I am using Certify The Web to automate the process of cert management for my org. I was planning to set up a centralized server where admins can pull certs from. The idea is that I create DNS TXT records for whatever URL address the admins need, the central, admin-run Certify The Web server pulls the certs and retrieves them from ACME, and the client retrieves the certs from the cert server.
Hi,
We are currently working on solutions for this area with our planned Certify [Management] Server product, but a way you can achieve this currently is to use an instance of the app to store certs in a secrets vault (Azure Key Vault, Doppler, HashiCorp Vault) - we have some Deployment Tasks which support those targets.
Then on your consumer servers you would regularly (e.g. every maintenance window) pull the latest version of the secret(s) they are interested in/permitted to use and where applicable restart/reload services.
Hello, thank you for your response. I was able to successfully get the certs stored in MKV. I was wondering how I configure CTW to download the certs to a server that needs the cert installed, now that the cert is up in MKV? Is there a way to automate this?
Is “MKV” Azure Key Vault?
We don’t currently provide a way for Certify instances to pull certificates from other sources to deploy them. You would currently need to script this deployment yourself.
In the future we plan to implement features for distributed renewals, but currently most users run a copy of the app on whatever Windows machine they need certs for, and for Linux machines they use one of the certificate export tasks over SSH/FTP.
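The consumer-side half of what is described above (pull the latest version of the secret on a schedule, install it, and only restart/reload when something changed) and the "script this deployment yourself" suggestion in the reply just above, as an added PowerShell example. This is not Certify The Web's own code or a Deployment Task; it assumes the Certify instance has already pushed the certificate to an Azure Key Vault with the Deploy to Azure Key Vault task, that the consuming Windows server runs with a managed identity, and it uses assumed names (vault `kv-certs-prod`, certificate `www-example-com`, IIS site `Default Web Site`, host header `www.example.com`).

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
#Requires -Modules Az.Accounts, Az.KeyVault, WebAdministration
<#
  Added example, not Certify The Web's own code.
  Pulls the newest version of a certificate that Certify deployed to Azure Key Vault,
  installs it into LocalMachine\My and rebinds the IIS https binding only when the
  thumbprint changed. Intended to run from a scheduled task in the maintenance window.
  All names below are assumptions for the example.
#>
param(
    [string]$VaultName  = 'kv-certs-prod',
    [string]$CertName   = 'www-example-com',
    [string]$SiteName   = 'Default Web Site',
    [string]$HostHeader = 'www.example.com'
)
$ErrorActionPreference = 'Stop'

function Get-KeyVaultPfxBytes {
    param([string]$Vault, [string]$Name)
    # Authenticate as the VM's managed identity: no credential stored on disk. Grant that
    # identity only "Key Vault Secrets User" on this vault (Key Vault RBAC) so this host can
    # read the secrets it is permitted to use and nothing else.
    Connect-AzAccount -Identity | Out-Null
    # A Key Vault *certificate* exposes cert + private key as a secret with the same name.
    # Assumed here: the value is base64 PKCS#12 without a password (how Key Vault returns an
    # imported PFX). Omitting -Version returns the latest version, i.e. the last renewal.
    $b64 = Get-AzKeyVaultSecret -VaultName $Vault -Name $Name -AsPlainText
    return [Convert]::FromBase64String($b64)
}

function Install-MachineCertificate {
    param([byte[]]$PfxBytes)
    # MachineKeySet + PersistKeySet: private key goes into the machine key store so the IIS
    # worker process (not the scheduled-task user) can use it. Not marked Exportable.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxBytes, '', $flags)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Idempotent: re-running after an unchanged secret must not add duplicates.
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($found.Count -eq 0) { $store.Add($cert) }
    } finally { $store.Close() }
    return $cert.Thumbprint
}

function Update-IisBinding {
    param([string]$Site, [string]$HostName, [string]$Thumbprint)
    $binding = Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName
    if (-not $binding) {
        # SslFlags 1 = SNI, so one IP:443 can carry several host names.
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
        $binding = Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName
    }
    # certificateHash is the thumbprint currently bound; equal means nothing to do.
    if ($binding.certificateHash -eq $Thumbprint) { return $false }
    $binding.AddSslCertificate($Thumbprint, 'My')
    return $true
}

$pfx   = Get-KeyVaultPfxBytes -Vault $VaultName -Name $CertName
$thumb = Install-MachineCertificate -PfxBytes $pfx
# The private key now lives only in the machine key store; drop the in-memory PFX copy.
[Array]::Clear($pfx, 0, $pfx.Length)

if (Update-IisBinding -Site $SiteName -HostName $HostHeader -Thumbprint $thumb) {
    Write-Output "Bound new certificate $thumb to '$SiteName' ($HostHeader)"
    # HTTP.sys serves the new binding to new connections without an IIS restart. Services
    # that load the certificate once at startup would need a Restart-Service here.
} else {
    Write-Output "Certificate $thumb already bound to '$SiteName'; no change"
}
```

Because the script compares thumbprints before touching the binding, it is safe to schedule it every maintenance window as the reply suggests; a run that finds no new version makes no changes. The previous certificate is deliberately left in the store so a failed rebind can be rolled back by hand; prune old thumbprints once the new one has been verified.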
Yes, I mean Azure Key Vault. When you say "run a copy of the app" you mean the CTW app? So on Windows I would script the download from Azure Key Vault and run the PowerShell in the deployment feature in CTW? When I used CTW it seems that the first thing I get asked is to create an ACME account. But I don't want server admins to go out to ACME. I want them to use the deploy script.
@gspiii In the future we plan to offer the option to pull certificates from key vault etc, yes. However this feature does not yet exist.
Yes, by "run a copy" I mean install the app on a server and use it to get the certs that machine needs, either via HTTP validation or DNS validation.
So, we don’t currently offer what you’re looking for but we’re heading in that direction.
Hello, thank you for your reply. Do you know when that will be? Is there a timeframe in which you are looking to implement that feature?
Sorry, no, I don't have a release date. The ambition is to have a release this year, but we have actually been slowly developing this as a new product for a couple of years.
I would advise that if you need a product that does this now, you would need to investigate other products in the marketplace, or use the existing product with your own scripting etc. and migrate to the new product once it's available.