Renew a certificate using the ACME automated flow with a DNS challenge

  • Release version: Xanadu
  • Updated August 1, 2024

  Request renewal of a certificate and automatically retrieve the renewed certificate for an application, using the Automated Certificate Management Environment (ACME) automated flow with a DNS challenge.

    Before you begin

    Ensure that a credential for the DNS provider has been set up. The DNS challenge action uses it to create the challenge TXT record in the domain's zone.

    Note:
    A GoDaddy credential record is provided with the base system on the Credentials page.

    Ensure that the Certificate Management catalog is enabled.

    Ensure that a routing policy with a DNS challenge action exists.

    Role required: Certificate requester, PKI admin, PKI user, flow_designer, action_designer, or admin
    Note:

    A certificate requester is a user who doesn’t have the PKI admin or PKI user role.

    Procedure

    1. Open the automated flow catalog items.
      1. Navigate to All > Service Catalog.
      2. Select Certificate Management.
      3. Select Automated Flow.
    2. Select Renew Certificate (Automated).
    3. On the form, fill in the fields.
      Table 1. Renew certificate
      Issued Certificate: the certificate to renew.
      Certificate Purpose: whether the request is for an internal or an external certificate. For external CAs (for example, Let's Encrypt), select External.
      Certificate Signing Request (CSR): the CSR containing the certificate information.
      Validity Period for Certificate (In Days): the number of days the certificate should be valid. The CA decides the actual validity; Let's Encrypt issues certificates valid for at most 90 days.
      Certificate Owner Group: the group for which the certificate tasks are generated.
      Certificate Owner: the name or role of the person who will own the certificate.
      After you attach the CSR, the following subject attributes are parsed from it and auto-populated on the form:
      • Subject Common Name
      • Subject Alternative Name
      • Organization
      • Organizational Unit
      • Locality/City
      • Province
      • Country
      • Email Address
    4. Select Submit.
      Once the request is submitted, a task is created for completing the DNS challenge. The task is completed automatically.

    Result

    • The flow waits for the DNS record to propagate (two minutes by default), then completes the DNS challenge automatically and sends a request to the CA to issue the certificate.

      Admins can change this wait by modifying the sn_disco_certmgmt.wait_time_for_dns_record_propagation system property. If your DNS provider takes longer than the configured wait to publish the record on public resolvers, the CA's validation of the challenge fails, so increase the value for slow providers.

    • The certificate is attached to the New certificate task.
    • The request certificate task status changes to Completed.
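The DNS challenge task and the propagation wait above hide what is actually published and waited for. The following Python example is added here for illustration and is not ServiceNow code: it computes the TXT record that an ACME DNS-01 challenge requires (RFC 8555 section 8.4, using the RFC 7638 account-key thumbprint) and polls a set of resolvers for that record within a wait budget that defaults to the documented two minutes. The RSA key is the public example key from RFC 7638, the token is constructed, and the lookup function is an injected stand-in for a real TXT query (for example with dnspython), which is not included.

```python
"""ACME DNS-01 helpers: compute the challenge TXT value and wait for it to propagate.

Added example, not ServiceNow or ACME client code. The JWK below is the public RSA
example key from RFC 7638 section 3.1, used only as test data.
"""
import base64
import hashlib
import json
import time
from typing import Callable, Iterable, Set

# Public example RSA key from RFC 7638 section 3.1 (test data, not a real account key).
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey), RFC 8555 section 8.1."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content for DNS-01: base64url(SHA-256(keyAuthorization)), RFC 8555 section 8.4."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """Record name the CA queries. A wildcard identifier is validated at its base domain."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def wait_for_propagation(
    name: str,
    expected: str,
    lookup: Callable[[str, str], Iterable[str]],
    resolvers: Iterable[str],
    wait_seconds: float = 120.0,  # matches the documented two-minute default wait
    interval: float = 10.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> bool:
    """Poll lookup(resolver, name) until every resolver returns `expected` or the budget runs out.

    `lookup` is a stand-in for a real TXT query (for example dnspython's dns.resolver.resolve);
    `sleep` and `clock` are injectable so the logic can be exercised without real waiting.
    Returns True once all resolvers agree, False if the wait budget is exhausted first.
    """
    deadline = clock() + wait_seconds
    pending: Set[str] = set(resolvers)
    while True:
        for resolver in list(pending):
            if expected in set(lookup(resolver, name)):
                pending.discard(resolver)
        if not pending:
            return True
        if clock() >= deadline:
            # The CA would fail validation here: raise the propagation wait for this provider.
            return False
        sleep(interval)


if __name__ == "__main__":
    token = "c0nstructed-t0ken-n0t-from-a-real-CA"  # constructed token, not from a real order
    name = challenge_record_name("*.example.com")
    value = dns01_txt_value(token, RFC7638_EXAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
```

The record name for a wildcard identifier is the base domain's _acme-challenge label, which is why a wildcard and its base name can share one TXT record; the polling function treats the wait as a budget across all configured resolvers, which is what the propagation property is really tuning.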