
Firefly path to success

To help you get started using Firefly, review the following information and complete all steps.

This document gives you a high-level understanding of the process, from start to finish. The details of how to do specific steps are in the linked topics. Use this document as a road map to help you get started with Firefly.


Before you begin, meet the following requirements:

Make sure you have access

Use the product switcher (in the upper right, near your user icon) to open the Firefly administrative interface. If you don't see Firefly in the product switcher, try the following solutions.

Make sure your user is a PKI Administrator or System Administrator. The Firefly web interface is currently only available to administrators.

In this case, start with Firefly Developer Mode as documented in Dev Central

Once you are happy with deploying and using Firefly, talk to your TLS Protect Cloud admins about using Firefly with the Control Plane.

If you don't see Firefly in the product switcher, your account may not have Firefly enabled.

You can sign up for a Firefly trial (which will create a new TLS Protect Cloud tenant where you can evaluate Firefly without impacting your existing environment), or you can contact your Venafi Sales account executive about starting a Firefly trial in your existing TLS Protect Cloud tenant.

Let's begin

Here are the steps we'll take in getting started with Firefly:

  1. Create a CA account
  2. Create a subordinate CA provider
  3. Create a new policy
  4. Create a team
  5. Add a service account
  6. Create a new configuration
  7. Deploy Firefly using Docker or Kubernetes
  8. Start requesting certificates
  9. Review certificates in the inventory

Step 1: Create a CA account

Machine identity management is about trust. You want to ensure that the certificates Firefly issues can be trusted. For that, they need to chain back to a trusted certificate authority, so your first step is to connect Firefly to a certificate authority.


While Firefly does have its own built-in certificate authority, it's not designed for production use. However, if you are deploying Firefly in a test or development environment, you can probably skip this step.

In addition to Venafi's built-in CA, you can add connections to Microsoft AD CS, as well as to Zero Touch PKI.

Learn how to link a CA account

Step 2: Create a subordinate CA provider

Subordinate CA (sub CA) providers are necessary because they do the following:

  • Determine which CA account will issue the CA certificate for Firefly.
  • Determine the composition of the CA certificate for Firefly.

Sub CA providers link back to a specific CA account. Depending on the CA account, they also can have a limited scope. For example, with Microsoft AD CS, you are required to select an AD CS issuing template. If you wanted to use multiple AD CS issuing templates, you would create multiple sub CA providers for Microsoft AD CS.

Learn how to configure sub CA providers

Step 3: Create a new policy

Chances are you don't want your end users generating CSRs without any kind of restriction. At a minimum, you generally want to specify the key algorithms that can be used to generate the CSRs. Policies are sets of rules that allow you to enforce organizational policies on what kinds of certificates can be issued. A policy's settings can be defaults that users can override, or they can be enforced so that CSRs can't be generated outside of the policy's defined values.

Policies constrain certificate issuance and key generation by your users. You can have multiple policies with different settings to meet a wide array of organizational applications.

Learn how to create a policy

Step 4: Create a team

You need a team before you can create a service account. Firefly makes it easy to create one, and using a team helps ensure continued access to the service account regardless of team membership changes.

Learn how to create a team for Firefly

Step 5: Add a service account

Service accounts allow your Firefly systems to authenticate with TLS Protect Cloud so they can obtain the configuration settings and communicate with the Venafi Control Plane.

Learn how to create a service account for Firefly

Step 6: Create a new configuration

Once you have one or more policies, you create a configuration. Configurations are the Firefly runtime configurations that link the following together:

  • The sub CA provider that will provide the template for Firefly's CA certificate. This sub CA provider will also issue Firefly's CA certificate when it starts up.
  • The policies that will be used to determine the certificates Firefly can issue to its clients, and which policies those clients are allowed to request from Firefly.
  • The identity provider Firefly should trust when evaluating the JWTs that clients present to it.

Firefly supports the following identity provider methods for evaluating the validity of JWTs it receives:

  • JWKS (JSON Web Key Set), which contains a list of public keys we use to verify the signature of the JWT.
  • OIDC Discovery, which uses an SSO provider (like Okta or Azure) to verify the signature of the JWTs.

You will need to know if your organization uses JWKS or OIDC Discovery, and you will need the URLs used for the IdP.
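To make the difference between the two methods concrete, here is an added example (generic JWT verification, not Firefly's code or API) in which OIDC Discovery resolves to a JWKS and an RS256 token is then checked against the key selected by `kid`. The issuer URL, key ID, function names and the deliberately weak test key are all constructed for illustration; a real deployment would use a maintained JWT library instead of hand-written RSA.

```python
import base64, hashlib, json
P, Q, E = 2**521 - 1, 2**607 - 1, 65537  # constructed, insecure test key (Mersenne primes)
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix

def b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64u(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
def int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def emsa_pkcs1_v15(msg, size):  # RS256 padding: 00 01 FF.. 00 DigestInfo || SHA-256(msg)
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t

# Constructed IdP documents: OIDC Discovery is one extra hop that ends at a JWKS.
ISSUER, WELL_KNOWN = "https://idp.example.test", "/.well-known/openid-configuration"
JWKS = {"keys": [{"kty": "RSA", "kid": "idp-key-1", "use": "sig",
                  "n": int_b64u(N), "e": int_b64u(E)}]}
DOCS = {ISSUER + WELL_KNOWN: {"issuer": ISSUER, "jwks_uri": ISSUER + "/keys"},
        ISSUER + "/keys": JWKS}

def jwks_via_discovery(issuer):  # dict lookups stand in for HTTPS GETs
    meta = DOCS[issuer + WELL_KNOWN]
    if meta["issuer"] != issuer:
        raise ValueError("discovery issuer mismatch")
    return DOCS[meta["jwks_uri"]]

def idp_sign(claims, kid):  # plays the IdP; a verifier only ever holds N and E
    parts = ({"alg": "RS256", "kid": kid}, claims)
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in parts)
    sig = pow(int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), K), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def verify(token, jwks, issuer):
    head_b64, body_b64, sig_b64 = token.split(".")
    head = json.loads(unb64u(head_b64))
    if head.get("alg") != "RS256":  # pin the algorithm; the token does not choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == head.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no matching key in JWKS")
    n, e = (int.from_bytes(unb64u(key[f]), "big") for f in ("n", "e"))
    size, sig = (n.bit_length() + 7) // 8, int.from_bytes(unb64u(sig_b64), "big")
    em = emsa_pkcs1_v15(f"{head_b64}.{body_b64}".encode(), size)
    if sig >= n or pow(sig, e, n).to_bytes(size, "big") != em:
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims
```

With either method the verifier ends up holding the same set of public keys; the JWKS URL points at the keys directly, while the OIDC Discovery URL points at a metadata document that names them.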

Learn how to create a configuration

Step 7: Deploy Firefly using Docker or Kubernetes

Now that you've configured the Control Plane to work with your Firefly server, you need to take some steps to deploy the Firefly server so you can use it to issue certificates. You can deploy the Firefly server in a Kubernetes cluster using a Helm chart, or using a Docker container.

Learn how to deploy Firefly instances using Kubernetes or using Docker

Step 8: Start requesting certificates

With Firefly configured and running, you're ready to use the APIs you enabled (gRPC, GraphQL, or REST) to request certificates from Firefly. Learn more about that in our API documentation.

Firefly API Reference for Clients

Step 9: Review certificates in the inventory

That's it! Firefly has been deployed, and if you followed the previous step, it's already started to generate certificates. Now you can watch the Issuer Certificates page to see what certificates Firefly has issued.

Learn about the Issuer Certificate inventory

What's next

Once your Firefly instances are deployed, you can use the Issuer Certificate page to see an inventory of all certificates that have been issued by a Firefly instance.

For help while using the Firefly user interface, click the "What can I do here?" link found on each page to launch the related Quick Help.