Skip to content

Configuring the Vault Venafi Secrets Engine integration

The Venafi Vault plug-in accepts additional arguments to the Vault write command to specify the Zone and the API key that the integration will use to communicate with Venafi as a Service.

Here is an example Vault write command to set up a role with a specified API key and zone along with Venafi-recommended default values to store certificate private keys:

    vault write venafi-pki/roles/cloud cloud_url= zone="Default" apikey=xxxxx-xxxx-
    xxxx-xxxxxx generate_lease=true store_by_cn="true" store_pkey="true"
    store_by_serial="true" ttl=1h max_ttl=1h
  • Use Your Parameters on the Automation page to determine which zone should be used to issue certificates.

screenshot

Note

Your Parameters displays the policies that must be conformed to when certificates are requested from the zone. Additional information and examples of setting up the issuer with Venafi Cloud and other Venafi solutions can be found in Venafi's Github page.