Configuring the Adaptable CA Driver

7min
After deploying the Venafi Adaptable CA service in , you need to deploy a client endpoint. Endpoints refer to devices that are authorized to access this service. In Endpoints menu, you can view and filter details about existing endpoints. You can also add new endpoints by selecting [ Add New ]. This prompts you to enter the device address and specify the endpoint. Perform the following tasks to deploy a client endpoint and install the client library files:
Deploy client endpoint
Perform the following steps to deploy client endpoint:
1
Go to the Endpoints menu inside the service you deployed.
2
In the Manage Endpoints menu, select [ Add New ].
3
In the Add Endpoint dialog:
Enter a Name for the endpoint (optional).
Leave the values set to the  Hostname that is auto-populated.
Select the Platform on which to deploy Venafi Adaptable.
4
Select [ Add Endpoint ]. The browser should prompt the user to download a zip file containing the Futurex KMES CA.ps1 and FuturexCreateCustomFields.ps1 scripts, a credential file, and client PKI for establishing a TLS mutually authenticated connection to the  instance.
Extract the Venafi Adaptable CA endpoint zip
Perform the following steps to configure the  Adaptable CA PowerShell scripts on the machine where you installed Venafi TPP:
1
Open the PowerShell application.
2
Go to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in  
3
Extract the endpoint zip file using the unzip command, producing the following files:
Futurex KMES CA.ps1
FuturexCreateCustomFields.ps1
README.md
credential.txt
info.txt
pki-password.txt
pki.p12
Extract the PKI and certificate
Copy the password value inside the pki-password.txt file to your clipboard before proceeding. You must paste it in place of yourpassword in the following OpenSSL commands.
Perform the following steps to extract the client PKI and root CA certificate by using OpenSSL:
1
Open the PowerShell application.
2
Navigate to the directory containing the pki.p12 file extracted in the previous step.
3
Run the following OpenSSL command to extract the signed client certificate:
Shell
openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
﻿
4
Run the following OpenSSL command to extract the clear client private key:
Shell
openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
﻿
5
Run the following OpenSSL command to extract the CA certificates:
Shell
openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
﻿
6
The entire CA certificate chain is output to the cacerts.pem file. Copy the contents of the Client Application TLS CA certificate that issued the client PKI, and paste it into a new file and save.
Import the certificate
Perform the following steps to import the Client Application TLS CA certificate into the Trusted Root Certificate Authorities store in Windows:
1
Open the Manage computer certificates program.
2
Right-click the Trusted Root Certificate Authorities store and select All Tasks > Import.
3
In the Certificate Import Wizard, select [ Next ].
4
Select [ Browse ]. In the File Explorer, select the Client Application TLS CA file and click [ Open ], then select [ Next ].
5
Leave selected the Trusted Root Certificate Authorities store as the location to import the certificate and click [ Next ].
6
Select [ Finish ]. You should see a confirmation message that the import was successful.
Install the driver
Perform the following steps to install the Futurex Adaptable CA driver:
1
Open the PowerShell application.
2
Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
3
Run the  Adaptable CA PowerShell script by executing the following command:
Shell
.\Futurex KMES CA.ps1
.\Futurex KMES CA.ps1
﻿
This sets all required configuration parameters to use the  Adaptable CA driver inside Venafi TPP.
Run the PowerShell script
The FuturexCreateCustomFields.ps1 script defines three custom fields in Trust Protection Platform. These define the approval group within the  that controls issuance request approvals, defining the validity period, and defining X.509 extension profiles. X.509 extension profiles enable you to define the type of certificate being deployed. This must match an option defined for the relevant issuance policy.
These fields are optional and can provide additional levels of granular control over Venafi policies for certificate attributes and issuance structure.
Perform the following steps to run the Custom Fields PowerShell script:
1
Open the PowerShell application.
2
Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
3
Open FuturexCreateCustomFields.ps1 in a text editor and change the following variables to ones appropriate for the Venafi TPP installation. Refer to this Venafi Docs article for instructions on getting a token using browser-based authentication.
Text
# Configuration
$SdkUri = "<VENAFI TRUST PROTECTION PLATFORM HOSTNAME OR IP>"
$SdkToken = "<VENAFI TRUST PROTECTION PLATFORM TOKEN>"
# Configuration
$SdkUri = "<VENAFI TRUST PROTECTION PLATFORM HOSTNAME OR IP>"
$SdkToken = "<VENAFI TRUST PROTECTION PLATFORM TOKEN>"
﻿
4
After you make the preceding changes, run the script with the following command in PowerShell:
Shell
.\FuturexCreateCustomFields.ps1
.\FuturexCreateCustomFields.ps1
﻿
You need to run the script only once on each server running Venafi TPP, regardless of how many 's or issuance policies you define.
﻿
Deploy the service
Configuring Venafi TPP to use the Futurex Adaptable CA Driver