Creating Certificate Authority (CA) connectors using the Venafi CA Connector Framework

Introduction

Certificate Manager - SaaS provides the ability to create connections to certificate authorities, including some that aren't already supported by Certificate Manager - SaaS. With custom CAs, you can issue certificates, manually import certificates on demand, and schedule imports to ensure new certificates are added to Certificate Manager - SaaS automatically.

To help you understand how CA connectors developed using the framework look and feel in Certificate Manager - SaaS, we have created and tested the following connectors.

Prerequisites

Before you set up a CA connector in Certificate Manager - SaaS, make sure that:

  • You have a deployed VSatellite that can resolve the hostname of your CA to its IP address.
  • Your custom connector exists in Certificate Manager - SaaS. You can learn how to build and upload your connector by following the instructions on Dev Central. If you are using EJBCA, this step has already been done for you.

High-level steps for setting up a CA connector in Certificate Manager - SaaS

Once the prerequisites are complete, complete all of the following steps to create and configure a CA connector in Certificate Manager - SaaS.

Step 1: Export certificates and keys

Before you can configure a CA connector, you need the root certificate for the CA's site, and the client authentication certificate (which includes the private key) in PEM format.
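
A check worth running on the exported files before moving on to Step 2, as an added example that is not part of the Venafi documentation: it uses the openssl command line to confirm that both files are PEM, that the private key belongs to the client certificate, and that the certificate is unexpired and usable for TLS client authentication. The function name is hypothetical, and the script assumes the client certificate and its unencrypted private key sit together in one file.

```shell
#!/bin/sh
# Added example: pre-flight check of the two PEM files from Step 1.
# Assumptions (not from the page): CLIENT_PEM holds the client certificate and
# its private key in one file, and the key is not passphrase-protected.
# Usage: check_connector_pems ROOT_PEM CLIENT_PEM   (hypothetical helper name)
# Prints one line per failed check; exit status is the number of failures.
check_connector_pems() (
    root=$1 client=$2 fails=0
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    # 1. Root must parse as a PEM certificate and be self-issued.
    if ! openssl x509 -in "$root" -noout >/dev/null 2>&1; then
        fail "root file is not a PEM X.509 certificate"
    elif [ "$(openssl x509 -in "$root" -noout -subject_hash)" != \
           "$(openssl x509 -in "$root" -noout -issuer_hash)" ]; then
        fail "root certificate is not self-issued"
    fi

    # 2. Client file must contain a PEM certificate; keep its public key.
    if ! cert_pub=$(openssl x509 -in "$client" -noout -pubkey 2>/dev/null); then
        fail "client file has no PEM certificate"
        exit "$fails"
    fi

    # 3. Private key must be readable without a passphrase and match the cert.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    if ! key_pub=$(openssl pkey -in "$client" -passin pass: -pubout 2>/dev/null); then
        fail "client file has no unencrypted PEM private key"
    elif [ "$cert_pub" != "$key_pub" ]; then
        fail "private key does not match the client certificate"
    fi

    # 4. Client certificate must not have expired.
    openssl x509 -in "$client" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "client certificate has expired"

    # 5. OpenSSL must accept it for TLS client authentication
    #    (extended key usage absent, or includes clientAuth).
    openssl x509 -in "$client" -noout -purpose 2>/dev/null |
        grep -qx 'SSL client : Yes' ||
        fail "client certificate is not usable for TLS client authentication"

    exit "$fails"
)

# Run the check when the script is called with both file names.
if [ "$#" -eq 2 ]; then check_connector_pems "$1" "$2"; fi
```

An exit status of 0 means every check passed; each failed check is reported on stderr.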

Step 2: Create and configure the custom CA connector in Certificate Manager - SaaS

You need to provide Certificate Manager - SaaS with information about the CA so that it can request certificates. This involves creating a new entry in the Certificate Authority inventory.

Step 3: Create an issuing template for the new CA

Issuing templates connect applications to certificate authorities and specify parameters to use for issuing certificates.

Step 4: Create (or update) an application to use the issuing template

Applications are what you use to issue certificates. Once you've created an issuing template for your new CA connector, you create a new application (or update an existing application), and select the linked issuing template in the application settings.

Step 5: Create a certificate request

You can test if everything worked correctly by creating a new certificate request using the application and issuing template you've configured in the prior steps.