Create a policy folder in Certificate Manager - Self-Hosted
To manage CyberArk Workload Identity Manager (formerly known as Firefly) from Certificate Manager - Self-Hosted, two separate policy folders must be used to adhere to the principle of least privilege. The first policy folder stores Workload Identity Manager's security configuration. This folder must be configured so that only authorized members of the security team can modify its contents, and so that the Workload Identity Manager instances that use this security configuration have read access only, with no permission to modify it.
It is recommended to follow your organizational pattern for the policy structure. In this example, a simplified structure is used where a new policy folder, Workload Identity Manager, contains the security configuration object and a sub-folder for the subordinate CA certificates that your Workload Identity Manager will use.
Policy
└── firefly
    ├── SubCA
    │   ├── subca-cert-1
    │   ├── subca-cert-2
    │   └── subca-cert-3
    └── security-config
Create a policy folder for the Workload Identity Manager's security configuration
- Follow the instructions in Adding objects to the policy tree to add a new policy folder named firefly.
- Once the firefly policy folder is created, set the permissions outlined in Assigning permissions to an object in Policy Tree.
  Policy folder: firefly
  - User: firefly - Permissions: View, Read
  - Group: security-team - Permissions: View, Read, Write, Create, Delete, Rename
Policy folder for the subordinate CA certificates used by Workload Identity Manager
- Follow the instructions in Adding objects to the policy tree to add a new policy folder for Workload Identity Manager.
- Once the firefly\SubCA policy folder is created, set the following permissions as outlined in Assigning permissions to an object in Policy Tree.
  Policy folder: firefly\SubCA
  - User: firefly - Permissions: Read, Write, Create
  - Group: security-team - Permissions: View, Read, Write, Create, Delete, Rename
- In addition to the permissions, configure the subordinate CA policy folder with the following certificate settings:
  - Set Management Type to Enrollment.
  - Set CSR Generation to User Generated CSR.
  - Set Allow Duplicate Common and Subject Alternative Names to Yes.
  - Configure a CA template that issues valid subordinate CA certificates meeting the requirements described in Requirements for the subordinate CA certificate.
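The permission model above can be audited against an exported folder ACL. The following Python check is an added example, not part of the Certificate Manager documentation or product; the folder names and permission sets come from this page, while the identity labels (user:/group: prefixes) and the dict layout of the export are assumptions, and the sample ACL is constructed.

```python
# Added example: audit policy-folder permissions against the least-privilege
# model described on this page. The export layout below (folder -> identity ->
# set of permission names) is an assumption, not a Certificate Manager format.
from typing import Dict, List, Set, Tuple

Acl = Dict[str, Dict[str, Set[str]]]
Finding = Tuple[str, str, str]  # (folder, identity, permission)

SECURITY_TEAM = {"View", "Read", "Write", "Create", "Delete", "Rename"}

# Expected permissions per policy folder, exactly as stated on this page.
EXPECTED: Acl = {
    "firefly": {
        "user:firefly": {"View", "Read"},
        "group:security-team": set(SECURITY_TEAM),
    },
    "firefly\\SubCA": {
        "user:firefly": {"Read", "Write", "Create"},
        "group:security-team": set(SECURITY_TEAM),
    },
}


def audit(actual: Acl) -> Tuple[List[Finding], List[Finding]]:
    """Compare an exported ACL with EXPECTED.

    Returns (excess, missing). 'excess' lists every permission an identity
    holds beyond the model, including identities the model never grants
    anything to (any permission they hold is excess); 'missing' lists
    permissions the model requires but the export lacks.
    """
    excess: List[Finding] = []
    missing: List[Finding] = []
    for folder, expected_acl in EXPECTED.items():
        actual_acl = actual.get(folder, {})
        for ident in sorted(set(expected_acl) | set(actual_acl)):
            want = expected_acl.get(ident, set())
            have = actual_acl.get(ident, set())
            excess += [(folder, ident, p) for p in sorted(have - want)]
            missing += [(folder, ident, p) for p in sorted(want - have)]
    return excess, missing


# Constructed sample export: the firefly user was mistakenly given Write on the
# security configuration folder and lacks Create on the SubCA folder.
SAMPLE_ACL: Acl = {
    "firefly": {
        "user:firefly": {"View", "Read", "Write"},
        "group:security-team": set(SECURITY_TEAM),
    },
    "firefly\\SubCA": {
        "user:firefly": {"Read", "Write"},
        "group:security-team": set(SECURITY_TEAM),
    },
}
```

A Write or Delete grant to the firefly identity on the security configuration folder shows up in the excess list, which is the condition the least-privilege model above is meant to rule out.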
Using Zero Touch PKI
When using Zero Touch PKI, the validity period of a requested subordinate certificate is set differently than with other certificate authorities. The subCaProvider.validityPeriod property in the security configuration is not used. Instead, the custom fields created during the Zero Touch PKI integration must be used.
To specify the validity period, configure the relevant custom fields in the policy folder where the subordinate certificate will be issued, for example the firefly\SubCA policy folder.
The following custom fields can be used to define the validity:
- ZTPKI: Validity Days
- ZTPKI: Validity Months
- ZTPKI: Validity Years