Skip to content

Custom Certificate Authority (CA) connectors

Introduction

TLS Protect Cloud provides the ability to create connections to custom certificate authorities that aren't already supported by TLS Protect Cloud. With custom CAs, you can issue certificates, manually import certificates on demand, and schedule imports to ensure new certificates are added to TLS Protect Cloud automatically.

For reference, we have created and tested a custom EJBCA connector, which you can use as a guide for creating your own connector.

Prerequisites

Before you try to set up a CA connector in TLS Protect Cloud, you'll need to do the following:

  • Have a deployed VSatellite that can resolve the hostname to the IP address of your CA. Learn more about VSatellites
  • Your custom connector must exist in TLS Protect Cloud. You can learn how to build and upload your connector by following the instructions on Dev Central. If you are using EJBCA, this step has already been done for you.

High-level steps for setting up a CA connector in TLS Protect Cloud

Once the prerequisites are complete, you'll do all the following steps to create and configure a CA connector in TLS Protect Cloud.

Step 1: Export certificates and keys

Before you can configure a CA connector, you need the root certificate for the CA's site, and the client authentication certificate (which includes the private key) in PEM format. Show me how

Step 2: Create and configure the custom CA connector in TLS Protect Cloud

You need to provide TLS Protect Cloud with information about the CA so that it can request certificates. This involves creating a new entry in the Certificate Authority inventory. Show me how

Step 3: Create an issuing template for the new CA

Issuing templates connect applications to certificate authorities and specify parameters to use for issuing certificates. Show me how

Step 4: Create (or update) an application to use the issuing template

Applications are what help you issue certificates. Once you've created an issuing template for your new CA connector, you create a new application (or update an existing application), and select the linked issuing template in the application settings.

Show me how to create an application or show me how to add an issuing template to an application.

Step 5: Create a certificate request

You can test if everything worked correctly by creating a new certificate request using the application and issuing template you've configured in the prior steps. Show me how