Is it possible to implement full end-to-end automation — including installation of CertifyTheWeb, CA registration, certificate provisioning, auto-renewal, and IIS binding — so that once deployed, everything runs without manual intervention?
I want to implement this using Ansible.
We have two main products:
- Certify Certificate Manager, which is a desktop UI + background service mainly used with services like IIS, and mainly used manually. It does have a basic command line (see Command Line (CLI) | Certify The Web Docs), but the app is not designed to be used exclusively from the command line.
- Certify Management Hub, which is a new (beta) product with a web UI and API. This includes the Certify Management Agent on Linux, which can talk back to the hub (see Getting Started | Certify The Web Docs).
We haven’t tried much Ansible automation of the app yet (though we have done a few experiments recently), but, making assumptions about your use case, I would suggest looking at the Management Hub + agents (depending on the target OSes).
Technically you should be able to achieve exactly what you’ve described (on Windows targets) using the current Certify Certificate Manager and the CLI if using HTTP domain validation, but it wouldn’t yet be enough to do DNS domain validation (which has more complex config and a lot of secrets management). We do have the new “Managed Challenge” feature in the hub, where your client (which can include CCM etc.) defers to the hub to complete DNS challenges. That feature is still in beta and is under active development.
So some aspects will depend on what you have in mind, what kind of services you are deploying to, and what kind of monitoring you want. In general you should not create new certificates in your process if the process will be repeated frequently (e.g. CI/CD), because some public CAs have small rate limits on duplicate certificates; for those scenarios you’d be better off using the hub to maintain a certificate, then pull/push the cert regularly to your target service. This also simplifies your target service, so it doesn’t have to do its own cert management, and keeps it visible.
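The reply above recommends keeping issuance in one place (the hub) and only pushing the resulting certificate to each target on every deploy. As an added example, not code from Certify The Web or from the reply, here is the target-side step that such a push would run on a Windows/IIS host, for instance from an Ansible win_powershell task: it imports the PFX and rebinds the IIS site only when the thumbprint actually changed, so repeated CI/CD runs are no-ops and never contact a CA. It uses only the built-in PKI and WebAdministration modules; the PFX path, site name, host header and how the PFX was fetched are assumptions.

```powershell
<#
Added example, not code from Certify The Web or from the reply above.
Target-side step for the "hub maintains the cert, you push it" pattern:
install an already-issued PFX on a Windows/IIS host and (re)bind the site
only when the thumbprint changed. Nothing here contacts a CA, so running it
on every deploy cannot trip duplicate-certificate rate limits.
Assumptions: the PFX has already been fetched (e.g. by the Management Hub
agent or an Ansible copy task); site/host names and paths are placeholders.
#>
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]       $PfxPath,        # e.g. C:\certs\www.pfx (assumed)
    [Parameter(Mandatory)] [securestring] $PfxPassword,    # supply from a vault, never inline
    [string] $SiteName    = 'Default Web Site',             # assumed IIS site
    [string] $HostHeader  = 'www.example.com',              # assumed SNI host name
    [int]    $Port        = 443,
    [int]    $MinDaysLeft = 14                              # refuse to deploy a nearly-expired cert
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
$changed = $false

# 1. Read the PFX without touching the store, so we can compare thumbprints first.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $PfxPassword)
if (-not $new.HasPrivateKey) { throw "PFX at $PfxPath has no private key" }
if ($new.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) {
    # A nearly-expired cert arriving here means whatever maintains it is not renewing.
    throw "Certificate $($new.Thumbprint) expires $($new.NotAfter); refusing to deploy"
}

# 2. Import into LocalMachine\My only if that thumbprint is not already there.
$storePath = 'Cert:\LocalMachine\My'
$installed = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $new.Thumbprint }
if (-not $installed) {
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $storePath `
        -Password $PfxPassword | Out-Null
    $changed = $true
}

# 3. Ensure the https binding exists (SslFlags 1 = SNI) and points at this cert.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
    $changed = $true
}
if ($binding.certificateHash -ne $new.Thumbprint) {
    # Rebinding is the only step that changes what clients see; skip it when already current.
    $binding.AddSslCertificate($new.Thumbprint, 'my')
    $changed = $true
}

# 4. Report in a form an Ansible task can parse to set changed/unchanged.
[pscustomobject]@{
    changed    = $changed
    thumbprint = $new.Thumbprint
    notAfter   = $new.NotAfter
} | ConvertTo-Json
```

Run it once per deploy with the PFX password passed as a SecureString from your secrets store; the JSON it prints lets the calling task report changed only when a new certificate was actually installed or bound, and the expiry guard makes a stalled renewal on the hub side fail loudly instead of silently shipping a certificate about to expire.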