Automation
The horizon-cli automate command helps you automate the installation of your TLS certificates. It is designed to streamline the process of certificate enrollment, renewal, and installation. This functionality is particularly useful for managing Transport Layer Security (TLS) on web servers, ensuring secure and encrypted connections. It simplifies complex operations through its suite of subcommands, each tailored for specific aspects of certificate management.
Subcommands
To begin with Horizon CLI automation, use the --help flag with any subcommand for detailed usage information:
./horizon-cli automate <subcommand> --help| Subcommand | Description |
|---|---|
This command is versatile, functioning similarly to the init command on servers without certificates, while also capable of re-enrolling or taking control of servers with existing certificates. |
|
This command is designed to automatically configure SSL on any newly installed web server. When executed, it seamlessly sets up a secure connection by arranging SSL certificates and enabling SSL on the default HTTPS port (usually port 443). The process includes configuring the necessary SSL settings and restarting the server with SSL enabled. |
|
This command is designed to locate certificates within a web server’s configuration and offers to bring them under automation control. Taking a certificate under control involves adding necessary metadata and incorporating it into the local memory for routine management and oversight. This process ensures that the certificates are systematically monitored and managed as part of the automated workflow. Be aware that enrolling a new certificate will replace any certificate currently bound to an application running on your machine. |
|
This command allows the user to select one of the managed certs and modify its sans. |
|
Sets up a routine task for automated certificate renewal. The task frequency can be specified, with a default period of 6 hours. This helps in automating the renewal process to ensure certificates remain valid without manual intervention. |
|
Removes the previously set periodic task for certificate renewal. This is useful when automated renewal is no longer needed or needs to be reconfigured. |
|
Performs a routine check on all managed certificates to assess if any need renewal. This is a part of proactive certificate management to avoid service disruptions. |
|
Lists all managed certificates. This provides an overview of all certificates under management, including details like expiration dates, domains covered, etc. |
|
Removes a managed certificate or a group of certificates. The <id> parameter specifies which certificates to remove, with the option to remove all services using a keyword like 'all'. |
|
If you’re looking for a more guided experience while using horizon-cli automate, the |
Supported Services
The horizon-cli automate feature supports a variety of web server and application server services.This ensures a wide range of compatibility and flexibility for users working with different server environments.The --target flag is used within the tool to specify the specific service on which to perform automation tasks, allowing for precise and targeted configuration and management.
| In order for horizon-cli to function properly, the targeted service should be started on the machine. |
List of the supported services:
-
nginx (linux)
-
tomcat (linux & windows)
-
jboss wildfly (linux)
-
lighttpd (linux)
-
microsoft iis (windows)
-
evertrust winhorizon (windows)
-
evertrust adcsconnector (windows)
-
generic (linux & windows)
Example of a standard setup on the default HTTPS port (443) for NGINX:
./horizon-cli automate init --target=nginx --automation-policy=<POLICY_NAME>|
To set up SSL on a custom port (e.g., 9000), use the |
Generic Service Automation
The Generic Service within the Horizon Client’s automation module provides a versatile and user-friendly method for obtaining TLS certificates, eliminating the need to specify a pre-existing service or certificate file. This feature is especially beneficial in scenarios where certificates are required to be generated dynamically or for users who seek a more automated certificate management process.
Through the interactive mode:
./horizon-cli automate init --target=generic --promptNon-Interactive Mode: For an even more streamlined experience, certificates can be automatically generated with default parameters in non-interactive mode.
./horizon-cli automate init --target=generic --automation-policy=<POLICY_NAME> --cert=my_cert.pem --key=my_key.key --chain-file=my_chain.pem --no-interactiveDefault Storage Location: Newly generated certificates are automatically stored in a default location, which is /opt/horizon/var/generic on Unix systems, and C:\ProgramData\EverTrust\Horizon\Var\Generic on Windows systems.
