Adding a certificate authority¶
When you add a certificate authority (CA) to Certificate Manager - SaaS, you create a connection between Certificate Manager - SaaS and that CA. That connection enables Certificate Manager - SaaS to manage certificate life-cycles.
Certificate Manager - SaaS can connect to both external and internal CAs, in addition to its own built-in CA.
Before you begin¶
Before setting up your CA, review the following:
- If you plan to use paid public trust CAs (like DigiCert, excluding free ones like Let's Encrypt), an enterprise CA account is required. Make sure you have a billing setup for pre-purchasing certificate units or for post-use billing. This is simply because our platform doesn't support purchasing individual certificates with a credit card for each transaction.
- Have your CA authentication credentials ready before you can configure and test issuance. Each CA provider has its own authentication methodology.
- Make sure you have been assigned either the System Administrator or PKI Administrator roles required to add new CAs.
- To take advantage of high availability for certificate issuance and management, select a primary VSatellite that belongs to a high availability group. The system will automatically choose a healthy VSatellite from that group to initiate operations. This helps ensure reliability even if one VSatellite becomes temporarily unavailable.
Getting started¶
Select your CA below for a detailed how-to.
Venafi TLS Protect¶
Built-in CA Certificate Manager - Self-Hosted
Public certificate authorities¶
AWS DigiCert Entrust GlobalSign Atlas GlobalSign MSSL Let's Encrypt (ACMEv2)
Private certificate authorities¶
AWS Venafi Zero Touch PKI Microsoft AD CS Google Cloud Certificate Authority Service
Custom certificate authority¶
Connector CAs using the CA Connector Framework¶
Because of the vast number of possible CAs, it's not possible for Certificate Manager - SaaS to natively support all options out of the box. However, if you use a CA that is not supported by Certificate Manager - SaaS, you can probably use their API to create a custom CA connector using the Venafi CA Connector Framework.
Venafi has developed two fully-supported CA connectors using the CA Connector Framework: one for a private CA, EJBCA, and another for a public CA, Sectigo.
You can use these connectors as-is. If you want to develop your own connector to a custom CA, these topics can help you see how to connect it to Certificate Manager - SaaS using the Certificate Manager - SaaS console.