Adding a Venafi Zero Touch PKI certificate authority

Before you begin

You're going to need a few things to complete the CA configuration.

  • Zero Touch PKI (ZTPKI) account: If you don't already have an account, you'll need to set that up first. Contact your ZTPKI administrator to establish an account with the proper account role that you can use to create a new ZTPKI certificate authority.
    • You must have the ZTPKI CA URL, API Key ID, and API Key.
    • Determine which ZTPKI policy you want to use for importing certificates; you'll need to select one or more of these during this procedure.
    • Make sure you understand the size and scope of the certificates under each policy, especially if importing a large volume.
  • Permissions on TLS Protect Cloud: You must have administrative access (Platform Administrator, PKI Administrator, or System Administrator roles).

To set up the CA

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.
  3. Click New > Venafi Zero Touch PKI.
  4. Enter a Name for this CA as it should appear in TLS Protect Cloud.
  5. In the Server URL field, select the URL for the ZTPKI service where your private PKI is hosted.
  6. Enter the API key ID and API key generated from one of the users in your ZTPKI account.

    Note

    This user must have the proper role with permissions to the certificate policies that will be used when creating certificate issuing templates. Contact your Zero Touch PKI administrator if you do not have a user account with the correct permissions.

  7. Click Test Connection.

  8. On Step 2 (Import) of the wizard, do the following:

    1. (Optional) Choose ZTPKI policies (Product Options) to import certificates from, and then click Add.

      Only certificates issued by the policies you select will be imported.

    2. Specify available import options, such as including revoked certificates as part of the import.

    3. If you want this certificate import to run regularly, select Scheduled Import and specify Day, Week, Month, and the time of day you want it to run.

    You can run the import manually after you finish this task.

  9. Click Done.

After completing this process, your TLS Protect Cloud inventory should reflect the imported certificates issued by the selected ZTPKI policy. Verify the results in the Certificate Inventory. Use the filter or search features to confirm that the expected certificates are present.

What's Next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.