial run of win-acme without wildcard certificate

Execute win-acme for the first time without using a wildcard certificate. You must replace {{acme-directory-url}} to match your configuration. You can find the {{acme-directory-url}} here, but it can be found inside TrustView under the Automation menu section.

win-acme command to run if you are not using a wildcard certificate¶

.\wacs.exe --baseuri "{{acme-directory-url}}" --target iis --host {{hostname}} --validationmode http-01 --webroot "C:\temp" --store certificatestore --installation iis

Tip

In some cases, you may want to use --siteid {{iis-site-id}} instead of --host {{hostname}}. The –webroot destination may be set to any directory on the server.

Note

If you want to include additional hostnames (SANs) in the SSL certificate you are trying to get issued, then add --host {{hostname}} per SAN in the SSL certificate.

If you want to specify in the IIS where to place the certificate once it is issued, then you can specify it in this format: --certificatestore My\Trusted by replacing this part --store certificatestore in the win-acme command above.

This is the output of an example run:

Example run of a win-acme command¶

C:\Program Files\win-acme.v2.1.23.1315.x64.pluggable> .\wacs --baseuri https://view.trustskills.com/acme/?token=e03f0dba-b6f7-46cc-8508-69526903d3d1 --target iis --host demo.adtest.local --validationmode http-01 --webroot "C:\temp" --store certificatestore --installation iis

A simple Windows ACMEv2 client (WACS)
Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
Connecting to https://view.trustskills.com/acme/?token=e03f0dba-b6f7-46cc-8508-69526903d3d1...
Connection OK!
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
Running in mode: Unattended
Source generated using plugin IIS: demo.adtest.local

Cached order has status pending, discarding
[demo.adtest.local] Authorizing...
[demo.adtest.local] Authorizing using http-01 validation (SelfHosting)

... Continued after the Automation agent has been activated inside TrustView ...

[demo.adtest.local] Authorization result: valid
Downloading certificate [IIS] (any site), demo.adtest.local
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [IIS] (any site), demo.adtest.local @ 20XX/X/XX 9:53:01 to store WebHosting
Installing with IIS...
Adding new https binding *:443:demo.adtest.local
Committing 1 https binding changes to IIS while updating site 2
Scheduled task looks healthy
Adding renewal for [IIS] (any site), demo.adtest.local
Next renewal due at 20XX/X/XX 9:53:22
Certificate [IIS] (any site), demo.adtest.local created
C:\Program Files\win-acme.v2.1.23.1315.x64.pluggable>

Step 2b - Initial run of win-acme with wildcard certificate

Execute win-acme for the first time using a wildcard certificate. You must replace {{acme-directory-url}} to match your configuration. You can find the {{acme-directory-url}} here, but it can be found inside TrustView under the Automation menu section.

win-acme command to run if you are using a wildcard certificate¶

.\wacs.exe --baseuri "{{acme-directory-url}}" --source manual --host *.domain.com, domain.com --validationmode dns-01 --validation script --dnscreatescript C:\temp\dummy.ps1 --store certificatestore --certificatestore My --nocache --accepttos --emailaddress {{email}} --installation iis --installationsiteid {{IIS siteid}}

Important

If you want to use wildcard certificates, the base domain must also be added. The domain without the *. part.

For reference regarding targeting specific or all bindings for IIS sites, you can find more information here: win-acme reference.

Step 3 - Activate the agent in TrustView

Follow the steps described here to activate the Automation agent. Once that is done, the automation cycle will run and automatically renew the certificate, when nearing expiry.

Step 4 - Configure win-acme to run periodically

win-acme automatically creates a scheduled task that periodically runs win-acme and renews certificates, so there is no manual configuration required.

Win-acme defaults to start renewal 55 days before expiry, but that can be adjusted in the settings.json file.

Look for this section in the file and adjust as needed:

"ScheduledTask": {
  "RenewalDays": 55,
  "RenewalDaysRange": 0,
  "RenewalMinimumValidDays": null,
  "RandomDelay": "04:00:00",
  "StartBoundary": "09:00:00",
  "ExecutionTimeLimit": "02:00:00"
},

You can also adjust the scheduled task for the win-acme client on the Windows server.

2. Specify certificate name manually on the IIS

In some cases, you may want to specify the certificate name manually and bind it to the hostname, instead of automatically using the hostname of the IIS as the certificate name.

