Adding a CA account in OutagePREDICT

When you add a CA Account, you create a connection to a Certificate Authority who provides certificate life cycle services.

To add a new CA account

1. In the menu bar, click Settings > CA Accounts.

   TIP  OutagePREDICT comes with a built-in CA which can you use for testing purposes or for any applications or use cases that don't require the use of a publicly trusted certificate

2. Click New.

3. Enter an Account Name, then select a Certificate Authority from the list.

4. Depending on the CA you chose, you'll be asked to supply your CA account's credentials.

   For DigiCert CertCentral

   1. On the DevOpsACCELERATE home page, click Settings > CA Accounts.

   2. In CA accounts, click Add New Account.

   3. Copy and paste your API Key from DigiCert CertCentral.

      IMPORTANT  You must have the Manager role or higher in Digicert CertCentral.

   4. Click Add Account.

   in CA Accounts, you'll see a tile for the new Digicert account you added.

   For GlobalSign atlas

   NOTE  If you don't yet have a GlobalSign account, visit https://www.globalsign.com/en/lp/venafi/ to create one.

   1. On the DevOpsACCELERATE home page, click Settings > CA Accounts.

   2. In CA accounts, click Add New Account.
   3. Select GlobalSignas the Certificate Authority.

   4. Browse to your Credentials File.

      How do I find my GlobalSign credentials file?

      The Credentials file is supplied to you directly from GlobalSign when you create your GlobalSign account.

   5. Click Authenticate.

      NOTE  After you authenticate, we'll show you GlobalSign's validation policy. This is a list of requirements that your certificate request must comply with before GlobalSign will issue a certificate for you. We'll also display this information, in a more readable form when you start setting up policies for your organization.

      Example

      {

      'validity': {'secondsmin': 60, 'secondsmax': 7776000, 'notBeforeNegativeSkew': 200, 'notBeforePositiveSkew': 200},

      'subjectDn': {

      'commonName': {

      'presence': 'REQUIRED',

      'format': '^([a-z0-9-_]+\\.)*(venafi\\.io|vfidev\\.com|thehotelcook\\.com)$'

      },

      'organization': {'presence': 'STATIC', 'format': 'Venafi, Inc.'},

      'organizationalUnit': {'isStatic': false, 'list': ['^.*$'], 'mincount': 0, 'maxcount': 3},

      'country': {'presence': 'STATIC', 'format': 'US'},

      'state': {'presence': 'STATIC', 'format': 'UT'},

      'locality': {'presence': 'STATIC', 'format': 'Salt Lake City'},

      'streetAddress': {'presence': 'FORBIDDEN', 'format': ''},

      'email': {'presence': 'FORBIDDEN', 'format': ''},

      'joiLocalityName': {'presence': 'FORBIDDEN', 'format': ''},

      'joiStateOrProvinceName': {'presence': 'FORBIDDEN', 'format': ''},

      'joiCountryName': {'presence': 'FORBIDDEN', 'format': ''},

      'businessCategory': {'presence': 'FORBIDDEN', 'format': ''}

      },

      'extendedKeyUsages': {

      'ekus': {

      'isStatic': true,

      'list': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'],

      'mincount': 2,

      'maxcount': 2

      }, 'critical': false

      },

      'publicKey': {'keyType': 'RSA', 'allowedLengths': [4096, 3072, 2048], 'keyFormat': 'PKCS10'},

      'publicKeySignature': 'FORBIDDEN'

      }

   6. After the credential is authenticated, click Add Account.

      In CA Accounts, you'll see a tile for the new GlobalSign account you added.

   For Entrust Certificate Services

   Entrust Certificate Services features a tool that helps streamline the procurement and administration of SSL certificates. Venafi Cloud has partnered with Entrust Certificate Services to give you the ability to quickly and easily request and renew certificates.

   1. On the DevOpsACCELERATE home page, click Settings > CA Accounts.

   2. In CA accounts, click New.

   3. Type in an Account Name for your Entrust account.

      

   4. Select Entrust from the Certificate Authority list.

   5. Upload an API SSL (client) certificate.

      NOTE  The client certificate must have the Client Authentication EKU.

      How do I create a client certificate?

      1. Log in to the Entrust Certificate Services web console.
      2. In the top menu, navigate to Administration > Advanced Settings.

      3. Click API.

         

      4. Click the highlighted link to download the REST API for ECS Enterprise User Guide and Method Reference.

      5. Follow the steps in the Authentication section that includes instructions on how to create a public/private key pair, SSL certificate, and an API user and key.

   1. After you've uploaded the certificate, private key, and chain in PKCS#12 format, enter its passphrase.

   2. Type your Entrust username and provide the associated API Key.

      To learn how to retrieve your Entrust API key, see Entrust's Help document here.

      

   3. Click Validate.
   4. After successful authentication, click Add Account.

   You'll see the CA account you created as a new tile on the CA Accounts page.

5. When you're done, click Add Account.

   You'll see the new CA account in the CA Accounts list.