|
For the latest version, please use Certificate Lifecycle Manager 6.0.0! |
Integration with Automation and Infrastructure-as-Code (IaC) Tools
Overview
MTG CLM provides multiple integration interfaces that allow customers to fully automate operations and integrate certificate management into existing Infrastructure-as-Code (IaC) and automation workflows using tools such as Terraform, Ansible, or custom automation frameworks.
Integration Interfaces
REST API
MTG CLM offers a comprehensive, fully documented REST API:
The REST API exposes all major functionalities of the system, including:
-
Certificate enrollment and renewal
-
Key management
-
Certificate revocation
-
Certificate lifecycle operations
-
Policy configuration
The REST API can be used directly by IaC tools and automation frameworks to provision and manage certificates during the deployment of infrastructure or applications.
Integration with IaC tools can be implemented through:
-
Direct REST calls (e.g., via Terraform external providers, Ansible URI module)
-
Custom-developed plugins or wrappers based on customer requirements.
ERS CLI Client
MTG CLM additionally provides a command-line interface (CLI) client, which simplifies automation tasks and scripting:
The ERS CLI client supports:
-
Automated certificate issuance and renewal
-
Integration with shell scripts, CI/CD pipelines, and deployment automation
-
Simplified credential management and authentication options
The CLI client can be easily invoked by automation tools like Ansible, Terraform (via local-exec provisioners), or any CI/CD system.
Typical Automation Use Cases
-
Automated enrollment of TLS certificates for application servers and microservices.
-
On-demand certificate requests during virtual machine or container deployment.
-
Automated certificate renewal and replacement processes integrated into deployment pipelines.
-
Full PKI policy configuration during IaC-driven environment provisioning.
Integration Examples
Ansible Example (REST API – Full 3-Step Certificate Issuance)
- name: Full certificate creation via REST API
hosts: localhost
vars:
base_url: "https://ers.example.com"
api_token: "your_keycloak_token_here"
realm_id: "example-realm-id"
policy_id: "example-policy-id"
end_entity_common_name: "www.example.com"
tasks:
- name: Create End Entity
uri:
url: "{{ base_url }}/api/v1/end-entities/"
method: POST
headers:
Content-Type: "application/json"
Accept: "application/json"
Authorization: "Bearer {{ api_token }}"
body_format: json
body:
commonName: "{{ end_entity_common_name }}"
realmId: "{{ realm_id }}"
organization: "Example Org"
organizationalUnit: "IT"
country: "DE"
externalId: "entity-001"
email: "admin@example.com"
domains:
- "{{ end_entity_common_name }}"
ips:
- "192.168.0.1"
genericDtoList:
- key: "env"
value: "prod"
return_content: yes
register: end_entity_response
- name: Extract endEntityId
set_fact:
end_entity_id: "{{ end_entity_response.json.id }}"
- name: Create Certificate Request
uri:
url: "{{ base_url }}/api/v1/cert-requests/"
method: POST
headers:
Content-Type: "application/json"
Accept: "application/json"
Authorization: "Bearer {{ api_token }}"
body_format: json
body:
endEntityId: "{{ end_entity_id }}"
keyPairMode: "SERVER_GEN"
policyId: "{{ policy_id }}"
validFor: "SIX_MONTHS"
keyGenParamsDto:
cryptoAlgorithm: "RSA"
keySize: "2048"
pkcs10ReqBase64: null
publicKeyBase64: null
return_content: yes
register: cert_request_response
- name: Extract certRequestId
set_fact:
cert_request_id: "{{ cert_request_response.json.certRequestId }}"
- name: Create Certificate
uri:
url: "{{ base_url }}/api/v1/certificates/cert-requests/{{ cert_request_id }}"
method: POST
headers:
Accept: "application/json"
Authorization: "Bearer {{ api_token }}"
status_code: 201
return_content: yes
register: cert_response
- name: Extract certificate (base64 PFX) and ID
set_fact:
certificate_pfx: "{{ cert_response.json.base64EncodedPkcs12 }}"
certificate_id: "{{ cert_response.json.certificateId }}"
- name: Output certificate ID
debug:
msg: "Certificate successfully created with ID: {{ certificate_id }}"Terraform Example (ERS CLI – One-Step Certificate Issuance)
variable "ee_uuid" { description = "End-Entity UUID (created on-the-fly if it does not exist)" }
variable "ee_password" { description = "End-Entity password used for Basic Auth" }
variable "output_path" { description = "Filesystem path where the resulting PKCS#12 file will be written" }
resource "null_resource" "issue_certificate" {
provisioner "local-exec" {
# 'ers' combines End-Entity creation (if needed), certificate request,
# and certificate issuance in a single command.
command = <<EOT
ers certificate request \
-m SERVER_GEN \
--ee-uuid ${var.ee_uuid} \
--ee-password ${var.ee_password} \
--algorithm RSA \
--rsa-key-size 2048 \
--valid-for SIX_MONTHS \
--output-type PKCS12 \
--key-file ${var.output_path}/www_example_com.p12 \
--key-file-password keystorePassword
EOT
}
# Optional: re-run only when the input variables change
triggers = {
ee_uuid = var.ee_uuid
ee_password = sha1(var.ee_password)
output_path = var.output_path
}
}
1. ers will create the End Entity automatically if the supplied --ee-uuid does not exist.2. The resulting PKCS#12 file ( *.p12) contains the private key and certificate.3. Remove the --key-file-password flag if you need an unprotected PKCS#12 for testing purposes (not recommended in production).
|
Summary
MTG CLM offers full automation capabilities via:
-
REST API for programmatic access to all PKI/CLM functions.
-
ERS CLI Client for simplified scripting and integration into automation pipelines.
-
Compatibility with common IaC and automation tools such as Terraform and Ansible.