# Configuring the Adaptable CA Driver

After deploying the Venafi Adaptable CA service in {{ch}}, you need to deploy a client endpoint. Endpoints refer to devices that are authorized to access this service. In the Endpoints menu, you can view and filter details about existing endpoints. You can also add new endpoints by selecting \[ Add New ]. This prompts you to enter the device address and specify the endpoint.

Perform the following tasks to deploy a client endpoint and install the client library files.

## Deploy client endpoint

Perform the following steps to deploy a client endpoint:

1. Go to the Endpoints menu inside the service you deployed.
2. In the Manage Endpoints menu, select \[ Add New ].
3. In the Add Endpoint dialog, enter a name for the endpoint (optional), leave the values set to the {{ch}} hostname that is auto-populated, and select the platform on which to deploy Venafi Adaptable.
4. Select \[ Add Endpoint ].

The browser should prompt the user to download a zip file containing the `Futurex-KMES-CA.ps1` and `FuturexCreateCustomFields.ps1` scripts, a credential file, and client PKI for establishing a TLS mutually authenticated connection to the {{ch}} instance.

## Extract the Venafi Adaptable CA endpoint zip

Perform the following steps to configure the {{futurex}} Adaptable CA PowerShell scripts on the machine where you installed Venafi TPP:

1. Open the PowerShell application.
2. Go to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in {{ch}}.
3. Extract the endpoint zip file using the unzip command, producing the following files:
   - `Futurex-KMES-CA.ps1`
   - `FuturexCreateCustomFields.ps1`
   - `README.md`
   - `credential.txt`
   - `info.txt`
   - `pki_password.txt`
   - `pki.p12`

## Extract the PKI and certificate

Copy the password value inside the `pki_password.txt` file to your clipboard before proceeding. You must paste it in place of `yourpassword` in the following OpenSSL commands.

Perform the following steps to extract the client PKI and root CA certificate by using OpenSSL:

1. Open the PowerShell application.
2. Navigate to the directory containing the `pki.p12` file extracted in the previous step.
3. Run the following OpenSSL command to extract the signed client certificate:

   ```powershell
   openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
   ```

4. Run the following OpenSSL command to extract the clear client private key:

   ```powershell
   openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
   ```

5. Run the following OpenSSL command to extract the CA certificates:

   ```powershell
   openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
   ```

   The entire CA certificate chain is output to the `cacerts.pem` file.

6. Copy the contents of the client application TLS CA certificate that issued the client PKI, paste it into a new file, and save.

## Import the certificate

Perform the following steps to import the client application TLS CA certificate into the Trusted Root Certification Authorities store in Windows:

1. Open the Manage computer certificates program.
2. Right-click the Trusted Root Certification Authorities store and select All Tasks > Import.
3. In the Certificate Import Wizard, select \[ Next ].
4. Select \[ Browse ]. In the file explorer, select the client application TLS CA file and click \[ Open ], then select \[ Next ].
5. Leave the Trusted Root Certification Authorities store selected as the location to import the certificate and click \[ Next ].
6. Select \[ Finish ]. You should see a confirmation message that the import was successful.

## Install the driver

Perform the following steps to install the {{futurex}} Adaptable CA driver:

1. Open the PowerShell application.
2. Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
3. Run the {{futurex}} Adaptable CA PowerShell script by executing the following command:

   ```powershell
   .\Futurex-KMES-CA.ps1
   ```

   This sets all required configuration parameters to use the {{futurex}} Adaptable CA driver inside Venafi TPP.

## Run the PowerShell script

The `FuturexCreateCustomFields.ps1` script defines three custom fields in Trust Protection Platform. These define the approval group within the {{ch}} that controls issuance request approvals, the validity period, and the X.509 extension profiles. X.509 extension profiles enable you to define the type of certificate being deployed. This must match an option defined for the relevant issuance policy. These fields are optional and can provide additional levels of granular control over Venafi policies for certificate attributes and issuance structure.

Perform the following steps to run the custom fields PowerShell script:

1. Open the PowerShell application.
2. Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
3. Open `FuturexCreateCustomFields.ps1` in a text editor and change the following variables to ones appropriate for the Venafi TPP installation. Refer to [this Venafi docs article](https://docs.venafi.com/docs/current/topnav/content/sdk/authsdk/t-sdka-oauthdevicehow.php?tocpath=rest%20apis%7cauth%20rest%20for%20token%20management%7c_____4) for instructions on getting a token using browser-based authentication.

   ```powershell
   # Configuration
   $sdkuri = "<Venafi Trust Protection Platform hostname or IP>"
   $sdktoken = "<Venafi Trust Protection Platform token>"
   ```

4. After you make the preceding changes, run the script with the following command in PowerShell:

   ```powershell
   .\FuturexCreateCustomFields.ps1
   ```

You need to run the script only once on each server running Venafi TPP, regardless of how many {{ch}} instances or issuance policies you define.
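
The PKI extraction steps above can be scripted so that the password stays off the command line and the results are checked before the CA is imported. This is an added example, not code from Futurex or Venafi. It assumes `openssl` is on the PATH and that `pki.p12` and `pki_password.txt` sit in the current directory; `client-tls-ca.pem` is a hypothetical output name.

```powershell
# Added example. File names pki.p12 / pki_password.txt are assumed from the endpoint
# zip listing; client-tls-ca.pem is a hypothetical name for the issuing CA file.
function Assert-Ok([string]$Step) {
    # Native commands do not throw in PowerShell, so check the exit code explicitly.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (openssl exit code $LASTEXITCODE)" }
}
function Get-PemCertificate([string]$Path) {
    # Split a PEM bundle into one object per certificate, skipping "Bag Attributes" text.
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches((Get-Content -Raw $Path), $pattern)) {
        [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [pscustomobject]@{
            Pem  = $m.Value
            Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        }
    }
}

# Same three extractions; openssl reads the password from the first line of the file,
# so it never appears in the command line or the PowerShell history.
$pass = 'file:pki_password.txt'
openssl pkcs12 -in pki.p12 -out clientcert.pem -clcerts -nokeys -passin $pass
Assert-Ok 'Client certificate extraction'
openssl pkcs12 -in pki.p12 -out clientkey.pem -nocerts -nodes -passin $pass
Assert-Ok 'Client key extraction'
openssl pkcs12 -in pki.p12 -out cacerts.pem -cacerts -nokeys -passin $pass
Assert-Ok 'CA chain extraction'

# clientkey.pem is unencrypted: drop inherited ACLs and leave read access to this user only.
icacls clientkey.pem /inheritance:r /grant:r "$(whoami):R" | Out-Null

# Confirm the extracted key belongs to the extracted certificate (public keys must match).
$certPub = (openssl x509 -in clientcert.pem -noout -pubkey) -join "`n"
Assert-Ok 'Reading certificate public key'
$keyPub = (openssl pkey -in clientkey.pem -pubout) -join "`n"
Assert-Ok 'Reading private key'
if ($certPub -ne $keyPub) { throw 'clientkey.pem does not match clientcert.pem' }

# Pick the CA in cacerts.pem whose subject equals the client certificate's issuer
# and write only that certificate to its own file for the import step.
$client = Get-PemCertificate clientcert.pem | Select-Object -First 1
$issuer = Get-PemCertificate cacerts.pem |
    Where-Object { $_.Cert.Subject -eq $client.Cert.Issuer } | Select-Object -First 1
if (-not $issuer) { throw "Issuer '$($client.Cert.Issuer)' not found in cacerts.pem" }
Set-Content -Path client-tls-ca.pem -Value $issuer.Pem -Encoding Ascii
"Issuing CA: $($issuer.Cert.Subject)  SHA-1 thumbprint: $($issuer.Cert.Thumbprint)"
```

Compare the printed thumbprint with the one shown in the Certificate Import Wizard before placing the CA in the trusted root store.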