Using Automated Secure Keypair to request certificates¶
Before Automated Secure Keypair can be used to request certificates, you need to do the following:
- Install and start a VSatellite in your environment
- Configure a certificate issuing template that allows Venafi-generated keys
- Configure an application to use the same certificate issuing template
As long as these criteria are met, any certificate request submitted for the application can take advantage of Automated Secure Keypair.
The steps below walk you through that setup.
Step 1: Deploy a VSatellite¶
Performed by: PKI Administrator
When you deploy VSatellite in your network, the Automated Secure Keypair service automatically activates. All key generation activity takes place on a VSatellite in your environment so that private keys remain secure.
Do you already have a VSatellite deployed?
To see if you already have a VSatellite deployed, sign in to TLS Protect Cloud and click Settings > VSatellites. Any VSatellites that you have running in your environment will be listed here. If you don't have a VSatellite, follow the steps in Deploying VSatellites.
You can click a VSatellite to open its details. In the Supported Services section, verify that you see Automated Secure Keypair in the Service Type column.
If the service is active, you're good to go on to Step 2 below.
To deploy a VSatellite, follow the steps in Deploying VSatellites.
After the VSatellite is up and running, you can verify that Automated Secure Keypair is active by following the steps in the note above.
Multiple VSatellites for Automated Secure Keypair redundancy
Setting up two or more VSatellites provides redundancy for Automated Secure Keypair. If the primary VSatellite becomes unavailable, Automated Secure Keypair automatically fails over to a healthy VSatellite.
Step 2: Create a certificate issuing template¶
Performed by: PKI Administrator
With one or more VSatellites deployed, Automated Secure Keypair is now active. The next step is to create a Certificate Issuing Template that uses Automated Secure Keypair.
When creating the Certificate Issuing Template, be sure to select either Venafi or user generated key pair or Venafi generated key pair from the Key Pair Generation options. These options allow Resource Owners to submit certificate requests that use Automated Secure Keypair.
Step 3: Create an application¶
Performed by: Resource Owner or higher
Now that there is a Certificate Issuing Template with Automated Secure Keypair enabled, those templates can be assigned to applications.
You can add issuing templates to applications when creating a new application or by editing an existing application.
To use Automated Secure Keypair for certificate requests, you'll need to choose an issuing template that has either Venafi or user generated key pair or Venafi generated key pair as the key generation option.
Step 4: Create a certificate request¶
Performed by: Resource Owner or higher
For the applications that have an Automated Secure Keypair-enabled issuing templates assigned, you can submit certificate requests using the Venafi generated key pair option.
Follow the steps in creating a certificate request to create the certificate request.
When creating the request, you will select the application and use-case for the request. The use-case maps back to the Certificate Issuing Templates assigned to the application.
What's Next¶
You can view your request by clicking Inventory > Certificate Requests in the menu bar. Once the certificate is issued, you can view it directly from the certificate request. It also appears on the Inventory > Certificates menu.