Issuer and Venafi Control Plane
We have two control planes you can connect CyberArk Workload Identity Manager (formerly known as Firefly) to: Venafi Control Plane or TLS Protect Datacenter. In this section you will learn how to use Issuer with Venafi Control Plane. For information on how to use Issuer with TLS Protect Datacenter, see Issuer and TLS Protect Datacenter.
To help you get started using Issuer on Venafi Control Plane, review the following information and complete all steps.
This document is intended to provide you with a high level understanding of the process, from start to finish. The details of how to do specific steps are in the linked topics. Use this document as a road map to help you get started with Issuer.
Prerequisites
Before you begin, meet the following requirements:
- A Linux server with Docker installed.
- Download and run the Issuer Docker image.
Make sure you have access
Use the product switcher (in the upper right, near your user icon) to open the Issuer administrative interface. If you don't see Issuer in the product switcher, try the following solutions.
Make sure your user is a PKI Administrator or System Administrator. The Issuer web interface is currently only available to administrators.
If you aren't an administrator, start with Issuer Developer Mode as documented in Dev Central.
Once you are happy with deploying and using Issuer, talk to your TLS Protect Cloud admins about using Issuer with the Control Plane.
If you don't see Issuer in the product switcher, your account may not have Issuer enabled.
You can sign up for an Issuer trial (which will create a new TLS Protect Cloud tenant where you can evaluate Issuer without impacting your existing environment), or you can contact your Venafi Sales account executive about starting an Issuer trial in your existing TLS Protect Cloud tenant.
Let's begin
Here are the steps we'll take in getting started with CyberArk Workload Identity Manager (formerly known as Firefly):
- Issuer and Venafi Control Plane
- Prerequisites
- Make sure you have access
- Step 1: Create a CA account
- Step 2: Create a subordinate CA provider
- Step 3: Create a new policy
- Step 4: Create a team
- Step 5: Add a service account
- Step 6: Create a new configuration
- Step 7: Deploy Issuer using Docker or Kubernetes
- Step 8: Start requesting certificates
- Step 9: Review certificates in the inventory
- What's next
Step 1: Create a CA account
Machine identity management is about trust. You want to ensure that the certificates Issuer issues can be trusted. For that, they need to chain back to a trusted certificate authority. So your first step is to connect Issuer to a certificate authority.
Tip
While Issuer does have its own built-in certificate authority, it's not designed for production use. However, if you are deploying Issuer in a test or development environment, you can probably skip this step.
In addition to Venafi's built-in CA, you can add connections to Microsoft AD CS, as well as to Zero Touch PKI.
Learn how to link a CA account
Step 2: Create a subordinate CA provider
Subordinate CA (sub CA) providers are necessary because they do the following:
- Determine which CA account will issue the CA certificate for Issuer.
- Determine the composition of the CA certificate for the Issuer.
Sub CA providers link back to a specific CA account. Depending on the CA account, they also can have a limited scope. For example, with Microsoft AD CS, you are required to select an AD CS issuing template. If you wanted to use multiple AD CS issuing templates, you would create multiple sub CA providers for Microsoft AD CS.
Learn how to configure sub CA providers
Step 3: Create a new policy
Chances are you don't want your end users generating CSRs without any kind of restriction. At a minimum, you generally want to specify the key algorithms that can be used to generate the CSRs. Policies are sets of rules that allow you to enforce organizational policies on what kinds of certificates can be issued. Policies can have default settings that users can override, or they can be enforced settings, so CSRs can't be generated outside the policy's defined values.
Policies constrain certificate issuance and key generation by your users. You can have multiple policies with different settings to meet a wide array of organizational applications.
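As an added illustration of what enforcing a key-algorithm rule on an incoming CSR looks like (this is example code, not Issuer's own code or its policy format), the following Go program parses a PEM CSR, checks the requester's proof of possession, and rejects keys outside the allowed set. The KeyPolicy structure, its field names, and the sample policy values (P-256 only for EC, RSA at 3072 bits or more) are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyPolicy is a hypothetical, minimal stand-in for the key-algorithm rules a
// policy enforces on incoming CSRs. It is not Issuer's policy format.
type KeyPolicy struct {
	AllowRSA      bool
	MinRSABits    int
	AllowedCurves map[string]bool // curve names as reported by Go, e.g. "P-256"
}

// CheckCSRKey parses a PEM-encoded CSR, confirms the request is signed by the
// key it carries (proof of possession), and checks that key against the policy.
// A nil return means the CSR is acceptable.
func CheckCSRKey(csrPEM []byte, pol KeyPolicy) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if !pol.AllowRSA {
			return errors.New("policy does not permit RSA keys")
		}
		if bits := pub.N.BitLen(); bits < pol.MinRSABits {
			return fmt.Errorf("RSA key is %d bits, policy minimum is %d", bits, pol.MinRSABits)
		}
	case *ecdsa.PublicKey:
		if name := pub.Curve.Params().Name; !pol.AllowedCurves[name] {
			return fmt.Errorf("policy does not permit curve %s", name)
		}
	default:
		return errors.New("policy does not permit this key type")
	}
	return nil
}

// MakeCSR builds a CSR for the given key; used here to construct sample input.
func MakeCSR(key crypto.Signer, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	// Constructed policy: P-256 only for EC keys, RSA allowed but at least 3072 bits.
	pol := KeyPolicy{AllowRSA: true, MinRSABits: 3072, AllowedCurves: map[string]bool{"P-256": true}}
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	for name, key := range map[string]crypto.Signer{"P-256": ecKey, "RSA-2048": rsaKey} {
		csr, _ := MakeCSR(key, name+".workload.example.internal")
		fmt.Printf("%s CSR: %v\n", name, CheckCSRKey(csr, pol))
	}
}
```

The signature check matters as much as the algorithm check: a CSR whose self-signature does not verify proves nothing about who holds the private key, so it is rejected before the policy is even consulted.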
Step 4: Create a team
You need a team before you can create a service account. Issuer makes it easy to create one, and owning the service account through a team helps ensure continued access to it regardless of team membership changes.
Learn how to create a team for Issuer
Step 5: Add a service account
Service accounts allow your Issuer systems to authenticate with TLS Protect Cloud so they can obtain the configuration settings, and communicate with the Venafi Control Plane.
Learn how to create a service account for Issuer
Step 6: Create a new configuration
Once you have one or more policies, you create a configuration. Configurations are the Issuer runtime configurations that link the following together:
- The sub CA provider that will provide the template for the Issuer's CA certificate. This sub CA provider will also issue Issuer's CA certificate when it starts up.
- The policies that will be used to determine the certificates Issuer can issue to its clients, and which policies those clients are allowed to request from Issuer.
- The identity provider Issuer should trust when evaluating the JWTs that clients present to it.
Issuer supports the following identity provider methods for evaluating the validity of JWTs it receives:
- JWKS (JSON Web Key Set), which contains a list of public keys we use to verify the signature of the JWT.
- OIDC Discovery, which uses an SSO provider (like Okta or Azure) to verify the signature of the JWTs.
You will need to know if your organization uses JWKS or OIDC Discovery, and you will need the URLs used for the IdP.
Learn how to create a configuration
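To show what the two identity provider methods above mean in practice, here is an added Go example; it is not part of Issuer and does not use Issuer's API. It verifies an ES256 JWT either against a key set fetched from a JWKS URL directly, or by first reading the issuer's OIDC discovery document and following its jwks_uri to the key set. The issuer URL, key id, and the in-memory Docs map that stands in for HTTPS fetches are constructed for the example; SignES256 exists only to mint test tokens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Docs stands in for HTTPS GET so the example runs offline: each URL maps to the
// constructed JSON document a real identity provider would serve there.
type Docs map[string][]byte

func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func b64d(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// JWKSJSON renders a one-key JWKS document (RFC 7517) for a P-256 public key.
func JWKSJSON(pub *ecdsa.PublicKey, kid string) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":"%s","x":"%s","y":"%s"}]}`,
		kid, b64u(pub.X.FillBytes(make([]byte, 32))), b64u(pub.Y.FillBytes(make([]byte, 32)))))
}

// SignES256 mints a compact ES256 JWT; used here only to construct test tokens.
func SignES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64u(hdr) + "." + b64u(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64u(sig), nil
}

// VerifyJWT checks a client token the way either identity-provider method would:
// with jwksURL set, the key set is fetched directly (JWKS mode); with it empty,
// the OIDC discovery document under the issuer is fetched and its jwks_uri
// followed. The key is chosen by kid, the ES256 signature verified, then iss
// and exp are checked against the expected issuer and the supplied clock.
func VerifyJWT(token, issuer, jwksURL string, docs Docs, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hdrJSON, err := b64d(parts[0])
	// The verifier pins the algorithm; the token's alg header never selects one.
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	if jwksURL == "" { // OIDC Discovery: locate the key set through the issuer's metadata
		var d struct {
			Issuer  string `json:"issuer"`
			JWKSURI string `json:"jwks_uri"`
		}
		doc := docs[strings.TrimSuffix(issuer, "/")+"/.well-known/openid-configuration"]
		if json.Unmarshal(doc, &d) != nil || d.Issuer != issuer {
			return nil, errors.New("discovery document missing or issuer mismatch")
		}
		jwksURL = d.JWKSURI
	}
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } }
	if json.Unmarshal(docs[jwksURL], &set) != nil {
		return nil, fmt.Errorf("no usable JWKS at %q", jwksURL)
	}
	var pub *ecdsa.PublicKey
	for _, k := range set.Keys {
		xb, errX := b64d(k.X)
		yb, errY := b64d(k.Y)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		}
	}
	sig, err := b64d(parts[2])
	if pub == nil || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("no P-256 key for kid %q or malformed signature", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	body, err := b64d(parts[1])
	if err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	exp, ok := claims["exp"].(float64)
	if claims["iss"] != issuer || !ok || now >= int64(exp) {
		return nil, errors.New("issuer mismatch, exp missing, or token expired")
	}
	return claims, nil
}
```

In both modes the verifier ends up with the same public key set; the difference is only whether the JWKS URL is configured directly or discovered from the issuer's metadata, which is why you need to know which method your organization uses and the corresponding URLs. A production verifier fetches these documents over HTTPS, caches the key set, and re-fetches on an unknown kid to pick up key rotation.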
Step 7: Deploy Issuer using Docker or Kubernetes
Now that you've configured the Control Plane to work with your Issuer server, you need to take some steps to deploy the Issuer server so you can use it to issue certificates. You can deploy the Issuer server in a Kubernetes cluster using a Helm chart, or using a Docker container.
Learn how to deploy Issuer instances using Kubernetes or using Docker
Step 8: Start requesting certificates
With Issuer configured and running, you're ready to use the APIs you enabled (gRPC or REST) to request certificates from Issuer. Learn more about that in our API documentation.
Issuer API Reference for Clients
Step 9: Review certificates in the inventory
That's it! Issuer has been deployed, and if you followed the previous step, it has already started issuing certificates. Now you can watch the Issuer Certificates page to see what certificates Issuer has issued.
Learn about the Issuer Certificate inventory
What's next
Once your Issuer instances are deployed, you can use the Issuer Certificate page to see an inventory of all certificates that have been issued by an Issuer instance.
For help while using the Issuer user interface, click the "What can I do here?" link found on each page to launch the related Quick Help.