Certificate Authority (CA) connectors overview
While TLS Protect Cloud provides direct integrations with several popular certificate authorities (CAs), you may find that your preferred CA isn't in our list of default options.
Venafi is building a new framework that will eventually support CA connectors of a variety of types. Today, one CA connector is supported: EJBCA.
Before you begin
Before you try to set up a CA connector, you'll need to do the following:
- Have a deployed VSatellite that can resolve your CA's hostname to its IP address.
- Verify you can log in to the CA's admin UI.
Once the prerequisites are met, complete the following steps to create and configure a CA connector in TLS Protect Cloud.
Step 1: Export certificates and keys for EJBCA
Before you can configure a CA connector for EJBCA, you need the root certificate for the CA's site, as well as the client authentication certificate (which includes the private key) in PEM format.
Step 2: Create the EJBCA CA connector in TLS Protect Cloud
You need to provide TLS Protect Cloud with information about the CA so that it can request certificates. This involves creating a new entry in the Certificate Authority inventory.
Step 3: Create an issuing template for the new CA
Issuing templates connect applications to certificate authorities and specify parameters to use for issuing certificates.
Step 4: Create (or update) an application to use the issuing template
Applications help you issue certificates. Once you've created an issuing template for your new CA connector, create a new application (or update an existing one) and select the linked issuing template in the application settings.
Step 5: Create a certificate request
You can test if everything worked correctly by creating a new certificate request using the application and issuing template you've configured in the prior steps.