Internal Certificate Automation with bash, openssl, and sscep
I use a very generic approach for certificate automation because I like to be able to pick up and go to a new system and have things "just work". I created this automation method to make issuing new certs easy and to build a renewal pipeline that is touchless.
Essentially, there is a domain/fqdn path per cert. Each path has a config and script that will be run to generate a new CSR config file.
For a backend PKI I use OpenXPKI. These scripts use a compiled sscep program from https://github.com/certnanny/sscep to send the CSRs to OpenXPKI's SCEP endpoint (SCEP is a PKCS#7-wrapped request/response protocol carried over HTTP, which is what sscep speaks).
Workflow
To issue a new cert create the folder path and populate with the minimum files:
- key.pw (the key's encryption passphrase; keep it readable only by the account that runs the scripts)
- gen.sh (edited with the cert's CN, SANs, etc.; it writes the CSR config for openssl)
- issue.cnf (copied as-is)
- renew.cnf (copied as-is)
Then run ./issue.sh at the top level. It goes through each folder and only runs the per-folder issue step if a cert doesn't already exist. If a cert already exists, it means we should be running ./renew.sh instead. Likewise, ./renew.sh only renews certs that exist.
New certs (i.e. issue.sh) need to be manually approved in OpenXPKI. Afterwards, renew.sh signs the SCEP request with the old cert and key, so OpenXPKI auto-approves the request as long as that cert is still valid. Up to 5 certs with the same Subject can be issued at once. The ./renew.sh command can be put into a cron job to automate this task.
Automation
- A cron job runs ./renew.sh daily to see if any certs are less than 10 days from expiry. If they are, it renews them; if not, it skips them. Renewal is automatically approved because the SCEP requests to OpenXPKI are signed with the current cert (one of OpenXPKI's auto-approval methods), which works only while that cert is not expired. The 10-day window therefore has to be wide enough that a few failed cron runs still leave a valid cert to sign with; once it has expired, the renewal falls back to a manually approved issue.
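The issue/renew loop described in the Workflow and Automation sections above, as an added example. It is not the author's issue.sh/renew.sh: it folds both into one script that takes "issue" or "renew" as its mode, decides per directory with "openssl x509 -checkend", and calls sscep. Assumptions not in the original: the SCEP URL and CA cert path, that gen.sh writes csr.cnf for "openssl req", that the script keeps key.pem/csr.pem/cert.pem next to the page's four files, and that the compiled sscep reads only unencrypted PEM keys, so the passphrase-protected key is decrypted into a 0600 temp file for the call. The sscep flags (-u, -c, -k, -r, -K, -O, -l, -t, -n) are taken from sscep's usage text; check them against the build you compiled.

```shell
#!/bin/sh
# Added example, not the author's scripts. Assumed layout per cert directory:
# key.pw, gen.sh (assumed to write csr.cnf), issue.cnf, renew.cnf; this script
# adds key.pem, csr.pem and cert.pem. SCEP_URL and CA_CERT are assumed values.
set -eu

SCEP_URL="${SCEP_URL:-https://pki.example.internal/scep/scep}"  # assumed
CA_CERT="${CA_CERT:-./ca.crt}"          # assumed; fetched once with "sscep getca"
RENEW_DAYS="${RENEW_DAYS:-10}"
SSCEP="${SSCEP:-sscep}"

# Returns 0 if the cert in $2 expires within $1 days (or is already expired).
# "openssl x509 -checkend" exits 0 only when the cert is still valid then.
cert_expires_within() {
  if openssl x509 -checkend "$(( $1 * 86400 ))" -noout -in "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints issue, renew or skip for one cert directory.
decide_action() {
  if [ ! -s "$1/cert.pem" ]; then
    echo issue
  elif cert_expires_within "$RENEW_DAYS" "$1/cert.pem"; then
    echo renew
  else
    echo skip
  fi
}

# Decrypts a passphrase-protected key into a 0600 temp file for sscep
# (assumption: this sscep build reads only unencrypted keys). Caller removes it.
plain_key() {
  tmp=$(mktemp)
  openssl pkey -in "$1" -passin "file:$2" -out "$tmp"
  echo "$tmp"
}

# Fresh key (passphrase from key.pw) plus a CSR from the directory's CSR config.
make_key_and_csr() {
  ( cd "$1" && sh ./gen.sh )   # assumed: writes $1/csr.cnf with the CN/SANs
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -aes-256-cbc -pass "file:$1/key.pw" -out "$1/key.new.pem"
  openssl req -new -config "$1/csr.cnf" -key "$1/key.new.pem" \
    -passin "file:$1/key.pw" -out "$1/csr.pem"
}

enroll_dir() {
  dir="$1"; action="$2"; oldkey=""
  make_key_and_csr "$dir"
  newkey=$(plain_key "$dir/key.new.pem" "$dir/key.pw")
  trap 'rm -f "$newkey" "${oldkey:-}"' EXIT INT TERM
  case "$action" in
    issue)
      # Self-signed request: OpenXPKI parks it for manual approval, so poll
      # briefly (-t interval, -n count) and approve it while sscep is polling.
      "$SSCEP" enroll -u "$SCEP_URL" -c "$CA_CERT" -k "$newkey" \
        -r "$dir/csr.pem" -l "$dir/cert.new.pem" -t 30 -n 10 \
        || echo "$dir: sscep exited $? (request may be pending)" >&2 ;;
    renew)
      # Same request, but signed with the current key/cert (-K/-O): OpenXPKI
      # auto-approves it while that cert is still valid.
      oldkey=$(plain_key "$dir/key.pem" "$dir/key.pw")
      "$SSCEP" enroll -u "$SCEP_URL" -c "$CA_CERT" -k "$newkey" \
        -r "$dir/csr.pem" -K "$oldkey" -O "$dir/cert.pem" \
        -l "$dir/cert.new.pem" -t 30 -n 10 \
        || echo "$dir: sscep exited $?" >&2 ;;
  esac
  rm -f "$newkey" "$oldkey"
  trap - EXIT INT TERM
  # Swap the new key in only once the CA actually returned a certificate.
  if [ -s "$dir/cert.new.pem" ]; then
    mv "$dir/key.new.pem" "$dir/key.pem"
    mv "$dir/cert.new.pem" "$dir/cert.pem"
  fi
}

# Walks every cert directory under $2 (default: cwd). MODE is "issue" or
# "renew": issue.sh and renew.sh become the same file with a different argument.
run() {
  mode="$1"; root="${2:-.}"
  for dir in "$root"/*/; do
    dir="${dir%/}"
    [ -f "$dir/key.pw" ] || continue
    action=$(decide_action "$dir")
    if [ "$action" = "$mode" ]; then
      echo "$dir: $action"
      enroll_dir "$dir" "$action"
    else
      echo "$dir: skip ($action)"
    fi
  done
}

# Stand-alone use: ./certs.sh issue    or, from cron:    ./certs.sh renew
if [ $# -gt 0 ]; then run "$@"; fi
```

Because "openssl x509 -checkend" also reports an already-expired cert as "will expire", an expired cert is still routed to the renew path; OpenXPKI will not auto-approve that request, so the sscep error on stderr is the signal to approve it by hand. A cron entry such as `15 3 * * * /opt/certs/certs.sh renew /opt/certs` gives the daily run the page describes.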