Configuration Folder Override: Users have the flexibility to override the default storage location using the --config-folder option. This allows for customization of the storage path as per individual requirements or organizational standards.
./horizon-cli automate init --config-folder=/path/to/folder --target=generic --automation-policy=<POLICY_NAME> --pfx=my_cert.p12 --pfx-pwd=pass123 --chain-file=my_chain.pem --no-interactiveThe Generic Service’s emphasis on flexibility and user-friendliness makes it a valuable tool for a wide range of users, from those requiring on-the-fly certificate generation to those preferring a hands-off, automated approach.
Windows-Specific Features: On Windows systems, the Horizon CLI offers additional flags to specify the certificate store location:
--user-store: Save the certificate in the user store. This option is beneficial when certificates need to be accessible on a per-user basis.
--machine-store: Save the certificate in the machine store. Ideal for certificates that must be available system-wide.
These options provide flexibility in managing certificate storage, catering to different security and accessibility requirements on Windows systems.
Automation policies
Automation policies are central to the operation of the automation module in the Horizon system. These policies dictate how certificates should be enrolled and renewed, providing a customizable framework to suit various client requirements.
Before using automation policies, they must be pre-configured in the Horizon web app. Each policy is given a unique name for easy identification.
Profile Selection: Policies can be based on EST, SCEP, or ACME profiles, depending on the specific requirements of the enrollment and renewal process.
| EverTrust recommends using EST for most use cases of server automation. |
Execution Policy: Includes settings that define how and when the automation should be executed.
Compliance Settings: Specify which CAs are authorized for use within the policy.
Authorized Hash Algorithms: Determine which hash algorithms are acceptable.
Trust Chains: Configure the trust chains that are essential for establishing the trustworthiness of the certificates.
Parameter Specification: When performing automation operations, the relevant automation policy is specified using the --automation-policy parameter.
Existing WebServer certificates
The Horizon CLI’s automation module is equipped with a discovery feature that scans and identifies certificates on your machine. It does this by parsing configuration files of your web server or TLS service.
By default, it searches for certificates across all supported services.
./horizon-cli automate enroll --automation-policy=<POLICY_NAME>|
Limit the search to specific services. Separate multiple services with commas. If you use a different config folder than the default one you can specify your custom folder using Perform only the discovery phase and print the results without enrolling certificates using |
The --discovery parameter allows you to integrate certificate enrollment with a discovery campaign pre configured in the Horizon web app before running the CLI command. It includes additional information on the certificate’s usage and location on the host machine.
./horizon-cli automate enroll --automation-policy=<POLICY_NAME> --discovery-campaign=<DISCOVERY_CAMPAIGN_NAME>Additional enrollment parameters
Challenge Passwords for Enrollment
The --challenge parameter is used to provide challenge passwords for EST or SCEP during the enrollment process. Challenge passwords are crucial for the authentication phase in these protocols, ensuring secure communication and identity verification.
|
When enrolling certificates using EST or SCEP protocols, the |
Post-Enrollment Script Execution
The --script parameter allows the execution of a custom script upon the successful completion of a certificate enrollment process. It supports both Bash scripts in Linux environments and PowerShell scripts in Windows environments.
./horizon-cli automate enroll --automation-policy=<POLICY_NAME> --script=/home/user/post_enroll.shThe script will receive arguments passed by Horizon Client in the following order:
-
Issued certificate serial number
-
Issued certificate fingerprint (SHA-1 hash of the certificate in DER format - windows store thumbprint)
-
Issued certificate Subject DN
-
Issued certificate Issuer DN
Below is an example of a very simple bash script:
#!/bin/sh
echo $1
echo $2
echo $3
echo $4Below is an example of a very simple PowerShell script:
param($serial, $fingerprint, $subject, $issuer)
Write-Output $serial
Write-Output $fingerprint
Write-Output $subject
Write-Output $issuerACME Account Specification for Enrollment
The --acme-account parameter is mandatory when enrolling certificates using the ACME protocol. It specifies the ACME account to be used for the enrollment process.
