Adding a custom ACMEv2 certificate authority
Before you begin
You're going to need a few things to complete the CA configuration.
ACMEv2 server URL
During configuration, you'll need to provide the URL to your CA's ACMEv2 server.
DNS provider details
The Custom ACMEv2 CA in TLS Protect Cloud uses DNS Certificate Authority Authorization (CAA). TLS Protect Cloud supports the DNS providers listed below, together with the information it needs for each.
Amazon Route 53
The account you use must have read, create, update, delete, and save permission.
- Access Key ID
- Secret Access Key
- Hosted Zone ID
Microsoft Azure DNS
The account you use must have read, create, update, delete, and save permission.
- Subscription ID
- Resource Group
- Client Secret
- Client ID
- Tenant ID
Cloudflare
- For the email and global API key authentication type:
  - Account email
  - Global API Key
- For the DNS and zone tokens authentication type:
  - Edit zone API token
  - Read zone API token
Google Cloud DNS
The account you use must have read, create, update, delete, and save permission.
- Service account JSON file
VSatellite
All ACMEv2 CAs require a VSatellite. If you already have a VSatellite installed, it will be available for you to select during configuration.
If not, you'll be able to set up a VSatellite during configuration. Just be sure to have a machine ready that meets the system requirements before you start.
Note
Some CAs might require additional setup in order to enable ACMEv2. See your CA's documentation.
To set up the CA
Step 1: Set up the connection
- Sign in to Venafi Control Plane.
- Click Integrations > Certificate Authorities.
- Click New > Can't find your CA? Add it!.
- Enter a Name that this CA should be called in TLS Protect Cloud.
- (Optional) Select a Logo file to upload. If you don't upload a logo, the Venafi logo will be used.
- In the Server URL field, enter the URL to the ACMEv2 server provided by your CA.
- Select a VSatellite. If you don't yet have a VSatellite deployed, click Deploy a VSatellite, and follow the steps to deploy a new VSatellite.
- Click Test Connection.
- After the connection is successful, click Next.
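Before you run Test Connection, you can confirm on your own that the Server URL really serves an RFC 8555 directory document. The following Python script is an added example, not Venafi code: it validates a directory against a constructed sample (the acme.example.test URLs are placeholders), reports the terms-of-service URL you will be asked to agree to in Step 2, and flags whether the CA requires External Account Binding, one of the cases where a CA needs additional setup before ACMEv2 works.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Resources every RFC 8555 directory must advertise (section 7.1.1).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder")


def validate_acme_directory(directory: dict) -> dict:
    """Check a parsed ACMEv2 directory document.

    Returns a summary with any problems found, the terms-of-service URL
    and whether the CA requires External Account Binding (extra CA-side
    setup, e.g. obtaining EAB credentials, before an account can be created).
    """
    problems = []
    for name in REQUIRED_RESOURCES:
        url = directory.get(name)
        if not isinstance(url, str):
            problems.append(f"missing resource: {name}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name} is not an https URL: {url}")
    meta = directory.get("meta", {})
    return {
        "ok": not problems,
        "problems": problems,
        "terms_of_service": meta.get("termsOfService"),
        "eab_required": bool(meta.get("externalAccountRequired", False)),
    }


def fetch_directory(server_url: str, timeout: float = 10.0) -> dict:
    """Download and parse the directory from the CA's ACMEv2 server URL."""
    with urllib.request.urlopen(server_url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample directory (placeholder hostname, not a real CA).
SAMPLE_DIRECTORY = json.loads("""{
  "newNonce": "https://acme.example.test/acme/new-nonce",
  "newAccount": "https://acme.example.test/acme/new-account",
  "newOrder": "https://acme.example.test/acme/new-order",
  "revokeCert": "https://acme.example.test/acme/revoke-cert",
  "meta": {
    "termsOfService": "https://acme.example.test/terms.pdf",
    "externalAccountRequired": true
  }
}""")

if __name__ == "__main__":
    import sys
    # Pass the Server URL as the first argument to check a live CA;
    # with no argument the constructed sample is validated instead.
    directory = fetch_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIRECTORY
    print(json.dumps(validate_acme_directory(directory), indent=2))
```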
Step 2: Enter additional information
- Enter the Email address of the contact person or group for certificates issued by this CA.
- Review and agree to the Terms and Conditions.
- Click Next.
Step 3: Enter DNS provider details
- From the DNS Provider dropdown, select a DNS provider.
- Complete the fields for your DNS provider.
You can select a native DNS provider, or you can select Custom to use any RFC 8555-compliant ACME server that supports the DNS-01 challenge.
When using a custom DNS provider, you will be required to enter the connection details as a JSON-formatted object in the user interface. The variable names are the same as those documented for the go-acme LEGO project.
- Click Test Connection, and then click Done.
After completing the configuration, you are taken back to the Certificate Authorities page.
What's Next
This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.