Using Automated Secure Keypair to request certificates

Before Automated Secure Keypair can be used to request certificates, you need to do the following:

  • Install and start a VSatellite in your environment
  • Configure a certificate issuing template that allows Venafi-generated keys
  • Configure an application to use the same certificate issuing template

As long as these criteria are met, any certificate request submitted for the application can take advantage of Automated Secure Keypair.

The steps below walk you through that setup.

Step 1: Deploy a VSatellite

Performed by: PKI Administrator

When you deploy a VSatellite in your network, the Automated Secure Keypair service automatically activates. All key generation activity takes place on a VSatellite in your environment so that private keys remain secure.

Do you already have a VSatellite deployed?

To see if you already have a VSatellite deployed, sign in to TLS Protect Cloud and click Settings > VSatellites. Any VSatellites that you have running in your environment will be listed here. If you don't have a VSatellite, follow the steps in Deploying VSatellites.

You can click a VSatellite to open its details. In the Supported Services section, verify that you see Automated Secure Keypair in the Service Type column.

If the service is active, you're good to go on to Step 2 below.

To deploy a VSatellite, follow the steps in Deploying VSatellites.

After the VSatellite is up and running, you can verify that Automated Secure Keypair is active by following the steps in the note above.

Multiple VSatellites for Automated Secure Keypair redundancy

Setting up two or more VSatellites provides redundancy for Automated Secure Keypair. If the primary VSatellite becomes unavailable, Automated Secure Keypair automatically fails over to a healthy VSatellite.

Step 2: Create a certificate issuing template

Performed by: PKI Administrator

With one or more VSatellites deployed, Automated Secure Keypair is now active. The next step is to create a Certificate Issuing Template that uses Automated Secure Keypair.

When creating the Certificate Issuing Template, be sure to select either "Venafi or user generated key pair" or "Venafi generated key pair" from the Key Pair Generation options. These options allow Resource Owners to submit certificate requests that use Automated Secure Keypair.

Screenshot of the Key Pair Generation section of the Certificate Issuing Template screen

Step 3: Create an application

Performed by: Resource Owner or higher

Now that there is a Certificate Issuing Template with Automated Secure Keypair enabled, that template can be assigned to applications.

You can add issuing templates to applications when creating a new application or by editing an existing application.

To use Automated Secure Keypair for certificate requests, you'll need to choose an issuing template that has either "Venafi or user generated key pair" or "Venafi generated key pair" as the key generation option.

Step 4: Create a certificate request

Performed by: Resource Owner or higher

For applications that have an Automated Secure Keypair-enabled issuing template assigned, you can submit certificate requests using the Venafi generated key pair option.

Follow the steps in Creating a certificate request to create the certificate request.

When creating the request, you will select the application and use-case for the request. The use-case maps back to the Certificate Issuing Templates assigned to the application.

What's Next

You can view your request by clicking Inventory > Certificate Requests in the menu bar. Once the certificate is issued, you can view it directly from the certificate request. It also appears on the Inventory > Certificates menu.