./horizon-cli automate enroll --acme-account=myAcmeAccountAdd metadata to certificates during the enrollment process: These certificate information parameters enhance the management and traceability of TLS certificates. By using these optional fields, organizations can maintain better oversight and control over their certificate infrastructure.
| Parameter | Description |
|---|---|
|
Owner of the certificate |
|
Contact email of the certificate owner |
|
Team owning the certificate |
|
Labels to attach to the certificate, in the form |
Installation
After a successful enrollment or renewal, the certificate will be installed on your machine.The impacted services will be restarted automatically after each certificate enrollment or renewal.
|
In certain scenarios, you might not want the Horizon CLI to automatically install the new certificate or restart the related services. If you wish for the client to not install your new certificate, that is, not replace the old certificate and not restart the impacted services, you can use the |
Renewal
Each time a certificate is discovered and enrolled by the automation module of the Horizon Client, its details are stored in the internal database for future reference.Each time the automate routine command is run, the client will check if any of the locally known certificates need to be renewed.Reasons for renewal can be:
-
The certificate is about to expire
-
The certificate has been revoked
-
Preferences such as key type or enrollment CA were changed in the profile or automation policy
If a certificate needs to be renewed, the client will perform the renewal according to the automation policy, and its corresponding profile.
|
We recommend that you run the |
This mechanism allows for more resilient web servers, as the certificates will be renewed automatically, before any interruption of service can happen because of an expired or revoked certificate. It also helps your organisation migrate your TLS certificates to a new CA quickly, by simply changing the preferred enrollment CA in the automation policy and waiting a few hours for all your instances of the Horizon Client to execute their routine tasks.
|
Using |
Interactivity
Two options are available to control the interactivity of the automate enroll command:
-
The
--no-interactiveflag will prevent any prompt from being displayed, and will use the default values or those provided in the command line arguments. It will:-
select all discovered certificates for enrollment
-
if a challenge is required, use the provided
--challengeargument. If no challenge is provided, or the given challenge has already been used, the enrollment will fail. -
not add any additional SANs
-
-
the
--promptflag will force the client to prompt the user for any missing information. If specified, any other command line arguments are optional. It will:-
prompt the user to select which services to search for on the machine (equivalent to the
--targetoption) -
prompt the user for the automation policy (equivalent to the
--automation-policyoption) -
prompt the user for the configuration folder (equivalent to the
--config-folderoption)
-
Certificate commands
Enroll
The enroll command can either setup a certificate and empty https configuration from scratch, or take control of certificates, reenrolling them to be compliant when necessary.
Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--automation-policy |
☑ |
string |
The automation policy to link the certificate to. |
--challenge |
string array (comma separated) |
See challenge section. |
|
--script |
string (path to file) |
See script section. |
|
--auto-renew |
boolean |
Configures a status check every 6 hours. |
|
--discovery-campaign |
string |
Also add discovery info on the enrolled certificate on the campaign passed. |
|
--force-enroll |
boolean |
Reenroll all selected certificates regardless of their compliance. |
|
--analyze-only |
boolean |
Instead of executing the enrollments, only displays a summary of possible actions. |
|
--no-interactive |
boolean |
Disables all interactive inputs. All parameters must then be given using cli flags. |
|
--prompt |
boolean |
Enable all interactive inputs. All parameters will now be asked for, except ones given using cli flags. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--target |
string array (comma separated) |
List of services to target. If not given, all available services are targeted. |
|
--no-install |
boolean |
Disables installation. |
|
--config-folder |
string (path to folder) |
Explicitly point your webserver configuration folder. |
|
--port |
integer |
When initializing an empty https configuration on a blank server, choose on which port to listen for https (defaults to the standard https port for the webserver 443 or 8443) |
