Adding a Certificate Manager - Self-Hosted certificate authority

Before you begin

This topic assumes you know your Certificate Manager - Self-Hosted user account information, and have an API integration set up for Workload Identity Manager.

Before starting, make sure you have a Certificate Manager - Self-Hosted user account, know the URL for invoking APIs, and know the Client ID assigned for this API Integration.

What information do I need from Certificate Manager - Self-Hosted?

You're going to need information about your Certificate Manager - Self-Hosted account and settings to complete the CA configuration. You may need to contact your Certificate Manager - Self-Hosted administrator for help in setting up the configuration.

You will need:

  • A Certificate Manager - Self-Hosted API configuration for Workload Identity Manager.
    • Follow the steps to create an API Integration.
    • Use the longest grant period allowed by your organization.
    • Make sure token refresh is enabled.
    • Set the scope to certificate:manage.
    • Assign the correct user to it. (See the note below.)
  • Certificate Manager - Self-Hosted API Base URL
  • Username
  • Password
  • Client ID for the API configuration
  • Policy Folders (one or more) where the certificates requested by Certificate Manager - SaaS will be stored.
    • The user will need to have at least read, write, and create permissions to these folders.
    • These policy folders must be assigned a CA template by policy and allow enrollment using CSRs.
    • Important: The policy folders must have Allow Duplicate Common and Subject Alternative Names set to Yes or Certificate Manager - SaaS will not be able to renew any certificates.

What user account should I use for Certificate Manager - Self-Hosted?

You should create a dedicated Certificate Manager - Self-Hosted user account for Certificate Manager - SaaS. This can be a local account or can come from your identity provider. You should not use an individual's personal account, because if this user's account becomes inactive, the integration with Certificate Manager - SaaS will break.

To set up the CA

Step 1: Set up the connection

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.
  3. Click New > Venafi Certificate Manager - Self-Hosted.
  4. Enter a Name that this CA should be called in Certificate Manager - SaaS.
  5. Select a VSatellite. If you don't yet have a VSatellite deployed, click Deploy a VSatellite, and follow the steps to deploy a new VSatellite.
  6. Click Next.

Step 2: Enter additional information

  1. In the Certificate Manager - Self-Hosted API URL field, enter the base URL of the Certificate Manager - Self-Hosted API service. For example: https://venafi.example.com
  2. Enter the Username and Password for the user granted access to Certificate Manager - Self-Hosted.
  3. Enter the Client ID for the API Integration created for Certificate Manager - SaaS.
  4. Click Next.

Step 3: Enter issuance details

  1. Enter the abbreviated distinguished names of Certificate Manager - Self-Hosted policy folders (for example, Certificates\Cloud\Server Auth) and click the Add button to add them to the list.
  2. Click Done.

After completing the configuration, you are taken back to the Certificate Authorities page.
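
A pre-flight check for the values entered in Steps 2 and 3, as an added example that is not part of the original page or the product. It assumes the token grant for the API integration is available as a JSON object with `scope` and `refresh_token` fields, that scope entries are separated by spaces or semicolons with comma-separated privileges, and that a non-abbreviated folder DN starts with `\VED\Policy`; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

FULL_DN_PREFIX = "\\VED\\Policy"  # assumption: prefix of a full (non-abbreviated) DN


def parse_scopes(scope_string):
    """Map scope name -> set of privileges, e.g. 'certificate:manage' -> {'certificate': {'manage'}}."""
    scopes = {}
    for entry in re.split(r"[;\s]+", scope_string.strip()):  # assumed separators
        if entry:
            name, _, privs = entry.partition(":")
            scopes.setdefault(name.lower(), set()).update(
                p.lower() for p in privs.split(",") if p)
    return scopes


def preflight(base_url, policy_folders, grant):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    url = urlsplit(base_url)
    if url.scheme != "https" or not url.hostname:
        problems.append("API URL must be an https:// URL with a host")
    if url.path.strip("/") or url.query or url.username:
        problems.append("API URL must be the base URL only (no path, query or credentials)")
    if "manage" not in parse_scopes(grant.get("scope", "")).get("certificate", set()):
        problems.append("granted scope does not include certificate:manage")
    if not grant.get("refresh_token"):
        problems.append("no refresh token in grant: token refresh is not enabled")
    if not policy_folders:
        problems.append("at least one policy folder is required")
    for folder in policy_folders:
        if folder.upper().startswith(FULL_DN_PREFIX.upper()) or folder.startswith("\\"):
            problems.append(f"{folder!r}: use the abbreviated DN, not the full DN")
        elif "/" in folder or any(p != p.strip() or not p for p in folder.split("\\")):
            problems.append(f"{folder!r}: malformed folder DN")
    return problems


# Constructed sample grants (placeholders, not real tokens).
GOOD_GRANT = {"access_token": "EXAMPLE", "refresh_token": "EXAMPLE", "scope": "certificate:manage"}
BAD_GRANT = {"access_token": "EXAMPLE", "scope": "certificate"}

if __name__ == "__main__":
    print(preflight("https://venafi.example.com", ["Certificates\\Cloud\\Server Auth"], GOOD_GRANT))
    for problem in preflight("http://venafi.example.com/api", ["\\VED\\Policy\\Certificates"], BAD_GRANT):
        print("FAIL:", problem)
```

The check does not cover folder permissions, the CA template assignment or the Allow Duplicate Common and Subject Alternative Names setting; confirm those in Certificate Manager - Self-Hosted itself.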

What's Next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.