Ascio Web Service v3
Automating the SSL workflow
Avoiding manual tasks with SSL-Certificates
Reselling SSL certificates can cause many manual tasks. This tutorial shows which steps are needed to design an order process that runs without manual interaction.
The manual process
- Generate private key and CSR-file
- Manually register the Certificate
- Wait until the customer has done the domain-verification
- Run after the customer, in case the verification e-mail was filtered as spam
- Download the certificate and place it on the webserver, or upload it to a management tool
- Edit the vhosts file, if not using a management tool
The automated process
- The customer enters all details on the reseller-website
- After payment, the website sends the order via API.
- A DNS-record or verification-file is created via API.
- When the Certificate is active, it's downloaded via API and installed.
This is an example of how SSL can be automated with Ascio:
<?php
// Assumes the SslAutomation class from the Ascio example code is already loaded.
// Command-line arguments: sub-domain first, then domain name (order assumed).
$subDomain = $argv[1];
$domainName = $argv[2];
echo $domainName."\n";
$automation = new SslAutomation("testing",$domainName,$subDomain,"positivemdcssl");
// create CSR and private key
$automation->createKeys();
// register a domain
$automation->registerDomain();
// register the SSL certificate with the generated CSR
$automation->registerSsl();
// wait for the SSL token
$automation->pollToken();
// create a DNS record
$automation->createDns();
// wait for the order to complete
$automation->PollV3();
// download the certificate
$certificate = $automation->getCertificate();
echo "complete";
DNS records are a good way to automate verification. The reseller system gets a token during the verification process. There are different types, depending on the CA:
Digicert (RapidSSL, Geotrust, Symantec, Thawte)
- A verification code is received after registration
- A TXT-Record with the verification code is created
- The source is _dnsauth.[domain name] or just the domain name.
- For wildcard domains, the _dnsauth subdomain is not allowed
- For SANs a TXT-record must be created for each zone/domain.
- A validation code, CNAME_NAME and CNAME_VALUE are received after registration
- A CNAME-Record with the validation code is created
- For SANs a CNAME-record must be created for each zone/domain. The domain of the CNAME_NAME must be replaced with the SAN-Domain.
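The record rules listed above can be turned into a small planning step that runs before the DNS API is called. This is an added PHP example, not Ascio's or the WHMCS plugin's code. The function names are hypothetical, each certificate name is assumed to be the domain where its record is created, CNAME_NAME is assumed to point to CNAME_VALUE, and all sample values are constructed.

```php
<?php
// Added example, not Ascio code; names and sample values are constructed.

// Normalise a certificate name; returns [domain, isWildcard].
function splitName(string $name): array
{
    $name = strtolower(rtrim(trim($name), '.'));
    $wildcard = strncmp($name, '*.', 2) === 0;
    $domain = $wildcard ? substr($name, 2) : $name;
    // Reject anything that is not a plain ASCII hostname before it reaches a DNS API.
    if (!preg_match('/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/', $domain)) {
        throw new InvalidArgumentException("Invalid domain name: $name");
    }
    return [$domain, $wildcard];
}

// TXT verification: one record per name, _dnsauth only for non-wildcard names.
function txtRecords(array $names, string $code): array
{
    $records = [];
    foreach ($names as $name) {
        [$domain, $wildcard] = splitName($name);
        $host = $wildcard ? $domain : "_dnsauth.$domain";
        $records[$host] = ['type' => 'TXT', 'name' => $host, 'value' => $code];
    }
    return array_values($records);
}

// CNAME verification: keep the label of CNAME_NAME, swap its domain for each SAN.
function cnameRecords(string $commonName, array $sans, string $cnameName, string $cnameValue): array
{
    [$cnDomain] = splitName($commonName);
    $suffix = ".$cnDomain";
    $cnameName = strtolower(rtrim($cnameName, '.'));
    if (substr($cnameName, -strlen($suffix)) !== $suffix) {
        throw new InvalidArgumentException('CNAME_NAME is not under the certificate domain');
    }
    $label = substr($cnameName, 0, -strlen($suffix));
    $records = [];
    foreach (array_merge([$commonName], $sans) as $name) {
        [$domain] = splitName($name);
        $records["$label.$domain"] = ['type' => 'CNAME', 'name' => "$label.$domain", 'value' => $cnameValue];
    }
    return array_values($records);
}

// Constructed sample input; real tokens come from the API response.
print_r(txtRecords(['example.com', '*.example.org'], 'sample-code'));
print_r(cnameRecords('example.com', ['example.net'], '_sample.example.com', 'sample.ca.invalid'));
```

Rejecting malformed names before they reach the DNS API keeps customer-supplied input from creating records outside the zones that belong to the order.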
A file is placed on the webserver. This is good when there is no access to the DNS. But there can be issues with the .htaccess file.
AutoinstallSSL works with Cpanel. The full installation is automated. It's based on file-verification and can fail if there is a .htaccess file.
SSL automation in action
Here you can see how the DNS-Verification is used in the WHMCS-Ascio-Plugin. Here is the implementation in WHMCS: WHMCS SSL Plugin source
Please configure the IP-Whitelisting in the portal/demo-portal.