Certificate authority accounts

One of the first steps you need to do when working with Firefly is to connect to a certificate authority (CA). The Certificate Authorities page shows you the CAs that have been configured for your organization, and allows you to create, edit, and delete connections to trusted certificate authorities.

The specified CA account will issue the CA certificate for Firefly.

Tip

You can skip this step if you want to use the existing built-in CA from Venafi, since it already exists. However, remember that the built-in CA is only intended for use in non-production environments.

Create a new CA Account

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.

  3. Click New and select the CA you want to connect to.

    For Zero Touch PKI, enter the following information.

    | Field | Description |
    |---|---|
    | Name | Choose a name for this CA connection. You will use this name when creating a sub CA account, so make it meaningful. |
    | Zero Touch PKI URL | Choose an existing Zero Touch PKI URL. (This requires you to have previously configured the Zero Touch PKI service.) |
    | API Key ID | Get this from the Zero Touch PKI server. |
    | API Key | Get this from the Zero Touch PKI server. |

    For Microsoft AD CS, a four-step wizard walks you through the configuration. These steps assume you already have servers set up for VSatellite and a VSatellite Worker. For details, see the VSatellite documentation.

    Use the following table for reference.

    | Step | Field | Description |
    |---|---|---|
    | Connection | Name | Choose a name for this CA connection. You will use this name when creating a sub CA account, so make it meaningful. |
    | Connection | VSatellite Worker | Select an existing VSatellite Worker, or click Deploy VSatellite Worker. (For details on deploying a VSatellite Worker, see Deploying VSatellite Workers.) |
    | Information | AD CS administrative address | Enter the IP address or the hostname of the Microsoft AD CS system. |
    | Information | Common name of the CA's certificate | This is the CN (common name) of the issuing (root) certificate as it appears in Microsoft Active Directory Certificate Services. It is also known as the Service Name. |
    | Information | Username and Password | Enter the credentials to log in to Microsoft AD CS. Click Test credentials to verify that Firefly can connect to AD CS. |
    | Issuance | Issuance template | Choose an AD CS issuing template that is for subordinate CA certificates. |
    | Import | (none) | Not applicable for Firefly. |

    For TLS Protect Datacenter, a three-step wizard walks you through the configuration. These steps assume you already have a server set up for VSatellite. For details, see the VSatellite documentation.

    Use the following table for reference.

    | Step | Field | Description |
    |---|---|---|
    | Connection | Name | Choose a name for this CA connection. You will use this name when creating a sub CA account, so make it meaningful. |
    | Connection | VSatellite | Select an existing VSatellite, or click Deploy VSatellite. (For details on deploying a VSatellite, see Deploying VSatellites.) |
    | Information | TLS Protect Datacenter API URL | Enter the base URL of the TLS Protect Datacenter API service. |
    | Information | Username and Password | Enter the credentials to log in to TLS Protect Datacenter. |
    | Information | Client ID | This is the identifier assigned to the API Integration in TLS Protect Datacenter. Click Next to verify that Firefly can connect to TLS Protect Datacenter. |
    | Issuance | Policy Folders | Enter abbreviated distinguished names of TLS Protect Datacenter policy folders (for example, Firefly\SubCA) configured to issue valid subordinate CA certificates that have key usages of digitalSignature and keyCertSign, and pathLenConstraint set to 0. |

  4. Click Create.
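Added example, not part of the Venafi documentation: a standard-library Go check that a subordinate CA certificate issued through the configured AD CS template or TLS Protect Datacenter policy folder actually carries the constraints step 3 calls for (CA basic constraint, keyUsage digitalSignature and keyCertSign, pathLenConstraint 0). The certificates it checks are constructed in memory so it runs offline; in practice you would `x509.ParseCertificate` the DER the CA returned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckSubCAConstraints returns one message per missing requirement; an empty
// slice means the certificate is acceptable as a Firefly sub CA certificate.
func CheckSubCAConstraints(cert *x509.Certificate) []string {
	var problems []string
	if !cert.BasicConstraintsValid || !cert.IsCA {
		problems = append(problems, "basicConstraints CA:TRUE is missing")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "keyUsage lacks digitalSignature")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "keyUsage lacks keyCertSign")
	}
	// A parsed cert reports pathLenConstraint=0 as MaxPathLen==0 with
	// MaxPathLenZero set; an absent constraint parses as MaxPathLen==-1.
	if cert.MaxPathLen != 0 || !cert.MaxPathLenZero {
		problems = append(problems, "pathLenConstraint is not 0")
	}
	return problems
}

// newTestCA builds a constructed, self-signed CA certificate whose keyUsage
// and pathLen settings stand in for what an issuing template would produce.
func newTestCA(keyUsage x509.KeyUsage, pathLenZero bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject:      pkix.Name{CommonName: "Firefly Sub CA (constructed)"},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: keyUsage,
		MaxPathLen: 0, MaxPathLenZero: pathLenZero, // pathLen omitted unless pathLenZero
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := newTestCA(x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true)
	bad, _ := newTestCA(x509.KeyUsageCertSign, false)
	fmt.Println("compliant template:", CheckSubCAConstraints(good)) // []
	fmt.Println("weak template:", CheckSubCAConstraints(bad))       // two findings
}
```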

What's next?

Now that you have one or more CAs registered, you need to create a sub CA.