Sub CA Providers¶
Once you have a CA account, you can create Subordinate CA Providers. Sub CA providers are necessary because they do the following:
- Determine which CA account will issue the CA certificate for Firefly.
- Determine the composition of the CA certificate for the Firefly.
Sub CA providers link back to a specific CA account. Depending on the CA account, they also can have a limited scope. For example, with Microsoft AD CS, you are required to select an AD CS issuing template. If you wanted to use multiple AD CS issuing templates, you would create multiple sub CA providers for Microsoft AD CS. Or you might create additional sub CA providers if you want to issue certificates from multiple certificate authorities.
The Sub CA Providers page shows an inventory of all Sub CA Providers that have been created for your organization. Like other inventories in Firefly and TLS Protect Cloud, you can search, filter, and export entries. (When exporting entries, you must export the entire list. You can export it to CSV, where you can manage it in a spreadsheet program.)
Before you begin¶
Before you create a Sub CA account, consider the following:
- You'll need to create a CA Account. Learn more
- If you plan to use a signing key stored in an HSM:
- You will need to know the slot and PIN for the HSM.
- (Optional) Know the checksums of the client libraries that Firefly is allowed to use.
For details about HSMs, see HSMs and Firefly.
Create a new Sub CA Provider¶
The steps you need to follow to create a Sub CA Provider depend on the certificate authority that the Sub CA will chain back to for validity.
Before you can create a Sub CA Provider for Microsoft AD CS, you will need an AD CS template. These are created in Microsoft AD CS and are imported into Firefly when a new CA Account is created for Microsoft AD CS. The CA Accounts page is where you can control which CA accounts have access to which AD CS issuing templates.
-
Sign in to Venafi Control Plane.
-
Click Policies > Firefly Sub CA.
-
Click New > Microsoft AD CS.
-
In the modal window, enter the requested information.
Field Details Name This name will be shown in the Sub CA inventory, and in other places where you pick between sub CAs. CA Account This field shows the existing CA Accounts that use Microsoft AD CS.
If the account you need isn't listed, click Cancel and choose a different certificate authority in Step 2, or create a new CA AccountMicrosoft AD CS Issuance Template Pick an existing issuance template. The templates you can see depend on which CA Account you selected in the previous field. Issuer Cert Validity Specifies the validity period of the Firefly CA certificate, which should be at least as long as the validity period of any certificate Firefly will issue for its clients. Type in the value, then select a unit by clicking a button. Require HSM Requires Firefly to use hardware protection (an HSM) for its signing key. When enabled, the following fields are displayed:
- Slot - Enter the Slot ID for the HSM partition where you want Firefly to store the signing keys.
- PIN - Enter the PIN that is required to access the HSM. Consult the vendor documentation for the required format of the PIN.
- Allowed Client Libraries - [Optional] Specify the SHA-256 checksum of the PKCS#11 library Firefly is allowed to use. This ensures Firefly is connected to the correct client. If nothing is entered here, Firefly could use any PKCS#11 library, which could be a potential security risk.
Common Name Suffix that gets appended to the instanceNaming value in the config.yaml
file which becomes the common name of the CA certificate for Firefly.Organization (Optional) Your organization's legal name helps your users verify that they can trust Firefly's certificate. Organizational Unit (Optional) The division of your organization that is managing the certificate. City, State, Country (Optional) Location data helps your users trust Firefly's certificate. Key Algorithm This is the algorithm as well as the size (or curve) for the keypair Firefly will generate when it starts. -
Click Create.
- From the menu bar, click Sub CA Providers > New.
- Click Zero Touch PKI.
-
In the modal window, enter the requested information.
Field Details Name This name will be shown in the Sub CA inventory, and in other places where you pick between sub CAs. CA Account This field shows the existing CA Accounts that use Zero Touch PKI. If the account you need isn't listed, click Cancel and choose a different certificate authority in Step 2, or create a new CA Account CA Policy Pick an existing CA Policy. The policies you can see are set on the Zero Touch PKI server. Issuer Cert Validity Specifies the validity period of the Firefly CA certificate, which should be at least as long as the validity period of any certificate Firefly will issue for its clients. Type in the value, then select a unit by clicking a button. Require HSM Requires Firefly to use hardware protection (an HSM) for its signing key. When enabled, the following fields are displayed:
- Slot - Enter the Slot ID for the HSM partition where you want Firefly to store the signing keys.
