Configure Venafi TPP to use the Futurex Adaptable CA driver

This section outlines how to configure Venafi TPP before requesting certificates through the Futurex Adaptable CA driver by describing the following tasks:

  1. Manage credentials.
  2. Create a CA template.
  3. Create a certificate policy.

Manage credentials

Perform the following tasks to add the identity and TLS client certificate that you created on the KMES Series 3 as "credentials" in Venafi TPP:

  1. Define user credentials.
  2. Define TLS client certificate credentials.

The following sections show you how to perform these tasks.

Define user credentials

To define user credentials, perform the following steps:

  1. Log in to Venafi TPP.
  2. Select Policy Tree in the main menu.
  3. In the main policy tree, select Add > Credential > Username Credential.
  4. In the Username Credential window, add the username and password created for the Venafi identity on the KMES Series 3 earlier in the integration process, and add any other settings needed for the environment, such as a credential expiration date.
  5. Select [ Save ] to save the credential.
  6. Repeat steps 3-5 for each additional user needed.

Define TLS client certificate credentials

You can use TLS client certificates to mutually authenticate with the KMES Series 3. Mutual authentication allows only authorized operations and establishes an encrypted tunnel that prevents man-in-the-middle eavesdropping on traffic.

To define TLS client certificate credentials, perform the following steps:

  1. Log in to Venafi TPP.
  2. Select Policy Tree in the main menu.
  3. In the main policy tree, select Add > Credential > Certificate Credential.
  4. In the Certificate Credential window, enter the credential name, choose the option to import a certificate, and select the binary-encoded PFX/PKCS #12 certificate that you exported from the KMES Series 3 earlier in this integration guide.
  5. Specify the corresponding private key password and begin the import process.
  6. After the certificate imports, select [ Save ] to complete the process.

Create a CA template

To create CA templates, perform the following steps:

  1. Log in to Venafi Trust Protection Platform.
  2. Select Policy Tree in the main menu.
  3. In the main policy tree, select Add > CA Template > Adaptable.
  4. In the Add New Adaptable window, define the following General and Connection fields:

| Field | Required configuration |
|---|---|
| CA Name | The desired CA name. |
| Username Credential | The username credential you created in the Define user credentials section. |
| Certificate Credential | The certificate credential you created in the Define TLS client certificate credentials section. |
| Service Address | The KMES IP address or hostname and the Host API port number. This must use the following format: ex://<IP Address/Hostname>:<Host API port>. For example, ex://216.177.186.25:2001. |
| Profile String | The container name and name of the issuing CA certificate on the KMES. This must use the following format: <Container Name>;<Issuing CA>. For example, Venafi Adaptable CA;IssuingCA. |
| PowerShell Script | Futurex KMES CA. |

  5. If you need custom X.509 extensions, validity periods, or Futurex approval groups, define them in the Custom Fields section. These fields are visible only if the custom fields PowerShell script defined earlier in this guide has run successfully.
  6. Select Validate to test the connection and authentication with the KMES Series 3. This can take 5-15 seconds to complete.
  7. Select [ Save ] to complete the process.
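
The Service Address and Profile String formats from step 4 can be checked for typing mistakes before you select Validate. The PowerShell below is an added example, not part of Venafi TPP or the Futurex driver; the function names, the rule that names contain no ';', and every sample value other than the two examples from this page are assumptions.

```powershell
# Added example. Rules come only from the two formats shown on this page;
# function names are hypothetical, not part of Venafi TPP or the Futurex driver.
function Test-ServiceAddress {
    param([string]$Value)
    $problems = @()
    if ($Value -notmatch '^ex://') {
        $problems += "must start with 'ex://'"
    } elseif ($Value -notmatch '^ex://(?<h>[^\s:/]+):(?<p>\d{1,5})$') {
        $problems += 'expected ex://<IP Address/Hostname>:<Host API port>'
    } else {
        $h = $Matches['h']; $port = [int]$Matches['p']   # copy before the next -match
        if ($port -lt 1 -or $port -gt 65535) { $problems += "port $port is outside 1-65535" }
        # A host made only of digits and dots must be a valid dotted-quad IPv4 address.
        if ($h -match '^[\d.]+$') {
            $octets = @($h -split '\.')
            $bad = @($octets | Where-Object { $_ -notmatch '^\d{1,3}$' -or [int]$_ -gt 255 })
            if ($octets.Count -ne 4 -or $bad.Count -gt 0) { $problems += "'$h' is not a valid IPv4 address" }
        }
    }
    [pscustomobject]@{ Field = 'Service Address'; Value = $Value
                       Ok = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

function Test-ProfileString {
    param([string]$Value)
    $problems = @()
    # Assumption: neither name contains ';', so exactly one separator is expected.
    $parts = @($Value -split ';')
    if ($parts.Count -ne 2) {
        $problems += "expected <Container Name>;<Issuing CA> with a single ';'"
    } else {
        if ([string]::IsNullOrWhiteSpace($parts[0])) { $problems += 'container name is empty' }
        if ([string]::IsNullOrWhiteSpace($parts[1])) { $problems += 'issuing CA name is empty' }
        # Assumption: stray spaces around ';' are a typo worth flagging for review.
        if ($parts[0] -ne $parts[0].Trim() -or $parts[1] -ne $parts[1].Trim()) {
            $problems += "whitespace next to ';' or at the ends"
        }
    }
    [pscustomobject]@{ Field = 'Profile String'; Value = $Value
                       Ok = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Constructed sample values: the first of each group is the example from this page.
$addresses = 'ex://216.177.186.25:2001', 'https://kmes.example.com:2001',
             'ex://kmes.example.com', 'ex://10.0.0.300:2001'
$profiles  = 'Venafi Adaptable CA;IssuingCA', 'Venafi Adaptable CA:IssuingCA', 'Venafi Adaptable CA;'
$results  = @($addresses | ForEach-Object { Test-ServiceAddress $_ })
$results += @($profiles  | ForEach-Object { Test-ProfileString  $_ })
$results | Format-Table -AutoSize -Wrap
```

A value that passes these checks is only well-formed; the Validate button in step 6 is still what confirms connectivity and authentication with the KMES Series 3.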

Create a certificate policy

To create certificate policies, perform the following steps:

  1. Log in to Venafi TPP.
  2. Select Policy Tree in the main menu.
  3. In the main policy tree, select Add > Policy.
  4. In the Add New Policy window, define the policy name and other necessary settings, and select [ Save ].
  5. Go to the Certificate tab of the new policy.
  6. In the Other Information section, select the three dots next to the CA Template field and select the CA template you created previously.
  7. Select [ Save ] to complete the process.