DigiCert Target
The Digicert Target enables the use of Digicert as a Public Certificate Authority (CA) with an Akeyless PKI Issuer.
With a public CA, Akeyless cannot access the private key that signs certificates. Akeyless validates certificate issuance requests by connecting to Digicert through the Akeyless Gateway.
The DigiCert integration uses an ACME Client (v2).
To prove domain ownership, the Akeyless integration supports DNS validation:
- DNS validation: Ownership is proven by adding a DNS TXT record. This requires the domain to be managed in a supported DNS provider's hosted zone (for example, AWS Route 53, GCP Cloud DNS, or Azure DNS).
Create a Digicert Target with the CLI
To create a Digicert target with the CLI, use one of the following examples based on the challenge method and DNS provider:
AWS Route 53:

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <AWS DNS Target Name> \
--hosted-zone <Route53 Hosted Zone ID>

GCP Cloud DNS:

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <GCP DNS Target Name> \
--gcp-project <GCP Project ID>

Azure DNS:

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <Azure DNS Target Name> \
--resource-group <Azure Resource Group Name>

Where:
- name: A unique name for the target. The name can include a path to a virtual folder by using slash (/) separators. If the folder does not exist, Akeyless creates it with the target.
- digicert-url: Use this when you want to select the ACME environment explicitly. Supported values are production (default) and staging.
- email: Email address used for ACME account registration.
- eab-key-id: External Account Binding Key ID from DigiCert Services.
- eab-hmac-key: External Account Binding HMAC key from DigiCert Services.
- acme-challenge: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are http (default) and dns.
- dns-target-creds: Use this when --acme-challenge=dns. This is required for DNS validation. Supported target types are AWS, Azure, and GCP.
- hosted-zone: Use this when --acme-challenge=dns and --dns-target-creds points to an AWS target. This identifies the Route 53 hosted zone.
- resource-group: Use this when --acme-challenge=dns and --dns-target-creds points to an Azure target.
- gcp-project: Use this when --acme-challenge=dns and --dns-target-creds points to a GCP target and the project ID cannot be derived automatically.
- timeout: Use this when challenge validation needs a custom wait time. Default is 5m. Supported range is 1m to 1h.
- key: Use this when you want to encrypt target secret values with a specific protection key instead of the account default key.
View the complete list of parameters for this command.
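The EAB Key ID and EAB HMAC key above are the two halves of the ACME v2 external account binding (RFC 8555, section 7.3.4): the client MACs its own account public key with the CA-issued HMAC key so that DigiCert can tie the new ACME account to the customer's DigiCert account. The following Python is an added illustration of that binding and of the check the CA performs; it is not Akeyless or DigiCert code, and the key ID, HMAC key, account JWK and newAccount URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: the real key ID and HMAC key come from DigiCert
# Services, and the newAccount URL from the ACME directory of the chosen
# environment. None of these are real DigiCert endpoints or credentials.
EAB_KEY_ID = "example-eab-key-id"
EAB_HMAC_KEY = "c2VjcmV0LWhtYWMta2V5LWV4YW1wbGU"  # base64url, as issued by the CA
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"
# Constructed sample ACME account public key (JWK); a real client generates its own.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab_jws(account_jwk: dict, key_id: str, hmac_key: str, url: str) -> dict:
    """Build the externalAccountBinding JWS for a newAccount request
    (RFC 8555 section 7.3.4): protected header {alg, kid, url}, payload is
    the account public key, and the MAC is computed over header.payload
    with the CA-issued HMAC key. Only HS256 is implemented here."""
    header = {"alg": "HS256", "kid": key_id, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab_jws(jws: dict, hmac_key: str) -> bool:
    """The CA-side check: recompute the MAC and compare in constant time."""
    signing_input = f"{jws['protected']}.{jws['payload']}".encode()
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))

def protected_header(jws: dict) -> dict:
    """Decode the protected header so the kid (EAB Key ID) can be inspected."""
    return json.loads(b64url_decode(jws["protected"]))

if __name__ == "__main__":
    eab = build_eab_jws(ACCOUNT_JWK, EAB_KEY_ID, EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2), "verifies:", verify_eab_jws(eab, EAB_HMAC_KEY))
```

Because the HMAC key is the only thing that proves the binding, it deserves the same handling as any other target secret, which is what the key parameter's protection key is for.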
Create a Digicert Target in the Console
- Log in to the Akeyless Console, and go to Targets > New > Certificate Automation (Digicert).
- Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash (/) separators. If the folder does not exist, it will be created together with the target.
- Select a Protection key with a Customer Fragment to enable Zero-Knowledge and click Next. Read more about Zero-Knowledge Encryption.
- Define the remaining parameters as follows:
  - Environment: The ACME environment: US Production, EU Production, US Demo, or EU Demo.
  - Email: Email address used to register the ACME account.
  - DNS Provider: Either AWS, GCP, or Azure (relevant only if Challenge Type is DNS).
  - Target: Select a target that contains the DNS provider credentials (relevant only if Challenge Type is DNS).
  - Hosted Zone: AWS Route 53 hosted zone identifier (relevant only if Challenge Type is DNS and DNS Provider is AWS).
  - Resource Group: Azure resource group name (relevant only if Challenge Type is DNS and DNS Provider is Azure).
  - GCP Project: GCP Cloud DNS project ID. Optional when DNS Provider is GCP.
  - Timeout: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
- Click Finish.