Video: Getting Started with Automation Clients: Open Source and Commercial Options | Duration: 1980s | Summary: Getting Started with Automation Clients: Open Source and Commercial Options | Chapters: Welcome and Introduction (2.56s), Introducing Certificate Automation (303.10498s), ACME Protocol Overview (515.455s), Upcoming Session Preview (1300.445s), Certificate Automation Planning (1400.73s), Certificate Distribution Methods (1528.845s), Certificate Management Integration (1721.5801s), Concluding Remarks (1920.005s)
Transcript for "Getting Started with Automation Clients: Open Source and Commercial Options":
Hello, and welcome, everybody. We'll be getting started in just a minute or so. We're gonna let people filter in, so in the meantime we'll be in the background, muted. Give us just about a minute here to let people filter in. Thank you. For those of you just joining, we're just allowing a couple of minutes for people to filter in, and we'll get started. So apologies for the white noise at the moment; we'll be getting started here in just a moment.

Alright. Let's go ahead and get started, Michael. Welcome, everybody, to the Getting Started with Automation Clients: Open Source and Commercial Options webinar. We are thrilled to have you with us today. Just to start out, I wanna do a little bit of housekeeping. Today's session is being recorded. We'll send you a link to that recording after the webinar. You can also access today's slides in the docs panel on the right-hand side of your screen. In that panel, you'll also see the Q&A feature. That will allow you to submit any questions you may have during the course of the webinar, and we will have several moderators today who will be passing your questions on to our experts. Also, near the top right-hand corner of the screen, you'll see a Get Demo button. I wanna call this one out specifically. It is kind of the fast-pass method to getting in touch with our sales and solutions engineering teams, so feel free to click it at any time, and we will get back to you. Last but not least, if you have any technical issues today with the webinar, please check your Internet connection as well as refresh your cache and cookies. Chrome and Edge typically work the best for the platform, but in case a problem persists, please contact us by email at webinars@digicert.com, and we'll do our best to assist you. I'd like to introduce our panel for today. We have myself and Michael Rudloff.
Michael is a technical product specialist with DigiCert. Michael's innovation and commitment to providing exceptional and customized solutions to DigiCert customers and their challenges is what makes him such a valuable member of the team. Having been with DigiCert for nearly a year now, Michael brings over twenty years of industry experience to bear, with a wealth of knowledge in public PKI and information security. I'm Andrew McCullough. I'm a principal solutions and sales engineer with DigiCert. I've been with DigiCert for nearly four years now, but similar to Michael, I bring over twenty years of cloud, PKI, and security experience to bear. So we will be leading you through this journey today.

Today, we plan on covering and laying the foundation for certificate automation, specifically related to the recent CA/Browser Forum mandate for reduced certificate validities. I'm sure most or all of you are aware of this, and that's the reason you're here on this screen. During our live Q&A on May 6, we asked if you wanted to learn more about automation, and we also asked how you wanted to learn about automation. The number one request for that was: we want live demos, we want practical demonstrations. And so that's what Michael and I plan to bring you today. Right? You don't just wanna hear about it; you want to see it in action. And so we listened, and this is part one of a four-part series that we're putting together that dives into practical, real-world automation scenarios to hopefully give you some better insight and make your jobs a little easier.

Understanding the upcoming changes, just to cover them briefly for those of you who may not have heard: the forty-seven-day validity period, it's headline-grabbing. Right? And it's important to note that this is a phased reduction. It's not all coming at once. Right? But the first part is starting in less than a year.
In about nine months, on March fifteenth of twenty twenty-six, the certificate validity and domain control validity will drop from 398 down to two hundred days. Right? And then in 2027, we drop to a hundred days, and then finally culminating in 2029 at forty-seven days, and ten days of domain control validity. So by the end of this session, the goal is to have a good understanding of how to install tools like Certbot and configure them, as well as provide certificate issuance and automatic renewals using those tools. In addition, we want to provide a better understanding of open-source automation agents: whether they're the right fit for your environment, versus when an open-source agent begins to introduce additional operational risks and concerns and we should start looking at other commercial alternatives. And finally, we plan to demonstrate how the DigiCert automation agent helps to extend our control and automation capabilities beyond what we can accomplish with open-source agents, to provide greater visibility and control in our environments. And with that said, I'm gonna turn it over to Michael. Michael, welcome.

