Import certificates from a ZTPKI certificate authority

Use this procedure to import certificates issued by a Zero Touch PKI (ZTPKI) certificate authority into TLS Protect Cloud. This task helps you discover and onboard certificates issued by a specific ZTPKI policy for centralized inventory and management.

IMPORTANT!

You cannot use ZTPKI certificate authorities that you created before the certificate import feature was introduced, because the ZTPKI CA creation wizard did not include the Import step at that time. To import certificates from your ZTPKI CA, follow this procedure to create a new CA.

Before you begin

  • ZTPKI account: If you don't already have an account, you'll need to set that up first. Contact your ZTPKI administrator to establish an account with the proper account role that you can use to create a new ZTPKI certificate authority.
    • You must have the ZTPKI CA URL, API Key ID, and API Key.
    • Determine which ZTPKI policy you want to use for importing certificates; you'll need to select one or more of these during this procedure.
    • Make sure you understand the size and scope of the certificates under each policy, especially if importing a large volume.
  • Permissions on TLS Protect Cloud: You must have administrative access (Platform Administrator, PKI Administrator, or System Administrator roles).

To import certificates from a ZTPKI CA

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.
  3. Click New > Venafi Zero Touch PKI.
  4. Enter a Name for this CA as it should appear in TLS Protect Cloud.
  5. In the Server URL field, select the URL for the ZTPKI service where your private PKI is hosted.
  6. Enter the API key ID and API key generated from one of the users in your ZTPKI account.

    Note

    This user must have the proper role with permissions to the certificate policies that will be used when creating certificate issuing templates. Contact your Zero Touch PKI administrator if you do not have a user account with the correct permissions.

  7. Click Test Connection.

  8. On Step 2 (Import) of the wizard, do the following:

    1. (Optional) Choose ZTPKI policies (Product Options) to import certificates from, and then click Add.

      Only certificates issued by the policies you select will be imported.

    2. Specify available import options, such as including revoked certificates as part of the import.

    3. If you want this certificate import to run regularly, select Scheduled Import and specify Day, Week, Month, and the time of day you want it to run.

    You can run the import manually after you finish this task.

  9. Click Done.

After completing this process, your TLS Protect Cloud inventory should reflect the imported certificates issued by the selected ZTPKI policy. Verify the results in the Certificate Inventory. Use the filter or search features to confirm that the expected certificates are present.