Request new certificate using ACME automated flow of DNS challenge

  • Release version: Xanadu
  • Updated August 1, 2024

    Request a new certificate and automatically retrieve the certificates for an application using an Automated Certificate Management Environment (ACME) automated flow with a DNS challenge.

    Before you begin

    Ensure that a credential has been set up.

    Note:
    The GoDaddy credential is provided with the base system inside the credential page.

    The Certificate Management catalog has been enabled.

    A routing policy with a DNS challenge action exists.

    Role required: Certificate requester, PKI admin, PKI user, flow_designer, action_designer, or admin

    Note:
    A certificate requester is a user who doesn't have the PKI admin or PKI user role.

    Procedure

    1. Access the automated flow.
      1. Navigate to All > Service Catalog.
      2. Select Certificate Management.
      3. Select Automated Flow.
    2. Select Request New Certificate (Automated).
    3. On the form, fill in the fields.
      Table 1. New certificate form

      Field                                       Description
      Certificate Purpose                         Indicates whether the request is for an internal or external certificate. For CAs such as Let's Encrypt, select External.
      Certificate Signing Request (CSR)           CSR containing the certificate information.
      Validity Period for Certificate (In Days)   Number of days the certificate is valid. For Let's Encrypt, the maximum validity period is 90 days.
      Certificate Owner Group                     Group for which the certificate tasks are generated.
      Certificate Owner                           Name or role of the person who will own the certificate.

      The following CSR attributes are matched and auto-populated from the certificate information in the CSR:
      • Subject Common Name
      • Subject Alternative Name
      • Organization
      • Organizational Unit
      • Locality/City
      • Province
      • Country
      • Email Address
    4. Select Submit.
      Once the request is submitted, a task is created for completing the DNS challenge. The task is completed automatically.

    Result

    • After a two-minute wait for DNS record propagation, the DNS challenge is completed automatically and the automated flow sends a request to the CA to obtain the certificate.

      Admins can change this duration by modifying the sn_disco_certmgmt.wait_time_for_dns_record_propagation system property.

    • The certificate is attached to the New certificate task.
    • The request certificate task status changes to Completed.
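
    The DNS challenge the flow completes is ACME's DNS-01 (RFC 8555): the CA expects a TXT record at _acme-challenge.<domain> whose value is derived from the challenge token and the ACME account key, and the two-minute wait above exists so that record is visible before the CA is asked to validate. As an added example, not ServiceNow's code and not part of this page, the following Python computes that expected TXT value and reports per resolver whether it has propagated; the key, token, resolver names and answers are constructed, and a real deployment would replace the sample lookup with a DNS client.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over only the required members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """TXT value the CA looks for: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_name(domain: str) -> str:
    """Record name the CA queries, as a fully qualified name."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def propagation_status(domain: str, expected: str, resolvers: List[str],
                       lookup: Callable[[str, str], List[str]]) -> Dict[str, bool]:
    """Per resolver: is the expected TXT value visible? Trigger CA validation only when all are True."""
    name = challenge_name(domain)  # lookup(resolver, fqdn) returns the TXT strings that resolver serves
    return {r: expected in lookup(r, name) for r in resolvers}


# Constructed sample data (hypothetical key, token, resolvers and answers, not real ones).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14", "y": "c29tZS15", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token-8Jd0_Xq"
SAMPLE_TXT = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
SAMPLE_ANSWERS = {  # authoritative server already updated; a public resolver still serves a stale answer
    ("ns1.example.net", "_acme-challenge.example.com."): [SAMPLE_TXT],
    ("198.51.100.53", "_acme-challenge.example.com."): ["stale-value"],
}


def sample_lookup(resolver: str, name: str) -> List[str]:
    """Stand-in for a real DNS query; in production wrap a DNS client here."""
    return SAMPLE_ANSWERS.get((resolver, name), [])
```

Polling this status until every resolver reports True, with an upper bound, is the check that a fixed propagation wait approximates.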