Yeah. Thank you very much, Andrew. So, yeah, we're talking a little bit about ACME today. ACME is essentially a protocol used for certificate issuance, and a lot of times it's used by various providers or vendors, whether it's hardware vendors, for example, firewalls, load balancers, etcetera. And a lot of people probably know Let's Encrypt as well for free certificates; that's also using the ACME protocol. And just like any other vendor, DigiCert is also using ACME in some of its products, or to issue some of its products. So you can just see generally how the ACME protocol works. I'm just gonna read that out for you. You can see that. But, essentially, we send in a CSR, we issue a certificate, and that's pretty much the 30,000-mile view, if you will. But there are, of course, various ACME clients.
One of the better-known clients is actually Certbot. Certbot has been around for quite a while and actually is being used by a lot of vendors in the back end. The only thing is, as I say at the top, ACME client *nix, by which I mean Linux, etcetera, because Certbot actually stopped support for Windows, but that's just a side note. But, basically, Certbot is an open-source tool, and it automates the issuance of certificates. It supports major web servers. And the reason for the support, basically what that means, is it's not just issuing a certificate, but it also installs these certificates in your web servers like Apache or NGINX. And it is available for most Unix or Linux operating systems. One thing I forgot to mention: ACME is not just something self-contained in Certbot, for example, because it is literally just a protocol. But what it does is it connects to any cert or certificate provider, a certificate authority like DigiCert, and connects to a particular ACME endpoint. I know we have a few DigiCert customers on this call as well. So we support this, for example, for CertCentral, Trust Lifecycle Manager, etcetera. Anyway, that is Linux.

So what are the key benefits? It is very much customizable. The advantage, of course, of being a command-line tool means you can utilize it in your own scripts. You can run it by itself. It also has post-script or hook capabilities. So what that means is if you have, let's say, something that needs to happen after the certificate has been issued, for example, installing it into Apache, you can attach a script to Certbot, and every time it does a renewal, it runs that script again. One of the use cases I work on with customers, for example, is using external firewalls. So Certbot issues a certificate and automatically, via API calls, uploads it to a physical appliance, for example. It is industry-standard encryption, but also, more importantly, there are quite a variety of DV plugins.
DV means it's domain validated. So when you have a certificate that is a DV certificate, you need to do a validation for the domain. One of them, for example, is via DNS, and Certbot does certainly support that. For Windows, as I just mentioned, Certbot is not supported on Windows anymore. You can still get it, but if something goes wrong, you're pretty much on your own. We're using, or I know customers and myself in the lab, for example, are using Posh-ACME. I'm not saying that particular client is very fancy. It is literally the name Posh-ACME, so I didn't make that up. But it is different from Certbot. Posh-ACME is literally just a PowerShell module, which makes it very easy to not just run or install, but also to integrate in any scripts you have so that you can further the automation, for example. And it supports PowerShell and PowerShell Core. And, in fact, literally this morning, I tried it on a Mac with the PowerShell Core integration, and it works there as well. The big difference, though, I find, to Certbot: it basically does not support installing in Apache or, for example, IIS. But given that it's a PowerShell module, you can just write a simple one-liner. In effect, you can probably ask GPT to write it for you. Very simple. The key benefits, as I mentioned: it's PowerShell native. It supports pretty much all validation methods. The two main ones are, of course, HTTP and DNS. It does do automatic renewal just like Certbot does. It also has DNS providers and also supports exports of your PFX certificates. The installation is fairly straightforward.

So, Andrew mentioned we're running a demo. I wanted to show that live. Having said that, we know Murphy's Law. Murphy is against us, and I wanted to avoid any demo issue and wasting your time. So what we do here is I'll show you a slide with the installation and how to configure it, how to run it.
At the end, we will have some QR codes, and you can actually grab the video, the recording, directly from YouTube. The recording is not the recording of this webinar. It's just the recording where I narrate the installation, configuration, and the test, so you will see how I issue a certificate, a public certificate, including DNS validation.

