Certificate Authority
Venafi Adaptable CA
Configure general KMES Series 3 settings
11min
this section shows you the configurations to make on the {{k3}} to enable venafi ttp to integrate through its adaptable ca functionality to configure the {{k}} , perform the following tasks, detailed in this section enable the required host api commands create {{k}} credentials for venafi tpp create a signing approval group create an issuing ca add an issuance policy allow user defined extensions for x 509 extension profiles (optional) enable the required commands because venafi tpp connects to the host api port on the {{k}} , you must define which host api commands to enable to set the allowed host api commands, complete the following steps log in to the {{k3}} application interface with the default admin identities go to administration > configuration > host api options and enable the following commands command description ragx retrieve request (x 509 csr) rasx manipulate signed request raux upload request (x 509 csr) rayx approve requests rklo login user rkrk retrieve generated keys select \[ save ] to finish create {{k}} credentials for venafi tpp venafi tpp supports two options for user credential management the single user role option establishes one user per issuance policy that is permitted to submit certificate issuance requests, approve or deny requests, and revoke certificates the dual user role option establishes two users per issuance policy, with one permitted only to submit certificate issuance requests and one permitted only to approve or deny issuance requests or revoke issued certificates for a greater degree of administrative separation and adherence to principles of role based access control, we recommend using the dual user method select the following dual user or single user role and identity creation methods and follow the steps dual user role option (recommended) perform the following steps to set up a dual user role to control certificate requests, approval, and revocation one user is responsible for submitting certificate issuance requests, while the other is solely responsible for approving, rejecting, and revoking certificates log in to the {{k3}} application interface with the default admin identities go to identity management > roles and select \[ add ] at the bottom of the window on the info tab of the role editor window, specify a name for the role and set the number of logins required to 1 on the permissions tab, enable the following permissions permission subpermission certificate authority export, upload on the advanced tab, allow authentication to the host api port only select \[ ok ] to finish creating the role go to identity management > identities , right click anywhere in the window, and select add > client application on the info tab of the identity editor window, select application for the storage location and specify a name for the identity on the assigned roles tab, select the role you just created on the authentication tab, remove the default api key authentication mechanism, add the password authentication mechanism, and configure it select \[ ok ] to finish creating the identity use the preceding steps to configure a second role and identity, but enable the approve permission under the signing approval permission category instead single user role option perform the following steps to set up a single user role to control certificate requests, approval, and revocation log in to the {{k3}} application interface with the default admin identities go to identity management > roles and select \[ add ] at the bottom of the page on the info tab of the role editor window, specify a name for the role and set the number of logins required to 1 on the permissions tab, enable the following permissions permission subpermission certificate authority export, upload signing approval approve on the advanced tab, allow authentication to the host api port only select \[ ok ] to finish creating the role go to identity management > identities , right click anywhere in the window, and select add > client application on the info tab of the identity editor window, select application for the storage location and specify a name for the identity on the assigned roles tab, select the role you just created on the authentication tab, remove the default api key mechanism, add the password authentication mechanism, and configure it select \[ ok ] to finish creating the identity create a signing approval group to enable certificate signing approval workflows on the {{k3}} , perform the following steps to create a signing approval group log in to the {{k3}} application interface with the default admin identities go to pki > signing workflow select \[ add approval group ] specify a name for the approval group and select \[ ok ] to save right click the newly created approval group and select \[ permission ] grant the venafi adaptable ca role the use permission and select \[ ok ] to save remember the group name because you use it to configure the adaptable ca driver configuration in a later section of this guide create an issuing ca perform the following steps to create an issuing ca certificate tree on the {{k3}} log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities and select \[ add ca ] at the bottom of the page in the certificate authority window, enter a name for the certificate container, select the venafi adaptable ca role in the owner group drop down menu, and select \[ ok ] right click the certificate container and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as rootca on the basic info tab, leave the fields set to the default values on the v3 extensions tab, select the certificate authority profile and select \[ ok ] to create the certificate right click the root ca certificate and select add certificate > new certificate on the subject dn tab, set a common name for the certificate, such as issuingca on the basic info tab, leave the default values set on the v3 extensions tab, select the certificate authority profile, then select \[ ok ] to create the certificate the root and issuing ca certificates now display in the venafi adaptable ca certificate container add an issuance policy perform the following steps to add an issuance policy log in to the {{k3}} application interface with the default admin identities go to pki > certificate authorities right click the issuing ca certificate and select issuance policy > add on the basic info tab of the issuance policy window, set an alias for the issuance policy (optional), set the desired number of approvals required for certificate requests, and set the hashes that you want to allow on the x 509 tab, perform the following actions select the allow csr uploads checkbox set the default approval group to the approval group you created if you set the number of required approvals to 0 , you must select the allow self approval checkbox otherwise, leave it unchecked add at least one extension profile if you set the number of approvals required to 0 , you must set anonymous signing security usage on the issuing ca certificate to do so, right click on the issuing ca certificate and select change security usage then, in the drop down menu, select anonymous signing and select \[ ok ] to save the changes select \[ ok ] to save the issuance policy (optional) allow user defined extensions if you want to allow users to define subject alternate names (sans) or other custom x 509 v3 extension profiles in venafi tpp when creating certificates, select one of the following methods and perform the steps enable allow user defined extensions perform the following steps to enable the allow user defined extensions option for the x 509 v3 extension profiles you plan to use with venafi adaptable ca log in to the {{k3}} application interface with the default admin identities go to pki > x 509 extensions right click the x 509 v3 extension profile you want to modify and select \[ edit ] select the allow user defined extensions checkbox select \[ ok ] to save changes add subject alternate names perform the following steps to add subject alternate names (sans) to the x 509 v3 extension profiles you plan to use with venafi adaptable ca log in to the {{k3}} application interface with the default admin identities go to pki > x 509 extensions right click the x 509 v3 extension profile you want to modify and select \[ edit ] select \[ add ] , select the subject alternate name extension type in the drop down menu, and select \[ ok ] add at least one subject alternate name entry and select \[ ok ] select \[ ok ] to save changes