This can currently only be done by running the win-acme wacs.exe and not by using PowerShell and parameters.

Follow the instructions on screen:

Type M Create certificate (full options)
Type M Manual input
Type the desired hostname (the name of the certificate)
Press Enter to accept the hostname as the friendly name (unless you wish to change it)
Type 1 [http-01] Save verification files on (network) path
Type the network path, e.g. C:\temp
Type n as it’s not necessary to Copy default web.config before validation
Type 2 RSA key
Type 5 Windows Certificate Store
Type 1 or 3 for WebHosting
Type 6 No (additional) store steps
Type 1 Create or update bindings in IIS
Type 1 default
Type 3 No (additional) installation steps
The win-acme should now run, issue the certificate and update the IIS binding

3. Issue wildcard certificate and update bindings in IIS using win-acme without the IIS plugin

When using win-acme and the integrated IIS-plugin, win-acme insists on creating bindings in IIS. In some cases this is not desirable. In this example we utilize win-acme with a custom script instead of the IIS-plugin for updating certificates in IIS.

Step 1

Download and copy the scripts UpdateIISSites.ps1 and dummy.ps1 to c:\Scripts.

Step 2

Run this command¶

.\wacs.exe --baseuri "{{acme-url}}" --source manual --host "{{hostnames}}" --validationmode dns-01 --validation script --dnscreatescript 'C:\scripts\dummy.ps1' --store certificatestore --certificatestore WebHosting --accepttos --emailaddress {{email}} --keepexisting --installation script --script 'C:\scripts\UpdateIISSites.ps1' --scriptparameters '{CertThumbprint} {OldCertThumbprint}'

Note

Remember to adjust the {{acme-url}}, {{hostnames}} and {{email}} to fit your needs.

Step 3

Activate the agent connection in TrustView (if necessary)

Step 4

Update all relevant bindings in IIS to use the new certificate

Now, during certificate renewal, win-acme will automatically detect all bindings in IIS that uses the old certificate and replace the certificate with the renewed certificate.

4. Use win-acme to automatically renew certificates on multiple bindings and sites of an IIS

If you want to automate the deployment of certificates on an IIS and have multiple sites and/or bindings, you need to utilize this command parameter:

--installationsiteid {{id}}

You can also read more about the details of that command here.

As stated here the command will use the name of all the bindings (if more than one) from the chosen siteid, so you have to make preparations for that before running the automation command with win-acme, by making sure all the bindings you wish to hit, has the exact same name.

Example:

An IIS setup has 3 sites (id 10, 11 and 12), and each site have 3 bindings. These bindings have a wildcard certificate (*.) attached that contain the exact same name.

.\wacs.exe --baseuri "{{acme-directory-url}}" --source manual --host *.wildcardcertificate.com --validationmode dns-01 --validation script --dnscreatescript C:\temp\dummy.ps1 --store certificatestore --certificatestore My --nocache --accepttos --emailaddress mailtobenotified@domain.com --installation iis --installationsiteid 10

Binding 10 in this example has been chosen, but because the remaining 2 sites have bindings that contain a wildcard certificate with the same name, they will also automatically be renewed in the process, and therefore they do not need to be specified with the --installationsiteid command.

If you wish, bindings can be excluded with this command parameter:

--excludebindings example.com

You can refer to the details here.

5. Deploy certificate from the Certificate Store to the IIS

If you wish to deploy one or more certificates from your Microsoft Certificate Store to your IIS, you can do so by running a script at the end of the win-acme renewal process.

Below is a script you can use and configure for your needs as a starting point:

CertificateStoreToIIS.ps1

6. Use win-acme to automatically issue and renew the certificate on a local file system

Note

Minimum version required of win-acme is v2.1.19.1142.

First, make sure to update the settings.json file with the following content:

"RetryCount": 150

Then use the PowerShell command, with the following parameters:

.\wacs.exe --baseuri {{acme-directory-url}} --validationmode http-01 --webroot "C:\temp" --source manual --host {{Hostname}} --store pemfiles --pemfilespath {{Cert-Path}}

The following files will be created when --store pemfiles is used:

{CommonName}-crt.pem (certificate)
{CommonName}-key.pem (private key)
{CommonName}-chain.pem (certificate plus chain)
{CommonName}-chain-only.pem (chain without certificate)

Optionally {CommonName}-key.pem can be password protected by adding --pempassword {{password}} at the end.

