Installing Connection for CyberArk Certificate Manager using the CLI tool for CyberArk Certificate Manager
Connection for CyberArk Certificate Manager (formerly known as Venafi Connection) is a sub-component used by other CyberArk components. When you install components that rely on Connection for CyberArk Certificate Manager, such as Enterprise Issuer for CyberArk Certificate Manager, the Connection for CyberArk Certificate Manager sub-component is automatically included. This guide details how to customize the Connection resource configuration.
The CLI tool for CyberArk Certificate Manager offers the quickest and easiest method for installing Connection for CyberArk Certificate Manager.
Step 1: Configure access to the CyberArk OCI registry
- If installing the component from a CyberArk OCI registry, follow the instructions in Configuring access to the CyberArk OCI Registry to enable access to the artifacts required for this component. Use venafi as the namespace.
Step 2: Generate the CyberArk Kubernetes manifest
To install the default version of Connection for CyberArk Certificate Manager using the CLI tool for CyberArk Certificate Manager:
- If not already installed, download and install the relevant version of the CLI tool for CyberArk Certificate Manager for your platform.
- Use one of the following commands to install the default version of Connection for CyberArk Certificate Manager along with Enterprise Approver Policy for CyberArk Certificate Manager or Enterprise Issuer for CyberArk Certificate Manager:
Sample commands for users of the US region OCI registry:

To install the Connection resource along with Enterprise Issuer:

    venctl components kubernetes manifest generate --region us --venafi-enhanced-issuer > venafi-components.yaml

To install the Connection resource along with Enterprise Approver Policy:

    venctl components kubernetes manifest generate --region us --approver-policy-enterprise > venafi-components.yaml

To install the Connection resource along with Enterprise Issuer and Enterprise Approver Policy:

    venctl components kubernetes manifest generate --region us --venafi-enhanced-issuer --approver-policy-enterprise > venafi-components.yaml

Regional registries
The examples above use the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry: private-registry.venafi.eu.
For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
Sample commands for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

To install the Connection resource along with Enterprise Issuer:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-connection-custom-chart-repository oci://myregistry.example.com/charts \
      --venafi-enhanced-issuer > venafi-components.yaml

To install the Connection resource along with Enterprise Approver Policy:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-connection-custom-chart-repository oci://myregistry.example.com/charts \
      --approver-policy-enterprise > venafi-components.yaml

To install the Connection resource along with Enterprise Issuer and Enterprise Approver Policy:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
      --cert-manager-custom-image-registry myregistry.example.com \
      --venafi-connection-custom-chart-repository oci://myregistry.example.com/charts \
      --venafi-enhanced-issuer \
      --approver-policy-enterprise > venafi-components.yaml

For more information on the venctl components kubernetes manifest generate command and its associated flags, see the venctl reference page.

Tip
To find out the current default version of Connection for CyberArk Certificate Manager (and all the CyberArk Kubernetes components you can install with venctl), use the venctl components kubernetes manifest print-versions command.

- To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml

For more information and options on using the CLI tool for CyberArk Certificate Manager to install this component, see the CLI tool for CyberArk Certificate Manager reference page.
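A check to run on venafi-components.yaml before the sync step above, to confirm the generated file points only at the registry you intended (the regional registry or your own). This shell function is an added example, not part of the original guide or of venctl: it lists every oci:// host in a file that is not on an allow-list. The sample manifest is constructed for illustration, and its layout is an assumption rather than real venctl output.

```shell
#!/bin/sh
# Added example (not from the guide or from venctl).

# unexpected_registries FILE ALLOWED_HOST...
# Prints each oci:// registry host found in FILE that is not one of the
# allowed hosts, one per line, lower-cased and de-duplicated.
# Exit status: 0 = all hosts allowed, 1 = unexpected host found, 2 = usage error.
# The body runs in a subshell so its variables do not leak into the caller.
unexpected_registries() (
  [ "$#" -ge 2 ] && [ -r "$1" ] || exit 2
  file=$1
  shift
  # Text-based scan: independent of the manifest's YAML layout.
  hosts=$(grep -oE 'oci://[^/"[:space:]]+' "$file" \
            | sed 's|^oci://||' | tr 'A-Z' 'a-z' | sort -u)
  rc=0
  for host in $hosts; do
    ok=0
    for allowed in "$@"; do
      if [ "$host" = "$allowed" ]; then
        ok=1
        break
      fi
    done
    if [ "$ok" -eq 0 ]; then
      printf '%s\n' "$host"
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample input (hypothetical layout, NOT real venctl output).
# The second URL stands in for a registry nobody meant to use.
sample_manifest() {
  cat <<'EOF'
repositories:
  - name: cert-manager
    url: oci://myregistry.example.com/charts
  - name: venafi-connection
    url: oci://myregistry.example.com/charts
  - name: extra
    url: oci://Mirror.Example.NET/charts
EOF
}
```

Typical use: `unexpected_registries venafi-components.yaml myregistry.example.com || echo "review the manifest before syncing"`. Only oci:// URLs are checked; a bare host passed to an image-registry flag is not covered by this scan.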
Tip
You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.
See venctl components kubernetes apply for more information on how to use the command with this component.
Related links
- CLI tool for CyberArk Certificate Manager releases
- Installing the CLI tool for CyberArk Certificate Manager
- CLI tool for CyberArk Certificate Manager command reference
- Installing Enterprise Approver Policy using the CLI tool for CyberArk Certificate Manager
- Installing Enterprise Issuer using the CLI tool for CyberArk Certificate Manager