So, Certbot installation is fairly straightforward. There are two main ways of installing it. You just use your Linux package manager, whatever you use, yum or apt, to install Certbot. What I'm doing here, though, is I'm using a Python virtual environment. You don't necessarily have to do that, but it makes things a lot easier. And these plugins, which I mentioned, to do the domain validations, they're actually a lot easier to install in the Python environment, because not every repo in every system actually has the most up-to-date plugins as well as the Certbot binaries. I have to mention it looks a bit busy, but the busyness is mainly due to ACME keys. I just wanna walk you through it. So you can see the green circle. That is literally the binary command. That's it. certonly: I only want to issue a certificate. I don't wanna install it automatically. You can see there is the demo URL. So that's one of our endpoints here in DigiCert, the configuration directory, and the API keys, which are called a KID and an HMAC. Don't worry. They are not real, so you can try it, but good luck. There are a couple of other switches supported, and actually quite a few. So the documentation on the Certbot website is fairly comprehensive. But just to pick out a few: force renew. Automatically, Certbot renews a certificate thirty days before it expires. If you run it multiple times for testing, for example, it will refuse to issue a certificate until those thirty days have arrived. You can force that. The domain: you can see -d tlsguru.io.
So I want to have a certificate for my domain tlsguru.io, and that's also the one I'm using in that recorded demo. And you can see at the bottom the preferred challenge is DNS. So I'm doing a DV certificate, a public certificate from DigiCert, using Route 53. Route 53 in this case is the AWS DNS integration. And so I'm basically using AWS to host DNS for my domain. So what Certbot does is it connects to that DNS, so that DNS server basically creates a CNAME record as a DNS validation, reads that record, whether that was successful or not, to then validate it, and then, of course, the key type. And that's pretty much it. You will then get, and you will see that in the demo, the locations where the certificate is stored, which will be the ACME folder you can see in the line. And then you can do whatever you want with it. Install it in Apache, use Certbot to do that, or a different script.

Maybe they called it Posh-ACME to be fancy, when it comes to the installation, because you just basically install the module. You install the module, you import it, and you're ready to go. So there's no fuss. Of course, that only works when you have Internet connectivity from that PowerShell server. But, otherwise, that is literally how you install that. Issuing a certificate is a couple of steps. You set the URL of the endpoint. Again, in DigiCert, it can be CertCentral or Trust Lifecycle Manager. Then, again, you are typing, or you're using, the ACME details, the KID and the HMAC. So, basically, username and password, if you will. And register the account with an email address. You can see my email address is there, and that's it. The next thing we have to do, because, again, I'm using AWS Route 53 to do my DNS validation: I just wanna create here an environment variable with my access key and my secret, which, of course, I'm not putting here on the slide. And the next thing you do is literally request a certificate for tlsguru.io.
What plugin am I using? What are my credentials? And that is essentially it. And then you get your certificate. You can see the path where the certificate is stored. And I just see someone posted "Posh, through PowerShell." Thank you. That seems almost too obvious, but, yeah, that makes sense. And I just wanna say, I know we've gotta go through the questions anyway, but I see one of them about DV versus OV. The process is the same for OV. OV is a little bit different. You need to essentially validate these certificates differently. DV can be automated. With OV, we have, for example, a team at DigiCert that validates the organizations. And, usually, what you have is you have those domains already pre-validated with the CA, and then you don't have to use any plugin at all. You just essentially submit a request for tlsguru.io. Well, not for tlsguru.io, but for whatever domain you want to have. And that's pretty much it.

So I said the demos. When it comes to demos, have a look here. Right now, we haven't actually moved it to the YouTube channel of DigiCert yet. I have someone doing that. So that's just my boring personal channel. But, basically, these are unlisted, so you won't find them on YouTube unless you have the link. So, you know, grab your phone, make a screenshot. You're getting the slides anyway. I can see the docs tab is now there. I don't know if the slides are already there. They should probably be; the slides are there. And then that should be it. So, yeah, it's a quick and short video. And I don't know who's taking over now, but, I mean...

Thank you so much, Michael. Really appreciate all of that information. Please join us on June 26 for part two of this session. We're gonna be talking about automating DNS-01: Certbot DNS plugin versus full DigiCert plus UltraDNS integration. Should be a really interesting session.
Step up your automation game with Trust Lifecycle, which is our unified certificate lifecycle and automation product. So feel free to scan the QR code here, and it'll take you to our automation hub and provide more information as needed. We are trying to answer your questions in chat as quickly as possible. But if we don't get to them, we will try to see you on this next call, next meeting, next week, and try to get those questions answered for you in the meantime, between now and then. So thank you so much for attending, and we look forward to seeing you next week.

Alright. I just see someone asked to see the bar codes again. So I'm just gonna step back for a few seconds. Okay. Hi. A question here about Windows servers: should you use Certbot or shouldn't you? To be honest, it's totally fine. We don't really have a connection to the license anyway. But the risk is if you do some upgrade on the Windows machine or several custom upgrades, eventually Certbot will probably cause the Windows support to disappear completely. I'm still using it myself.