If you need a .pfx file, use --store pfxfile and --pfxfilepath {{Cert-Path}} instead.

Tip

Remember to change {{acme-directory-url}}, {{Hostname}} and {{Cert-path}} to where you want your certificates to be stored, to match your configuration.

7. Use win-acme to automatically issue and renew a certificate on Apache Tomcat

Note

Minimum version required of win-acme is v2.1.19.1142.

First, make sure to update the settings.json file with the following content:

"RetryCount": 150

Step 1 - Initial run of Win-acme

You will need a .pfx file for this to work, so use --store pfxfile to save the certificate as a PFX file --pfxpassword {{password}} will define the password for the certificate so it does not change. --pfxfilename {{CertName}} will define the name and make sure the PFX certificate will have the same name after renewal and --pfxfilepath {{Cert-Path}} to define where it should save the PFX file, as shown in the PowerShell command below.

Use the PowerShell command, with the following parameters:

.\wacs.exe --baseuri {{acme-directory-url}} --validationmode http-01 --webroot "C:\temp" --source manual --host {{Hostname}} --store pfxfiles --pfxpassword {{Password}} --pfxfilespath {{Cert-Path}} --pfxfilename {{certname}}

Tip

Remember to change {{acme-directory-url}}, {{Hostname}} , {{Cert-path}}, {{Password}} and {{certname}}.

Step 2 - Configure Apache Tomcat to use new SSL certificate

Locate the Tomcat installation directory, typically:

C:\Program Files\Apache Software Foundation\Tomcat 9.0_TrustView

Tip

If you are unable to locate the Apache Tomcat directory, contact our for assistance.

The SSL certificate is specified in the Tomcat Apache server.xml configuration file Tomcat-install-dir\conf\server.xml. The following is an example of such Connector element:

<Connector
port="443"
maxhttpheadersize="8192"
maxThreads="150"
minsparethreads="25"
maxsparethreads="75"
enablelookups="false"
disableuploadtimeout="true"
acceptcount="100"
scheme="https"
secure="true"
sslProtocol="TLS"
clientAuth="true"
SSLEnabled="true"
keystoreFile="conf/trustview_ssl.p12"
keystorePass="Test1234"
keystoreType="PKCS12"
/>

Important

Always make sure you have a backup of the server.xml file before modifying it.

Now update the following attributes of the Connector element to match the path, filename and password defined in Win-acme:

keystoreFile

keystorePass

Step 3 - Run a script to restart Apache Tomcat service

Follow the steps described here to run a script after a renewal of a certificate and run the following script:

Batch script:

net stop "myservice"

net start "myservice"

PowerShell script:

Restart-Service -displayname "Service name"

Tip

In this case, the service name would most likely be TrustView, but check the properties of the Windows service, if in doubt.

8. Automation of certificate renewal on an Apache HTTP server using Certbot

In this example the Apache HTTP server is running on a Linux Ubuntu server, and we will be using the Certbot ACME client.

Step 1 - Install Certbot

Start by installing Certbot:

$ sudo apt-get install python3-certbot python3-certbot-apache

You can also follow the installation instructions provided by the Certbot website.

Step 2 - Initial run of Certbot

Execute Certbot for the first time. How you find your {{acme-directory-url}} is described here, but it can be found inside TrustView under the Automation menu section.

$ certbot -i apache -a manual --server '{{acme-directory-url}}' --manual-auth-hook '/bin/true' --agree-tos --webroot -w /tmp -d example.domain.com --http-01-interactive-redirect 10

Setting --http-01-interactive-redirect to a value of 10 will give you approximately an hour to activate the Automation agent inside Trustview, before you would have to run the command again.

Step 3 - Activate the agent in TrustView

Follow the steps described here to activate the Automation agent. Once that is done, the automation cycle will run and automatically renew the certificate, when nearing expiry.

Step 4 - Configure Certbot to run periodically

You can set up a cron job or scheduled task to make Certbot run periodically. When using the renew command inside a cron job, it defaults to attempt renewal of certificate 30 days before expiry.

Cron job example:

0 0 * * * certbot renew --quiet

This will make the cron job run every day at midnight.

