Configuring the Adaptable CA Driver

7min
After deploying the Venafi Adaptable CA service in , you need to deploy a client endpoint. Endpoints refer to devices that are authorized to access this service. In Endpoints menu, you can view and filter details about existing endpoints. You can also add new endpoints by clicking the [ Add New ] button. This will prompt you to enter the device address and specify the endpoint. Detailed instructions for deploying a client endpoint and installing the client library files are provided below.
Deploy client endpoint
1
Navigate to the Endpoints menu inside the service you deployed.
2
In the Manage Endpoints menu, click the [ Add New ] button.
3
In the Add Endpoint dialog:
Enter a Name for the endpoint (optional).
Leave set the  Hostname that is auto-populated.
Select the Platform Venafi Adaptable will be deployed on.
4
Click [ Add Endpoint ]. The browser should prompt the user to download a zip file containing the Futurex KMES CA.ps1 and FuturexCreateCustomFields.ps1 scripts, a credential file, and client PKI for establishing a TLS mutually authenticated connection to the  instance.
Follow the steps below to configure the Futurex Adaptable CA PowerShell scripts on the machine where Venafi TPP is installed.
Extract the Venafi Adaptable CA endpoint zip
1
Open the PowerShell application.
2
Navigate to the directory containing the Venafi Adaptable CA endpoint zip generated for the service in  
3
Extract the endpoint zip file using the unzip command. It will output the following files:
Futurex KMES CA.ps1
FuturexCreateCustomFields.ps1
README.md
credential.txt
info.txt
pki-password.txt
pki.p12
Extract the client PKI and root CA certificate using OpenSSL
Copy the password value inside the pki-password.txt file to your clipboard before proceeding. You will need to paste it in place of "yourpassword" in the OpenSSL commands below.
1
Open the PowerShell application.
2
Navigate to the directory containing the pki.p12 file extracted in the previous step.
3
Run the following OpenSSL command to extract the signed client certificate:
Shell
openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out clientcert.pem -clcerts -nokeys -passin pass:yourpassword
﻿
4
Run the following OpenSSL command to extract the clear client private key:
Shell
openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out clientkey.pem -nocerts -nodes -passin pass:yourpassword
﻿
5
Run the following OpenSSL command to extract the CA certificates:
Shell
openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
openssl pkcs12 -in yourfile.p12 -out cacerts.pem -cacerts -nokeys -passin pass:yourpassword
﻿
6
The entire CA certificate chain is output to the cacerts.pem file. Copy the contents of the "Client Application TLS" CA certificate which issued the client PKI, then paste it into a new file and save.
Import the Client Application TLS CA certificate into the Trusted Root Certificate Authorities store in Windows
1
Open the Manage computer certificates program.
2
Right-click the Trusted Root Certificate Authorities store and select All Tasks > Import. This will open the Certificate Import Wizard.
3
Select [ Next ].
4
Select [ Browse ]. In the File Explorer, select the Client Application TLS CA file and click [ Open ], then select [ Next ].
5
Leave selected the Trusted Root Certificate Authorities store as the location to import the certificate and click [ Next ].
6
Select [ Finish ]. You should see a confirmation message that the import was successful.
Install the Futurex Adaptable CA Driver
1
Open the PowerShell application.
2
Navigate to the directory containing the extracted Venafi Adaptable CA endpoint files.
3
Run the Futurex Adaptable CA PowerShell script by executing the following command:
Shell
.\Futurex KMES CA.ps1
.\Futurex KMES CA.ps1
﻿
This sets all required configuration parameters to use the Futurex Adaptable CA driver inside Venafi TPP.
Run the Custom Fields PowerShell script
The FuturexCreateCustomFields.ps1 script defines three custom fields in Trust Protection Platform. These are used for defining the approval group within the  that will control approvals of issuance requests, defining the validity period, and defining X.509 extension profiles. X.509 extension profiles allow users to define the type of certificate being deployed. This must match an option defined for the relevant issuance policy.
These fields are optional and can provide additional levels of granular control over Venafi policies for certificate attributes and issuance structure.
1
Open the PowerShell application.
2
Navigate to the directory containing the extracted Venafi Adaptable CA endpoint files.
3
Open FuturexCreateCustomFields.ps1 in a text editor and change the following variables to ones appropriate for the Venafi TPP installation. Refer to this Venafi Docs article for instructions on getting a token using browser-based authentication.
Text
# Configuration
$SdkUri = "<VENAFI TRUST PROTECTION PLATFORM HOSTNAME OR IP>"
$SdkToken = "<VENAFI TRUST PROTECTION PLATFORM TOKEN>"
# Configuration
$SdkUri = "<VENAFI TRUST PROTECTION PLATFORM HOSTNAME OR IP>"
$SdkToken = "<VENAFI TRUST PROTECTION PLATFORM TOKEN>"
﻿
4
Once you have made the above changes, run the script with the following command in PowerShell:
Shell
.\FuturexCreateCustomFields.ps1
.\FuturexCreateCustomFields.ps1
﻿
The script only needs to be run once on each server running Venafi TPP, regardless of how many  's or issuance policies are defined.
﻿
Updated 06 Dec 2024
Did this page help you?
Deploy the service
Configuring Venafi TPP to use the Futurex Adaptable CA Driver