docs/hub/guides/ccm.md
+1 -14 (1 addition & 14 deletions)
@@ -59,19 +59,6 @@ Your *Certify Certificate Manager* install remains much the same as it was befor
59
59
The hub does not currently have global settings that can be pushed to all managed instances etc (such as a single ACME account, or specific stored credential).
60
60
61
61
## Other Considerations
62
-
### Ensure Unique Instance IDs
63
-
64
-
When CCM is installed, an InstanceID value is generated and stored in appsettings.json (on Windows).
65
-
66
-
**Important:** If you have previously used a VM clone to create a new instance of CCM:
67
-
- You must ensure two instances do not share the same Instance ID
68
-
- Duplicate IDs will cause instances to appear as one, and their communication with the hub will conflict
69
-
- One instance may receive edits intended for the other
70
-
71
-
Instance IDs must be valid (unique) GUID values. If in doubt:
72
-
1. Delete your `appsettings.json` file (or just the instanceID field)
73
-
2. Restart the Certify background service to let the app create a new one
74
-
75
62
## Setting up additional joining keys
76
63
77
64
If you manage instances across different organizations (e.g. if you are an MSP etc), consider creating multiple joining keys to partition by organization. This allows you to revoke hub access for specific groups without affecting unrelated instances.
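Review bot: Removing the whole "Ensure Unique Instance IDs" section leaves "## Other Considerations" as an empty heading directly above "## Setting up additional joining keys", and it drops the warning that VM-cloned installs sharing an Instance ID conflict at the hub, with one instance possibly receiving edits intended for the other. Nothing in the visible lines shows this guidance being moved, so if it now lives on another page add a one-line pointer here; otherwise keep at least the recovery steps (delete the instanceID field in `appsettings.json`, restart the Certify background service). Either way, remove the empty heading or give it content.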
@@ -97,6 +84,6 @@ This step may be unnecessary in current versions where it's auto-created.
97
84
3. Select **Managed Instances Service Principle**
98
85
4. Enter **Instance Joining Key** as the title
99
86
5. Select **Management Hub Managed Instance** as the scoped role
100
-
6.**Important:** Click **Add/Remove Role Scope** to add it to the scope list
87
+
-**Important:** Click **Add/Remove Role Scope** to add it to the scope list
101
88
7. Click **Add** to create the new API token
102
89
8. Copy the **Client ID** and **Secret** values - you'll need these for instance configuration
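Review bot: Turning step 6 into a `-` bullet leaves the ordered list jumping from 5 to 7, and a bullet at this position ends the numbered list in Markdown unless it is indented under step 5. If the intent is a sub-note on step 5 ("Select **Management Hub Managed Instance** as the scoped role"), indent the bullet beneath it, put a space after the `-`, and renumber the following steps to 6 and 7. Since the role is not applied to the token until **Add/Remove Role Scope** is clicked, keeping this as its own numbered step may be the safer choice so it is not skipped.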
docs/hub/managedchallenges.md
+28 -1 (28 additions & 1 deletion)
@@ -35,7 +35,34 @@ Under *Settings > Security > Users*, add a User to represent the consumer (user
35
35
36
36
Under *Settings > Security > API Access*, select Add API Token, select the required security principle, enter a descriptive title etc for this consumer token so you know why it exists and what it's being used for. To scope the API access token to managed challenges only, select Managed Challenge Consumer from the Role list and click Add/Remove Role Scope, then Save. A new API token will be created and you will need the Client ID and Secret values to access the API and use the managed challenge.
37
37
38
+
1. In the hub, navigate to **Settings > Security > Users**
39
+
2. Click **Add New Security Principle**
40
+
3. Configure as follows:
41
+
-**Type**: Application/Service
42
+
-**Title**: "Managed Challenge User" (for example, to help identify the consumer of the managed challenge)
4. After adding, click the **Roles icon** (People+ icon) next to the new security principle's ID
45
+
5. Select the `Managed Challenge Consumer` role from Available Roles to assign it.
46
+
6. Click **Save**
47
+
48
+
### 2. Create an API Key to use the managed challenge
49
+
50
+
1. Navigate to **Settings > Security > API Access**
51
+
2. Click **Add API Token**
52
+
3. Select **Managed Challenge User** as the security principle.
53
+
4. Enter **Managed Challenge API Key** as the title
54
+
5. Select **Managed Challenge Consumer** as the scoped role
55
+
-**Important:** Click **Add/Remove Role Scope** to add it to the scope list
56
+
7. Click **Add** to create the new API token
57
+
8. Copy the **Client ID** and **Secret** values - you'll need these for instance configuration
58
+
59
+
#### Combined Hub joining and Managed Challenge Key
60
+
It is possible to create a combined hub joining key and managed challenge key, which certain clients (such as Certify Certificate Manager) can use by default if they already know the hub joining key. This is provided as an option for convinience but is not configured by default.
61
+
62
+
To enable this, add the Managed Challenge Consumer role to the managed instance service principle (or a new service principle), then create a new hub joining key with both the *Hub Managed Instance* role and *Managed Challenge Consumer* role scope.
63
+
38
64
### Configure your ACME Client
39
-
Where an ACME client supports Certify Managed Challenges you will follow the normal process for selecting that provider and you will be required to specify the Client ID and Secret from the above configuration, you will also need to specify the Management Hub API Url. When you then perform your certificate order it will call the Management Hub API to complete the DNS updates required.
65
+
Where an ACME client supports Certify Managed Challenges you will follow the normal process used by that client for selecting that provider and you will be required to specify the Client ID and Secret from the above configuration, you will also need to specify the Management Hub API Url. When you then perform your certificate order it will call the Management Hub API to complete the DNS updates required.
40
66
67
+
In Certify Certificate Manager, under Authorization, select dns-01 as the Challenge Type, and Certify Managed Challenge API as the provider, then add the required credentials.
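Review bot: The new "Combined Hub joining and Managed Challenge Key" section should state the trade-off it introduces: a single key scoped to both *Hub Managed Instance* and *Managed Challenge Consumer* means every client that knows the joining key can also call the hub to complete DNS updates, and revoking it affects both functions at once. Suggest a sentence recommending separate keys unless the convenience is needed, in line with the joining-key partitioning advice in ccm.md. Smaller points in the same hunk: "convinience" should be "convenience"; the second numbered list skips step 6 in the same way as the ccm.md change; step 8 says the values are needed "for instance configuration", which looks copied from the joining-key guide and should refer to the ACME client configuration; the added "### 2. Create an API Key to use the managed challenge" heading has no matching "### 1." heading in the added lines; and the existing paragraph kept as context above the new steps now duplicates them and could be shortened.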