Important

Note that some OS distributions come with preconfigured scheduled renewal of certificates configured with Certbot using e.g. systemd or cron (depending on the method you used for installing Certbot).

9. Use win-acme to automatically issue and renew certificates for Azure Key Vault

Step 1 - Install and configure win-acme

Note

This plugin requires you to use the pluggable release of the main executable, which you can find here.

Start by downloading win-acme and unpack it in a directory on the Windows server, that you want to automate certificate renewal on. To use Azure with win-acme we need to download and install a plugin. This plugin is offered as a separate download, and it has to be moved to the Win-acme directory and unpacked.

Win-acme store keyvault plugin

win-acme releases

Note

After unpacking, you may have to unblock all new .dll files before .NET will trust them. You can do that from the Windows File Explorer by going into Properties of the files and then checking the Unblock box in the General tab.

Step 2 - Azure configuration

Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates.

How to create Azure key vault:

Follow this guide: Azure key vault guide

App registration is to establish a trust relationship between your app (win-acme) and Microsoft Azure.

How to create app registration:

Follow this guide: Azure app guide

When both have been created, you have to give App registration access to your key vault.

Note

Give full permission in Key Permissions, Secret Permissions and Certificate Permissions.

How to assign access policy to azure key vault:

Access policy guide

Step 3 - Setup DNS integration [Optional]

To get Lets Encrypt certificates issued, they need to be validated with a DNS challenge, which happens through the DNS integration. See DNS integration for details.

Step 4 - Use win-acme with Azure Key Vault

When running win-acme it will need the following to authenticate with Azure:

Directory/Tenant ID
Application client ID
Application client secret

The Directory/tenant ID can be found under Azure Active Directory:

The Application client ID can be found under your App registration:

The Application client secret can also be found under your App registration:

Note

You have to create one first, and the value will only be shown once, so remember to save it.

Execute win-acme for the first time.

Note

You must replace {{acme-directory-url}}, {{Key-vault-name}}, {{Name-of-cert-in-azure}}, {{Hostname}}, {{Directory/tenant id}}, {{Application client id}} and {{Application client secret}} to match your configuration.

    ./wacs.exe --baseuri "{{acme-directory-url}}" --Store keyvault --source manual --vaultname "{{Key-vault-name}}" --Certificatename “{{Name-of-cert-in-azure}}” --Host “{{Hostname}}” --azureenvironment azurecloud --azuretenantid “{{Directory/tenant id}}” --azureclientid “{{Application client id}}” --azuresecret “{{Application client secret}}”

Important

The --Certificatename parameter must be a name without spaces or extensions such as .dk and .com etc. An example for a valid name would be certificateName or exampleCom.

Step 5 - Activate the agent in TrustView

Follow the steps described here, but it can be found inside TrustView under the Automation menu section.

Now the activated certificate should be in the Azure Key Vault under Certificates.

This is the output of an example run:

C:\Program Files\Acme> ./wacs.exe --baseuri https://tv-staging.trustskills.com:11443/acme/?token=6b8e06fa-0ea0-4a78-a1d2-c4e0a38a09d8 --store keyvault --vaultname AcmeTest --certificatename test1  --host azuretest4.dk --azureenvironment azurecloud --azuretenantid a6fb3859-****-****-****-**** --azureclientid de12ab67-****-****-****-**** --azuresecret Y43g************ --source manual

A simple Windows ACMEv2 client (WACS)
Software version 2.1.20.1185 (release, pluggable, standalone, 64-bit)
Connecting to https://tv-staging.trustskills.com:11443/acme/?token=6b8e06fa-0ea0-4a78-a1d2-c4e0a38a09d8...
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
Running in mode: Unattended
Source generated using plugin Manual: azuretest4.dk

[azuretest4.dk] Authorizing...
[azuretest4.dk] Authorizing using http-01 validation (SelfHosting)
[azuretest4.dk] Authorization result: valid
Downloading certificate [Manual] azuretest4.dk
Store with KeyVault...
Installing with None...
Scheduled task looks healthy
Adding renewal for [Manual] azuretest4.dk
Next renewal scheduled at 20XX/XX/XX 10.13.11
Certificate [Manual] azuretest4.dk created

10. Using Certbot to automatically issue and renew certificates on F5 BIG-IP

Step 1 - Setup and installation

Requirements:

Linux-based container or virtual machine with reachability to the F5 Big-IP interface
Certbot (Certbot for Windows servers exists, but have not been tested in a production environment)
certbot-bigip certbot-bigip

Follow the steps on the Linux-based container or VM.

