Skip to content

Configurations for Firefly

Configurations are the glue that tie all the parts together so your Firefly can issue certificates. Configurations are groups of runtime settings that link the following together:

  • The sub CA provider that provides the template for Firefly's CA certificate. This sub CA provider will also issue Firefly's CA certificate when it starts up.
  • The policies used to determine which certificates Firefly can issue to it's clients, and which policies those clients are allowed to request from Firefly.
  • The IdP (identity provider) Firefly should trust when receiving signed JWTs. Firefly supports JWKS and OIDC Discovery.

    You will need to know if your organization uses JWKS or OIDC Discovery, and you will need the URLs used for the IdP.


Before you create a Configuration, you will need to create a policy. Learn more

Create a configuration

  1. Sign in to Venafi Control Plane.
  2. Click Configurations > Firefly Configurations.
  3. On the Configurations page, click New.
  4. Enter a name for your configuration.
  5. Select your Sub CA Provider from the list.
  6. Select one or more Policies from the list.
  7. Select one or more Service Accounts Firefly can use to get the associated configurations.

    A single service account can be connected to and retrieve only one configuration. However, a specific configuration can be associated with multiple service accounts.

  8. Choose a client authentication and authorization type. This setting controls how clients authenticate with Firefly. Your organization probably already has one of these in place, so you just need to connect to it.

    • Specify the URL(s) to the trusted public key that Firefly can use to validate incoming JWTs. These need to include the FQDN as well as the protocol. Example:
    1. Specify the Base URL. This is used to retrieve metadata about the authorization server including the token endpoint.
    2. Specify the Audience (sometimes known as a client ID). This is a unique identifier that registers Firefly with the identity provider.

    If you want to enable Amazon AWS, Microsoft Azure, or Google Cloud VM instances to request mTLS certificates, they can do so using a signed identity document instead of a client authorization type. Depending on the service you want to use, enter the required information.

    • For AWS IIDs you need to provide one or more AWS account IDs. Regions are optional. If you do not include a region, then the IIDs for the AWS accounts are allowed for any region.
    • For Azure IIDs you need to provide at least one Azure subscription ID.
    • For Google Cloud IIDs you need to enter at least one Google Cloud project, either by it's name or ID. Regions are optional. If you do not include a region, then the IIDs for the Google Cloud projects are allowed for any region.

    If the IID feature is enabled for any of the cloud providers, the Firefly config.yaml file must specify the identityDocument section with the server to identify both the port, and either the DNS name or IP address where the IID endpoint will be available.

  9. Click Create.

What's next?

You're done configuring your Firefly settings in Venafi Control Plane. Now it's time to deploy your Firefly server!