Create a Certificate Authority connector

TLS Protect Cloud provides the ability to create connections to custom certificate authorities that aren't already supported by TLS Protect Cloud.

With custom CAs, you can manually import certificates on demand, and schedule imports to ensure new certificates are added to TLS Protect Cloud automatically.


Before you begin, make sure you already have the following:

  • A deployed VSatellite that can resolve the hostname to the IP address of your certificate authority server.
  • The saved root certificate used to validate the TLS certificate used by your CA's site.
  • The client authentication certificate and private key used to authenticate into the CA's administration console. (The private key must be unencrypted, and the file must be in PEM format.)
  • Ensure your custom CA is added using our API for visibility and selection in TLS Protect Cloud's web console. You can learn more about this process on Dev Central.

    (If you are connecting to EJBCA, this step has already been done for you.)

  • If you are connecting to EJBCA, you must have at least one CA set up.

    (This is called out as a requirement for EJBCA since setting up a CA is an additional, separate step that must be done after EJBCA software is installed on your server. If you are connecting to another CA, this step may or may not be required.)

The instructions on this page are generic instructions that you can use for all custom CA connectors. For reference, you can read our Example: Creating a Custom CA connector topic, which covers these same steps specifically for EJBCA. You can use that to help you with your own custom CA connector.

To create a custom CA connector in TLS Protect Cloud

  1. In the Venafi TLS Protect Cloud menu, click Settings > Certificate Authorities.
  2. Click the New button, then click Add Certificate Authority connector. The New Certificate Authority wizard appears.

Provide basic information

  1. Enter a Name that will be used as the display name for the CA connector you are creating.
  2. Select the VSatellite that can resolve the hostname to the IP address of your CA server.
  3. Select the Certificate Authority Type.


    EJBCA is currently the only CA connector available in this step. Once you have added your custom CA connector and submitted it as outlined in our Dev Central documentation, you will see it listed here.

  4. Click Next.

Provide connection information

  1. Enter the fully-qualified URL for the CA server.

    For example:

  2. Click Choose a file to upload the unencrypted Client Authentication certificate and private key in PEM format.

    Where do I get the client authentication certificate?

    This depends on your CA. For example, for EJBCA, the client authentication certificate was created as part of the initial setup of EJBCA when you installed the software on your server. To access the web-based administration UI, you must have this certificate.

    We only support PEM format, so if you downloaded the certificate in another format (P12, for example), you need to convert it to PEM format for use in TLS Protect Cloud.

    More information is available in Export the CA certificate and keys.

  3. Click Choose a file to upload the Root Certificate.

  4. Click the Test Connection button.

    If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.

  5. Click Next.
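
A pre-upload check for the file chosen in step 2, as an added example that is not part of TLS Protect Cloud or its documentation: it confirms that the file is PEM text, contains a certificate and a private key, and that the key is not passphrase-protected in either of the two common PEM encodings. The function names and the sample data are constructed for illustration; the check is structural only and does not parse the certificate or confirm that the key matches it.

```python
import base64
import re

# A PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_client_auth_pem(data: bytes) -> list:
    """Return a list of problems; an empty list means the file fits the upload requirements."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not PEM text (binary input such as P12 must be converted first)"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems, certs, keys = [], 0, 0
    for label, body in blocks:
        # Header lines ("Name: value") may precede the base64; drop them before decoding.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            if label == "ENCRYPTED PRIVATE KEY":
                problems.append("private key is encrypted (PKCS#8 ENCRYPTED PRIVATE KEY)")
            elif "Proc-Type: 4,ENCRYPTED" in body:
                problems.append(f"{label} is encrypted (Proc-Type: 4,ENCRYPTED header)")
    if certs == 0:
        problems.append("no client certificate found")
    if keys == 0:
        problems.append("no private key found")
    return problems

def sample_pem(label: str, headers: str = "") -> str:
    """Build a constructed PEM block; the body is placeholder bytes, not real key material."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    bundle = sample_pem("CERTIFICATE") + sample_pem("ENCRYPTED PRIVATE KEY")
    print(check_client_auth_pem(bundle.encode()))
```

Because the private key in this file is unencrypted, keep the file readable only by the account that performs the upload and remove any working copies afterwards.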

Set up issuance (optional)

  1. In Product Options, select the options needed for your CA.

  2. Select the checkbox for Default Product.

    What is this field for?

    If your CA doesn't provide multiple products, you will only see the option for Default Product. Some CAs do support multiple products (or issuing templates), so if the CA you are connecting to supports this feature, you must select the desired product (or issuing template) here.

  3. Click Next.

Set up import (optional)

The Import options fields are only available if you select product options.

  1. In the Import options section, specify if you want to include revoked or expired certificates.
  2. To schedule importing new certificates from this CA, enable the Scheduled import option, then select the scheduling options. Enter the UTC time when you want the import to occur. For reference, the current UTC time is displayed.

    When selecting the Month option

    If you select the Month option, you specify the day of the month on which the import runs. If you select a value like 31, the job runs only in months that have that many days and does not run in months that do not.

  3. Click Create.

You will see your new custom CA in the Certificate Authority list.

What's Next?

Now that you have created a new CA connector, you need to create an issuing template that uses this new CA connector. Pay attention to the section that gives specific instructions on extra fields that are required for custom connectors.

Once you have an issuing template for your new CA connector, you must add the issuing template to an application.