- PIN - Enter the PIN that is required to access the HSM. Consult the vendor documentation for the required format of the PIN.
- Allowed Client Libraries - [Optional] Specify the SHA-256 checksum of the PKCS#11 library Firefly is allowed to use. This ensures Firefly is connected to the correct client. If nothing is entered here, Firefly could use any PKCS#11 library, which could be a potential security risk.
Common Name Suffix that gets appended to the instanceNaming value in the config.yaml
file which becomes the common name of the CA certificate for Firefly.Organization (Optional) Your organization's legal name helps your users verify that they can trust Firefly's certificate. Organizational Unit (Optional) The division of your organization that is managing the certificate. City, State, Country (Optional) Location data helps your users trust Firefly's certificate. Key Algorithm This is the algorithm as well as the size (or curve) for the keypair Firefly will generate when it starts. -
Click Create.
Caution
Do not use the Venafi Built-in CA for production use. It is designed for use in development and testing environments only, since it is not chained back to a trusted certificate authority.
- From the menu bar, click Sub CA Providers > New.
- Click Venafi Built-in CA.
-
In the modal window, enter the requested information.
Field Details Name This name will be shown in the Sub CA inventory, and in other places where you pick between sub CAs. CA Account This field shows the existing CA Accounts that use the Venafi Built-in CA. If the account you need isn't listed, click Cancel and choose a different certificate authority in Step 2, or create a new CA Account Issuer Cert Validity Specifies the validity period of the Firefly CA certificate, which should be at least as long as the validity period of any certificate Firefly will issue for its clients. Type in the value, then select a unit by clicking a button. Require HSM Requires Firefly to use hardware protection (an HSM) for its signing key. When enabled, the following fields are displayed:
- Slot - Enter the Slot ID for the HSM partition where you want Firefly to store the signing keys.
- PIN - Enter the PIN that is required to access the HSM. Consult the vendor documentation for the required format of the PIN.
- Allowed Client Libraries - [Optional] Specify the SHA-256 checksum of the PKCS#11 library Firefly is allowed to use. This ensures Firefly is connected to the correct client. If nothing is entered here, Firefly could use any PKCS#11 library, which could be a potential security risk.
Common Name Suffix that gets appended to the instanceNaming value in the config.yaml
file which becomes the common name of the CA certificate for Firefly.Organizational Unit (Optional) The division of your organization that is managing the certificate. City, State, Country (Optional) Location data helps your users trust Firefly's certificate. Key Algorithm This is the algorithm as well as the size (or curve) for the keypair Firefly will generate when it starts. -
Click Create.
- From the menu bar, click Sub CA Providers > New.
- Click TLS Protect Datacenter.
-
In the modal window, enter the requested information.
Field Details Name This name will be shown in the Sub CA inventory, and in other places where you pick between sub CAs. CA Account This field shows the existing CA Accounts that use TLS Protect Datacenter. If the account you need isn't listed, click Cancel and choose a different certificate authority in Step 2, or create a new CA Account Policy Folder Pick a policy folder. The policy folders you can see are set on the TLS Protect Datacenter CA Account. Issuer Cert Validity Specifies the validity period of the Firefly CA certificate, which should be at least as long as the validity period of any certificate Firefly will issue for its clients. Type in the value, then select a unit by clicking a button. Require HSM Requires Firefly to use hardware protection (an HSM) for its signing key. When enabled, the following fields are displayed:
- Slot - Enter the Slot ID for the HSM partition where you want Firefly to store the signing keys.
- PIN - Enter the PIN that is required to access the HSM. Consult the vendor documentation for the required format of the PIN.
- Allowed Client Libraries - [Optional] Specify the SHA-256 checksum of the PKCS#11 library Firefly is allowed to use. This ensures Firefly is connected to the correct client. If nothing is entered here, Firefly could use any PKCS#11 library, which could be a potential security risk.
Common Name Suffix that gets appended to the instanceNaming value in the config.yaml
file which becomes the common name of the CA certificate for Firefly.Organization (Optional) Your organization's legal name helps your users verify that they can trust Firefly's certificate. Organizational Unit (Optional) The division of your organization that is managing the certificate. City, State, Country (Optional) Location data helps your users trust Firefly's certificate. Key Algorithm This is the algorithm (as well as the size / curve or curve) for the keypair Firefly will generate when it starts. -
Click Create.
What's next?¶
Now that you have a Sub CA set up, you should create some policies that will apply when people request certificates.