[Let's Encrypt - ACME] Configure automated certificate management for TLS certificates

Overview

This article guides you through configuring the routing policies and the credentials required for Let's Encrypt [ACME] automated certificate management in the Certificate Inventory and Management store app.

Before you begin

- The Certificate Inventory Management plugin must be activated.
- The MID Server must be set up correctly.
- Role required: pki_admin or admin.

Step 1: Create Credentials

This credential is used to authenticate with the Certificate Authority (CA).

A. Navigate to Credentials

1. Go to Connection & Credentials > Credentials.
2. Click New.
3. Choose the type Certificate Management Credentials.

B. Fill in Credential Details

- CA type: Select 'Let's Encrypt' from the drop-down.
- Name: Provide an appropriate name for your credential.
- Private Key: The private key is used to sign every request sent to the ACME server. You can provide a private key of either type, RSA or ECDSA, with a size of 1024, 2048, or 4096 bits. Suggested ways to generate a private key:
  - OpenSSL (commonly used and widely available)
  - ssh-keygen (for simple RSA key generation)
- Key Type: The type of your private key, RSA or ECDSA.
- Contacts: Optional. A comma-separated list of email addresses that should receive order status updates from Let's Encrypt.
- Credential Alias: Select or create a credential alias for this credential. It must be unique across all your credentials; the MID Server later uses it to connect to the CA, so the same alias must be provided in the routing policy. To create a new credential alias:
  1. Click the search icon next to the Credential Alias field.
  2. Click New.
  3. Select Credential as the type.
  4. Provide an appropriate name for your credential alias and submit.

Step 2: Create Routing Policy

This routing policy routes certificate requests to the right CA account.

A. Navigate to Certificate Routing Policy

1. Go to Certificate Management > Certificate Automate Flows > Certificate Routing Policies.
2. Click New.

B. Fill in the routing policy details

- Certificate Authority: Choose 'Let's Encrypt'. Check the base URL of the selected CA; you can modify it by navigating to Certificate Management > Certificate Automate Flows > Certificate Authorities.
- Name: Provide a name for your routing policy.
- DNS Challenge Action: If selected, DNS challenges are resolved automatically by the subflow action chosen from the drop-down. ServiceNow provides an OOB action for GoDaddy domains, 'ACME DNS Challenge - GoDaddy'. To use it, provide your GoDaddy API key in credentials: navigate to Connection & Credentials > Credentials > GoDaddy (OOB record) and enter your account API key in the format sso-key [API_KEY]:[API_SECRET]. To generate a new API key on the GoDaddy portal:
  1. Visit the Developer Portal: navigate to developer.godaddy.com.
  2. Sign In: log in with your GoDaddy account credentials.
  3. Access API Keys: click API Keys in the top navigation menu.
  4. Create New API Key: click the Create New API Key button.
  5. Fill in Details: Name (enter a name for your API key, e.g., MyAppAPIKey) and Environment (choose Production or Test).
  6. Save the Key: after creation, copy and securely store the API key and secret. They will not be shown again.
- DNS Task Assignment Group: Choose the group to which the DNS task is assigned to complete the DNS challenges. See part C for more on DNS challenges.
- Assignment Group: Choose the group to which any manual task (renewal tasks, etc.) related to certificates requested through this routing policy is assigned.
- Maximum validity period: The maximum allowed validity for the certificates, in days.
You can restrict the maximum allowed validity period using this field.
- Organization ID: Only required for organization-validated certificate requests.
- Credential Alias: Must be the same alias you assigned to the credential in Step 1.
- Allow Duplicate Request: If enabled, duplicate requests with the same CSR are allowed.
- Approval Required & Task Approval Group: When requesting new certificates or renewing certificates, many PKI teams prefer human validation before fulfillment. If so, select the Approval required check box and select the group to which the approval task should be assigned.
- Mid Server: Optionally select a specific MID Server through which all requests matching this routing policy are sent.

The following fields are used to match the routing policy:

- Subject common name and Subject alternative name support RegEx. The RegEx has these restrictions: it must not contain commas, and it must not start and end with a forward slash (/). * matches any value.
- Organization, Organizational Unit, Locality, State, Country, and Email are CSR attributes and accept comma-separated values. * is treated as any value.
- Environment: Metadata only; it can be used to route certificate requests to different CAs or CA accounts.
- Certificate Purpose (internal/external): Like Environment, it can be used to route certificate requests.

C. How to resolve DNS challenges

The DNS challenge in the ACME (Automatic Certificate Management Environment) protocol is the DNS-01 challenge. It is a method of proving control over a domain when requesting an SSL/TLS certificate from a Certificate Authority (CA) such as Let's Encrypt.

How it works:

1. The CA provides a random token as part of the challenge. You can navigate to the DNS Task from your certificate task.
2. On the DNS task page, you see all the DNS challenges that need to be completed.
3. Create a DNS record for your domain.
The steps to add a TXT record to your domain are specific to your domain provider. Check your domain provider's documentation to learn how to add a TXT record to your domain.

Troubleshooting Guide

The following cases may occur while requesting a certificate.

- If a single routing policy matches: Verify the following conditions:
  - The subject common name is validated against the RegEx pattern provided in the Routing Policy table, a domain name, or *.
  - The certificate request validity period is not greater than the maximum validity period in the Routing Policy table.
  - The duplicate Certificate Request is allowed flag in the Routing Policy table is checked.
- If multiple routing policies are eligible: The task is assigned to the default approver group.
- If no routing policy is found: The task is assigned to the default approver group.
- If a single policy matches and the approval needed flag is true: The task is assigned to the task approval group defined in the routing policy.

Note: The default approval group can be set using the system property 'sn_disco_certmgmt.cert_task_default_approval_group'. This is the default group used when the certificate request moves into manual mode, for instance when there is no matching policy or more than two matching policies. You can specify more than one approval group, separated by commas. The first group in the list that belongs to the task's domain is used for approval. If no domain-specific group is found, the first name in the global domain list is used as the default.
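The DNS-01 record described in Step 2, part C, worked through as an added example (not code from the article or the ServiceNow app): it derives the `_acme-challenge` TXT value from the CA's token and the ACME account key as RFC 8555 specifies, and checks a published record against it before validation is requested. The JWK, token and domain are constructed sample values.

```python
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that feed the JWK thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed sample account key and challenge token (not a real key or order).
SAMPLE_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographic order, no whitespace (RFC 7638 section 3)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (record name, TXT value) for the DNS-01 challenge (RFC 8555 section 8.4).

    Key authorization = token || '.' || thumbprint; the TXT value is the base64url
    SHA-256 digest of that string, published at _acme-challenge.<domain>.
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{domain}", txt_value


def dns01_record_matches(domain, token, jwk, observed_name, observed_value) -> bool:
    """Pre-check before asking the CA to validate: does the published TXT record
    carry exactly the value this token and account key require?"""
    name, expected = dns01_record(domain, token, jwk)
    return observed_name.rstrip(".").lower() == name and observed_value == expected


if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 300 IN TXT "{value}"')
```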
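The routing-policy matching rules from Step 2, part B, and the outcomes in the troubleshooting table, as an added example written for this article (not the ServiceNow app's own logic): it applies the RegEx restrictions for the common name, the comma-separated CSR attributes with * as any, the maximum validity and duplicate checks, and then routes a request to automatic issuance, the policy's task approval group, or the default approval group. The policies, group names and requests are constructed; the default group is a stand-in for the property value read from the instance.

```python
import re
from dataclasses import dataclass

DEFAULT_APPROVAL_GROUP = "PKI Default Approvers"  # constructed stand-in for sn_disco_certmgmt.cert_task_default_approval_group

@dataclass
class RoutingPolicy:
    name: str
    common_name: str = "*"      # RegEx: no commas, not enclosed in slashes; "*" = any
    organization: str = "*"     # comma-separated CSR values; "*" = any
    max_validity_days: int = 90
    allow_duplicate: bool = False
    approval_required: bool = False
    task_approval_group: str = ""

def regex_field_matches(pattern: str, value: str) -> bool:
    """CN/SAN RegEx; "*" = any. Must not contain commas or be enclosed in slashes (article rule)."""
    if pattern == "*":
        return True
    if "," in pattern or (pattern.startswith("/") and pattern.endswith("/")):
        raise ValueError(f"invalid routing pattern: {pattern!r}")
    return re.fullmatch(pattern, value) is not None

def list_field_matches(allowed: str, value: str) -> bool:
    """CSR attribute fields take comma-separated values; "*" means any."""
    if allowed.strip() == "*":
        return True
    return value in {v.strip() for v in allowed.split(",")}

def policy_matches(policy: RoutingPolicy, request: dict) -> bool:
    """The checks the troubleshooting table tells you to verify for a single match."""
    return (regex_field_matches(policy.common_name, request["common_name"])
            and list_field_matches(policy.organization, request["organization"])
            and request["validity_days"] <= policy.max_validity_days
            and (policy.allow_duplicate or not request["is_duplicate"]))

def route(request: dict, policies: list) -> tuple:
    """Return (outcome, group or policy name) following the troubleshooting table."""
    matches = [p for p in policies if policy_matches(p, request)]
    if len(matches) != 1:  # no match or several matches: manual mode, default group
        return "manual", DEFAULT_APPROVAL_GROUP
    policy = matches[0]
    if policy.approval_required:
        return "approval", policy.task_approval_group
    return "automatic", policy.name

# Constructed sample policies: automatic issuance for the lab zone, approval for the rest.
POLICIES = [RoutingPolicy("LE lab", common_name=r".*\.lab\.example\.com"),
            RoutingPolicy("LE prod", common_name=r".*\.example\.com", organization="Example Corp",
                          approval_required=True, task_approval_group="PKI Approvers")]
```

A lab host whose CSR carries the organization "Example Corp" matches both sample policies and therefore lands with the default approval group, which is the "multiple routing policies are eligible" case from the table.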