|
--keystore-password |
string |
Password of the webserver’s keystore if it cannot be deduced from configuration |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--dnsnames |
string array (comma separated) |
List of DNS SANs. If not given, the machine hostname is used. |
|
--ip |
string array (comma separated) |
List of IP SANs. If not given, no ips are set. |
|
--labels |
string array (comma separated, in label:value form) |
Horizon labels to add to the certificate on enrollment. |
|
--team |
string |
Horizon team to add to the certificate on enrollment |
|
--owner |
string |
Horizon owner to add to the certificate on enrollment |
|
--contact-email |
string |
Horizon contact email to add to the certificate on enrollment |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--acme-account |
☑ (if using ACME) |
string |
The identifier (email) of the ACME account to use. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--destination-folder |
string (path to folder) |
Folder to write the new certificates to. Default to |
|
--pfx |
string |
Name of the PKCS#12 file to write the enrolled certificate to. |
|
--pfx-pwd |
string |
Password of the PKCS#12 file to write the enrolled certificate to. |
|
--jks |
string |
Name of the JKS file to write the enrolled certificate to. |
|
--jks-pwd |
string |
Password of the JKS file to write the enrolled certificate to. |
|
--jks-alias |
string |
Alias of the JKS file to write the enrolled certificate to. |
|
--cert |
string |
Name of the file to write the enrolled certificate to in PEM format. |
|
--key |
string |
Name of the file to write the enrolled key to. |
|
--der |
boolean |
Save the certificate and key in DER format. |
|
--chain-file |
string |
Name of the file to write the enrolled certificate chain to. |
|
--user-store |
boolean |
Save the certificate in the windows user store. |
|
--machine-store |
boolean |
Save the certificate in the windows machine store. |
| Storage output for generic must choose between pfx, certificate, jks or windows store output. |
Examples
Enroll a new certificate in the default generic folder
horizon-cli automate enroll --automation-policy=<automation policy> --target=generic --cert cert.pem --key key.pem --chain-file chain.pemInit
The init command can setup a certificate and empty https configuration from scratch.
The init command can only be used on webservers where no certificate is configured in order to avoid conflicts.See the other commands to match your use case.
|
Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--automation-policy |
☑ |
string |
The automation policy to link the certificate to. |
--challenge |
string array (comma separated) |
See challenge section. |
|
--script |
string (path to file) |
See script section. |
|
--auto-renew |
boolean |
Configures a status check every 6 hours. |
|
--discovery-campaign |
string |
Also add discovery info on the enrolled certificate on the campaign passed. |
|
--analyze-only |
boolean |
Instead of executing the enrollments, only displays a summary of possible actions. |
|
--no-interactive |
boolean |
Disables all interactive inputs. All parameters must then be given using cli flags. |
|
--prompt |
boolean |
Enable all interactive inputs. All parameters will now be asked for, except ones given using cli flags. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--target |
string array (comma separated) |
List of services to target. If not given, all available services are targeted. |
|
--no-install |
boolean |
Disables installation. |
|
--config-folder |
string (path to folder) |
Explicitly point your webserver configuration folder. |
|
--port |
integer |
When initializing an empty https configuration on a blank server, choose on which port to listen for https (defaults to the standard https port for the webserver 443 or 8443) |
|
--keystore-password |
string |
Password of the webserver’s keystore if it cannot be deduced from configuration |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--dnsnames |
string array (comma separated) |
List of DNS SANs. If not given, the machine hostname is used. |
|
--ip |
string array (comma separated) |
List of IP SANs. If not given, no ips are set. |
|
--labels |
string array (comma separated, in label:value form) |
Horizon labels to add to the certificate on enrollment. |
|
--team |
string |
Horizon team to add to the certificate on enrollment |
|
--owner |
string |
Horizon owner to add to the certificate on enrollment |
|
--contact-email |
string |
Horizon contact email to add to the certificate on enrollment |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--acme-account |
☑ (if using ACME) |
string |
The identifier (email) of the ACME account to use. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--destination-folder |