Run the installation command:

sudo pip install certbot-bigip

Tip

Use ==x.x.x to specify a version of the plugin, like this example: sudo pip3 install certbot-bigip==1.2.0.

If needed, change the port of the F5 BIG-IP management interface, to be able to connect to it:

cd /usr/local/lib/python3.9/dist-packages/f5/bigip$
sudo nano __init__.py

Find the line that specifies the port and adjust it:

port=kwargs.pop('port', 443)

There are changes that need to be made to the following 3 files:

All 3 are located in the /usr/local/lib/python3.9/dist-packages/certbot_bigip directory. Download these modified files below and replace them with the original files in the directory.

Step 2 - Initial run of Certbot

sudo certbot --server '{{acme-directory-url}}' --email 'email@address' --agree-tos -a manual -i certbot-bigip:bigip --certbot-bigip:bigip-list '{{public-interface-ip}}' --certbot-bigip:bigip-partition Common --certbot-bigip:bigip-vs-list '/Common/wwwvs' --certbot-bigip:bigip-username '{{username}}' --certbot-bigip:bigip-password '{{password}}' -d example.trustskills.com

Step 3 - Activate the agent in TrustView

Follow the steps described here.

Change the certificate issuer to LetsEncrypt or another issuer under the relevant Automation agent, by the Certificate issuer dropdown menu.

Note

If Let’s encrypt is used as certificate issuer, there are some limitations on the renewal rate of certificates, see Let’s encrypt certificate rate limits.

Step 4 - Setup DNS integration

To get Let’s Encrypt certificates issued, they need to be validated with a DNS challenge, which happens through the DNS integration in TrustView. See DNS integration for details.

Step 5 - Issue first certificate

sudo certbot --server '{{acme-directory-url}}' --email '{{email}}' --agree-tos -a manual -i certbot-bigip:bigip --certbot-bigip:bigip-list '{{public-interface-ip}}' --certbot-bigip:bigip-partition Common --certbot-bigip:bigip-vs-list '/Common/wwwvs' --certbot-bigip:bigip-username '{{username}}' --certbot-bigip:bigip-password '{{password}}' -d example.trustskills.com

Step 6 - Setup crontab

To set up the automation for certificate retrieval, you can use a crontab to schedule when to run the renewal and deployment process.

sudo crontab -e

Inside the crontab, the setup could be like this:

0 0,12 * * * /usr/bin/certbot certonly -q --server '{{acme-directory-url}}' -m {{email}} --agree-tos -a manual -i certbot-bigip:bigip --certbot-bigip:bigip-list '{{public-interface-ip}}' --certbot-bigip:bigip-partition Common --certbot-bigip:bigip-vs-list '/Common/wwwvs' --certbot-bigip:bigip-username '{{username}}' --certbot-bigip:bigip-password '{{password}}' -d example.trustskills.com

This example renews a single certificate and deploys it to the F5 BIG-IP.

The crontab above is set to run twice a day (every 12 hour). So every day it checks if a certificate needs to be renewed and 30 days before expiry, the renewal process will begin automatically.

To configure when the crontab is run, you can use this crontab generator.

Important

It is recommended to run each line in the crontab outside the crontab in the terminal once, both to test for any error of the renewal process, but also to issue the first certificate and to be able to activate the automation agent. Use the --dry-run parameter to test if the command would be successful without actually renewing the certificate. Also change the -q parameter to -n when running the command outside the crontab. -n non-interactive will show logging in the terminal and -q quiet will log and show nothing, which is recommended when run inside a crontab.

Step 7 - Set password in environment variable [Optional]

This will ensure that passwords are not displayed in cleartext within the crontab or when used as part of a command.

Tip

This can also be used for usernames and other variables that you do not want to show as cleartext.

Open the .bash_profile file:

nano .bash_profile

Note

You can use whatever text editor you prefer, in this example nano is used.

Set the environment variables inside the .bash_profile file:

export PASSWORD="my_password"

Save the file and restart the terminal, or logout from the user account and then login again, to use the new changes to the environment variables.

PASSWORD can now be used in the Certbot command instead of using the cleartext version of the password.

