Digicert Certificate Renewal

Hi, I’m very new to Certify The Web and have the following scenario.

I have a server which currently doesn’t have a certificate installed for a specific wildcard domain and has an existing binding in IIS. This wildcard certificate exists in Digicert and has more than a year left in its current renewal cycle. Ideally what I want it to do is download the certificate and bind it, then when a new certificate is available (created manually via the Digicert portal) it should download / rebind the new cert before expiration - is this possible? I can install the existing cert if needed but would really like to get an automated way to renew the cert from Digicert when it’s due.

Note I have played with Let’s Encrypt however the business would like to continue to use Digicert.

The following steps have been completed.

I’ve created an ACME URL in Digicert and have the KID / HMAC account and I’ve created a new cert authority successfully in CTW.

Each time I attempt to request a certificate the process fails with “Failed to finalise certificate order. Final order status was Processing.” In Digicert I see a pending request has been completed but it appears to be for a new certificate, which I obviously don’t want to proceed with, so I reject the order.

My question is how do I get CTW to just download the certificate and renew it when it’s due. For the renewal process on Digicert’s side I would just use the normal process to purchase a new cert when it’s due, so I don’t want that bit automated anyway.

Ideally I’d be deploying this process to lots of servers for the single wildcard - albeit with a different common name per server. I just want it to renew the cert when it’s due really, I guess, not order another one.

I’ve also been playing with the Posh-ACME client but am getting an error requesting a new certificate that way as well, using New-PACertificate:

WARNING: ACME response body was not JSON parseable
The remote server returned an error: (405) Method Not Allowed.

The “Failed to finalise” error could just be that the certificate order needs approval before it can be downloaded; that’s not really part of the ACME spec/flow, so it can’t really be done like that in Certify The Web.

Certify is currently only designed to work with the ACME certificate workflow, so it can’t do what you need in this instance. It can’t pick up a certificate order that it doesn’t know about from your Digicert account.

Really, as you are going down the traditional path of having a long-lived certificate that’s updated annually, I’d suggest the simplest approach is to just document all the places the cert is used and where to update it, then schedule that as a manual maintenance task.

You could consider storing your cert in a secrets vault such as Azure Key Vault or Hashicorp Vault, then prepare regular scripted jobs to pull the cert from there and deploy it (whether it’s new or not). Then you only have one place you need to update the cert when the time comes.

As another alternative, how about the new Google Cloud ACME certificate authority? They offer free trusted (Domain Validated) certificates and their service has an SLA, etc.
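The “pull the cert from a vault and deploy it” job suggested in the reply above, written out as an added example. This is not code from the thread, from Certify The Web or from Digicert; it assumes Azure Key Vault with the Az.KeyVault module, the WebAdministration module on the IIS host, an Azure session that is already authenticated (Connect-AzAccount or a managed identity), and the placeholder vault, certificate, site and host names in the param block. It only touches the IIS binding when the vault holds a certificate with a different thumbprint, and refuses to bind one that expires sooner than the certificate already in place, so the same script can run unattended on every server that shares the wildcard.

```powershell
#Requires -Modules Az.KeyVault, WebAdministration
# Added example, not code from this thread or from Certify The Web.
# Assumes an authenticated Az session and the placeholder names below.
param(
    [string]$VaultName  = 'example-vault',         # placeholder vault name
    [string]$CertName   = 'wildcard-example-com',  # placeholder Key Vault certificate name
    [string]$SiteName   = 'Default Web Site',      # placeholder IIS site
    [string]$HostHeader = 'app1.example.com',      # placeholder binding host name
    [int]   $Port       = 443
)

$ErrorActionPreference = 'Stop'

# Key Vault exposes an imported certificate's PFX (with private key) as a secret
# of the same name whose value is the base64-encoded PKCS#12 blob.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
$pfxBytes  = [Convert]::FromBase64String($pfxBase64)

# Parse in memory first so we can decide whether anything needs to change
# before writing anything to disk or to the machine store.
$incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$pfxBytes)
if ($incoming.NotAfter -lt (Get-Date)) {
    throw "Vault certificate $($incoming.Thumbprint) expired on $($incoming.NotAfter); vault entry is stale."
}

$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
if (-not $binding) { throw "No https binding for ${HostHeader}:${Port} on '$SiteName'" }

$currentThumb = $binding.certificateHash
if ($currentThumb -eq $incoming.Thumbprint) {
    Write-Output "Binding already uses $($incoming.Thumbprint); nothing to do."
    return
}

# Guard against rolling back: only replace the bound cert with one that lasts longer.
$current = $null
if ($currentThumb) {
    $current = Get-ChildItem "Cert:\LocalMachine\My\$currentThumb" -ErrorAction SilentlyContinue
}
if ($current -and $incoming.NotAfter -le $current.NotAfter) {
    throw "Vault cert expires $($incoming.NotAfter), not later than bound cert ($($current.NotAfter)); refusing to replace it."
}

# Import into the machine store. Key Vault-exported PFX blobs carry no password,
# so -Password is omitted; a temp file is used only because Import-PfxCertificate needs a path.
$tmp = Join-Path $env:TEMP ("{0}.pfx" -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllBytes($tmp, $pfxBytes)
    $imported = Import-PfxCertificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\My
} finally {
    Remove-Item $tmp -Force -ErrorAction SilentlyContinue
}

# Swap the certificate on the existing binding in place (works for SNI host-header bindings too).
$binding.AddSslCertificate($imported.Thumbprint, 'My')
Write-Output "Rebound ${HostHeader}:${Port} from '$currentThumb' to $($imported.Thumbprint) (expires $($imported.NotAfter))"
```

Run it from a scheduled task under an account that has the Key Vault "secrets get" permission and local administrator rights on the IIS host; the old certificate is deliberately left in the store so a failed rebind can be reverted by hand. Because the script compares thumbprints and expiry rather than dates, you update the certificate in the vault once when Digicert issues the renewal and every server picks it up on its next run.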

Thanks for the feedback.