Skip to content

Configurations for Issuer

Configurations are the glue that tie all the parts together so your Issuer can issue certificates. Configurations are groups of runtime settings that link the following together:

  • The sub CA provider that provides the template for Issuer's CA certificate. This sub CA provider will also issue Issuer's CA certificate when it starts up.
  • The policies used to determine which certificates Issuer can issue to it's clients, and which policies those clients are allowed to request from Issuer.

  • The IdP (identity provider) Issuer should trust when receiving signed JWTs. Issuer supports JWKS and OIDC Discovery.

    You will need to know if your organization uses JWKS or OIDC Discovery, and you will need the URLs used for the IdP.

Tip

Before you create a Configuration, you will need to create a policy. Learn more

Create a configuration

  1. Sign in to Venafi Control Plane.
  2. Click Configurations > Issuer Configurations.
  3. On the Configurations page, click New.
  4. In the General section, enter a name for your configuration.
  5. Select your Sub CA Provider from the list.
  6. Select one or more Policies from the list.

  7. Select one or more Service Accounts Issuer can use to get the associated configurations.

    A single service account can be connected to and retrieve only one configuration. However, a specific configuration can be associated with multiple service accounts.

  8. To log issued certificates, select Log certificate issuance information, and optionally, Include raw certificate data (as described in Enabling Firefly detailed certificate issuance logging), and then click Continue.

  9. In the Client Configuration section, select one or more Allowed Policies from the list.

  10. Select the Minimum TLS Protocol Version.

    For the best protection, you should choose the highest level supported by your organization's servers and applications.

  11. To log issued certificates, select Log certificate issuance information, and optionally, Include raw certificate data, as described in Enabling Issuer detailed certificate issuance logging.

  12. Choose a client authentication and authorization type. This setting controls how clients authenticate with Issuer. Your organization probably already has one of these in place, so you just need to connect to it.

    1. Specify the URL(s) to the trusted public key that Issuer can use to validate incoming JWTs. These need to include the FQDN as well as the protocol. Example: https://docs.venafi.cloud.

    2. If using an IdP that mandates specific claims, you can specify alias names for claims in the Issuer configuration. Learn more

    1. Specify the Base URL. This is used to retrieve metadata about the authorization server including the token endpoint.

    2. Specify the Audience (sometimes known as a client ID). This is a unique identifier that registers Issuer with the identity provider.

    3. If using an IdP that mandates specific claims, you can specify alias names for claims in the Issuer configuration. Learn more

    Choose None when Issuer shouldn't allow API clients using JWT-based authentication (gRPC or REST API), but will still allow API clients to use gRPC or REST API over Unix Domain Sockets (UDS), IID-based authentication with REST, or using the cert-manager controller interface.

    Note

    If you want to enable Amazon AWS, Microsoft Azure, or Google Cloud VM instances to request mTLS certificates, you can do so using a signed identity document instead of a client authorization type. Depending on the service you want to use, enter the required information.

    • For AWS IIDs you need to provide one or more AWS account IDs. Regions are optional. If you do not include a region, then the IIDs for the AWS accounts are allowed for any region.
    • For Azure IIDs you need to provide at least one Azure subscription ID.
    • For Google Cloud IIDs you need to enter at least one Google Cloud project, either by it's name or ID. Regions are optional. If you do not include a region, then the IIDs for the Google Cloud projects are allowed for any region.

    If the IID feature is enabled for any of the cloud providers, the Issuer config.yaml file must specify the identityDocument section with the server to identify both the port, and either the DNS name or IP address where the IID endpoint will be available.

  13. Click Create.

What's next?

You're done configuring your Issuer settings in Venafi Control Plane. Now it's time to deploy your Issuer server!