Venafi Cloud

Suggest Edits

To work with the Venafi Cloud platform, you can choose either to work with Venafi as your certificate issuer or to work with Akeyless as your issuer.

Prerequisites

Akeyless Gateway.
Venafi Cloud.

Usage

Venafi Issuer

The following command creates a Venafi Dynamic Secret using Venafi as the certificate issuer.

akeyless dynamic-secret create venafi \
  --name my-venafi-dynamic-secret \
  --gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
  --venafi-api-key <YOUR VENAFI API KEY> \
  --venafi-zone <YOUR VENAFI ZONE>

Where:

name: Dynamic secret name.

gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).

venafi-api-key: Venafi API key.

venafi-zone: Venafi zone.

Akeyless Issuer

The following commands create a Venafi Dynamic Secret using Akeyless as the certificate issuer.

When using Akeyless as the issuer, first, you need to create an RSA key with a self-signed certificate attached:

akeyless create-dfc-key \
--name venafi-cloud \
--alg RSA2048 \
--generate-self-signed-certificate \
--certificate-common-name venafi-cloud \
--certificate-ttl 10

Where:

name: A unique name for the encryption key. The name can include the path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the encryption key.

alg: Supporting algorithms: RSA1024,RSA2048, RSA3072 RSA4096.

generate-self-signed-certificate: Generate a self-signed certificate.

certificate-common-name: Common name for the generated certificate.

certificate-ttl: TTL in days for the generated certificate.

Note: Once the key is created, it will be uploaded automatically to Akeyless.

The certificate attached to the private key must have at least a Common Name (CN) with it.

Create the Venafi Dynamic Secret in Akeyless gateway:

akeyless dynamic-secret create venafi \
  --name my-venafi-dynamic-secret \
  --gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
  --venafi-api-key <YOUR VENAFI API KEY> \
  --venafi-zone <YOUR VENAFI ZONE> \
  --allowed-domains '[*]' \
  --allow-subdomains \
  --sign-using-akeyless-pki \
  --signer-key-name venafi-cloud \
  --user-ttl 2160h

Where:

name: Dynamic secret name.

gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).

venafi-api-key: Venafi-API-Key.

venafi-zone: Venafi zone.

allowed-domains: List of allowed-domains.

allow-subdomains: Whether to allow subdomains.

sign-using-akeyless-pki: Issue certificates using Akeyless PKI.

signer-key-name: Signer key name in Akeyless.

Once your Venafi dynamic secret has been successfully created, you can request a new certificate.

Certificate request:

Certificate request using Common Name (CN):

akeyless get-dynamic-secret-value \
  -n my-venafi-dynamic-secret \
  --args common_name=any-common-name.company.example.com

Certificate request using a Certificate Signing Request (CSR):

To fetch a new certificate via CSR , you need to create your CSR in Akeyless:

CSR=$(akeyless generate-csr \
--name venafi-test \
--generate-key \
--key-type dfc \
--alg RSA2048 \
--common-name marketing.newyork.company.com | base64)

Get the Dynamic Secret using the Certificate request:

akeyless get-dynamic-secret-value \
  -n my-venafi-dynamic secret \
  --args csr=$CSR

In the response you’ll see the relevant information and artifacts for the request including the certificate, serial number, common name, and expiration.

Depending on your flow you may also see the certificate chain, issuing ca, ca chain, and private key.

The artifacts certificate, certificate chain, and private key can also be found as Static Secrets under the Artifacts Folder defined in the Dynamic Secret's settings.

Updated 9 months ago