Important

Check your OS, in some cases ~/.profile is used as default for environment variables, but can be overridden if you create a .bash_profile file.

11. Use win-acme to automatically issue and renew the certificate on ADFS

To see the token-signing and token-decryption certificate expiry on the ADFS, run these commands and look for the [Not After] timestamp.

Get-AdfsCertificate –CertificateType token-signing
Get-AdfsCertificate –CertificateType token-decrypting

The certificate for which the IsPrimary value is set to True is the certificate that ADFS is currently using.

Step 1 - Initial run of win-acme

You can use certificates from ADCS, Entrust, DigiCert, GeoTrust and Let’s Encrypt by selecting the corresponding certificate issuer under the automation agent.

.\wacs.exe --baseuri {{acme-directory-url}} --validationmode http-01 --webroot "C:\temp" --source manual --host {{Hostname}} --store pfxfile --pfxfilepath {{Cert-Path}}

Remember to activate the Automation agent in TrustView after you run win-acme the first time.

Tip

Remember to change {{acme-directory-url}}, {{Hostname}} and {{Cert-path}} where you want your certificates to be stored, to match your configuration. To locate the acme-directory-url, see.

Step 2 - Configure script [Optional]

If you are using a certificate from one of the certificate issuers instead of a self-signed certificate, you can use the script.

Download and use this PowerShell script as a starting point for your configuration adfs.ps1

12. Automation of certificate renewal on Palo Alto firewall using Certbot

Step 1 - Setup and installation

Requirements:

Linux-based container or virtual machine with reachability to the Palo Alto firewall management interface
Certbot (Certbot for Windows exists, but have not been tested in a production environment)
OpenSSL
pan-python pan-python

Follow the steps on the Linux-based container or VM.

Run the installation commands:

sudo apt-get install python3-pip certbot openssl
sudo pip install pan-python

Generate an API key, if you do not already have one available:

panxapi.py -h PAN_MGMT_IP_OR_FQDN -l USERNAME:'PASSWORD' -k

Note

The example is shown with DigiCert certificates, but can be used with Entrust, GeoTrust and Let’s Encrypt certificates or certificates from the ADCS module. Just select the type you want to use under the relevant automation agent - Certificate issuer dropdown menu. With DigiCert, GeoTrust and Entrust certificates we need to enable automation from our side, in that case contact our to let us know.

Let’s Encrypt certificates requires a DNS integration to be setup in TrustView
ADCS certificates requires the installation of the ADCS module and a specific CRL flag to be set on the CA
Entrust, GeoTrust and DigiCert, requires prevalidation for the OV and EV certificates and to have automation enabled in our backend

If you want to use ADCS certificates, this CRL flag must be set on the CA:

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

This is an example of the output:

C:\Windows\system32> certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Adtest Root CA\CRLFlags:

Old Value:
  CRLFlags REG_DWORD = 2
    CRLF_DELETE_EXPIRED_CRLS -- 2

New Value:
  CRLFlags REG_DWORD = 10002 (65538)
    CRLF_DELETE_EXPIRED_CRLS -- 2
    CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT -- 10000 (65536)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
C:\Windows\system32>

This will allow the subject field to be filled out on ADCS certificates, when retrieving the certificate through the automation agent. If this step is skipped an error will occur during the deployment step.

Step 2 - Setup deploy script

Write your own deploy script or use this pre-made script paloalto.bash

The script handles a single certificate and SSL/TLS service profile. To accommodate for more certificates and SSL/TLS service profiles, you either need to use separate scripts or configure the pre-made script to handle additional ones.

Important

There must be no spaces in the name of the SSL/TLS service profiles. Replace them with underscores, dashes or other characters.

Step 3 - Setup crontab

To setup the automation for certificate retrieval and deploy script, you can use a crontab to schedule when to run the renewal and deployment process.

sudo crontab -e

Inside the crontab, the setup could be like this:

0 0,12 * * * /usr/bin/certbot certonly -q --apache -m {{email}} --agree-tos --server {{acme-directory-url}} -d example.trustskills.com --deploy-hook /pathto/deployscript

If you have a single deploy script for a single certificate and SSL/TLS service profile, then you should use the example above and add additional lines if you have more than one single certificate and SSL/TLS service profile.

The crontab above is set to run twice a day (every 12 hour). So every day it checks if a certificate needs to be renewed and 30 days before expiry, the renewal process will begin automatically.

