Skip to content

Configuring Venafi Control Plane access for Venafi Connection

Learn how to configure remote access to the Venafi Control Plane REST API so that Venafi Connection can use them.

There are two ways you can configure remote access to the Venafi Control Plane REST API:

  • Using the API key generated in the Venafi Control Plane UI.
  • Configuring Venafi Control Plane for Datacenters (TPP).

Option 1: Using the API key (Cloud)

  1. Sign into the Venafi Control Plane UI.
  2. Click the you account icon on the top right, and then Preferences from the drop-down list.
  3. Copy your API key from the API keys tab.

Option 2: Configuring Venafi Control Plane for Datacenters (TPP)

In this example it is assumed that your application teams have their own user account and policy folder in Venafi TPP.

  1. In the TPP UI, create a user account and generate a strong random password.

    For more information on how to create a user account, see the TPP Administration Guide.

    Retain the username / password for later when you need to share it with the platform team or upload it to a secret store. You need to perform this step for every team that requires access to the Venafi TPP API server.

  2. Create an application integration. Venafi Enhanced Issuer needs permission to manage certificates using the TLS Protect Datacenter API, which corresponds to the scope certificate:manage.

    Note

    Venafi Enhanced Issuer 0.11.0 and earlier also required the permission to revoke certificates, which corresponded to the scope certificate:manager;revoke. With Venafi Enhanced Issuer 0.12.0 and later, this permission is no longer needed.

    If you will be using the Contact feature, which allows you to configure the email contacts to be notified per certificate resource or per issuer resource, you will need to give the permission to manage certificates as well as the permission to read configuration. The corresponding scope is certificate:manage;configuration. You can learn more about the contact feature in the page Configuring email contacts when requesting certificates.

    For more information on API integrations, see the TPP Administration Guide.

  3. Next, create a policy folder in the Policy Tree.

    For more information on adding objects to Policy Tree, see the TPP Administration Guide.

  4. Grant the user you created in Step 1 the following permissions: Write and Create.

    For more information on assigning permissions to an object in Policy Tree, see the TPP Administration Guide.

Create a JWT mapping

Note

This step is only required if you use the secretless JWT Mapping authentication method. This method is limited to TLS Protect Datacenter (TPP) 23.1 or later. TLS Protect Cloud is not yet supported.

  1. In the TLS Protect Datacenter UI, go to Platform > API > Default Settings, and click the JSON web token (JWT) checkbox.

    You need to create one JWT Mapping for each user account and per Kubernetes cluster. You need to know the issuer URL of the given Kubernetes cluster. You can find that by running the following command:

    kubectl get --raw /.well-known/openid-configuration | jq .issuer -r

    In the screenshot below, the issuer URL is https://storage.googleapis.com/test_oidc_endpoint/

  2. In the Venafi Configuration Console, create the JWT mapping:

    1. Enter a Name. In the example below, the Kubernetes cluster name cluster-a with the Kubernetes service account name application-team-1 are used.
    2. Set the Audience field to aud and the Must match field to tpp. You need set this same value when you configure the Venafi Connection.

    3. Set the Subscriber field to sub. The value must match the name of the Kubernetes service account that you use in Venafi Connection. The format of the name is as follows:

      system:serviceaccount:<namespace>:<service-account-name>
      Put all of the Kubernetes service accounts meant to be used with the Venafi Connection in the namespace venafi.

      TPP JWT mapping