Configuring the Adaptable CA Driver
After deploying the Venafi Adaptable CA service in , you need to deploy a client endpoint. Endpoints are the devices that are authorized to access this service. In the Endpoints menu, you can view and filter the details of existing endpoints, and you can add new ones by selecting [ Add New ], which prompts you for the device address and the endpoint settings. The following procedures deploy a client endpoint and install the client library files on the Venafi TPP server.
Perform the following steps to deploy a client endpoint:
Go to the Endpoints menu inside the service you deployed.
In the Manage Endpoints menu, select [ Add New ].
In the Add Endpoint dialog:
- Enter a Name for the endpoint (optional).
- Leave the Hostname at the value that is auto-populated.
- Select the Platform on which to deploy Venafi Adaptable.
Select [ Add Endpoint ]. The browser prompts you to download a zip file containing the Futurex KMES CA.ps1 and FuturexCreateCustomFields.ps1 scripts, a credential file, and the client PKI used to establish a mutually authenticated TLS connection to the instance.
Perform the following steps to configure the Adaptable CA PowerShell scripts on the machine where you installed Venafi TPP:
Open the PowerShell application.
Go to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in
Extract the endpoint zip file (for example, with Expand-Archive in PowerShell), producing the following files:
- Futurex KMES CA.ps1
- FuturexCreateCustomFields.ps1
- README.md
- credential.txt
- info.txt
- pki-password.txt
- pki.p12
Copy the password value from the pki-password.txt file before proceeding; you must paste it in place of yourpassword in the OpenSSL commands that follow. Treat pki-password.txt, pki.p12 and the files you extract from it as secrets: they are the credentials the TPP server presents to the Adaptable CA service.
Perform the following steps to extract the client certificate, the client private key and the CA certificate chain from pki.p12 by using OpenSSL:
Open the PowerShell application.
Navigate to the directory containing the pki.p12 file extracted in the previous step.
Run the following OpenSSL command to extract the signed client certificate:
Run the following OpenSSL command to extract the client private key in the clear. The key is written unencrypted, so restrict access to the output file to the accounts that need it:
Run the following OpenSSL command to extract the CA certificates:
The entire CA certificate chain is written to the cacerts.pem file, one PEM block per certificate. Copy the block for the Client Application TLS CA that issued the client certificate (its subject matches the issuer shown in the client certificate) into a new file and save it.
Perform the following steps to import the Client Application TLS CA certificate into the Trusted Root Certification Authorities store of the local machine in Windows. Note that this makes the CA trusted for every TLS validation performed on that host, so import only the single issuing CA certificate, not the whole cacerts.pem chain:
Open the Manage computer certificates program (certlm.msc).
Right-click the Trusted Root Certification Authorities store and select All Tasks > Import.
In the Certificate Import Wizard, select [ Next ].
Select [ Browse ]. In the File Explorer, select the Client Application TLS CA file you saved and click [ Open ], then select [ Next ].
Leave Trusted Root Certification Authorities selected as the destination store and click [ Next ].
Select [ Finish ]. You should see a confirmation message that the import was successful.
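The two procedures above (extracting the client PKI from pki.p12, then trusting the issuing CA) can be done from one elevated PowerShell session on the TPP server. The script below is an added example, not Futurex or Venafi code. It assumes openssl.exe is on the PATH, that the shell runs as administrator (writing to Cert:\LocalMachine\Root requires it), and that it is started in the directory holding the extracted endpoint files; the output file names client-cert.pem, client-key.pem and client-app-tls-ca.pem are this example's own choices. It goes one step beyond the text by picking the issuing CA out of cacerts.pem automatically (subject equals the client certificate's issuer) and by checking afterwards that the client certificate actually chains to the imported CA.

```powershell
# Added example (not Futurex/Venafi code): extract the client PKI from the
# endpoint bundle and trust its issuing CA machine-wide on the TPP server.
# Assumptions: openssl.exe on PATH, elevated shell, current directory holds
# pki.p12 and pki-password.txt. Output file names are this example's own.
$ErrorActionPreference = 'Stop'

function Invoke-OpenSsl {
    param([string[]]$Arguments)
    & openssl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Extract certificate, key and CA chain. '-passin file:' reads the first
#    line of pki-password.txt, so the password never appears on a command line.
$passIn = 'file:pki-password.txt'
Invoke-OpenSsl @('pkcs12', '-in', 'pki.p12', '-clcerts', '-nokeys', '-out', 'client-cert.pem', '-passin', $passIn)
Invoke-OpenSsl @('pkcs12', '-in', 'pki.p12', '-nocerts', '-nodes',  '-out', 'client-key.pem',  '-passin', $passIn)
Invoke-OpenSsl @('pkcs12', '-in', 'pki.p12', '-cacerts', '-nokeys', '-out', 'cacerts.pem',     '-passin', $passIn)

# client-key.pem is unencrypted: drop inherited ACLs, leave only Administrators
# (SID S-1-5-32-544). Add the TPP service account here if it must read the key.
icacls client-key.pem /inheritance:r /grant:r '*S-1-5-32-544:(F)' | Out-Null

# 2. Parse PEM blocks. OpenSSL prefixes each with "Bag Attributes" lines, so
#    only the BEGIN/END CERTIFICATE sections are taken.
function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [PSCustomObject]@{
            Pem  = $m.Value
            Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
    }
}

$client = @(Get-PemCertificates -Path 'client-cert.pem')[0].Cert
$issuer = Get-PemCertificates -Path 'cacerts.pem' |
    Where-Object { $_.Cert.Subject -eq $client.Issuer } |
    Select-Object -First 1
if (-not $issuer) { throw "No CA in cacerts.pem matches the client certificate issuer: $($client.Issuer)" }

# The single issuing CA, as the file you would otherwise pick in the Import Wizard.
Set-Content -Path 'client-app-tls-ca.pem' -Value $issuer.Pem -Encoding ascii

# 3. Import only that CA into the machine's Trusted Root Certification Authorities.
#    Anything in this store is trusted for every TLS validation on the host.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($issuer.Cert)
$store.Close()

# 4. Checks: the CA is present, and the client certificate now chains to it.
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $issuer.Cert.Thumbprint
if (-not $inStore) { throw 'Import did not land in Cert:\LocalMachine\Root' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA; no CRL/OCSP is reachable
if (-not $chain.Build($client)) {
    throw "Client certificate does not chain: $($chain.ChainStatus.StatusInformation -join '; ')"
}
Write-Host "Trusted $($issuer.Cert.Subject) ($($issuer.Cert.Thumbprint)); client certificate chains OK."
```

If the chain check fails, the usual cause is that the client certificate was issued by an intermediate and the block matched in cacerts.pem is not the one the page calls the Client Application TLS CA; compare the Issuer field printed in the error with the Subject of each block in cacerts.pem before importing anything else.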
Perform the following steps to install the Futurex Adaptable CA driver:
Open the PowerShell application.
Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
Run the Adaptable CA PowerShell script by executing the following command:
This sets all the configuration parameters required to use the Adaptable CA driver inside Venafi TPP.
The FuturexCreateCustomFields.ps1 script defines three custom fields in Trust Protection Platform: the approval group within the that controls issuance request approvals, the validity period, and the X.509 extension profile. The X.509 extension profile defines the type of certificate being issued and must match an option defined in the relevant issuance policy.
These fields are optional; they provide more granular control, through Venafi policies, over certificate attributes and issuance structure.
Perform the following steps to run the Custom Fields PowerShell script:
Open the PowerShell application.
Go to the directory containing the extracted Venafi Adaptable CA endpoint files.
Open FuturexCreateCustomFields.ps1 in a text editor and set the following variables to values appropriate for your Venafi TPP installation. Refer to this Venafi Docs article for instructions on obtaining a token with browser-based authentication.
After you make the preceding changes, run the script with the following command in PowerShell:
You need to run the script only once per server running Venafi TPP, regardless of how many 's or issuance policies you define.