This section outlines the configurations users must make in Venafi Trust Protection Platform before requesting certificates through the Futurex Adaptable CA driver.

Credential management

The identity and TLS client certificate that CryptoHub created for the Venafi Adaptable CA service must be added as credentials in Venafi TPP.

Define user credentials

To define user credentials, perform the following steps:
1. Log in to the Venafi TPP web UI.
2. Select Policy Tree in the main menu.
3. In the main policy tree, select Add > Credential > Username Credential.
4. In the Username Credential window, add the username and password contained inside the credential.txt file extracted from the Venafi Adaptable endpoint zip.
5. Select [ Save ].

Define TLS client certificate credentials

The TLS client PKCS #12 file (pki.p12) is used to mutually authenticate with the CryptoHub, allowing only authorized operations and establishing an encrypted tunnel to prevent man-in-the-middle eavesdropping on traffic. To define TLS client certificate credentials in Venafi TPP, perform the following steps:
1. Log in to the Venafi TPP web UI.
2. Select Policy Tree in the main menu.
3. In the main policy tree, select Add > Credential > Certificate Credential.
4. In the Certificate Credential window, give the credential a name, choose the option to import a certificate, and select the pki.p12 file you extracted from the Venafi Adaptable CA endpoint zip that the CryptoHub generated for the service.
5. Specify the corresponding private key password contained within the pki-password.txt file that was also extracted from the Venafi Adaptable CA endpoint zip.
6. After successfully importing the certificate, select [ Save ] to complete the process.
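
A pre-import check for the procedure above, as an added example that is not Futurex or Venafi code: it opens pki.p12 with the password from pki-password.txt and reports whether the client certificate carries a private key, is inside its validity period, and permits TLS client authentication. The `$BundleDir` parameter and the assumption that pki-password.txt contains only the password are not from the original page.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example: pre-import check of the endpoint bundle (not Futurex or Venafi code).
param([string]$BundleDir = '.')   # assumption: folder holding the extracted endpoint zip
$ErrorActionPreference = 'Stop'

$p12Path  = (Resolve-Path (Join-Path $BundleDir 'pki.p12')).Path
$passPath = (Resolve-Path (Join-Path $BundleDir 'pki-password.txt')).Path
# Assumption: pki-password.txt holds only the password, possibly with a trailing newline.
$password = (Get-Content -LiteralPath $passPath -Raw).Trim()

# Load every certificate in the PKCS #12 without writing the private key to a key store.
$certs = [X509Certificate2Collection]::new()
try {
    $certs.Import($p12Path, $password, [X509KeyStorageFlags]::EphemeralKeySet)
} catch {
    throw "Cannot open pki.p12 with the password in pki-password.txt: $($_.Exception.Message)"
}

# The client certificate is the entry that has the private key; the rest is its chain.
$leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'No certificate in pki.p12 carries a private key.' }

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$eku = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$now = Get-Date
$problems = @()
if ($now -lt $leaf.NotBefore) { $problems += "not valid until $($leaf.NotBefore)" }
if ($now -gt $leaf.NotAfter)  { $problems += "expired on $($leaf.NotAfter)" }
# An absent EKU extension places no restriction; a present one must list clientAuth.
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
    $problems += 'EKU extension does not include clientAuth'
}

# Summary to compare with what Venafi TPP shows after the import.
[pscustomobject]@{
    Subject    = $leaf.Subject
    Issuer     = $leaf.Issuer
    Thumbprint = $leaf.Thumbprint
    NotAfter   = $leaf.NotAfter
    ChainCerts = $certs.Count - 1
    Problems   = $problems -join '; '
}
if ($problems) { throw "pki.p12 is not usable as a TLS client credential: $($problems -join '; ')" }
```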

CA template creation

To create CA templates in Venafi TPP, perform the following steps:
1. Log in to the Venafi TPP web UI.
2. Select Policy Tree in the main menu.
3. In the main policy tree, select Add > CA Template > Adaptable. The Add New Adaptable window will appear.
4. Define the following General and Connection fields:
  • CA Name: The desired CA name.
  • Username Credential: The username credential you created.
  • Certificate Credential: The certificate credential you created.
  • Service Address: The CryptoHub IP address or hostname and the Host API port number contained inside the info.txt file (it must be in the format shown in the image below).
  • Profile String: The container name and name of the issuing CA certificate on the CryptoHub (it must be in the format shown in the image below).
  • PowerShell Script: Futurex KMES CA
[Image: Add New Adaptable CA template window showing General, Connection, Options, and Custom Fields sections]
5. If custom X.509 extensions, validity periods, or Futurex approval groups are desired, define them in the Custom Fields section. Note that for these to be visible, the FuturexCreateCustomFields.ps1 script must have been successfully run.
6. Select [ Validate ] to test the connection and authentication with the CryptoHub. This can take 5-15 seconds to complete.
7. Select [ Save ].

Certificate policy creation

To create certificate policies, perform the following steps:
1. Log in to the Venafi TPP web UI.
2. Select Policy Tree in the main menu.
3. In the main policy tree, select Add > Policy. The Add New Policy window will appear.
4. Define the policy name and any other desired settings and select [ Save ].
5. Go to the Certificate tab for the new policy.
6. In the Other Information section, select the three dots next to the CA Template field and select the CA template you created.
7. Select [ Save ].