
Adding a custom ACMEv2 certificate authority

Before you begin

You're going to need to provide the URL to your ACMEv2 server during configuration.

DNS provider details

The Custom ACMEv2 CA in TLS Protect Cloud proves control of your domains with the ACME DNS-01 challenge, so it needs DNS credentials that can create and delete TXT records in your zones. TLS Protect Cloud supports the following DNS providers. The sections below list what TLS Protect Cloud needs from each.

AWS Route 53

The account you use must have read, create, update, delete, and save permission.

  • Access Key ID
  • Secret Access Key
  • Hosted Zone ID

Azure DNS

The account you use must have read, create, update, delete, and save permission.

  • Subscription ID
  • Resource Group
  • Client Secret
  • Client ID
  • Tenant ID

Cloudflare

  • For email and global API Key authentication type
    • Account email
    • Global API Key
  • For DNS and zone tokens authentication type
    • Edit zone API token
    • Read zone API token

The Global API Key grants full access to the whole Cloudflare account. Prefer the zone token authentication type and restrict each token to the zones you validate.

Google Cloud DNS

The account you use must have read, create, update, delete, and save permission.

  • Service account JSON file

VSatellite

All ACMEv2 CAs require a VSatellite. If you already have a VSatellite installed, it will be available for you to select during configuration.

If not, you'll be able to set up a VSatellite during configuration. Just be sure to have a machine ready that meets the system requirements before you start.

Note

Some CAs might require additional setup to enable ACMEv2. See your CA’s documentation to determine if this applies to you.

To set up the CA

Step 1: Set up the connection

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.

  3. Click New > Can't find your CA? Add it!

  4. Enter a Name for this CA as it should appear in TLS Protect Cloud.

  5. (Optional) Click Logo and upload an image to represent the CA. If you skip this field, a default logo is used.

  6. In Server URL, enter the ACMEv2 directory URL provided by your CA.

  7. Select a VSatellite. If you don’t have one deployed yet, click Deploy a VSatellite and follow the deployment steps.

    To take advantage of high availability for certificate issuance and management, select a primary VSatellite that belongs to a high availability group. The system will automatically choose a healthy VSatellite from that group to initiate operations. This helps ensure reliability even if one VSatellite becomes temporarily unavailable.

  8. Click Test Connection.

  9. After the connection succeeds, click Next.
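Before you paste a Server URL into Step 1, you can confirm for yourself that it points at a usable ACMEv2 directory. The script below is an added example, not part of this documentation or of TLS Protect Cloud: it checks that the directory document advertises the resources RFC 8555 requires over https, pulls out the terms-of-service URL you will be asked to agree to, and flags a CA that requires External Account Binding (which is additional CA-side setup). The directory document and the acme.example.test URLs are constructed placeholders.

```python
"""Sanity-check an ACMEv2 directory URL before entering it as the Server URL.

Added example, not part of the TLS Protect Cloud documentation or product.
The directory document below is constructed; the acme.example.test URLs
are placeholders, not a real CA.
"""
import json
import sys
import urllib.request

# RFC 8555 section 7.1.1: resources a directory must advertise for a client
# to register an account and request certificates.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder")

# Constructed sample directory (not captured from any real CA).
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://acme.example.test/acme/new-nonce",
    "newAccount": "https://acme.example.test/acme/new-account",
    "newOrder": "https://acme.example.test/acme/new-order",
    "revokeCert": "https://acme.example.test/acme/revoke-cert",
    "keyChange": "https://acme.example.test/acme/key-change",
    "meta": {
        "termsOfService": "https://acme.example.test/terms.pdf",
        "externalAccountRequired": False,
    },
})


def validate_directory(body: str) -> dict:
    """Parse a directory document and report what matters for onboarding.

    Returns a dict with:
      problems         - list of findings (empty means the directory is usable)
      terms_of_service - URL the CA asks you to agree to, or None
      eab_required     - True if the CA refuses new accounts without
                         External Account Binding (RFC 8555 section 7.3.4)
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return {"problems": [f"not JSON: {exc}"], "terms_of_service": None, "eab_required": False}
    problems = []
    if not isinstance(doc, dict):
        problems.append("directory is not a JSON object")
        doc = {}
    for name in REQUIRED_RESOURCES:
        url = doc.get(name)
        if not isinstance(url, str):
            problems.append(f"missing resource {name!r}")
        elif not url.startswith("https://"):
            # ACME requires TLS for every request; an http URL is a broken CA or a proxy in the way.
            problems.append(f"{name} is not an https URL: {url}")
    meta = doc.get("meta") if isinstance(doc.get("meta"), dict) else {}
    return {
        "problems": problems,
        "terms_of_service": meta.get("termsOfService"),
        "eab_required": bool(meta.get("externalAccountRequired", False)),
    }


def fetch_directory(url: str, timeout: float = 10.0) -> str:
    """Fetch a live directory document. Only called when a URL is passed on the command line."""
    if not url.startswith("https://"):
        raise ValueError("an ACME directory URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    body = fetch_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIRECTORY
    result = validate_directory(body)
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    print("terms of service:", result["terms_of_service"])
    print("external account binding required:", result["eab_required"])
    sys.exit(1 if result["problems"] else 0)
```

Run it with no arguments to exercise the constructed directory, or with your CA's directory URL as the only argument to check the real thing. If eab_required comes back True, the CA needs External Account Binding credentials before any account can be created; check the CA's documentation, as the note above suggests.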

Step 2: Enter additional information

  1. Enter the Email address of the person or team responsible for certificates issued by this CA.

  2. Review and agree to the Terms and Conditions.

  3. Click Next.

Step 3: Enter DNS provider details

  1. From the DNS Provider drop-down, select a provider.

  2. Complete the credential fields for your provider.

    For Azure DNS

    If you select Azure DNS, TLS Protect Cloud uses the DNS-01 challenge method to validate domain ownership. This requires TLS Protect Cloud to create and delete TXT records through the Azure API. The DNS provider details section above lists the required Azure fields; the guidance below adds the context and permission requirements for Custom ACMEv2 workflows.

    Required Azure properties

    Subscription ID: Identifies the Azure subscription hosting your DNS zones.
    Resource Group: Identifies the resource group that contains those DNS zones.
    Client ID: The application (service principal) ID registered in Azure AD, now Microsoft Entra ID (see note 1).
    Client Secret: Secret string that, together with the Client ID, authenticates requests.
    Tenant ID: Identifies your Azure Active Directory (Microsoft Entra) tenant.

    Permissions

    • Create a service principal (Azure AD application) and assign it the DNS Zone Contributor role at the resource-group or DNS-zone scope. This role lets TLS Protect Cloud:
      • Read DNS zones and records
      • Create TXT records for validation
      • Update or delete those records when validation completes
    • Prefer the DNS-zone scope. The same role assigned at resource-group scope lets the principal modify every zone in that group, not only the ones you issue certificates for.
    • The Client Secret expires. Rotate it in Azure and update it in TLS Protect Cloud before the expiry date, otherwise DNS-01 validation, and with it certificate renewal, starts failing.

    Tip

    Need help creating a service principal? See Microsoft’s guide:
    https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
    You may need assistance from your Azure administrator to create the principal and assign roles.

    Custom DNS provider option (Feature Preview)

    Feature Preview

    The following capability is in preview. Contact Customer Support to enable it.

    Select Custom when your DNS provider isn't in the list. The option works with any RFC 8555-compliant ACME server that supports the DNS-01 challenge.

    When you choose Custom, a JSON editor appears. Provide key–value pairs that match the configuration variables documented for the go-acme LEGO project's DNS providers (https://go-acme.github.io/lego/dns/): each key is the variable name LEGO expects for that provider and each value is the corresponding credential or setting. Treat the JSON as a secret, since it carries the provider's API credentials.

  3. Click Test Connection to validate DNS credentials, then Done.

After the configuration saves, you return to the Certificate Authorities page.
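To make concrete what the DNS credentials from Step 3 are spent on, the following added example (not code from this documentation or from TLS Protect Cloud) computes the TXT record an ACME client must publish for a DNS-01 challenge: the RFC 7638 thumbprint of the account key, the RFC 8555 key authorization, and the record name and value at _acme-challenge.<domain>. This is the record the service principal's DNS Zone Contributor role exists to create and then delete. The account key and challenge token in the block are constructed placeholders; the code also handles wildcard identifiers, which the ACME specification validates at the base name.

```python
"""Compute the TXT record an ACME client publishes for a DNS-01 challenge.

Added example, not part of the TLS Protect Cloud documentation or product.
It shows what the DNS provider credentials are used for: one TXT record per
identifier, created before validation and deleted after it.
SAMPLE_ACCOUNT_JWK is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: only these members (per key type) enter the thumbprint;
# optional members such as "use", "kid" or "alg" are ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}

# Constructed placeholder account key; the coordinates are arbitrary strings.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used everywhere in RFC 8555."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, in lexicographic order, no whitespace (RFC 7638 section 3)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: binds the challenge token to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT record name, TXT value) for a DNS-01 challenge (RFC 8555 section 8.4).

    A wildcard identifier (*.example.com) is validated at the base name, so the
    record goes to _acme-challenge.example.com exactly as for example.com.
    """
    base = identifier.rstrip(".").removeprefix("*.")
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    # The token would come from the CA's challenge object; this one is made up.
    name, value = dns01_record("*.example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", SAMPLE_ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Two points worth noting from the code. The TXT value depends on the account key, so the credentials in TLS Protect Cloud only ever need to write short-lived records whose content is useless to anyone who does not hold that key; what an attacker with the same DNS credentials could do is publish records for their own account key, which is why the provider permissions should be scoped to the zones you actually validate. RFC 7638 section 3.1 publishes a thumbprint test vector you can run through jwk_thumbprint to confirm the implementation.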

What's next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.

Note 1: You must create a service principal in Azure AD and assign it the DNS Zone Contributor role at the appropriate scope. See Microsoft's docs on creating service principals for help.