salt.runners.digicertapi¶
Support for Digicert. Heavily based on the Venafi runner by Joseph Hall (jphall@saltstack.com).
Before using this module you need to register an account with Digicert's CertCentral.
Login to CertCentral, ensure you have a payment method configured and/or there are adequate
funds attached to your account. Click the Account item in the left sidebar, and select
Account Access. The right hand pane should show "Account Access" and a link to create
an API key. Create a new API key and assign it to the user that should be attached to requests
coming from Salt.
NOTE CertCentral will not show the API key again after revealing it the first time. Make sure you copy it right away or you will have to revoke it and generate a new one.
Now open /etc/salt/master and add the API key as shown below.
digicert:
api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABC
Restart your Salt Master.
You can also include default values of the following variables to help with creating CSRs:
digicert:
api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABC
shatype: sha256
This API currently only supports RSA key types. Support for other key types will be added if interest warrants.
- salt.runners.digicertapi.del_cached_domain(domains)¶
Delete cached domains from the master
CLI Example:
salt-run digicert.del_cached_domain domain1.example.com,domain2.example.com
- salt.runners.digicertapi.gen_csr(minion_id, dns_name, organization_id, ou_name=None, key_len=2048, shatype='sha256', password=None)¶
CLI Example:
salt-run digicert.gen_csr <minion_id> <dns_name>
- salt.runners.digicertapi.gen_key(minion_id, dns_name=None, password=None, key_len=2048)¶
Generate and return a private_key. If a
dns_nameis passed in, the private_key will be cached under that name.CLI Example:
salt-run digicert.gen_key <minion_id> [dns_name] [password]
- salt.runners.digicertapi.get_certificate(order_id=None, certificate_id=None, minion_id=None, cert_format='pem_all', filename=None)¶
Retrieve a certificate by order_id or certificate_id and write it to stdout or a filename.
- A list of permissible cert_formats is here:
https://www.digicert.com/services/v2/documentation/appendix-certificate-formats
CLI Example:
salt-run digicert.get_certificate order_id=48929454 cert_format=apache
Including a 'filename' will write the certificate to the desired file. Note that some cert formats are zipped files, and some are binary.
If the certificate has not been issued, this function will return the order details inside of which will be a status (one of pending, rejected, processing, issued, revoked, canceled, needs_csr, and needs_approval)
If for some reason you want to pipe the output of this command to a file or other command you will want to leave off the
filenameargument and make sure to include--no-colorso there will be no terminal ANSI escape sequences.
- salt.runners.digicertapi.get_org_details(organization_id)¶
Return the details for an organization
CLI Example:
salt-run digicert.get_org_details 34
Returns a dictionary with the org details, or with 'error' and 'status' keys.
- salt.runners.digicertapi.list_domain_cache()¶
List domains that have been cached
CLI Example:
salt-run digicert.list_domain_cache
- salt.runners.digicertapi.list_domains(container_id=None)¶
List domains that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id.
CLI Example:
salt-run digicert.list_domains
- salt.runners.digicertapi.list_orders(status=None)¶
List certificate orders made to CertCentral.
CLI Example:
salt-run digicert.list_orders
- salt.runners.digicertapi.list_organizations(container_id=None, include_validation=True)¶
List organizations that CertCentral knows about. You can filter by container_id (also known as "Division") by passing a container_id. This function returns validation information by default; pass
include_validation=Falseto turn it off.CLI Example:
salt-run digicert.list_organizations
- salt.runners.digicertapi.list_requests(status=None)¶
List certificate requests made to CertCentral. You can filter by status:
pending,approved,rejectedCLI Example:
salt-run digicert.list_requests pending
- salt.runners.digicertapi.order_certificate(minion_id, common_name, organization_id, validity_years, cert_key_passphrase=None, signature_hash=None, key_len=2048, dns_names=None, organization_units=None, server_platform=None, custom_expiration_date=None, comments=None, disable_renewal_notifications=False, product_type_hint=None, renewal_of_order_id=None)¶
Order a certificate. Requires that an Organization has been created inside Digicert's CertCentral.
See here for API documentation: https://www.digicert.com/services/v2/documentation/order/order-ssl-determinator
CLI Example:
salt-run digicert.order_certificate my_minionid my.domain.com 10 3 signature_hash=sha256 dns_names=['this.domain.com', 'that.domain.com'] organization_units='My Domain Org Unit' comments='Comment goes here for the approver'
This runner can also be used to renew a certificate by passing renewal_of_order_id. Previous order details can be retrieved with digicertapi.list_orders.
- salt.runners.digicertapi.show_csrs()¶
Show certificate requests for this API key
CLI Example:
salt-run digicert.show_csrs
- salt.runners.digicertapi.show_organization(domain)¶
Show organization information, especially the company id
CLI Example:
salt-run digicert.show_company example.com
- salt.runners.digicertapi.show_rsa(minion_id, dns_name)¶
Show a private RSA key
CLI Example:
salt-run digicert.show_rsa myminion domain.example.com
