One size does not fit all when it comes to automation of SSL certificate lifecycle management. That is why Sectigo provides a number of alternatives and a choice to pick one or more that are the most suitable for your organization. Here are the many options for your organization.
1. Use Industry Standard-Based Tools to Automate
A good option is to use tools that support industry standard protocols with Sectigo, such as Automated Certificate Management Environment (ACME), Simple Certificate Enrollment Protocol (SCEP), or Enrollment over Secure Transport (EST).
ACME: More than 150 million websites are using the ACME protocol to issue and renew SSL certificates. This is one of the most popular waves of automation in this arena. ACME, which became an Internet Engineering Task Force (IETF) Standard in March 2019, is quickly increasing its adoption rate. There are over 130 open source tools that support ACME on various Operating Systems, making an administrator’s task easier. Some web servers such as Apache have ACME built in and others like NGINX are expected to soon support it natively (although you can use a standalone ACME tool to work with it today). You can also enroll certificates for load balancers such as Netscaler and HAProxy using ACME.
If you have a DevOps Team, pass the word on to them as a large number of popular tools that help automate deployment of software in the IT environment support ACME. One set of tools across your organization may help standardize on a platform, reducing training efforts for your team.
SCEP: Most networking gear, including routers, load balancers, VPN devices, Wi-Fi Hubs, and firewalls, support the SCEP protocol for certificate enrollment. SCEP has been around for a long time and gained significant traction, making it almost ubiquitous. This protocol is also supported on MacOS and Linux. You can leverage Sectigo’s SCEP server to manage your certificates.
EST: Many networking devices support the EST protocol out of the box as well. EST is considered to be more secure than SCEP and supports server-side key generation and the cutting-edge Elliptic Curve Cryptography (ECC). In some circumstances, you may choose it over SCEP for efficiency and security reasons. Reach out to us if you need any guidance in selecting it for your application.
Sectigo ACME is in the beta phase at this time, whereas SCEP and EST are available in production.
2. Use APIs to Integrate with Sectigo for Automation
As an alternative option, Sectigo provides a RESTful API so that you may integrate with us from your applications. Some customers prefer this as it provides greater flexibility in managing the lifecycle of their certificates. The RESTful API is easy-to-use, and the effort to integrate with it is minimal. Of course, you will need integration assistance from your developers, but Sectigo provides code samples and detailed documentation on our API, and we are here to help.
3. Use Sectigo’s Automation Tool
Sectigo provides a proprietary agent that can be used to enroll or renew certificates for Apache, Tomcat, and IIS, web servers as well as the F5 load balancer. You can install an instance of this lightweight agent (or a cluster of them to provide high availability) in your network that communicates with the Sectigo Certificate Manager hosted on the cloud. It provides an added benefit as you can schedule installation of certificates at a future date, like during an upcoming maintenance window. If you need a wildcard certificate to be installed, it will ensure that the certificate is installed in all servers you specify along with the private key which is transported securely to those servers.
4. Use Tighter Integration with Select Vendors
Sectigo works with third-party vendors of web servers, load balancers, and other networking devices, to have Sectigo certificate management natively supported in their products.
With choices comes the task of decision making. Contact us for information about the specific products we closely integrate with or if you’d like help with choosing which method is right for you. We are here to help!