Skip to content

Policies for Firefly

Policies are sets of rules that determine how certificates can be issued. You create a policy, then you add rules to the policy. When new certificates are issued based on that policy, they must follow the rules set by the policy.

For example, if you only want to issue certificates that have a specific key type, you can create a rule that requires that key type be used.

Policies help maintain both order and security by ensuring Firefly only issues the types of certificates you want.


We recommend you create a policy after you have created a subordinate CA provider. Show me how

To create a policy

Create your policy to specify the rules with which end entities must comply.

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Firefly Issuance Policies.
  3. On the Policies page, click New.
  4. Enter a Name for your new policy.
  5. Specify a Client Cert Validity.
    • If the Firefly client specifies a validity in their request, this is the maximum that will be allowed, but it will allow a lower value from the request.
    • If the Firefly client doesn't specify a validity, this value will be used.
  6. Specify the Subject and Subject Alternative Names (SAN), which are used as the rules with which end entities must comply.

    The Subject and SAN fields are standard TLS certificate fields. The Subject identifies the owner of the certificate. The SAN fields restrict how the certificate can be used; if it is used in a way not listed on the SANs, it won't be trusted.

    What's a type?

    Types are how Firefly determines whether or not a specific CSR is valid.

    • Ignored Use for properties that you don't want to appear in the issued certificate (whether it's requested or not).
    • Forbidden Use for properties that you don't want included in the CSR.
    • Optional Use for properties that you want included in the issued certificate; it will appear there as long as it complies with policy. The request will fail for properties that are requested but don't comply with policy. Also, if a property is not present in the request and policy default value will appear in the issued certificate (does not apply to CN or SANs).
    • Required Use to require that a field must be specified in the CSR.
    • Locked Use to prevent users from changing the common name you specify; and also to prevent adding additional common names.
    How do I use Default Value for subjects?
    • If the type is Optional, the Default Value determine what will be entered on the CSR if nothing is included in the request.
    • If the type is Locked, the Default Value is the only valid value and cannot be changed by a request.
  7. Under Key Constraint, select one or more key algorithms.

    • If there is only one key algorithm, the Firefly's clients must use that algorithm.
    • If there are multiple key algorithms, the Firefly's clients can use any of the approved algorithms. If no algorithm is specified, the one specified as the Default Value will be used.
    • Key algorithms are always Required type.
  8. Select Issuance Parameters options.

    • Key usage. For a TLS certificates, select both Digital Signature AND Key Encipherment.
    • Extended key usage. Select one or more of the following:
      • If issuing server certificates, select Server Authentication.
      • If issuing client certificates, select Client Authentication.
  9. When you're finished, click Create.

What's next?

Now that you have created a policy, your next step is to create a service account that will allow the Firefly server to connect to the Venafi Control Plane using a specific configuration (that you will configure in a future step). However, before you can create a service account, you will need to create a team, if you haven't yet.

What do you want to do?