
Creating a Sectigo connector

This is an example of how to specify the CA (Certificate Authority) connector settings in TLS Protect Cloud for Sectigo. The connector was created using the Venafi CA Connector Framework.

You can use this topic to configure a Sectigo CA connector (if you are a Sectigo customer), or you can use it as a reference for designing other CA connectors. Remember that your CA may use different terminology from what is documented in this example.

Before you begin

Before you try to set up a CA connector in TLS Protect Cloud, ensure you have a deployed VSatellite that can resolve the Sectigo service address to an IP address. Learn more about VSatellite

Create the Sectigo CA connector in TLS Protect Cloud

Here are the steps to configure a Sectigo CA connector. Before you complete these steps, be sure to read the entire Create custom CA connector topic, including the prerequisites and notes.

  1. In the Venafi TLS Protect Cloud menu, click Settings > Certificate Authorities.
  2. Click the New button, then click Add Certificate Authority connector.
  3. Specify the Connection information.

    1. Enter a Name that will be used as the display name for the CA connector you are creating.
    2. Select the VSatellite that can resolve the hostname to the IP address of your Sectigo CA server.
    3. Select the Sectigo Certificate Manager Certificate Authority Type.
    4. Click Next.
  4. Provide the Information needed to connect to your Sectigo account.

    1. In the Service Address field, enter the URL for the Sectigo CA server.

      For example: cert-manager.com

      If you have a custom URL associated with your account, you can enter it here.

    2. Enter your Customer URI.

      This is the last part of your Web Admin Console URL.

      For example, if your Web Admin Console URL were https://cert-manager.com/customer/MyCustomerName, your Customer URI would be MyCustomerName.

    3. Enter the Username and Password you use to log in to your Sectigo account.

    4. Click Test Connection to verify that VSatellite can connect to your account.

      When VSatellite has connected to Sectigo, you will see a confirmation box with a green check mark and a message that the connection was successful.

    5. Click Next.

  5. Specify the Issuance options by specifying the product offerings to include.

    1. In Product Options, select the products you want to use on an issuing template.

      How do I know which product options to select?

      In this step, we recommend you select all products that you might want to use with TLS Protect Cloud.

      You can restrict which products are available to specific users when you create the issuing template. Selecting them here makes them available for issuing templates that use this CA connector.

      You can easily modify this at a later point by editing the CA connector settings.

    2. Click Add.

      It's easy to miss this step, so be careful. You want to see all the selected product options visible in the Name box before you continue.

    3. Click Next.

  6. (Optional) Specify the Import settings.

    The rest of these steps are to set up the import of certificates, which is optional. If you don't want to set up import steps, click Create.

    1. In the Import options section, specify if you want to include revoked or expired certificates.
    2. To schedule importing certificates from the Sectigo server, enable the Scheduled import option, then select the scheduling options.

      Selecting a scheduled import frequency

      When you import certificates from Sectigo, the Sectigo API does not allow you to filter the import to only download updates, so every import will import the entire inventory of certificates in your account. This may be a significant number, especially if you include revoked or expired certificates.

      Because this can take a significant amount of time, you may want to decrease the frequency of your scheduled import. Many customers have found that a weekly scheduled import is sufficient.

    3. Click Create.

You will see your new Sectigo CA in the Certificate Authority list.
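
The connection details entered in step 4 can be checked before you open the wizard. The following Python sketch is an added example, not part of the Venafi or Sectigo documentation: run on a host that shares the VSatellite's DNS and network path, it derives the Customer URI from the Web Admin Console URL and confirms that the Service Address resolves and completes a certificate-verified TLS handshake. Port 443, the /customer/ path check (taken from the example URL above), and all function names are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit


def service_host(service_address: str) -> str:
    """Return the bare hostname from a Service Address given with or without a scheme."""
    value = service_address.strip()
    parts = urlsplit(value if "://" in value else "https://" + value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https address or bare hostname: {service_address!r}")
    return parts.hostname.lower()


def customer_uri(console_url: str) -> str:
    """Return the last path segment of the Web Admin Console URL (the Customer URI)."""
    parts = urlsplit(console_url.strip())
    segments = [s for s in parts.path.split("/") if s]
    # Assumption: the console URL has the .../customer/<name> shape shown on this page.
    if parts.scheme != "https" or len(segments) < 2 or segments[-2] != "customer":
        raise ValueError(f"not a .../customer/<name> console URL: {console_url!r}")
    return segments[-1]


def preflight(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve host, then complete a certificate-verified TLS handshake with it."""
    # getaddrinfo raises socket.gaierror when the name cannot be resolved.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    addresses = sorted({info[4][0] for info in infos})
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"addresses": addresses, "tls": tls.version(), "not_after": cert["notAfter"]}


if __name__ == "__main__":
    # Values from this page's own examples; substitute your account's values.
    host = service_host("cert-manager.com")
    print("Customer URI:", customer_uri("https://cert-manager.com/customer/MyCustomerName"))
    try:
        print("Pre-flight:", preflight(host))
    except (socket.gaierror, ssl.SSLError, OSError) as exc:
        print(f"Pre-flight failed for {host}: {exc!r}")
```

A name-resolution failure here points to the DNS prerequisite in Before you begin, while a certificate verification error suggests TLS interception or a wrong Service Address on the path the VSatellite uses.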

What's next?

Now that you have created a new CA connector, you need to create an issuing template that uses this new CA connector. Pay attention to the section that gives specific instructions on extra fields that are required for CA connectors created using the CA Connector Framework.

Once you have an issuing template for your new CA connector, you need to add the issuing template to an application.