Configurations for Firefly¶
Configurations are the glue that ties all the parts together so that your Firefly can issue certificates. A configuration is a group of runtime settings that links the following:
- The sub CA provider that provides the template for Firefly's CA certificate. This sub CA provider will also issue Firefly's CA certificate when it starts up.
- The policies used to determine which certificates Firefly can issue to its clients, and which policies those clients are allowed to request from Firefly.
- The IdP (identity provider) Firefly should trust when receiving signed JWTs. Firefly supports JWKS and OIDC Discovery. You will need to know which of the two your organization uses, and the URLs for the IdP.
Tip
Before you create a Configuration, you will need to create a policy. Learn more
Create a configuration¶
- Sign in to Venafi Control Plane.
- Click Configurations > Firefly Configurations.
- On the Configurations page, click New.
- Enter a name for your configuration.
- Select your Sub CA Provider from the list.
- Select one or more Policies from the list.
- Select one or more Service Accounts Firefly can use to retrieve this configuration. A single service account can be connected to, and retrieve, only one configuration; a configuration, however, can be associated with multiple service accounts.
- Select the Minimum TLS Protocol Version. For the best protection, choose the highest version that your organization's servers and applications support.
- Choose a client authentication and authorization type. This setting controls how clients authenticate with Firefly: JWKS, OIDC Discovery, or None. Your organization probably already runs one of the first two, so you only need to connect Firefly to it.
    - If you choose JWKS, specify the URL(s) of the trusted public keys (the JWKS endpoint) that Firefly uses to validate incoming JWTs. Each URL must include the protocol and the FQDN, for example https://docs.venafi.cloud. If your IdP mandates specific claims, you can specify alias names for those claims in the Firefly configuration. Learn more
    - If you choose OIDC Discovery, specify the Base URL. Firefly uses it to retrieve metadata about the authorization server, including the token endpoint. Then specify the Audience (sometimes called a client ID), the unique identifier that registers Firefly with the identity provider; Firefly only accepts tokens issued for that audience, so use a value dedicated to Firefly rather than one shared with other applications. If your IdP mandates specific claims, you can specify alias names for those claims in the Firefly configuration. Learn more
    - Choose None when Firefly should not accept API clients that use JWT-based authentication (gRPC, GraphQL, or REST API). Firefly still accepts gRPC or REST API clients over Unix Domain Sockets (UDS), IID-based authentication over REST, and the cert-manager controller interface.
Note
If you want Amazon AWS, Microsoft Azure, or Google Cloud VM instances to request mTLS certificates, they can authenticate with a signed instance identity document (IID) instead of a client authorization type. Depending on the service you want to use, enter the required information:
- For AWS IIDs, provide one or more AWS account IDs. Regions are optional; if you do not include a region, IIDs from those AWS accounts are allowed from any region.
- For Azure IIDs, provide at least one Azure subscription ID.
- For Google Cloud IIDs, enter at least one Google Cloud project, by name or ID. Regions are optional; if you do not include a region, IIDs from those Google Cloud projects are allowed from any region.
Every instance in a listed account, subscription, or project can present a valid IID, so list only accounts you control and restrict regions where you can.
If the IID feature is enabled for any of the cloud providers, the Firefly config.yaml file must specify the identityDocument section with the server setting that identifies both the port and either the DNS name or IP address where the IID endpoint will be available.
- Click Create.
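The JWT trust settings chosen above (the JWKS or OIDC Discovery key source, the Audience, and claim aliases) all come into play when a client presents a token. The following Go program is an added example and is not Firefly's code or part of the Venafi documentation: it parses a JWKS document, verifies an EdDSA-signed JWT against the key named by the token's kid, rejects a token minted for a different audience and a forged token with "alg":"none", and applies a claim alias. The IdP key, the kid "k1", the audience "firefly-prod", the alias (sub read from preferred_username), and all tokens are constructed inline so it runs offline; with OIDC Discovery the same JWKS would be fetched from the jwks_uri named in the discovery document under the Base URL, rather than from a JWKS URL you enter directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// keysFromJWKS parses a JWKS document (served at the JWKS URL, or at the jwks_uri named in an OIDC discovery document) and indexes the Ed25519 keys by kid.
func keysFromJWKS(raw []byte) (map[string]ed25519.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, err
	}
	keys := map[string]ed25519.PublicKey{}
	for _, k := range set.Keys {
		x, err := enc.DecodeString(k.X)
		if k.Kty == "OKP" && k.Crv == "Ed25519" && err == nil && len(x) == ed25519.PublicKeySize {
			keys[k.Kid] = ed25519.PublicKey(x)
		}
	}
	return keys, nil
}

// signJWT mints an EdDSA token; it stands in for the IdP so the example runs offline (constructed, not a real IdP).
func signJWT(priv ed25519.PrivateKey, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(claims)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyJWT makes the checks a JWT-trusting service needs before acting on a token: the expected alg only (the header is
// attacker-controlled, so "none" must never select the check), a kid present in the JWKS, a valid signature, an unexpired token and the configured audience; then claim aliases are applied.
func verifyJWT(token string, keys map[string]ed25519.PublicKey, audience string, aliases map[string]string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, _ := enc.DecodeString(parts[0])
	cb, _ := enc.DecodeString(parts[1])
	sig, _ := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, fmt.Errorf("undecodable token")
	}
	if pub, ok := keys[hdr.Kid]; hdr.Alg != "EdDSA" || !ok || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("rejected: alg %q, kid %q, or signature not valid", hdr.Alg, hdr.Kid)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	if !hasAudience(claims["aud"], audience) {
		return nil, fmt.Errorf("audience mismatch: want %q", audience)
	}
	for want, emitted := range aliases { // expose the IdP's claim under the name the verifier expects
		if v, ok := claims[emitted]; ok {
			claims[want] = v
		}
	}
	return claims, nil
}

// hasAudience accepts "aud" as either a string or an array of strings (RFC 7519 section 4.1.3).
func hasAudience(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, x := range list {
		if x == want {
			return true
		}
	}
	return false
}

// Demo runs the verifier over constructed data (a valid token, one minted for another audience, a forged "alg":"none" token) and returns the valid token's claims plus the three verification errors.
func Demo() (claims map[string]any, validErr, audErr, noneErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys, _ := keysFromJWKS([]byte(fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":"k1","x":"%s"}]}`, enc.EncodeToString(pub))))
	aliases := map[string]string{"sub": "preferred_username"} // this hypothetical IdP emits preferred_username, not sub
	good := map[string]any{"aud": "firefly-prod", "exp": time.Now().Add(time.Hour).Unix(), "preferred_username": "workload-a"}
	claims, validErr = verifyJWT(signJWT(priv, "k1", good), keys, "firefly-prod", aliases, time.Now())
	other := map[string]any{"aud": []string{"other-app"}, "exp": time.Now().Add(time.Hour).Unix(), "preferred_username": "workload-b"}
	_, audErr = verifyJWT(signJWT(priv, "k1", other), keys, "firefly-prod", aliases, time.Now())
	forged := enc.EncodeToString([]byte(`{"alg":"none","kid":"k1"}`)) + "." + enc.EncodeToString([]byte(`{"aud":"firefly-prod","exp":4102444800}`)) + "."
	_, noneErr = verifyJWT(forged, keys, "firefly-prod", aliases, time.Now())
	return claims, validErr, audErr, noneErr
}

func main() { fmt.Println(Demo()) }
```

The verifier pins the algorithm and looks the key up by kid, so a token that names an unknown key or a different algorithm is rejected before any claim is acted on. The audience check is why a dedicated Audience value for Firefly matters: tokens the same IdP issues for other applications fail that check even though their signatures are valid.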
What's next?¶
You're done configuring your Firefly settings in Venafi Control Plane. Now it's time to deploy your Firefly server!