Skip to content

Workload Identity Manager and Certificate Manager - Self-Hosted

We have two control planes you can connect Workload Identity Manager to. Choose between the convenience of the SaaS-based Venafi Control Plane with Certificate Manager - SaaS, or the control of a self-hosted deployment with Certificate Manager - Self-Hosted. In this section you will learn how to use Workload Identity Manager with Certificate Manager - Self-Hosted. For information on how to use CyberArk Workload Identity Manager (formerly known as Firefly) with Venafi Control Plane, see Workload Identity Manager and Venafi Control Plane

Overview

In this section, Workload Identity Manager will be deployed on Kubernetes and configured to bootstrap its security settings directly from the Certificate Manager - Self-Hosted, eliminating the need to connect to any other CyberArk infrastructure.

The Workload Identity Manager security configuration enables security teams to define policies that align with corporate security requirements. These policies govern the subordinate certificate used to sign certificates requested by clients, the policies applied to the requested leaf certificates, as well as the authentication and authorization configuration for the client.

Once Workload Identity Manager is deployed and configured, it can serve certificate requests for various use cases, including modern scenarios like mTLS authentication for workloads, as well as traditional use cases such as TLS server termination.

In this way, the issued certificates are:

  • signed and trusted by your organization’s root CAs.

  • compliant with your organization’s PKI policy.

Workload Identity Manager will handle the load of signing certificate requests, even during high rates of certificate renewals, instead of the Certificate Manager - Self-Hosted. Certificate Manager - Self-Hosted will only be required when Workload Identity Manager is restarted or when renewing the subordinate CA certificate.

In this scenario, authentication between Workload Identity Manager and the Certificate Manager - Self-Hosted will use OIDC, where the Kubernetes cluster hosting Workload Identity Manager issues short-lived JWT credentials, which are then validated by Certificate Manager - Self-Hosted.

Prerequisites

  • An instance of Certificate Manager - Self-Hosted, configured with a certificate authority (such as ADCS), and a template that permits the issuance of subordinate CA certificates.

  • Access to the CyberArk Configuration Console to configure authentication settings.

  • A Kubernetes cluster where Workload Identity Manager will be deployed. The cluster must have its OIDC Discovery endpoint exposed for use by unauthenticated clients.

  • Check the network requirements.

Administrative functions

Configuring Workload Identity Manager to work with Certificate Manager - Self-Hosted requires work from more than one administrator:

  • A Certificate Manager - Self-Hosted platform administrator is needed to configure the user, API integrations, and JWT mapping.

  • A PKI administrator is required to create policy folders in Certificate Manager - Self-Hosted, as well as to generate, modify, and import the security configuration that Workload Identity Manager will use.

  • A Kubernetes Platform administrator is needed to bootstrap Workload Identity Manager, and must have information about how Workload Identity Manager will authenticate to Certificate Manager - Self-Hosted, security configuration, and bindings.

Let's begin

Here are the steps we'll take in getting started with Workload Identity Manager on Certificate Manager - Self-Hosted:

  1. Authenticating to Certificate Manager - Self-Hosted In this step you'll learn how to configure an API integration in Certificate Manager - Self-Hosted, and configure authentication settings for Workload Identity Manager.

  2. Create a CA template in Certificate Manager - Self-Hosted In this step you will create a new CA template. This will be used to sign the subordinate CA certificate for each Workload Identity Manager.

  3. Create a policy folder in Certificate Manager - Self-Hosted In this step you will create a Certificate Manager - Self-Hosted policy folder in which to store the security configuration and define policies for the issuance of the subordinate CA certificates.

  4. Push an Workload Identity Manager security configuration to Certificate Manager - Self-Hosted In this step you will create an Workload Identity Manager security configuration and store it in Certificate Manager - Self-Hosted.

  5. Deploy an Workload Identity Manager in Kubernetes In this final step, as a Kubernetes platform administrator, you will need to use the information from your Certificate Manager - Self-Hosted administrators regarding how Workload Identity Manager should authenticate with Certificate Manager - Self-Hosted, and which security configuration it will use.

Known issues

  • As best practice dictates following the principle of least privilege in security, it is recommended that the users used by your Workload Identity Manager instances to authenticate have minimal permissions in Certificate Manager - Self-Hosted. However, a side effect of this is that when Workload Identity Manager starts, you may see the warning message below, indicating insufficient rights to retrieve the security configuration. Although this message appears, Workload Identity Manager is still able to retrieve the security configuration, so you can safely ignore the warning:

    Warning   Secret Store - Insufficient Rights (Retrieve)    firefly had insufficient rights to retrieve the secret for entry 243046   Secret Store - Insufficient Rights (Retrieve)    firefly had insufficient rights to retrieve the secret for entry 243046

  • When Workload Identity Manager is managed by Certificate Manager - Self-Hosted and the subordinate issuer is Zero Touch PKI, you must specify the validity period of the requested subordinate certificate in the relevant Policies folder. This validity setting will be used when issuing the subordinate certificate. For more information, refer to the Zero Touch PKI installation instructions.

What's next?