Venafi Trust Protection Platform
When integrating with Venafi TPP, you can use either Venafi or Akeyless as the certificate issuer.
Prerequisites
- Akeyless GW.
- Venafi TPP.
Usage
Venafi Issuer
The following command creates a Certificate Automation dynamic secret producer using Venafi as the certificate issuer.
akeyless gateway-create-certificate-automation \
--gateway-url https://hvp.akeyless.io \
--name my-venafi-producer \
--venafi-use-tpp \
--venafi-username <YOUR TPP USERNAME> \
--venafi-password <YOUR TPP PASSWORD> \
--venafi-baseurl <YOUR TPP ENVIRONMENT BASE URL> \
--venafi-zone <YOUR VENAFI ZONE>
Akeyless Issuer
The following commands create a Certificate Automation dynamic secret producer using Akeyless as the certificate issuer.
When using Akeyless as the issuer, you first need to upload an RSA key with an attached certificate.
You can create a key with a self-signed certificate:
openssl req -x509 \
-nodes \
-newkey rsa:2048 \
-keyout key.pem \
-out cert.pem \
-subj "/CN=my-common-name.example.com"
The certificate attached to the private key must include at least a Common Name (CN).
Upload the key together with the certificate to Akeyless Vault:
akeyless upload-rsa -n <SIGNER KEY NAME> \
-a RSA2048 \
-p key.pem \
--cert cert.pem
After uploading the certificate and key to Akeyless Vault, you can create the Certificate Automation producer in the Akeyless GW:
akeyless gateway-create-certificate-automation \
--gateway-url https://hvp.akeyless.io \
--name my-venafi-producer \
--sign-using-akeyless-pki \
--signer-key-name <SIGNER KEY NAME> \
--allowed-domains '[*]' \
--allow-subdomains \
--user-ttl 2160h \
--venafi-use-tpp \
--venafi-username <YOUR TPP USERNAME> \
--venafi-password <YOUR TPP PASSWORD> \
--venafi-baseurl <YOUR TPP ENVIRONMENT BASE URL> \
--venafi-zone <YOUR VENAFI ZONE>
Once your Venafi producer has been successfully created, you can request a new certificate.
Certificate request:
Certificate request via Common Name (CN):
akeyless get-dynamic-secret-value \
-n my-venafi-producer \
--args common_name=any-common-name.company.example.com
Certificate request via Certificate Signing Request (CSR):
To fetch a new certificate via CSR, you need to create the CSR and send it to the Akeyless GW base64-encoded.
Create CSR:
# Creating a RSA key for the CSR
openssl genrsa -out yourdomain.key 2048
# Creating the CSR with the RSA key
openssl req -new \
-key yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/L=NewYork/O=Company/OU=Marketing/CN=marketing.newyork.company.com"
# Encoding the CSR to base64
csr_b64=$(cat yourdomain.csr | base64 -w 0)
Certificate request:
akeyless get-dynamic-secret-value \
-n my-venafi-producer \
--args csr=${csr_b64}
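As an added example (not part of the Akeyless documentation), a small POSIX shell wrapper around the CSR flow above: it produces the single-line base64 without the GNU-only `-w 0` flag (BSD/macOS `base64` does not have it), confirms the encoded payload still decodes to a PEM CSR before anything is sent, and only then calls `akeyless get-dynamic-secret-value`. The producer name `my-venafi-producer` comes from the page; the helper names and the `PRODUCER_NAME` variable are assumptions.

```shell
#!/bin/sh
# Added example, not Akeyless' own code. Wraps the CSR-based certificate
# request shown above. `akeyless` and `openssl` are only needed by
# request_cert_from_csr; the two helpers work with base64 and tr alone.
# PRODUCER_NAME is an assumed variable; the default is the page's producer.

PRODUCER_NAME="${PRODUCER_NAME:-my-venafi-producer}"

# Single-line base64 of a file. Portable replacement for `base64 -w 0`:
# GNU base64 wraps at 76 columns, so strip the newlines instead.
encode_csr() {
    base64 < "$1" | tr -d '\n'
}

# Decode the payload and confirm it is a PEM certificate request, so a
# private key or certificate handed in by mistake is rejected locally
# instead of being sent to the gateway. Returns 0 for a CSR, 1 otherwise.
check_encoded_csr() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        "-----BEGIN CERTIFICATE REQUEST-----"*) return 0 ;;
        "-----BEGIN NEW CERTIFICATE REQUEST-----"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify the CSR's self-signature, log the subject that Venafi will see,
# then request the certificate from the producer.
request_cert_from_csr() {
    csr_file="$1"
    openssl req -in "$csr_file" -noout -verify -subject >&2 || return 1
    csr_b64=$(encode_csr "$csr_file")
    check_encoded_csr "$csr_b64" || {
        echo "not a PEM CSR: $csr_file" >&2
        return 1
    }
    akeyless get-dynamic-secret-value \
        -n "$PRODUCER_NAME" \
        --args "csr=${csr_b64}"
}

# Usage: ./request.sh yourdomain.csr
if [ $# -gt 0 ]; then
    request_cert_from_csr "$1"
fi
```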
In the response you’ll see the relevant information and artifacts for the request, including the certificate, serial number, common name and expiration.
Depending on your flow, you may also see the certificate chain, issuing CA, CA chain and private key.
The certificate, certificate chain and private key artifacts can also be found as static secrets under the Artifacts Folder defined in the producer settings.