string (path to folder) |
Folder to write the new certificates to. Default to |
|
--pfx |
string |
Name of the PKCS#12 file to write the enrolled certificate to. |
|
--pfx-pwd |
string |
Password of the PKCS#12 file to write the enrolled certificate to. |
|
--jks |
string |
Name of the JKS file to write the enrolled certificate to. |
|
--jks-pwd |
string |
Password of the JKS file to write the enrolled certificate to. |
|
--jks-alias |
string |
Alias of the JKS file to write the enrolled certificate to. |
|
--cert |
string |
Name of the file to write the enrolled certificate to in PEM format. |
|
--key |
string |
Name of the file to write the enrolled key to. |
|
--der |
boolean |
Save the certificate and key in DER format. |
|
--chain-file |
string |
Name of the file to write the enrolled certificate chain to. |
|
--user-store |
boolean |
Save the certificate in the windows user store. |
|
--machine-store |
boolean |
Save the certificate in the windows machine store. |
| Storage output for generic must choose between pfx, certificate, jks or windows store output. |
Examples
Enroll a new certificate in the default generic folder
horizon-cli automate init --automation-policy=<automation policy> --target=generic --cert cert.pem --key key.pem --chain-file chain.pemControl
The control command can take control of an existing certificate on your machine.
The control command can only be used on known and compliant with Horizon certificates.If the certificate needs to be enrolled, see the other commands to match your use case.
|
Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--automation-policy |
☑ |
string |
The automation policy to link the certificate to. |
--challenge |
string array (comma separated) |
See challenge section. |
|
--script |
string (path to file) |
See script section. |
|
--auto-renew |
boolean |
Configures a status check every 6 hours. |
|
--discovery-campaign |
string |
Also add discovery info on the enrolled certificate on the campaign passed. |
|
--analyze-only |
boolean |
Instead of executing the control, only displays a summary of possible actions. |
|
--no-interactive |
boolean |
Disables all interactive inputs. All parameters must then be given using cli flags. |
|
--prompt |
boolean |
Enable all interactive inputs. All parameters will now be asked for, except ones given using cli flags. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--target |
string array (comma separated) |
List of services to target. If not given, all available services are targeted. |
|
--no-install |
boolean |
Disables installation. |
|
--config-folder |
string (path to folder) |
Explicitly point your webserver configuration folder. |
|
--keystore-password |
string |
Password of the webserver’s keystore if it cannot be deduced from configuration |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--labels |
string array (comma separated, in label:value form) |
Horizon labels to add to the certificate on enrollment. |
|
--team |
string |
Horizon team to add to the certificate on enrollment |
|
--owner |
string |
Horizon owner to add to the certificate on enrollment |
|
--contact-email |
string |
Horizon contact email to add to the certificate on enrollment |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--acme-account |
☑ (if using ACME) |
string |
The identifier (email) of the ACME account to use when renewing. |
For generic control, it is as of now disabled outside the default folder (/opt/horizon/var/genric or C:\ProgramData\EverTrust\Horizon\Generic) to ensure no service interruption. Use post enrollment scripts to copy the certificate.
|
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--pfx |
string |
Name of the PKCS#12 file to control. |
|
--pfx-pwd |
string |
Password of the PKCS#12 file to control. |
|
--jks |
string |
Name of the JKS file to control. |
|
--jks-pwd |
string |
Password of the JKS file to control. |
|
--jks-alias |
string |
Alias of the JKS file to control. |
|
--cert |
string |
Name of the certificate file to control. |
|
--key |
string |
Name of the key file to control. |
|
--der |
boolean |
If true, the certificate and key to control are in DER format. |
|
--chain-file |
string |
Name of the file to write the enrolled certificate chain to. |
|
--user-store |
boolean |
Control the certificate in the windows user store. |
|
--machine-store |
boolean |
Control the certificate in the windows machine store. |
|
--thumbprint |
boolean |
Thumbprint of the certificate to control. To use with --machine-store or --user-store |
| Input for generic must choose between pfx, certificate, jks or windows store. |
Modify
The modify command allows to select a managed certificate and reenroll it, modifying its sans.
