Adding a CA account in Venafi as a Service

When you add a CA account, you create a connection to a Certificate Authority that provides certificate life cycle services.

Important

You must be an Admin or PKI Admin to add a new CA account.

To add a new CA account

  1. In the menu bar, click Settings > CA Accounts.

    Tip

    Venafi as a Service comes with a built-in CA, which you can use for testing purposes or for any applications or use cases that don't require a publicly trusted certificate.

  2. Click New.

  3. Enter an Account Name, then select a Certificate Authority from the list.

  4. Depending on the CA you chose, you'll be asked to supply your CA account's credentials.

    1. On the Venafi as a Service home page, click Settings > CA Accounts.
    2. In CA accounts, click Add New Account.
    3. Copy and paste your API Key from DigiCert CertCentral.

      Important

      You must have the Manager role or higher in DigiCert CertCentral.

    4. Click Add Account.

    If you don't yet have a GlobalSign account, visit https://www.globalsign.com/en/lp/venafi/ to create one.

    1. On the Venafi as a Service home page, click Settings > CA Accounts.

    2. In CA accounts, click Add New Account.

    3. Select GlobalSign as the Certificate Authority.

    4. Browse to your Credentials File.

      How do I find my GlobalSign credentials file?

      The credentials file is supplied to you directly when you create your account.

    5. Click Authenticate.

      Note and Example

      After you authenticate, we'll show you GlobalSign's validation policy. This is a list of requirements that your certificate request must comply with before GlobalSign will issue a certificate for you. We'll also display this information in a more readable form when you start setting up policies for your organization.

      Example

      {
        'validity': {'secondsmin': 60, 'secondsmax': 7776000, 'notBeforeNegativeSkew': 200, 'notBeforePositiveSkew': 200},
        'subjectDn': {
          'commonName': {
            'presence': 'REQUIRED',
            'format': '^([a-z0-9-_]+\.)*(venafi\.io|vfidev\.com|thehotelcook\.com)$'
          },
          'organization': {'presence': 'STATIC', 'format': 'Venafi, Inc.'},
          'organizationalUnit': {'isStatic': false, 'list': ['^.*$'], 'mincount': 0, 'maxcount': 3},
          'country': {'presence': 'STATIC', 'format': 'US'},
          'state': {'presence': 'STATIC', 'format': 'UT'},
          'locality': {'presence': 'STATIC', 'format': 'Salt Lake City'},
          'streetAddress': {'presence': 'FORBIDDEN', 'format': ''},
          'email': {'presence': 'FORBIDDEN', 'format': ''},
          'joiLocalityName': {'presence': 'FORBIDDEN', 'format': ''},
          'joiStateOrProvinceName': {'presence': 'FORBIDDEN', 'format': ''},
          'joiCountryName': {'presence': 'FORBIDDEN', 'format': ''},
          'businessCategory': {'presence': 'FORBIDDEN', 'format': ''}
        },
        'extendedKeyUsages': {
          'ekus': {
            'isStatic': true,
            'list': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'],
            'mincount': 2,
            'maxcount': 2
          },
          'critical': false
        },
        'publicKey': {'keyType': 'RSA', 'allowedLengths': [4096, 3072, 2048], 'keyFormat': 'PKCS10'},
        'publicKeySignature': 'FORBIDDEN'
      }

    6. After the credential is authenticated, click Add Account.

      In CA Accounts, you'll see a tile for the new GlobalSign account you added.

    Entrust Certificate Services features a tool that helps streamline the procurement and administration of SSL certificates. Venafi Cloud has partnered with Entrust Certificate Services to give you the ability to quickly and easily request and renew certificates.

    1. On the Venafi as a Service home page, click Settings > CA Accounts.

    2. In CA accounts, click New.

    3. Type in an Account Name for your Entrust account.

    4. Select Entrust from the Certificate Authority list.

    5. Upload an API SSL (client) certificate.

      Note

      The client certificate must have the Client Authentication EKU.

      How do I create a client certificate?
      1. Log in to the Entrust Certificate Services web console.
        1. In the top menu, navigate to Administration > Advanced Settings.
        2. Click API.
        3. Click the highlighted link to download the REST API for ECS Enterprise User Guide and Method Reference.
        4. Follow the steps in the Authentication section that includes instructions on how to create a public/private key pair, SSL certificate, and an API user and key.
    6. After you've uploaded the certificate, private key, and chain in PKCS#12 format, enter its passphrase.

    7. Type your Entrust username and provide the associated API Key. To learn how to retrieve your Entrust API key, see Entrust's Help document here.
    8. Click Validate.
    9. After successful authentication, click Add Account.
  5. When you're done, click Add Account.

    You'll see the CA account you created as a new tile on the CA accounts page.
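
The GlobalSign validation policy shown in the example above can be used as a pre-flight check before a request is submitted. The Python below is an added example, not Venafi or GlobalSign code: it embeds a subset of that policy and checks a planned request against it. The request dictionary layout, the function name `check_request`, and the reading of `REQUIRED` (must be present and match `format`), `STATIC` (value fixed to `format`) and `FORBIDDEN` (must be absent) are assumptions made for illustration.

```python
import re

# Subset of the validation policy shown on the page, as a Python dict.
POLICY = {
    "validity": {"secondsmin": 60, "secondsmax": 7776000},
    "subjectDn": {
        "commonName": {"presence": "REQUIRED",
                       "format": r"^([a-z0-9-_]+\.)*(venafi\.io|vfidev\.com|thehotelcook\.com)$"},
        "organization": {"presence": "STATIC", "format": "Venafi, Inc."},
        "country": {"presence": "STATIC", "format": "US"},
        "email": {"presence": "FORBIDDEN", "format": ""},
    },
    "publicKey": {"keyType": "RSA", "allowedLengths": [4096, 3072, 2048]},
}

def check_request(request, policy=POLICY):
    """Return a list of policy violations for a planned certificate request."""
    problems = []
    subject = request.get("subject", {})
    for field, rule in policy["subjectDn"].items():
        value = subject.get(field)
        presence = rule["presence"]
        if presence == "FORBIDDEN" and value:
            problems.append(f"{field}: forbidden by policy")
        elif presence == "STATIC" and value not in (None, rule["format"]):
            # Assumption: STATIC means the CA fixes the value to 'format'.
            problems.append(f"{field}: must be {rule['format']!r}")
        elif presence == "REQUIRED":
            # fullmatch, so a trailing newline cannot slip past the '$' anchor.
            if not value or not re.fullmatch(rule["format"], value):
                problems.append(f"{field}: missing or does not match policy format")
    v = policy["validity"]
    if not v["secondsmin"] <= request.get("validity_seconds", 0) <= v["secondsmax"]:
        problems.append("validity: outside allowed range")
    key = policy["publicKey"]
    if (request.get("key_type") != key["keyType"]
            or request.get("key_bits") not in key["allowedLengths"]):
        problems.append("publicKey: key type or length not allowed")
    return problems

# Constructed sample requests (not from the page).
GOOD = {"subject": {"commonName": "api.venafi.io", "country": "US"},
        "validity_seconds": 90 * 24 * 3600, "key_type": "RSA", "key_bits": 2048}
BAD = {"subject": {"commonName": "api.evilvenafi.io.example.com",
                   "email": "ops@example.com"},
       "validity_seconds": 365 * 24 * 3600, "key_type": "RSA", "key_bits": 1024}

if __name__ == "__main__":
    print(check_request(GOOD))
    for problem in check_request(BAD):
        print(problem)
```

The `commonName` pattern is anchored and lowercase-only, so look-alike suffixes and mixed-case names are rejected by this check before the request is submitted.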