Example: Create a custom CA connector using the CA Connector Framework
TLS Protect Cloud provides the ability to create connections to custom certificate authorities that aren't already supported by TLS Protect Cloud.
With custom CAs, you can manually import certificates on demand, and schedule imports to ensure new certificates are added to TLS Protect Cloud automatically.
Prerequisites
Before you begin, make sure you already have the following:
- A deployed VSatellite that can resolve the hostname to the IP address of your certificate authority server.
- The saved root certificate used to validate the TLS certificate used by your CA's site.
- The client authentication certificate and private key used to authenticate into the CA's administration console. (The private key must be unencrypted, and the file must be in PEM format.)
- Ensure your custom CA is added using our API for visibility and selection in TLS Protect Cloud's web console. You can learn more about this process on Dev Central. (If you are connecting to EJBCA, this step has already been done for you.)
- If you are connecting to EJBCA, you must have at least one CA set up. (This is called out as a requirement for EJBCA because setting up a CA is an additional, separate step that must be done after the EJBCA software is installed on your server. If you are connecting to another CA, this step may or may not be required.)
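As an added example (not part of the TLS Protect Cloud documentation), a small Python pre-flight check for the third prerequisite: it confirms that a client private key file is PEM-encoded and not passphrase-protected, flagging both PKCS#8 `ENCRYPTED PRIVATE KEY` blocks and legacy keys carrying a `Proc-Type: 4,ENCRYPTED` header, and rejects DER or PKCS#12 input that has no PEM block at all. The sample inputs are constructed placeholders, not real key material; call `check_client_key_file()` with the contents of your own key file.

```python
import base64
import re

# One PEM block: label, optional RFC 1421 headers, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem_blocks(text):
    """Return [(label, headers)] for every PEM block in text; reject bad base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, lines = match.group(1), match.group(2).splitlines()
        headers = {}
        while lines and ":" in lines[0]:  # e.g. "Proc-Type: 4,ENCRYPTED"
            key, _, value = lines.pop(0).partition(":")
            headers[key.strip()] = value.strip()
        try:
            decoded = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except ValueError:
            decoded = b""
        if not decoded:
            raise ValueError(f"{label} block body is empty or not valid base64")
        blocks.append((label, headers))
    return blocks

def check_client_key_file(text):
    """Return (ok, reason) for the 'unencrypted private key in PEM format' prerequisite."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return False, str(exc)
    if not blocks:
        return False, "no PEM block found (DER or PKCS#12 input must be converted to PEM)"
    keys = [(label, hdr) for label, hdr in blocks if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    label, headers = keys[0]
    if label == "ENCRYPTED PRIVATE KEY":
        return False, "PKCS#8 key is passphrase-protected; supply an unencrypted key"
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        return False, f"legacy {label} block is passphrase-protected (Proc-Type header)"
    return True, f"unencrypted {label} in PEM format"

def _sample(label, headers=""):
    # Constructed placeholder body: valid base64, but not real key material.
    body = base64.b64encode(b"constructed placeholder, not key material").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

SAMPLE_OK = _sample("PRIVATE KEY")
SAMPLE_PKCS8_ENCRYPTED = _sample("ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENCRYPTED = _sample("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233\n\n")
```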
The instructions on this page are generic instructions that you can use for all custom CA connectors. For reference, you can read our Creating an EJBCA connector topic and our Creating a Sectigo connector topic, which cover these same steps, but specifically for those CAs. You can use these two pages to help you with your own custom CA connector.
To create a custom CA connector in TLS Protect Cloud
- In the Venafi TLS Protect Cloud menu, click Settings > Certificate Authorities.
- Click the New button, then click Add Certificate Authority connector. The New Certificate Authority wizard appears.
- Provide Connection information about the CA connector.
  - Enter a Name that will be used as the display name for the CA connector you are creating.
  - Select the VSatellite that can resolve the hostname to the IP address of your CA server.
  - Select the Certificate Authority Type.
    Note: Your custom CA won't appear in this list until you have deployed your custom CA connector using our API or submitted it for broader availability as outlined in our Dev Central documentation.
  - Click Next.
- Provide the Information needed to connect to the CA server.
  - Enter the fully qualified URL for the CA server. For example:
    https://your-custom-ca.example.com
    Depending on the CA you are connecting to, you'll probably see several other fields here. Refer to our EJBCA and Sectigo connection topics for samples of what you might see.
  - Click the Test Connection button. If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.
  - Click Next.
- Set issuance options, if required for your CA.
  - In Product Options, select the options needed for your CA.
  - Select the checkbox for Default Product.
    What is this field for? If your CA doesn't provide multiple products, you will only see the option for Default Product. Some CAs support multiple products (or issuing templates), so if the CA you are connecting to supports this feature, you must select the desired product, products, or issuing template here.
  - Click Next.
- (Optional) Set up import.
  - In the Import options section, specify whether you want to include revoked or expired certificates.
    Note: The Import options fields are only available if you select product options.
  - To schedule importing new certificates from this CA, enable the Scheduled import option, then select the scheduling options. Enter the UTC time when you want the import to occur. For reference, the current UTC time is displayed.
    When selecting the Month option: If you select the Month option, you specify the day of the month on which to run the import. If you select a value like 31, the job runs only in months that have that many days and is skipped in months that don't.
  - Click Create.
  - You will see your new custom CA in the Certificate Authority list.
What's Next?
Now that you have created a new CA connector, you need to create an issuing template that uses this new CA connector. Pay attention to the section that gives specific instructions on extra fields that are required for custom connectors.
Once you have an issuing template for your new CA connector, you must add the issuing template to an application.