
Create a CA template in Certificate Manager - Self-Hosted

In this step, you will create a new CA template in Certificate Manager - Self-Hosted, which will be used to sign the subordinate CA certificate for CyberArk Workload Identity Manager (formerly known as Firefly). In this example, Microsoft Active Directory Certificate Services (ADCS) is used, but any CA capable of issuing subordinate CA certificates that meets the following requirements will also work.

Requirements for the subordinate CA certificate

The Certificate Authority (CA) must be configured with a template to issue the subordinate CA certificate, following the requirements below:

Basic Constraints Extension:

  • The subject must be a certification authority (CA).

  • It must not issue certificates to other CAs (pathLenConstraint set to 0), so the subordinate CA can issue only end-entity (leaf) certificates.

  • This is a critical extension.

Key Usage Extension:

  • Signature requirements:

    • Digital signature

    • Certificate signing

  • This is a critical extension.

The Certificate Authority should be configured to allow clients to specify the end date of the required certificates. This will enable Workload Identity Manager to request subordinate CA certificates with validity specified by the PKI administrator responsible for configuring Workload Identity Manager.

  1. In the Certificate Manager - Self-Hosted policy tree, right-click on the policy folder where you want to create the CA template, and select Add > CA Template > Microsoft.

  2. Enter the relevant information for your CA in the following fields (the values below are for illustration purposes only), then click Save:

    • Name: ADCS SubCA

    • Hostname: adcs.example.com

    • Service Name: Example-CA

    • Credential: \VED\Policy\Administration\Credentials\adcs

    • Template: Subordinate Certification Authority

    • Allow Users to Specify End Date: Selected

To learn more about ADCS, see Microsoft Active Directory Certificate Services.
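The following PowerShell is an added example and is not part of the CyberArk documentation or of Certificate Manager - Self-Hosted or Workload Identity Manager; it shows how to verify that a subordinate CA certificate issued through the template above actually meets the Basic Constraints and Key Usage requirements listed earlier, using the .NET X509 classes available to Windows PowerShell 5.1 (on .NET Framework 4.7.2 or later) and PowerShell 7. The function names (Test-SubCaCertificate, New-SampleCaCertificate) are made up for this example, and the two sample certificates are constructed self-signed stand-ins for a certificate issued by ADCS: one built to the requirements, one with the common mistakes (no path length limit, non-critical Key Usage, missing digitalSignature).

```powershell
# Added example, not CyberArk code: verify a subordinate CA certificate
# against the requirements for Workload Identity Manager's issuing CA.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-SubCaCertificate {
    param(
        [Parameter(Mandatory)]
        [X509Certificate2] $Certificate
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Basic Constraints (OID 2.5.29.19): CA=TRUE, pathLenConstraint=0, critical
    $bc = $Certificate.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if (-not $bc) {
        $findings.Add('Basic Constraints extension is missing')
    } else {
        if (-not $bc.CertificateAuthority) {
            $findings.Add('Basic Constraints: subject is not a CA')
        }
        if (-not $bc.HasPathLengthConstraint -or $bc.PathLengthConstraint -ne 0) {
            $findings.Add('Basic Constraints: pathLenConstraint must be present and 0')
        }
        if (-not $bc.Critical) {
            $findings.Add('Basic Constraints extension is not marked critical')
        }
    }

    # Key Usage (OID 2.5.29.15): digitalSignature and keyCertSign, critical
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku) {
        $findings.Add('Key Usage extension is missing')
    } else {
        $required = [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyCertSign
        if (($ku.KeyUsages -band $required) -ne $required) {
            $findings.Add("Key Usage lacks digitalSignature and/or keyCertSign (has: $($ku.KeyUsages))")
        }
        if (-not $ku.Critical) {
            $findings.Add('Key Usage extension is not marked critical')
        }
    }

    [pscustomobject]@{
        Subject   = $Certificate.Subject
        NotAfter  = $Certificate.NotAfter   # confirm the requested end date was honored
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample certificates (self-signed, hypothetical subject) so the
# check can be exercised offline; in practice pass the .cer exported from
# Certificate Manager - Self-Hosted instead.
function New-SampleCaCertificate {
    param([bool] $Compliant)
    $rsa = [RSA]::Create(2048)
    try {
        $req = [CertificateRequest]::new('CN=Sample Firefly SubCA (constructed)', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        if ($Compliant) {
            # certificateAuthority=true, hasPathLengthConstraint=true, pathLength=0, critical=true
            $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $true, 0, $true))
            $req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
                [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyCertSign, $true))
        } else {
            # Typical mistakes: unlimited path length, non-critical Key Usage, no digitalSignature
            $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
            $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::KeyCertSign, $false))
        }
        $now = [DateTimeOffset]::UtcNow
        return $req.CreateSelfSigned($now, $now.AddYears(1))
    } finally {
        $rsa.Dispose()
    }
}

# Real use (adjust the path to the exported subordinate CA certificate):
#   Test-SubCaCertificate -Certificate ([X509Certificate2]::new('C:\temp\firefly-subca.cer'))

Test-SubCaCertificate -Certificate (New-SampleCaCertificate -Compliant $true)
Test-SubCaCertificate -Certificate (New-SampleCaCertificate -Compliant $false)
```

The non-compliant sample reports three findings; the compliant one reports none. On ADCS, the corresponding template settings live on the template's Extensions tab under Basic Constraints ("Do not allow subject to issue certificates to other CAs" and "Make this extension critical"), and the "Allow Users to Specify End Date" option in Certificate Manager - Self-Hosted only takes effect if the CA itself accepts a requested end date, which for ADCS means the EDITF_ATTRIBUTEENDDATE policy flag is set on the CA (`certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE`, followed by a restart of the Active Directory Certificate Services service). Checking NotAfter on the issued certificate is the quickest way to confirm that the validity the PKI administrator configured was honored rather than silently replaced by the template default.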

Prerequisites

To create a new Zero Touch PKI certificate authority (CA) template in Certificate Manager - Self-Hosted, ensure that you have the following:

  • A valid Zero Touch PKI account. If you do not have one, contact your administrator to set up an account with permissions to create a new Zero Touch PKI CA.
  • The Zero Touch PKI CA URL, API key ID, and API key.
  • The adaptable CA script for Zero Touch PKI installed in your Certificate Manager - Self-Hosted environment. Download the script and installation guide from the CyberArk Marketplace.
  • Custom fields created in Certificate Manager - Self-Hosted to support certificate validity settings. Refer to the Zero Touch PKI installation instructions for more details.

Steps

  1. Store credentials:

    1. In Certificate Manager - Self-Hosted, navigate to Credentials.
    2. Create and save a username credential for the Zero Touch PKI account.
  2. Add a new CA template:

    1. In the Certificate Manager - Self-Hosted Policies tree, right-click the folder where you want to create the new CA template.
    2. Select Add > CA Template > Adaptable.
  3. Configure the CA template:

    Complete the CA template configuration using the following fields (replace with actual values for your environment):

    • Name: ZTPKI SubCA
    • Username credential: Select the credential created in step 1.
    • Service address: Enter the URL for your Zero Touch PKI region.
    • Profile string: Enter the Policy ID from your Zero Touch PKI tenant.
    • PowerShell script: Select the adaptable script used for Zero Touch PKI integration.
  4. Test and save:

    1. Click Test to validate the configuration.
    2. If the test is successful, click Save to create the CA template.

What's next?