| Automation policy cannot be modified |
Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--challenge |
string array (comma separated) |
See challenge section. |
|
--script |
string (path to file) |
See script section. |
|
--discovery-campaign |
string |
Also add discovery info on the enrolled certificate on the campaign passed. |
|
--prompt |
boolean |
Enable all interactive inputs. All parameters will now be asked for, except ones given using cli flags. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--target |
string array (comma separated) |
List of services to target. If not given, all available services are targeted. |
|
--no-reload |
boolean |
Do not reload webservers after certificate enrollment. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--dnsnames |
string array (comma separated) |
List of DNS SANs. If not given, the machine hostname is used. |
|
--ip |
string array (comma separated) |
List of IP SANs. If not given, no ips are set. |
|
--labels |
string array (comma separated, in label:value form) |
Horizon labels to add to the certificate on enrollment. |
|
--team |
string |
Horizon team to add to the certificate on enrollment |
|
--owner |
string |
Horizon owner to add to the certificate on enrollment |
|
--contact-email |
string |
Horizon contact email to add to the certificate on enrollment |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--acme-account |
☑ (if using ACME) |
string |
The identifier (email) of the ACME account to use. |
Backup
Each time a file is replaced by the Horizon Client, the old file is backed up. The backup files are stored in the cert/backup/<HASH(BACKUPED FILE PATH)> directory relative to the Horizon Client data folder (/opt/horizon on unix and C:/ProgramData/EverTrust/Horizon on Windows), as filename_n.ext where n is the number of the backup. Thus, the filename_0.ext is the original version, before any intervention of the Horizon Client.
Internal Database operations
The internal database is used to store the details of the certificates that are discovered and enrolled by the automation module. You can list them using the automate list command, and delete them using the automate delete command. Certificates are indexed by their bindings, which are the combination of all the services along with the hostnames and ports that use the certificate. For example, if you have a certificate that is used by Apache for all hosts on the port 443, it’s "id" in the local database will be apache-*:443.
|
You can choose the output format of the |
The automate remove <id1> … <idn> command erases certificates from the local database.This command will not remove the certificate files from your machine, only remove it from the "managed certificates" local database.This way, the client will not check its status at each routine execution anymore.
|
You can use the |
The --restore option of the automate remove command can be used to restore a certificate from a backup file.The backup file to be restored will always be the older one, in most cases the filename_0.ext, that is, the original file before any tampering by the Horizon Client.For certificates stored in the windows store, the store thumbprints will be stored in a file corresponding to the server type, like iisbackups.
Routine
This command does not take any parameter.Its usage is described in the renewal section.
Management commands
Periodic task
To run the routine at specified intervals, the periodic task command can create scheduled execution on windows (scheduled task) and linux (cron).
Two commands are available, to remove and add the task.
Parameters
| Argument | Mandatory | Type | Description |
|---|---|---|---|
Period |
duration |
Run the routine command every |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--user |
string |
Linux only: The user to impersonate while running the routine. Defaults to root user. |
List
The list command lists the currently managed certificates and various information about them, notably the associated automation policy.
Remove
The remove command erases a certificate binding from the horizon-cli managed certificates.
Parameters
| Argument | Mandatory | Type | Description |
|---|---|---|---|
id |
string |
Id of the services to remove. See automate list to get the id. Use |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
--restore |
boolean |
Enables restoration of the oldest backup for the removed certificate. |
Examples
Enroll certificates used by nginx and apache
horizon-cli automate enroll \
--target=nginx,apache \
--automation-policy=<POLICY_NAME>Enroll certificates using the generic target
horizon-cli automate enroll \
--target=generic \
--automation-policy=<POLICY_NAME>Get the DN of all the certificates enrolled by the automation module
horizon-cli automate list --json | jq -r '.[] | .certificate | .subject'