Today the OpenDNS engineering team is releasing a DigiCert Issuer Plugin for Netflix’s recently released Lemur TLS certificate management tool.


Anyone who’s had to create, distribute, and manage SSL/TLS certificates can tell you how much of a pain it can be. It often involves many manual steps, which are both time-consuming and highly error-prone.

This is roughly what creating and requesting a TLS certificate used to look like for developers at OpenDNS:

  1. Generate private key and CSR locally
  2. Upload the CSR via CA’s web GUI portal
  3. Get request approved
  4. Download the certificate
  5. Install the certificate on web server
  6. Realize the certificate wasn’t in the proper format
  7. Re-install certificate
  8. (2 years later) Forget how to do the above and repeat at step 1

There is no reason each developer needs to waste countless hours weeding through an unscalable, manual process like this. Thus, when we set out to fix this issue, we fell in love with Netflix’s Lemur.

What we Built

Lemur came with Verisign support out of the box, but we use DigiCert around here. Fortunately, the authors of Lemur had enough foresight to build a plugin framework, which means we can easily share our DigiCert plugin for Lemur!

Now our process looks something like this:

  1. Log in to the Lemur web GUI
  2. Fill out the form with certificate details (CN, validity period, etc.) and hit request
    1. Private key and CSR are magically created behind the scenes. Lemur interacts with CA’s API to request and retrieve certificate.
  3. Transfer key and cert materials to secrets management service
  4. Keys and certificates are deployed to server via secrets management service
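
What the "behind the scenes" part of step 2 amounts to, sketched with the openssl CLI as an added example (this is not Lemur's or the plugin's own code; the function names and the hostname are made up here). It also confirms that the CSR carries the public half of the generated key before anything would go to a CA:

```shell
#!/bin/sh
# Added example, not Lemur code. Hostname and function names are constructed.

# make_csr <common-name> <out-dir>: writes <out-dir>/key.pem and <out-dir>/req.csr
make_csr() {
    cn=$1; dir=$2
    # Subshell keeps the restrictive umask from leaking into the caller;
    # the unencrypted key must never be group- or world-readable.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/key.pem" -out "$dir/req.csr" \
            -subj "/CN=$cn" 2>/dev/null
    )
}

# csr_matches_key <csr> <key>: succeeds only if the CSR embeds the public key
# that belongs to <key>. A mismatch means the issued certificate would be
# unusable with the key that gets deployed.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_subject <csr>: prints the subject for a last look before submission
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Demo with a constructed hostname; artifacts go to a throwaway directory.
work=$(mktemp -d)
make_csr www.example.test "$work" \
    && csr_matches_key "$work/req.csr" "$work/key.pem" \
    && csr_subject "$work/req.csr"
rm -rf "$work"
```
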

How to Get it

Head over to the GitHub page for instructions on setting it up and generating reports. Contributions are definitely welcome! Feel free to fork it and send feature requests. Hope you find it useful.