
Workload Identity Manager and Venafi Control Plane

There are two control planes you can connect CyberArk Workload Identity Manager (formerly known as Firefly) to: Venafi Control Plane or Certificate Manager - Self-Hosted. In this section you will learn how to use Workload Identity Manager with Venafi Control Plane. For information on how to use Workload Identity Manager with Certificate Manager - Self-Hosted, see Workload Identity Manager and Certificate Manager - Self-Hosted.

To help you get started using Workload Identity Manager on Venafi Control Plane, review the following information and complete all steps.

This document is intended to provide you with a high level understanding of the process, from start to finish. The details of how to do specific steps are in the linked topics. Use this document as a road map to help you get started with Workload Identity Manager.

Prerequisites

Before you begin, meet the following requirements:

Make sure you have access

Use the product switcher (in the upper right, near your user icon) to open the Workload Identity Manager administrative interface. If you don't see Workload Identity Manager in the product switcher, try the following solutions.

  • Make sure your user is a PKI Administrator or System Administrator. The Workload Identity Manager web interface is currently only available to administrators. If you are not an administrator, start with Workload Identity Manager Developer Mode as documented in Dev Central. Once you are happy with deploying and using Workload Identity Manager, talk to your Certificate Manager - SaaS admins about using Workload Identity Manager with the Control Plane.
  • If you still don't see Workload Identity Manager in the product switcher, your account may not have Workload Identity Manager enabled. You can sign up for a Workload Identity Manager trial (which creates a new Certificate Manager - SaaS tenant where you can evaluate Workload Identity Manager without impacting your existing environment), or you can contact your CyberArk Sales account executive about starting a Workload Identity Manager trial in your existing Certificate Manager - SaaS tenant.

Let's begin

Here are the steps we'll take in getting started with CyberArk Workload Identity Manager (formerly known as Firefly).

Step 1: Create a CA account

Machine identity management is about trust. You want to ensure that the certificates Workload Identity Manager issues can be trusted, which means they must chain back to a trusted certificate authority. So your first step is to connect Workload Identity Manager to a certificate authority.

Tip

While Workload Identity Manager does have its own built-in certificate authority, it's not designed for production use. However, if you are deploying a Workload Identity Manager instance in a test or development environment, you can probably skip this step.

In addition to CyberArk's built-in CA, you can add connections to Microsoft AD CS, as well as to Zero Touch PKI.

Learn how to link a CA account

Step 2: Create a subordinate CA provider

Subordinate CA (sub CA) providers are necessary because they do the following:

  • Determine which CA account will issue the CA certificate for Workload Identity Manager.
  • Determine the composition of the CA certificate for the Workload Identity Manager.

Sub CA providers link back to a specific CA account. Depending on the CA account, they also can have a limited scope. For example, with Microsoft AD CS, you are required to select an AD CS issuing template. If you wanted to use multiple AD CS issuing templates, you would create multiple sub CA providers for Microsoft AD CS.

Learn how to configure sub CA providers

Step 3: Create a new policy

Chances are you don't want your end users generating CSRs without any restrictions. At a minimum, you generally want to specify the key algorithms that can be used to generate the CSRs. Policies are sets of rules that let you enforce organizational requirements on what kinds of certificates can be issued. Each policy value can be a default that users may override, or an enforced value, so that CSRs can't be generated outside the policy's defined values.

Policies constrain certificate issuance and key generation by your users. You can have multiple policies with different settings to meet a wide array of organizational applications.

Learn how to create a policy

Step 4: Create a team

You need a team before you can create a service account, because service accounts are owned by teams rather than by individual users; this ensures continued access to the service account regardless of team membership changes. Workload Identity Manager makes it easy to create a team.

Learn how to create a team for Workload Identity Manager

Step 5: Add a service account

Service accounts allow your Workload Identity Manager systems to authenticate with Certificate Manager - SaaS so they can obtain the configuration settings, and communicate with the Venafi Control Plane.

Learn how to create a service account for Workload Identity Manager

Step 6: Create a new configuration

Once you have one or more policies, you create a configuration. Configurations are the Workload Identity Manager runtime configurations that link the following together:

  • The sub CA provider that will provide the template for the Workload Identity Manager's CA certificate. This sub CA provider will also issue Workload Identity Manager's CA certificate when it starts up.
  • The policies that will be used to determine the certificates Workload Identity Manager can issue to its clients, and which policies those clients are allowed to request from Workload Identity Manager.
  • The identity provider Workload Identity Manager should trust when evaluating the JWTs that clients present to it.

Workload Identity Manager supports the following identity provider methods for evaluating the validity of JWTs it receives:

  • JWKS (JSON Web Key Set), a URL serving the list of public keys used to verify the signature on each JWT.
  • OIDC Discovery, which takes the issuer URL of an IdP (such as Okta, Azure, or the built-in Kubernetes service account issuer) and locates the signing keys through the IdP's discovery document at /.well-known/openid-configuration, whose jwks_uri entry points to the JWKS.

You will need to know whether your organization uses JWKS or OIDC Discovery, and you will need the corresponding URL: the JWKS URL, or the issuer URL of the IdP.

Learn how to create a configuration

Step 7: Deploy Workload Identity Manager using Docker or Kubernetes

Now that you've configured the Control Plane to work with your Workload Identity Manager server, you need to deploy the Workload Identity Manager server so you can use it to issue certificates. You can deploy it in a Kubernetes cluster using a Helm chart, or as a Docker container.

Learn how to deploy Workload Identity Manager instances using Kubernetes or using Docker

Step 8: Start requesting certificates

With Workload Identity Manager configured and running, you're ready to utilize the APIs you enabled (gRPC or REST) for requesting certificates from Workload Identity Manager. Learn more about that in our API documentation.

Workload Identity Manager API Reference for Clients

Step 9: Review certificates in the inventory

That's it! Workload Identity Manager has been deployed, and if you followed the previous step, it has already started to issue certificates. Now you can watch the Issuer Certificates page to see what certificates Workload Identity Manager has issued.

Learn about the Workload Identity Manager Certificate inventory

What's next

Once your Workload Identity Manager instances are deployed, you can use the Issuer Certificates page to see an inventory of all certificates that have been issued by a Workload Identity Manager instance.

For help while using the Workload Identity Manager user interface, click the "What can I do here?" link found on each page to launch the related Quick Help.