Use automated flow for certificate management

  • Release version: Washingtondc
  • Updated February 1, 2024

Automated certificate management in Certificate Inventory and Management streamlines TLS certificate processes, offering benefits such as improved efficiency, reduced manual intervention, and enhanced security. Automating certificate management ensures timely renewal, minimizes the risk of expired certificates, and provides a systematic approach to handling the lifecycle of TLS certificates.

    Before you begin

    Role required: pki_admin or admin

    Procedure

    1. Set the system property sn_disco_certmgmt.cert_task_default_approval_group to the default Approval Group name.
      The approval group name is the default group used if the certificate request moves into manual mode, for instance, if there is no matching policy or more than two matching policies. You can add more than one approval group, separated by commas. The first group on the list, which belongs to the task domain, is used for approval. If no domain-specific group is found, the first name in the global domain list is used.
    2. To set the validity period of the certificate order, update the system property sn_disco_certmgmt.default_cert_order_validity_period.
      Default is 730 days (2 years).
    3. Set up the Routing Policy for each certificate authority (for instance, DigiCert, Entrust CA Gateway, or Microsoft CA).
      You can define multiple routing policies for a single CA to use different accounts to fetch certificates. For Microsoft CA, you can then do either of the following:
      • Add the IP address of the CA server to the ca_host_ip field of the routing policy, OR
      • Add the IP address of an intermediate server to the ca_host_ip field of the routing policy. The intermediate server can be any Windows server that is in the same domain as the Microsoft CA server and has the certutil and certreq commands available in PowerShell.

        When an intermediate server is used, the MID Server executes a PowerShell script on the intermediate server using Invoke-Command, which in turn uses Remote Procedure Call (RPC) to run the certutil and certreq commands on the CA server.

    4. Create the certificate credential and map it to the credential alias.
      Each credential should map with a unique credential alias. For more information, see Credential alias for Discovery.
    5. Ensure that the Certificate and Certificate URL information is in the Certificate Authority [sn_disco_certmgmt_ca] and Certificate Authority API URL [sn_disco_certmgmt_ca_api_url] tables.
      The default URL for DigiCert and Entrust CA Gateway provides all validation type URLs. You can add additional URLs if desired.
    6. Set the task priority.

      The priority and type of the change request are mapped from the priority of the task. The change request has the same priority as the task, except for P5: change requests do not have a P5, so a P5 task is mapped to P4.

      To change the type of change requests, the change management property com.snc.change_management.change_model.type_compatibility needs to be set to true. The default is false.

      1. To configure the priority of New and Renew tasks, change the system property sn_disco_certmgmt.default_cert_task_priority if needed.
        The priority defaults to P3. The possible values are 1, 2, 3, 4, 5. A value of 1 sets the priority to P1, and so on. If an invalid value is provided, the priority resets to the default of P3.
      2. To configure the priority of Revoke tasks, change the system property sn_disco_certmgmt.default_revoke_cert_task_priority if needed.
        The priority defaults to P1. The possible values are 1, 2, 3, 4, 5. A value of 1 sets the priority to P1, and so on. If an invalid value is provided, the priority resets to the default of P1.
    7. Optional: Install the Integration Hub plugin [com.glide.hub.integrations].

      The [com.glide.hub.integrations] plugin is not required for requesting a DigiCert or Entrust CA Gateway certificate and tracking the certificate order status. However, if you want to debug the certificate subflow actions or add your own customization flow for DigiCert, Entrust CA Gateway, or Microsoft CA, you must install this plugin.
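The following is an added preflight check (not part of the ServiceNow documentation or product) for the Microsoft CA intermediate-server option in step 3: it uses the same Invoke-Command hop the MID Server uses to confirm that the intermediate server is domain-joined, that certutil and certreq resolve in the remote session, and that the CA answers an RPC ping before you put the server's IP address in ca_host_ip. The server name, the CA config string and the account rights are assumptions supplied by the operator.

```powershell
# Added example, not ServiceNow's own code: readiness check for a Microsoft CA
# intermediate server before it is referenced by a routing policy's ca_host_ip.
# Assumptions (placeholders): $Intermediate is the intermediate Windows server,
# $CaConfig is the CA in "<CA host>\<CA common name>" form, and the caller has
# WinRM rights on the intermediate server and request rights on the CA.
param(
    [Parameter(Mandatory)] [string] $Intermediate,
    [Parameter(Mandatory)] [string] $CaConfig   # e.g. "ca01.corp.example\Corp-Issuing-CA" (placeholder)
)

$result = Invoke-Command -ComputerName $Intermediate -ArgumentList $CaConfig -ScriptBlock {
    param($CaConfig)
    $r = [ordered]@{}

    # 1. The documentation requires the intermediate server to be in the CA's domain.
    $cs = Get-CimInstance Win32_ComputerSystem
    $r.Domain       = $cs.Domain
    $r.DomainJoined = [bool]$cs.PartOfDomain

    # 2. certutil and certreq must resolve in a remote (non-interactive) session.
    foreach ($tool in 'certutil.exe', 'certreq.exe') {
        $r[$tool] = [bool](Get-Command $tool -ErrorAction SilentlyContinue)
    }

    # 3. certutil -ping talks to the CA over the same RPC/DCOM interface that
    #    certreq uses to submit requests, so this exercises the second hop.
    $r.CaPing   = (& certutil.exe -ping -config $CaConfig 2>&1 | Out-String).Trim()
    $r.CaPingOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]$r
}

$result | Format-List Domain, DomainJoined, 'certutil.exe', 'certreq.exe', CaPingOk, CaPing

$ready = $result.DomainJoined -and $result.'certutil.exe' -and $result.'certreq.exe' -and $result.CaPingOk
if (-not $ready) {
    Write-Error "Intermediate server $Intermediate is not ready to relay certutil/certreq to $CaConfig"
    exit 1
}
```

If both tools are present but CaPingOk is false with an access-denied error, the usual cause is the Kerberos second hop: the remote session's credentials are not forwarded from the intermediate server to the CA, so delegation must be configured for the account the MID Server uses.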