Venafi Trust Protection Platform (TPP)

Suggest Edits

To work with Venafi TPP, you can choose either to work with Venafi as your certificate issuer, or to work with Akeyless as your issuer.

Prerequisites

  • Akeyless GW.

  • Venafi TPP.

Usage

Venafi Issuer

The following command creates a Certificate Automation dynamic secret producer using Venafi as the certificate issuer.

akeyless gateway-create-producer-certificate-automation \
  --gateway-url https://hvp.akeyless.io \
  --name my-venafi-producer \
  --venafi-use-tpp \
  --venafi-access-token <Venafi Access Token> \
  --venafi-refresh-token <Venafi Refresh Token> \
  --venafi-baseurl <YOUR TPP ENVIRONMENT BASE URL> \
  --venafi-zone <YOUR VENAFI ZONE>

Akeyless Issuer

The following commands creates a Certificate Automation dynamic secret producer using Akeyless as the certificate issuer.

When using Akeyless as the issuer, first, you need to upload an RSA key with a certificate attached.

You can create a key with self-signed certificate: 

openssl req -x509 \
  -nodes \
  -newkey rsa:2048 \
  -keyout key.pem \
  -out cert.pem \
  -subj "/CN=my-common-name.example.com"

The certificate attached to the private key must have at least a Common Name (CN) with it.

Upload the key with the certificate to Akeyless Vault 

akeyless upload-rsa -n <SIGNER KEY NAME> \
  -a RSA2048 \
  -p key.pem \
  --cert cert.pem

After uploading the certificate and key to Akeyless vault, you can create the Certificate Automation producer in Akeyless GW: 

akeyless gateway-create-producer-certificate-automation  \
  --gateway-url https://hvp.akeyless.io \
  --name my-venafi-producer \
  --sign-using-akeyless-pki \
  --signer-key-name <SIGNER KEY NAME> \
  --allowed-domains '[*]' \
  --allow-subdomains \
  --user-ttl 2160h \
  --venafi-use-tpp \
  --venafi-access-token <Venafi Access Token> \
  --venafi-refresh-token <Venafi Refresh Token> \
  --venafi-baseurl <YOUR TPP ENVIRONMENT BASE URL> \
  --venafi-zone <YOUR VENAFI ZONE>

Once your Venafi producer has been successfully created, you can request a new certificate.

Certificate request:

Certificate request via Common Name (CN): 

akeyless get-dynamic-secret-value \
  -n my-venafi-producer \
  --args common_name=any-common-name.company.example.com

Certificate request via Certificate Signing Request (CSR):

To fetch a new certificate via CSR , you need to create your CSR and send it to Akeyless GW in base64 encoding.

Create CSR: 

# Creating a RSA key for the CSR
openssl genrsa -out yourdomain.key 2048

# Creating the CSR with the RSA key
openssl req -new \
  -key yourdomain.key \
  -out yourdomain.csr \
  -subj "/C=US/L=NewYork/O=Company/OU=Marketing/CN=marketing.newyork.company.com"
  
# Encoding the CSR to base64
csr_b64=$(cat yourdomain.csr | base64 -w 0)

Certificate request: 

akeyless get-dynamic-secret-value \
  -n my-venafi-producer \
  --args csr=${csr_b64}

In the response you’ll see the relevant information and artifacts for the request including the certificate, serial number, common name and expiration.

Depending on your flow you may also see the certificate chain, issuing ca, ca chain and private key.

The artifacts certificate, certificate chain and private key can also be found as static secrets under the Artifacts Folder defined in the producer settings.

Updated 2 months ago