This is a basic script that automates certificate requests from AlwaysOnSSL (DigiCert) via CertCenter when the domain's DNS is hosted in Amazon Route 53, so the domain validation TXT record can be created and removed automatically.
What it does:
- Checks the domain against CertCenter for eligibility
- Requests domain validation challenge (TXT record)
- Creates TXT record in AWS
- Verifies the TXT record has been created, that it has propagated and that the value matches
- Submits the CSR for signing
- Dumps out the signed cert with chain
- Deletes TXT record
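The Route 53 side of that procedure (steps 3 to 6 and 9), as an added example that is not the project's own script: it builds the ChangeBatch that boto3's `route53.change_resource_record_sets()` expects for creating and later deleting the validation TXT record, quotes the value the way Route 53 requires, and checks resolver answers against the expected token. The CertCenter API calls are out of scope here; the record name `host.domain.com`, the token `tok` and the name server labels are constructed placeholders.

```python
"""Added example: Route 53 TXT challenge record handling (not the project's code)."""
import json
from typing import Dict, Sequence


def txt_rdata(value: str) -> str:
    """Quote a TXT value the way Route 53 expects it.

    Route 53 stores a TXT value as one or more double-quoted strings of at
    most 255 characters, separated by spaces, so longer values are split.
    Validation tokens are plain ASCII without quotes, which this assumes.
    """
    if '"' in value or "\\" in value:
        raise ValueError("TXT value must not contain quotes or backslashes")
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)] or [""]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def change_batch(action: str, name: str, value: str, ttl: int = 60) -> dict:
    """ChangeBatch for route53.change_resource_record_sets().

    Use "UPSERT" to create or replace the challenge record and "DELETE" to
    remove it after issuance. A DELETE must repeat the exact record set that
    was created (same name, type, TTL and value), which is why both actions
    share this builder. The name is fully qualified (trailing dot) so Route 53
    does not append the zone name a second time. A short TTL keeps stale
    answers from lingering in caches once the record is deleted.
    """
    if action not in ("UPSERT", "DELETE"):
        raise ValueError(f"unsupported action {action!r}")
    return {
        "Comment": f"{action} AlwaysOnSSL domain validation TXT record",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": name.rstrip(".") + ".",
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": txt_rdata(value)}],
            },
        }],
    }


def txt_matches(answers: Sequence[Sequence[bytes]], expected: str) -> bool:
    """True if any TXT answer, with its <=255-byte chunks rejoined, equals
    the expected token. Resolver libraries return one sequence of byte
    strings per TXT record (one per chunk), so join before comparing."""
    return any(b"".join(chunks).decode("ascii", "replace") == expected
               for chunks in answers)


def propagated(answers_by_ns: Dict[str, Sequence[Sequence[bytes]]], expected: str) -> bool:
    """Propagation check: every authoritative name server of the zone must
    return the expected value. A match from one server, or from a caching
    resolver, is not enough, because the CA may query any of them."""
    return bool(answers_by_ns) and all(
        txt_matches(answers, expected) for answers in answers_by_ns.values()
    )


if __name__ == "__main__":
    # Constructed sample values, not a real challenge.
    print(json.dumps(change_batch("UPSERT", "host.domain.com", "tok"), indent=2))
    sample = {"ns-1.example": [(b"tok",)], "ns-2.example": [(b"tok",)]}
    print("propagated:", propagated(sample, "tok"))
```

In the real flow the dict from `change_batch()` is passed as `ChangeBatch=` to `change_resource_record_sets(HostedZoneId=..., ChangeBatch=...)`; polling `get_change()` until the status is `INSYNC` tells you Route 53's own servers have the record, after which querying each NS of the zone and feeding the answers to `propagated()` confirms the value actually served matches the challenge before the CSR is submitted.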
Create a file called 'config' with the contents below and fill in the appropriate values. The file holds your CertCenter client secret and an AWS secret access key, so restrict its permissions (for example chmod 600) and keep it out of version control.
[CertCenter]
client_id =
client_secret =
product_code = AlwaysOnSSL.AlwaysOnSSL
cert_validity_period = 365
[AWS]
hosted_zone_id =
aws_access_key_id =
aws_secret_access_key =
request_cert.py -f/--fqdn <subject-fqdn> -c/--csr <csr-filename> [-d/--days <days>] [-v/--verbose]
Required Arguments:
--fqdn / -f : the FQDN from the CSR's CN (the certificate subject)
--csr / -c : the filename of the CSR
Optional Arguments:
--days / -d : override cert_validity_period from the config file (1-365)
--verbose / -v : verbose logging
request_cert.py --fqdn=host.domain.com --csr=host.csr
request_cert.py -f host.domain.com -c host.csr
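The configuration and command-line handling described above, as an added example (not the project's own `request_cert.py`): it loads the 'config' file, refuses one that other users can read, checks that every documented key has a value, and resolves the effective validity period, with `--days` overriding `cert_validity_period` and both limited to 1-365. Section and key names and the option letters follow this README; the `--config` option and the functions below are assumptions made for the example.

```python
"""Added example: config loading and CLI parsing for request_cert.py (not the project's code)."""
import argparse
import configparser
import os
import stat
import sys
from typing import Optional, Sequence

# Keys the README documents; every one must be filled in.
REQUIRED = {
    "CertCenter": ("client_id", "client_secret", "product_code", "cert_validity_period"),
    "AWS": ("hosted_zone_id", "aws_access_key_id", "aws_secret_access_key"),
}


def mode_is_private(mode: int) -> bool:
    """True if the permission bits grant nothing to group or others."""
    return not (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def check_permissions(path: str) -> None:
    """The config holds an API secret and an AWS secret key; refuse to run if
    group or others can read it (POSIX mode bits, skipped on Windows)."""
    if os.name != "posix":
        return
    mode = os.stat(path).st_mode
    if not mode_is_private(mode):
        raise PermissionError(
            f"{path} is mode {oct(stat.S_IMODE(mode))}; expected 0600 (chmod 600 {path})")


def parse_config_text(text: str) -> configparser.ConfigParser:
    """Parse config contents and fail early on any blank documented value,
    so a half-filled file is caught before any API call is made."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    missing = [f"[{section}] {key}" for section, keys in REQUIRED.items()
               for key in keys if not cfg.get(section, key, fallback="").strip()]
    if missing:
        raise ValueError("config is missing values for: " + ", ".join(missing))
    return cfg


def load_config(path: str) -> configparser.ConfigParser:
    check_permissions(path)
    with open(path, encoding="utf-8") as fh:
        return parse_config_text(fh.read())


def validity_days(requested: Optional[int], cfg: configparser.ConfigParser) -> int:
    """--days wins over cert_validity_period; either must be 1-365."""
    days = requested if requested is not None else cfg.getint("CertCenter", "cert_validity_period")
    if not 1 <= days <= 365:
        raise ValueError(f"validity must be 1-365 days, got {days}")
    return days


def parse_args(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
    p = argparse.ArgumentParser(
        description="Request an AlwaysOnSSL certificate via CertCenter using Route 53 DNS validation")
    p.add_argument("-f", "--fqdn", required=True, help="the FQDN from the CSR's CN")
    p.add_argument("-c", "--csr", required=True, help="filename of the CSR")
    p.add_argument("-d", "--days", type=int, help="override cert_validity_period from config (1-365)")
    p.add_argument("-v", "--verbose", action="store_true", help="verbose logging")
    p.add_argument("--config", default="config", help="path to the config file (assumed option)")
    return p.parse_args(argv)


def main(argv: Optional[Sequence[str]] = None) -> int:
    args = parse_args(argv)
    cfg = load_config(args.config)
    days = validity_days(args.days, cfg)
    if args.verbose:
        print(f"requesting {cfg.get('CertCenter', 'product_code')} for {args.fqdn} "
              f"from CSR {args.csr}, valid {days} days, zone {cfg.get('AWS', 'hosted_zone_id')}")
    # The CertCenter and Route 53 calls of the real script would follow here.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Both invocation forms from the README (`--fqdn=host.domain.com --csr=host.csr` and `-f host.domain.com -c host.csr`) are accepted by argparse as written; a `--days` value outside 1-365, or a config with any documented key left blank, stops the run before any credentials are used.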
- Fixed an issue where the cached access token was not being used in subsequent requests
- Fixed an issue where the root certificate and extra blank lines were included in the chained output due to an undocumented change by DigiCert
- Initial release
This repo is licensed under the MIT License - see the LICENSE file for details
Author: @timcappalli