Skip to content

Certificate Authority (CA) connectors overview


While TLS Protect Cloud provides direct integrations with several popular certificate authorities (CAs), you may find that your preferred CA isn't in our list of default options.

Venafi is creating a new framework that will eventually support the ability to create CA connectors of a variety of types. Today we support one CA connector, which is for EJBCA.

Before you begin

Before you try to set up a CA connector, you'll need to do the following:

  • Have a deployed VSatellite that can resolve the hostname to the IP address of your CA. Learn more about VSatellites
  • Verify you can log in to the CA's admin UI.

Setup steps

Once the prerequisites are complete, you'll do all the following steps to create and configure a CA connector in TLS Protect Cloud.

Step 1: Export certificates and keys for EJBCA

Before you can configure a CA connector for EJBCA, you need the root certificate for the CA's site, as well as the client authentication certificate (which includes the private key) in PEM format. Show me how

Step 2: Create the EJBCA CA connector in TLS Protect Cloud

You need to provide TLS Protect Cloud with information about the CA so that it can request certificates. This involves creating a new entry in the Certificate Authority inventory. Show me how

Step 3: Create an issuing template for the new CA

Issuing templates connect applications to certificate authorities and specify parameters to use for issuing certificates. Show me how

Step 4: Create (or update) an application to use the issuing template

Applications are what help you issue certificates. Once you've created an issuing template for your new CA connector, you create a new application (or update an existing application), and select the linked issuing template in the application settings.

Show me how to create an application or show me how to add an issuing template to an application.

Step 5: Create a certificate request

You can test if everything worked correctly by creating a new certificate request using the application and issuing template you've configured in the prior steps. Show me how