Enabling Firefly detailed certificate issuance logging¶
Firefly now supports logging certificate issuance events, enhancing traceability and audit readiness. Operating as a subordinate Certificate Authority (CA), Firefly plays a critical role in enterprise PKI ecosystems—making visibility into issued certificates essential for detecting anomalies and meeting compliance requirements.
This capability is available in both cert-manager SaaS and Self-Hosted control planes and is designed to integrate seamlessly with centralized logging platforms such as Splunk.
Key Capabilities¶
- Centralized Logging of Certificate Events: Firefly can be configured to emit a detailed log entry for every certificate it issues. Logged fields include the requester identity, certificate metadata, and the issuance context (policy, interface, and operation).
- Optional Certificate Embedding: For deeper inspection and analytics, you can also include the full PEM-encoded certificate in each log entry. The PEM contains only the public certificate, never the private key, but it increases the size of every entry.
- Flexible Output Formats: Logs can be emitted as plain text or structured JSON, so they can be fed into a wide range of logging pipelines and analysis tools.
Turning on detailed certificate issuance logging¶
Important
This capability requires Firefly version 1.8.0 or later. Older versions will ignore the control plane configuration and will not emit detailed audit log messages.
You can enable detailed certificate issuance logging in the Venafi Control Plane UI.
- In the Venafi Control Plane UI, go to Configuration > Firefly Configurations.
- On the Firefly Configurations page, click the Firefly configuration for which you want to enable logging.
- In the panel that opens on the right of the page, select the Log certificate issuance information checkbox.
When selected, Firefly logs the requester and request details for each successfully issued certificate. Optionally, select the Include raw certificate data checkbox to also log the PEM-encoded certificate. Firefly writes all of this information to its standard logs in your environment.
Note
If you do not see the new configuration option on the Firefly configuration page, it means this feature is not enabled for your tenant. Please contact us to have it enabled.
If Firefly is running in a Kubernetes environment, the certificate issuance messages appear in the Pod logs, from where they can be collected by a SIEM (Security Information and Event Management) tool.
When Firefly runs as a standalone binary, the logs are written to standard output and can be redirected to a file, which a SIEM tool can then consume in the same way.
You can also enable this feature with the following properties in the Firefly security configuration. Both are shown here with their generated value of false: set enableIssuanceAuditLog to true to turn issuance logging on, and includeRawCertDataInAuditLog to true to also embed the PEM-encoded certificate in each entry.
```yaml
advancedSettings:
  enableIssuanceAuditLog: false
  includeRawCertDataInAuditLog: false
```
Venafi CLI tool release 1.21.0 (and later) includes these new attributes in the output of the generate subcommand. See the following generated manifest example:
```shell
% venctl configuration firefly generate
```
```yaml
subCaProvider:
  ...
minTlsVersion: TLS13
advancedSettings:
  enableIssuanceAuditLog: false
  includeRawCertDataInAuditLog: false
```
For more information on the Firefly security configuration, see Reference: TLS Protect Datacenter configuration.
Configuring the logging format¶
Firefly 1.8.0 or later supports two logging formats: text and json. The default format is text.
For environments that integrate with SIEM systems, use the json format: every field arrives as a typed, nested value that can be indexed directly, instead of having to be extracted from the text format with format-specific parsing.
Configuring the logging format on Kubernetes using Helm¶
Set deployment.logFormat to json, either with --set on the command line or in your values file. The two are equivalent, and --set takes precedence if both are given:
```shell
helm upgrade prod oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
  --install \
  --create-namespace \
  --namespace venafi \
  --values values.yaml \
  --set deployment.logFormat=json \
  --version v1.8.0
```
```yaml
# values.yaml
deployment:
  logFormat: json
config:
  bootstrap:
    vaas:
      ...
```
Configuring the logging format on Docker or as a standalone application¶
When running Firefly as a Docker container or as a standalone binary, specify the logging format with the --logging-format flag. For example:
```shell
docker run --user "$(id -u):$(id -g)" -e ACCEPT_TERMS=Y -p 8081:8081 -p 8123:8123 -p 8281:8281 --cap-add=IPC_LOCK \
  -v /opt/firefly/config.yaml:/etc/firefly/config.yaml:ro \
  -v /opt/firefly/svc-acct.key:/etc/firefly/svc-acct.key:ro \
  registry.venafi.cloud/public/venafi-images/firefly:v1.8.0 run -c /etc/firefly/config.yaml --logging-format=json
```
The --user flag runs the container as the invoking user rather than root, and the configuration and service-account key are mounted read-only.
Certificate issuance log schema¶
Sample output (json format):
```json
{
  "ts": 1746715392175.5826,
  "v": 0,
  "msg": "certificate issued",
  "data": {
    "instanceInfo": {
      "instanceName": "My Firefly Instance",
      "hostname": "my-ff-firefly-6997c76fc5-jc78c"
    },
    "certificate": {
      "subject": {
        "commonName": "my cert",
        "dn": "cn=my cert, o=acme"
      },
      "validity": {
        "from": "2025-05-08T12:03:12Z",
        "to": "2025-05-09T12:03:12Z"
      },
      "issuer": {
        "commonName": "my-ca",
        "dn": "cn=my-ca, o=my-org"
      },
      "altNames": {
        "dnsNames": ["foo.com", "bar.com"],
        "ipAddresses": [],
        "emailAddresses": [],
        "uris": []
      },
      "signatureAlgorithm": "ECDSA-SHA256",
      "keyType": "RSA_2048",
      "serialNumber": "709EA3B0E41DECD4011F4107A52B7F6A7BB4F2C4",
      "fingerprint": "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIDvTCCAqWgAwIBAgIUTn9nkPYOFy6CET1y4lhTHXh7Mxkw..."
    },
    "request": {
      "requester": {
        "identity": "alice"
      },
      "authentication": {
        "type": "JWT_OIDC"
      },
      "policyName": "my issuance policy",
      "interface": "grpc:tcp",
      "operation": "GENERATE_AND_SIGN"
    }
  }
}
```
Sample output (text format). The same fields are written as key="value" pairs with dotted keys; list-valued fields such as altNames are joined with ; and an empty list is written as []:
```text
I0620 16:37:03.304953 686079 auditlog.go:209] "certificate issued" logger="firefly.agent.server"
data.instanceInfo.instanceName="My Firefly Instance"
data.instanceInfo.hostname="my-ff-firefly-6997c76fc5-jc78c"
data.certificate.subject.commonName="my cert"
data.certificate.subject.dn="cn=my cert, o=acme"
data.certificate.validity.from="2025-05-08T12:03:12Z"
data.certificate.validity.to="2025-05-09T12:03:12Z"
data.certificate.issuer.commonName="my-ca"
data.certificate.issuer.dn="cn=my-ca, o=my-org"
data.certificate.signatureAlgorithm="ECDSA-SHA256"
data.certificate.keyType="RSA_2048"
data.certificate.serialNumber="709EA3B0E41DECD4011F4107A52B7F6A7BB4F2C4"
data.certificate.fingerprint="sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
data.certificate.pem="-----BEGIN CERTIFICATE-----\\nMIIDvTCCAqWgAwIBAgIUTn9nkPYOFy6CET1y4lhTHXh7Mxkw..."
data.request.requester.identity="alice"
data.request.authentication.type="JWT_OIDC"
data.request.policyName="my issuance policy"
data.request.interface="rest:tcp"
data.request.operation="GENERATE_AND_SIGN"
data.certificate.altNames.dnsNames="foo.com;bar.com"
data.certificate.altNames.ipAddresses="[]"
data.certificate.altNames.emailAddresses="[]"
data.certificate.altNames.uris="[]"
```
Certificate issuance log entry structure¶
Each certificate issuance log entry records the issuance of one certificate and the context of the request that produced it. Each entry includes the following properties:

| Property | Description |
|---|---|
| ts | Timestamp of the log entry. Example: 2025-05-08T12:03:12.175582603+01:00 (the json sample above shows the same field as a Unix epoch value in milliseconds, 1746715392175.5826). |
| v | Log verbosity level (0 in the samples above). |
| msg | Log message. Example: certificate issued. |
| data.instanceInfo.instanceName | The name of the Firefly instance that issued the certificate. Example: My Firefly Instance. |
| data.instanceInfo.hostname | The hostname of the Firefly pod or server that processed the request. Example: my-ff-firefly-6997c76fc5-jc78c. |
| data.certificate.subject.commonName | The Common Name (CN) from the certificate subject. Example: my-cert. |
| data.certificate.subject.dn | The full Distinguished Name (DN) string of the subject. Example: CN=my-cert,O=Example Corp,C=US. |
| data.certificate.validity.from | Start of the validity period (UTC, RFC 3339 format). Example: 2023-08-01T10:26:06.666+00:00. |
| data.certificate.validity.to | End of the validity period (UTC, RFC 3339 format). Example: 2024-08-01T10:26:06.666+00:00. |
| data.certificate.issuer.commonName | The Common Name (CN) of the issuer. Example: my-ca. |
| data.certificate.issuer.dn | The full Distinguished Name (DN) of the issuer. Example: CN=my-ca,O=my-org. |
| data.certificate.altNames.dnsNames | List of DNS SANs. Example: [ "*.foo.com" ]. In the text format the list is joined with ; and an empty list is written as []. |
| data.certificate.altNames.ipAddresses | List of IP address SANs, as strings. |
| data.certificate.altNames.emailAddresses | List of email address SANs. |
| data.certificate.altNames.uris | List of URI SANs. |
| data.certificate.signatureAlgorithm | The algorithm used to sign the certificate. Possible values: MD5-RSA, SHA1-RSA, SHA256-RSA, SHA384-RSA, SHA512-RSA, SHA256-RSAPSS, SHA384-RSAPSS, SHA512-RSAPSS, DSA-SHA1, DSA-SHA256, ECDSA-SHA1, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512, Ed25519. The MD5- and SHA1-based values are listed for completeness of the value set; an issuance entry carrying one of them is worth an alert. |
| data.certificate.keyType | The type and size of the certificate's public key. Possible values: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P384, EC_P521, EC_ED25519. |
| data.certificate.serialNumber | The certificate's serial number as a hexadecimal string. Example: 709EA3B0E41DECD4011F4107A52B7F6A7BB4F2C4. |
| data.certificate.fingerprint | The SHA-256 fingerprint of the certificate, prefixed with sha256:. Example: sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad. |
| data.certificate.pem | The PEM-encoded certificate, with newlines escaped. Only included when Include raw certificate data is selected in the UI or includeRawCertDataInAuditLog is true. Example: a block starting with -----BEGIN CERTIFICATE-----. |
| data.request.requester.identity | For JWT authentication: the sub (subject) claim of the JWT. For IID: the format depends on the cloud provider (AWS example: aws://account/123456789012/region/us-west-2/instanceId/i-1234567890abcdef0; Google example: google://projects/my-project/zone/us-west1-a/instances/example-vm; Azure example: azure://subscriptions/1abcd1234-5678-90ab-cdef-1234567890ab/resourceGroups/myresourcegroup/providers/Microsoft.Compute/virtualMachines/my-vm/objectId/12345678-1234-1234-1234-1234567890ab). |
| data.request.authentication.type | The method used to authenticate the certificate request sent to Firefly. Possible values: None, JWT_OIDC, JWT_JWKS, IID. |
| data.request.policyName | The name of the Firefly policy under which the certificate was issued. |
| data.request.interface | The interface through which the request was received. Possible values: grpc:tcp, grpc:uds, rest:tcp, rest:uds, cert-manager, kubernetes-csr. |
| data.request.operation | The type of operation performed. Possible values: GENERATE_AND_SIGN, SIGN_PUBLIC_KEY, SIGN_CSR. |
| data.request.requestedValidity | The validity period requested for the certificate, as an ISO 8601 duration (the RFC 3339 Appendix A syntax). Example: P1D. |
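To show how these entries are consumed downstream, here is an added example of my own (not Firefly or Venafi code) that parses both the json and the text format into one flat record shape and runs a few SIEM-style checks over it: a weak signature algorithm, an unauthenticated requester, a wildcard DNS SAN, a validity period longer than a policy ceiling, and a malformed fingerprint. The 90-day ceiling, the set of algorithms treated as weak, the assumption that every text-format entry starts with a klog-style header line followed by key="value" continuation lines as in the sample above, and the sample entries themselves are all constructed for this example.

```python
"""Parse Firefly certificate-issuance entries in both log formats into one flat record
shape and run SIEM-style checks.  Added example, not Firefly code; samples are constructed."""
import json
import re
from datetime import datetime

# Signature algorithms from the schema table that a modern subordinate CA should never emit.
WEAK_SIGNATURE_ALGORITHMS = {"MD5-RSA", "SHA1-RSA", "DSA-SHA1", "ECDSA-SHA1"}
MAX_VALIDITY_DAYS = 90  # assumed policy ceiling; align it with your Firefly issuance policy
# klog-style header assumed to start each text-format entry, as in the sample above.
_HEADER = re.compile(r'^[IWEF]\d{4} \d\d:\d\d:\d\d\.\d+ +\d+ \S+\] "(?P<msg>[^"]*)"')
_KV = re.compile(r'(\S+?)="((?:\\.|[^"\\])*)"')  # key="value", honouring \" and \\ escapes
_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # RFC 3339 -> aware datetime

def _flatten(obj, prefix=""):
    """Nested dicts -> dotted keys such as 'certificate.subject.dn'; lists stay lists."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        out.update(_flatten(value, path + ".") if isinstance(value, dict) else {path: value})
    return out

def parse_json_line(line):
    """One json-format entry -> flat record, or None if it is not an issuance event."""
    entry = json.loads(line)
    return _flatten(entry["data"]) if entry.get("msg") == "certificate issued" else None

def parse_text_log(text):
    """Text-format output -> flat records; an entry runs from one klog header to the next."""
    records, current = [], None
    for line in map(str.strip, text.splitlines()):
        header = _HEADER.match(line)
        if header:
            if current is not None:
                records.append(current)
            current = {"msg": header.group("msg")}
            line = line[header.end():]
        if current is None:
            continue  # anything before the first header
        for key, raw in _KV.findall(line):
            value = raw.replace('\\"', '"').replace("\\n", "\n")
            key = key[5:] if key.startswith("data.") else key  # same keys as the json flattening
            if key.startswith("certificate.altNames."):
                value = [] if value == "[]" else value.split(";")  # text format joins lists with ';'
            current[key] = value
    if current is not None:
        records.append(current)
    return [r for r in records if r.pop("msg", None) == "certificate issued"]

def check_record(record):
    """Return (finding, serialNumber) tuples for one issuance record."""
    serial = record.get("certificate.serialNumber", "?")
    findings = []
    sig = record.get("certificate.signatureAlgorithm")
    if sig in WEAK_SIGNATURE_ALGORITHMS:
        findings.append((f"weak signature algorithm {sig}", serial))
    if record.get("request.authentication.type") == "None":
        findings.append(("issued to an unauthenticated requester", serial))
    for name in record.get("certificate.altNames.dnsNames", []):
        if name.startswith("*."):
            findings.append((f"wildcard SAN {name}", serial))
    try:
        days = (_ts(record["certificate.validity.to"]) - _ts(record["certificate.validity.from"])).days
        if days > MAX_VALIDITY_DAYS:
            findings.append((f"validity of {days} days exceeds {MAX_VALIDITY_DAYS}", serial))
    except (KeyError, ValueError):
        findings.append(("missing or unparsable validity period", serial))
    if not re.fullmatch(r"sha256:[0-9a-fA-F]{64}", record.get("certificate.fingerprint", "")):
        findings.append(("malformed fingerprint", serial))
    return findings

def audit(json_lines=(), text_log=""):
    """Run the checks over entries from either format; returns a list of (finding, serial)."""
    records = [r for r in map(parse_json_line, json_lines) if r] + parse_text_log(text_log)
    return [finding for r in records for finding in check_record(r)]

# Constructed sample entries modelled on the page's two formats (not captured output).
JSON_SAMPLE = json.dumps({"ts": 1746715392175.5, "v": 0, "msg": "certificate issued", "data": {
    "certificate": {"subject": {"commonName": "my cert", "dn": "cn=my cert, o=acme"},
                    "validity": {"from": "2025-05-08T12:03:12Z", "to": "2025-05-09T12:03:12Z"},
                    "altNames": {"dnsNames": ["foo.com", "bar.com"], "ipAddresses": []},
                    "signatureAlgorithm": "ECDSA-SHA256", "keyType": "RSA_2048",
                    "serialNumber": "709EA3B0E41DECD4011F4107A52B7F6A7BB4F2C4", "fingerprint": "sha256:" + "ab" * 32},
    "request": {"requester": {"identity": "alice"}, "authentication": {"type": "JWT_OIDC"}}}})
TEXT_SAMPLE = r'''
I0620 16:37:03.000000 686079 server.go:42] "listening" addr="0.0.0.0:8123"
I0620 16:37:03.304953 686079 auditlog.go:209] "certificate issued" logger="firefly.agent.server"
data.certificate.subject.commonName="*.acme.example"
data.certificate.validity.from="2025-05-08T12:03:12Z"
data.certificate.validity.to="2026-05-08T12:03:12Z"
data.certificate.signatureAlgorithm="SHA1-RSA"
data.certificate.serialNumber="0A0B0C"
data.certificate.fingerprint="sha256:deadbeef"
data.certificate.pem="-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----"
data.request.authentication.type="None"
data.certificate.altNames.dnsNames="*.acme.example;acme.example"
data.certificate.altNames.ipAddresses="[]"
'''
```

Against real output, pass a pod's json log lines as audit(json_lines=...) and a standalone binary's redirected text output as audit(text_log=...). The JSON_SAMPLE entry produces no findings; the TEXT_SAMPLE entry produces five, one per check, and the non-issuance "listening" line is dropped by the parser. Each finding carries the serial number so it can be joined back to the certificate in your inventory, and the validity and fingerprint checks treat a missing or unparsable field as a finding rather than silently passing it.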