Skip to content

Adding a Let's Encrypt (ACMEv2) certificate authority

Before you begin

You're going to need a few things to complete the CA configuration.

DNS provider details

The Let's Encrypt CA in TLS Protect Cloud uses DNS Certificate Authority Authorization (CAA). TLS Protect Cloud supports the following DNS providers. Click your DNS provider of choice to see what information TLS Protect Cloud needs.

The account you use must have read, create, update, delete, and save permission.

  • Access Key ID
  • Secret Access Key
  • Hosted Zone ID

The account you use must have read, create, update, delete, and save permission.

  • Subscription ID
  • Resource Group
  • Client Secret
  • Client ID
  • Tenant ID
  • For email and global API Key authentication type
    • Account email
    • Global API Key
  • For DNS and zone tokens authentication type
    • Edit zone API token
    • Read zone API token

The account you use must have read, create, update, delete, and save permission.

  • Service account JSON file

VSatellite

All ACMEv2 CAs require a VSatellite. If you already have a VSatellite installed, it will be available for you to select during configuration.

If not, you'll be able to set up a VSatellite during configuration. Just be sure to have a machine ready that meets the system requirements before you start.

To set up the CA

Step 1: Set up the connection

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.
  3. Click New > Let's Encrypt (ACMEv2).
  4. Enter a Name for this CA as it should appear in TLS Protect Cloud.

  5. From the Server URL drop-down, select either the production or staging URL.

    Note

    These URLs are provided by Let's Encrypt and can't be changed. The Custom ACMEv2 CA in TLS Protect Cloud allows you to enter custom server URLs if needed.

  6. Select a VSatellite. If you don’t have one deployed yet, click Deploy a VSatellite, and follow the steps to deploy a new VSatellite.

    To take advantage of high availability for certificate issuance and management, select a primary VSatellite that belongs to a high availability group. The system will automatically choose a healthy VSatellite from that group to initiate operations. This helps ensure reliability even if one VSatellite becomes temporarily unavailable.

  7. Click Test Connection.

  8. After the connection is successful, click Next.

Step 2: Enter additional information

  1. Enter the Email address of the person or team responsible for certificates issued by this CA.
  2. Review and agree to the Terms and Conditions.
  3. Click Next.

Step 3: Enter DNS provider details

Tip

TLS Protect Cloud uses the DNS-01 challenge method with Azure DNS. This requires automated TXT record management using the Azure API. The DNS provider details section above lists the required Azure fields, but the following section provides important additional context and permission requirements for Let's Encrypt/ACMEv2.

  1. From the DNS Provider drop-down, select a DNS provider.

  2. Complete the fields for your selected DNS provider. To validate domain ownership, TLS Protect Cloud uses the DNS-01 challenge type with Azure DNS, which requires dynamically creating and deleting TXT records through the Azure API.

    The following are required Azure properties:

    Field Purpose
    Subscription ID Identifies the Azure subscription hosting your DNS zones.
    Resource Group Identifies the resource group that contains the DNS zones to use.
    Client ID The application (service-principal) ID 1 registered in Azure AD.
    Client Secret A secure string that, along with the Client ID, authenticates requests.
    Tenant ID Identifies your Azure Active Directory (AAD) instance.

    The service principal must be assigned the DNS Zone Contributor role at the resource group or DNS zone level. This role enables:

    • Reading DNS zones and records
    • Creating TXT records for validation
    • Updating DNS records
    • Deleting TXT records after validation

    These permissions are required to complete all DNS-01 challenge operations.

  3. Click Test Connection.

  4. Click Done.

    After completing the configuration, you're returned to the Certificate Authorities page.

What's Next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.

  1. You must create a service principal in Azure AD, and assign it the DNS Zone Contributor role at the appropriate scope. See Microsoft's docs on creating service principals for help.