I see a question here: Does Azure support automated certificate installation yet? And the answer is yes, through Azure Key Vault. So we can do automated certificate rotation, renewals, revocations, etcetera, through integration with Azure Key Vault. And the DigiCert products today are natively integrated to the Azure Key Vault platform, as well as other cloud platforms such as AWS Certificate Manager and GCP Certificate Manager, which would be the equivalent in those clouds.

I see a question from Monet's Chen: My certificate has not yet expired and probably not within the next year. Should I do this later or now? And, basically, planning for certificate automation is really the goal here. Right? We don't need to renew that certificate yet necessarily.
But what we do wanna do is make sure that we have the software and infrastructure in place to be able to get those automations going, so that as these deadlines approach for the reduced certificate validity, we can begin automating those certificates and not worry about potentially missing a certificate expiration and having a certificate become invalid.

There's a question here from Jeremy: I'm a tier customer. I'm in the early steps using NET, etcetera. Will you cover the auto-issuance binding of a single cert to multiple points? So we have multiple ways of doing that. I'm actually in the team that does that, again, from DigiCert. So I don't know if it's really now. Could you guys go and... no. Still doesn't work. I hope you can hear me with the feedback. Much better. But, basically, my team is helping customers to do exactly that. So out of the box, you will have, let's say, an agent that installs the certificate on a Windows Server, for example, puts it into IIS, or Linux and Apache. And if you then have a use case to put it somewhere else, to another party, again, going back to the use case I mentioned earlier where a certificate is being put on a Windows Server and then actually on a hardware firewall or load balancer as well, as a backup: our agents can be extended. It basically supports extensibility. So, out of the box, you push it to one endpoint. I come in pre-sales, post-sales, whenever, and then we can talk and do it the other way. So we've pushed it to hundreds of servers, for example, a single certificate, so there are ways of doing that, but not out of the box.

Another question: Does the Certbot agent need to be installed on all clients where we need to renew? What Certbot does is it issues the certificates and stores them locally on the server where you run Certbot. You can issue a thousand certificates. You can issue just the one certificate.
Whether you can install it into multiple points, for example, you have domain one to server one, domain two to server two, it depends on your environment. You can do that, but that also means your Certbot server will have to have access to the servers you want to put the certificates on. So sometimes you have, like, one server that's connected to the Internet to issue those certificates, and then it pushes them to another server that's maybe behind a firewall, and then it gets distributed. Again, it can be an account. It really depends, but the option is you can have it on one or you have it on a thousand. It really depends on the local environment. But, again, we can help you with that as well.

Another question about Posh-ACME. I think I answered that. You can use Certbot, if you will, if you want, but you could also go to Posh. That's another one. Yes. So it is compatible with Red Hat. As far as I know, anyway, it's pretty much on all Linux variants. We had someone asking about certain UNIX variants, and that wasn't supported. But for Red Hat, yeah, it should be supported.

I saw another question here that says, is there a Certbot for F5 integration? And there is not a Certbot client specifically for F5 load balancer automation. But what DigiCert has done is we have natively API-integrated the F5 certificate management services into our Trust Lifecycle Manager platform. So we do provide native API-based integration and automation, as well as alerting, within the Trust Lifecycle Manager platform. But, unfortunately, Certbot does not have that level of integration for it. As I've mentioned, it supports post hooks for scripts, so you can either ask Certbot to run a script to push it up to an F5 via API, or you use a different script that runs Certbot as part of the script and then pushes it into F5 via an API. And, in fact, actually, F5 has one of the easiest APIs I work with.
So that should be a breeze to do. No, I do not think Certbot runs on Unix system services. I can have a quick look. But there's another question here: Does the ACME client need to be installed on all servers where certificates will be installed? Typically, the answer is yes. Right? So if you've got, you know, five servers that are hosting different certificates, or even the same, like if it's a wildcard certificate, as an example, even though that wouldn't be best practice, we see that used a lot. So in that scenario, we would need an ACME client on each one of those servers in order to be able to automate renewal for each one of those systems.

We would probably love to stick around to answer every single question, but what we're gonna do, before we leave: we're obviously making a record of all your questions, and we do follow up on those. So don't fret if we haven't answered your questions. We will. So with that, I think we will wrap up today's presentation. We thank you all for joining, and we look forward to seeing you next week. Thanks, everyone. Have a great day. Thank you very much.