Adding a TLS Protect Datacenter certificate authority
Before you begin
This topic assumes you know your TLS Protect Datacenter user account information, and have an API integration set up for Firefly.
Before starting, make sure you have a TLS Protect Datacenter user account, know the URL for invoking APIs, and know the Client ID assigned for this API Integration.
What information do I need from TLS Protect Datacenter?
You're going to need information about your TLS Protect Datacenter account and settings to complete the CA configuration. You may need to contact your TLS Protect Datacenter administrator for help in setting up the configuration.
You will need:
- A TLS Protect Datacenter API configuration for Firefly.
  - Follow the steps to create an API Integration.
  - Use the longest grant period allowed by your organization.
  - Make sure token refresh is enabled.
  - Set the scope to `certificate:manage`.
  - Assign the correct user to it. (See the note below.)
- TLS Protect Datacenter API Base URL
- Username
- Password
- Client ID for the API configuration
- Policy Folders (one or more) where the certificates requested by TLS Protect Cloud will be stored.
  - The user will need to have at least `read`, `write`, and `create` permissions to these folders.
  - These policy folders must be assigned a CA template by policy and allow enrollment using CSRs.
  - Important: The policy folders must have Allow Duplicate Common and Subject Alternative Names set to Yes or TLS Protect Cloud will not be able to renew any certificates.
What user account should I use for TLS Protect Datacenter?
You should create a dedicated TLS Protect Datacenter user account for TLS Protect Cloud. This can be a local account or can come from your identity provider. You should not use an individual's personal account, because if this user's account becomes inactive, the integration with TLS Protect Cloud will break.
To set up the CA
Step 1: Set up the connection
- Sign in to Venafi Control Plane.
- Click Integrations > Certificate Authorities.
- Click New > Venafi TLS Protect Datacenter.
- Enter a Name that this CA should be called in TLS Protect Cloud.
- Select a VSatellite. If you don't yet have a VSatellite deployed, click Deploy a VSatellite, and follow the steps to deploy a new VSatellite.
- Click Next.
Step 2: Enter additional information
- In the TLS Protect Datacenter API URL field, enter the base URL of the TLS Protect Datacenter API service. For example: `https://venafi.example.com`
- Enter the Username and Password for the user granted access to TLS Protect Datacenter.
- Enter the Client ID for the API Integration created for TLS Protect Cloud.
- Click Next.
Step 3: Enter issuance details
- Enter the abbreviated distinguished names of TLS Protect Datacenter policy folders (for example, `Certificates\Cloud\Server Auth`) and click the Add button to add them to the list.
- Click Done.
After completing the configuration, you are taken back to the Certificate Authorities page.
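As an added preflight check for the values entered in Steps 2 and 3 (example code written for this page, not Venafi's own tooling), the script below normalizes the API base URL and the policy folder names before they are pasted into the wizard, and flags the mistakes that most often cause a failed CA connection: a non-https or trailing-slash URL, a full policy DN where the abbreviated form is expected, forward slashes from copy-paste, and the same folder listed twice. It assumes that full policy DNs start with `\VED\Policy` and that the abbreviated form is the path below that root; the field names, the sample values and the `check_ca_config` function are this example's own. It makes no network calls, so it cannot confirm the user's `read`/`write`/`create` permissions, the CA template on the folder, or the Allow Duplicate Common and Subject Alternative Names setting, which can only be checked in TLS Protect Datacenter itself.

```python
"""Preflight checks for a TLS Protect Datacenter CA configuration (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption (not stated on the page): full policy DNs begin with \VED\Policy,
# and the "abbreviated" DN the wizard wants is the path below that root.
POLICY_ROOT_PARTS = ("ved", "policy")

# Hypothetical field names for the values collected in Steps 2 and 3.
REQUIRED_FIELDS = ("name", "api_url", "username", "password", "client_id", "policy_folders")


def normalize_base_url(url: str) -> str:
    """Return the base URL in the shape the API URL field expects, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError(f"API base URL must use https, got {parts.scheme or 'no scheme'!r}")
    if not parts.netloc:
        raise ValueError("API base URL has no host")
    if parts.query or parts.fragment:
        raise ValueError("API base URL must not carry a query string or fragment")
    # A trailing slash is harmless in a browser but yields '//' once an API path is appended.
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"


def normalize_policy_folder(folder: str) -> str:
    """Return the abbreviated policy folder DN (no \\VED\\Policy prefix), or raise ValueError."""
    # Accept forward slashes from copy-paste, then split into path segments.
    raw = folder.strip().replace("/", "\\")
    parts = [p.strip() for p in raw.split("\\")]
    parts = [p for p in parts if p]  # drop the leading empty segment and doubled separators
    if not parts:
        raise ValueError("policy folder is empty")
    # A full DN such as \VED\Policy\Certificates\Cloud is accepted and abbreviated.
    if tuple(p.lower() for p in parts[:2]) == POLICY_ROOT_PARTS:
        parts = parts[2:]
        if not parts:
            raise ValueError("policy folder points at the policy root, not a folder")
    return "\\".join(parts)


def check_ca_config(cfg: dict) -> tuple[dict, list[str]]:
    """Validate the wizard inputs; return (normalized config, list of problems)."""
    problems: list[str] = []
    out: dict = {}
    for field in REQUIRED_FIELDS:
        if cfg.get(field) in (None, "", []):
            problems.append(f"missing required field: {field}")
    if problems:
        return out, problems
    for field in ("name", "username", "client_id"):
        out[field] = str(cfg[field]).strip()
    out["password"] = cfg["password"]  # passed through untouched, never printed
    try:
        out["api_url"] = normalize_base_url(cfg["api_url"])
    except ValueError as exc:
        problems.append(str(exc))
    folders: list[str] = []
    for raw in cfg["policy_folders"]:
        try:
            dn = normalize_policy_folder(raw)
        except ValueError as exc:
            problems.append(f"{raw!r}: {exc}")
            continue
        # Folder DNs are compared case-insensitively so the same folder is not added twice.
        if dn.lower() in (f.lower() for f in folders):
            problems.append(f"duplicate policy folder: {dn}")
        else:
            folders.append(dn)
    out["policy_folders"] = folders
    return out, problems


# Constructed sample input, as an operator might type it into the wizard.
SAMPLE_CONFIG = {
    "name": "Datacenter CA (example)",
    "api_url": "https://venafi.example.com/",
    "username": "svc-tlspc",
    "password": "<placeholder>",
    "client_id": "<client-id-from-api-integration>",
    "policy_folders": [
        "Certificates\\Cloud\\Server Auth",
        "\\VED\\Policy\\Certificates\\Cloud\\Client Auth",
        "certificates/cloud/server auth",
    ],
}

if __name__ == "__main__":
    normalized, issues = check_ca_config(SAMPLE_CONFIG)
    print("API URL:", normalized.get("api_url"))
    print("Policy folders:", normalized.get("policy_folders"))
    for issue in issues:
        print("Problem:", issue)
```

Run against the sample, the trailing slash is removed from the URL, the full DN is abbreviated to `Certificates\Cloud\Client Auth`, and the third entry is reported as a duplicate of the first rather than being added a second time.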
What's Next
This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.