
Adding a certificate authority in Venafi as a Service

When you add a certificate authority (CA) in Venafi as a Service, you create a connection between Venafi as a Service and a Certificate Authority that provides certificate life cycle services.

Important

You must be a System Administrator or PKI Administrator to add a new certificate authority.

To add a new certificate authority

  1. In the menu bar, click Settings > Certificate Authorities.

    Tip

    Venafi as a Service comes with a built-in CA which you can use for testing purposes or for any applications or use cases that don't require a publicly trusted certificate.

  2. Click New, and then select a Certificate Authority. Follow the steps below for the specific CA you selected.

    DigiCert CertCentral

    1. Enter a Name that this CA should be called in Venafi as a Service.

    2. Copy and paste your API Key from DigiCert CertCentral.

      Important

      You must have the Manager role or higher in DigiCert CertCentral.

    3. Click Validate.

    4. Click Add Account.

    GlobalSign

    If you don't yet have a GlobalSign account, visit https://www.globalsign.com/en/lp/venafi/ to create one.

    1. Enter a Name that this CA should be called in Venafi as a Service.

    2. Browse to your Credentials File.

      How do I find my GlobalSign credentials file?

      The credentials file is supplied to you directly by GlobalSign when you create your account.

    3. Click Validate.

      Note

      After you authenticate, we'll show you GlobalSign's validation policy. This is a list of requirements that your certificate request must comply with before GlobalSign will issue a certificate for you. We'll also display this information in a more readable form when you start setting up policies for your organization.

      Example

      {
        'validity': {'secondsmin': 60, 'secondsmax': 7776000, 'notBeforeNegativeSkew': 200, 'notBeforePositiveSkew': 200},
        'subjectDn': {
          'commonName': {
            'presence': 'REQUIRED',
            'format': '^([a-z0-9-_]+\.)*(venafi\.io|vfidev\.com|thehotelcook\.com)$'
          },
          'organization': {'presence': 'STATIC', 'format': 'Venafi, Inc.'},
          'organizationalUnit': {'isStatic': false, 'list': ['^.*$'], 'mincount': 0, 'maxcount': 3},
          'country': {'presence': 'STATIC', 'format': 'US'},
          'state': {'presence': 'STATIC', 'format': 'UT'},
          'locality': {'presence': 'STATIC', 'format': 'Salt Lake City'},
          'streetAddress': {'presence': 'FORBIDDEN', 'format': ''},
          'email': {'presence': 'FORBIDDEN', 'format': ''},
          'joiLocalityName': {'presence': 'FORBIDDEN', 'format': ''},
          'joiStateOrProvinceName': {'presence': 'FORBIDDEN', 'format': ''},
          'joiCountryName': {'presence': 'FORBIDDEN', 'format': ''},
          'businessCategory': {'presence': 'FORBIDDEN', 'format': ''}
        },
        'extendedKeyUsages': {
          'ekus': {
            'isStatic': true,
            'list': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'],
            'mincount': 2,
            'maxcount': 2
          },
          'critical': false
        },
        'publicKey': {'keyType': 'RSA', 'allowedLengths': [4096, 3072, 2048], 'keyFormat': 'PKCS10'},
        'publicKeySignature': 'FORBIDDEN'
      }
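      The policy above is what the CA will enforce at issuance time; checking a request against it before submitting saves a rejected round trip and makes it obvious which field (subject attribute, EKU set, key size, validity) a team needs to change. The script below is an added example, not part of the Venafi documentation and not Venafi or GlobalSign code: it encodes a subset of the policy values shown in the example as a Python dict and reports every violation in a candidate request. The request dict shape (validitySeconds, subjectDn, ekus, publicKey) is an assumed, simplified input, and treating a STATIC attribute as "if supplied, it must equal the fixed value" is an interpretation of the policy, not a documented rule.

```python
import re

# Constructed subset of the GlobalSign validation policy shown on this page (sample
# values copied from the page's example; not fetched from a CA, not Venafi code).
POLICY = {
    "validity": {"secondsmin": 60, "secondsmax": 7776000},
    "subjectDn": {
        "commonName": {
            "presence": "REQUIRED",
            "format": r"^([a-z0-9-_]+\.)*(venafi\.io|vfidev\.com|thehotelcook\.com)$",
        },
        "organization": {"presence": "STATIC", "format": "Venafi, Inc."},
        "organizationalUnit": {"isStatic": False, "list": ["^.*$"], "mincount": 0, "maxcount": 3},
        "country": {"presence": "STATIC", "format": "US"},
        "state": {"presence": "STATIC", "format": "UT"},
        "locality": {"presence": "STATIC", "format": "Salt Lake City"},
        "streetAddress": {"presence": "FORBIDDEN", "format": ""},
        "email": {"presence": "FORBIDDEN", "format": ""},
    },
    "extendedKeyUsages": {
        "ekus": {"isStatic": True, "list": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"], "mincount": 2, "maxcount": 2}
    },
    "publicKey": {"keyType": "RSA", "allowedLengths": [4096, 3072, 2048]},
}


def check_request(req, policy=POLICY):
    """Return the list of policy violations in `req` (an assumed, simplified request dict);
    an empty list means the request complies with the policy."""
    problems = []

    # Requested validity must fall inside the CA's window.
    v = policy["validity"]
    secs = req.get("validitySeconds", 0)
    if not v["secondsmin"] <= secs <= v["secondsmax"]:
        problems.append(f"validity {secs}s outside [{v['secondsmin']}, {v['secondsmax']}] seconds")

    # Subject DN: REQUIRED fields must match their regex, STATIC fields (if supplied)
    # must equal the fixed value (assumed interpretation), FORBIDDEN fields must be absent.
    subject = req.get("subjectDn", {})
    for field, rule in policy["subjectDn"].items():
        value = subject.get(field)
        if field == "organizationalUnit":
            ous = value or []
            if not rule["mincount"] <= len(ous) <= rule["maxcount"]:
                problems.append(f"{len(ous)} OUs, allowed {rule['mincount']}-{rule['maxcount']}")
            for ou in ous:
                if not any(re.fullmatch(p, ou) for p in rule["list"]):
                    problems.append(f"OU {ou!r} matches none of {rule['list']}")
            continue
        presence = rule["presence"]
        if presence == "FORBIDDEN" and value:
            problems.append(f"{field} is forbidden by policy")
        elif presence == "REQUIRED":
            if not value:
                problems.append(f"{field} is required")
            elif not re.fullmatch(rule["format"], value):
                problems.append(f"{field} {value!r} does not match {rule['format']}")
        elif presence == "STATIC" and value is not None and value != rule["format"]:
            problems.append(f"{field} must be exactly {rule['format']!r}, got {value!r}")

    # EKUs are static in this policy: the request must carry exactly the policy's OID set.
    eku_rule = policy["extendedKeyUsages"]["ekus"]
    ekus = req.get("ekus", [])
    if eku_rule["isStatic"] and sorted(ekus) != sorted(eku_rule["list"]):
        problems.append(f"EKUs {sorted(ekus)} must be exactly {sorted(eku_rule['list'])}")

    # Key type and length must be on the allowed list.
    key_rule = policy["publicKey"]
    key = req.get("publicKey", {})
    if key.get("keyType") != key_rule["keyType"] or key.get("length") not in key_rule["allowedLengths"]:
        problems.append(f"public key {key} not in {key_rule['keyType']} {key_rule['allowedLengths']}")

    return problems


# Constructed sample requests (hypothetical values, not real certificate requests).
COMPLIANT_REQUEST = {
    "validitySeconds": 30 * 24 * 3600,
    "subjectDn": {
        "commonName": "api.venafi.io",
        "organizationalUnit": ["Engineering"],
        "organization": "Venafi, Inc.", "country": "US", "state": "UT", "locality": "Salt Lake City",
    },
    "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
    "publicKey": {"keyType": "RSA", "length": 2048},
}

NONCOMPLIANT_REQUEST = {
    "validitySeconds": 365 * 24 * 3600,  # longer than the 90-day maximum
    "subjectDn": {
        "commonName": "www.example.net",  # domain not on the allowed list
        "email": "admin@example.net",  # forbidden attribute
        "organization": "Venafi, Inc.", "country": "US", "state": "UT", "locality": "Salt Lake City",
    },
    "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
    "publicKey": {"keyType": "RSA", "length": 1024},  # not an allowed key length
}
```

      Running check_request(COMPLIANT_REQUEST) returns an empty list, while check_request(NONCOMPLIANT_REQUEST) returns four messages, one each for the validity period, the common name, the forbidden email attribute and the 1024-bit key. Collecting every violation instead of stopping at the first one is deliberate: a requester fixes the whole request in one pass rather than discovering the next problem on the next rejection.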

    Entrust

    Entrust features a tool that helps streamline the procurement and administration of SSL certificates. Venafi has partnered with Entrust to give you the ability to quickly and easily request and renew certificates.

    1. Type in a Name for your Entrust account.

    2. Upload an API SSL (client) certificate.

      Note

      The client certificate must have the Client Authentication EKU.

      How do I create a client certificate?
      1. Log in to the Entrust Certificate Services web console.

      2. In the top menu, navigate to Administration > Advanced Settings.

      3. Click API.

        [Image: Entrust Advanced Settings screen]

      4. Click the highlighted link to download the REST API for ECS Enterprise User Guide and Method Reference.

      5. Follow the steps in the Authentication section, which includes instructions on how to create a public/private key pair, SSL certificate, and an API user and key.

    3. After you've uploaded the certificate, enter its Passphrase.

    4. Type your Entrust Username and provide the associated API Key. To learn how to retrieve your Entrust API key, see Entrust's Help document here.

    5. Click Validate.

    6. After successful authentication, click Add Account.

    Microsoft AD CS

    For information on setting up Microsoft AD CS, see Set up Microsoft AD CS for issuing and importing certificates.


Last update: November 9, 2021