Important

It is recommended to run each line in the crontab outside the crontab in the terminal once, both to test for any error of the renewal process, but also to issue the first certificate and to be able to activate the automation agent. Use the --dry-run parameter to test if the command would be successful without actually renewing the certificate. Also change the -q parameter to -n when running the command outside the crontab. -n non-interactive will show logging in the terminal and -q quiet will show nothing, which is recommended when run inside a crontab.

13. Use win-acme to automatically issue and renew the certificate in Java KeyStore

If you want to renew certificates on a Java KeyStore, it can be done with the ACME client - win-acme and a script that is run after the certificate retrieval in TrustView.

Download win-acme and run this command to set up the automation agent inside TrustView:

.\wacs.exe --baseuri {{acme-directory-url}} --validationmode http-01 --webroot "C:\temp" --source manual --host {{Hostname}} --script {{script-path}}

You can write your own script or use this pre-made script as a starting point:

JavaKeyStore_RenewalScript_Windows.ps1

Note

In the PowerShell script, there are several variables that need to be adjusted to match your setup. So configure those, before running the script.

14. Use Certbot to automatically issue and renew the certificate in Java KeyStore

If you want to renew certificates on a Java keystore on a Linux server, it can be done with Certbot.

Download Certbot and run this command to set up the automation agent inside TrustView:

/usr/bin/certbot certonly -q --apache -m {{email}} --agree-tos --server {{acme-directory-url}} -d {{Hostname}} --deploy-hook /pathto/JavaKeyStore_RenewalScript_Linux.bash

You can write your own script or use this pre-made script as a starting point:

JavaKeyStore_RenewalScript_Linux.bash

Note

The script also contains variables that need to be adjusted for your needs.

15. Run a script after issuing or renewing certificate with win-acme

Add the following parameters at the end of win-acme, remember to change {{Script-path}} to match your configuration.

--installation script --script {{script-path}}

Script Parameters

The following variables can be specified at the end of win-acme as command line arguments, that the script can run after retrieving the certificate.

Remember to change {{Script-path}} and {{parameters x}} to match your configuration.

--installation script --script {{script-path}} --scriptparameters {{parameterX}}

Value	Replaced with
{0} or {CertCommonName}	Common name (primary domain name) of the newly issued certificate
{1} or {CachePassword}	The `.pfx` password (generated randomly for each renewal)
{2} or {CacheFile}	Full path of the cached `.pfx` file
{4} or {CertFriendlyName}	Friendly name of the newly issued certificate
{5} or {CertThumbprint}	Thumbprint of the newly issued certificate
{7} or {RenewalId}	Id of the renewal
{3} or {6} or {StorePath}	Path or store name used by the (first) store plugin
{StoreType}	Name of the plugin (CentralSsl, CertificateStore or PemFiles)
{OldCertCommonName}	Common name (primary domain name) of the previously issued certificate
{OldCertFriendlyName}	Friendly name of the previously issued certificate
{OldCertThumbprint}	Thumbprint of the previously issued certificate

If you need your scripts parameters to look something like this:

--scriptparameters action=import file=C:\mydomain.pfx password=*****

Then your argument string should look like this:

--scriptparameters action=import file={CacheFile} password={CachePassword}

Automation¶

Automation using ACME clients¶

Hostnames and IPs used during automation¶

win-acme and Certbot logs¶

Customize the ACME URL directory path¶

Automation examples¶

Change the renewal interval for win-acme¶

Automate activation of agent connections¶

Adding a new activation template¶

Troubleshooting¶

Unable to bind win-acme to IIS website using specific hostnames¶

Automation agent activation¶

Deleting certificates in Certbot¶

Automatic method¶

Manual method¶

Changing the TLS version¶

Automation¶

Automation using ACME clients¶

Hostnames and IPs used during automation¶

win-acme and Certbot logs¶

Customize the ACME URL directory path¶

Automation examples¶

Change the renewal interval for win-acme¶

Automate activation of agent connections¶

Adding a new activation template¶

Troubleshooting¶

Unable to bind win-acme to IIS website using specific hostnames¶

Automation agent related tasks in TrustView¶

The ACME directory URL¶

Automation agent activation¶

Deleting certificates in Certbot¶

Automatic method¶

Manual method¶

Changing the TLS version¶