Using your own DigiCert Private PKI Certificates in your Venafi as a Service environment
DigiCert has integrated with Venafi as a Service (formerly called Venafi Cloud) to improve how DevOps testing environments incorporate digital certificates into their process by providing convenient and seamless access to free Private PKI certificates for their private testing and build environments only. DigiCert is offering Venafi as a Service customers free limited-use Private PKI certificates making it easier to:
- protect their DevOps environments.
- ensure that security can be part of their development cycle right from the start.
- enforce their security policies.
If you plan to make Venafi as a Service a more permanent part of your DevOps environment, you may want to turn your Venafi as a Service instance into a dedicated trust environment by using your own Private PKI certificates for added security. Venafi has made it easy for their customers to issue their own DigiCert Private PKI certificate within their Cloud environments through our CertCentral® platform.
For more information, see our blog.
Issuing Your Own Private PKI Certificates in Your Venafi as a Service Environment
To begin issuing your own Private PKI certificates in your Venafi as a Service environment you need two things: private root with intermediate certificates and CertCentral account.
Private PKI Certificates
With the DigiCert Private PKI solution, we will create your own private root and secure it, while allowing you oversight of your intermediate, its properties, what types of certificates it can issue, and the names on those certificates.
Want to learn more about getting your own DigiCert Private PKI solution? Call 1.855.800.3444 or contact email@example.com for further information.
Linking Your Private PKI Solution to Your Venafi as a Service Account
Once you’ve secured your DigiCert Private PKI Certificate, follow the steps below to link Venafi as a Service account to your DigiCert CertCentral® account so that you can begin issuing your own SSL/TLS Private PKI Certificates.
1. Create an API Key in Your DigiCert CertCentral Account
Inside your CertCentral account, you need to create an API key that will be used to link your Venafi as a Service account to your CertCentral account.
Managing Your API Key: How to Create Your Own CertCentral API Key
In your CertCentral account, you can issue an API Keys through your user Profile Settings.
In your CertCentral account, in top right corner, in the “User Name” drop-down list, select My Profile.
On the Profile Settings page, click API Keys.
On the API Keys page, click +Add API Key.
Next, open a text editor (such as Notepad).
In the Add API Key window, do the following:
Description: In the box, type a description/name for the API key.
User: In the drop-down list, select yourself.
Note: Because the User role can't issue API keys for other users, the drop-down list doesn't appear in their UI.
When you are done, click Add API Key.
In the New API Key window, above “For security reasons, we cannot show this again.” copy your API key and paste it in to your text editor.
You will eventually need to enter your API key (this string of random numbers and letters) into the appropriate field in your Venafi as a Service account.
CAUTION: Do not close the New API Key window until you have saved a copy of the API key. If you close the window without recording your new API key, you will not be able to retrieve it. You will need to revoke the API key that you just created and create a new one.
Save your text editor document, making sure to note its location.
API Key Storage Recommendations:
Because your API Key effectively the same thing as a username and password, we recommend storing your API key in a secure secret management system (e.g., Last Pass or KeePass).
In the New API Key window, once you have saved a copy of your API key, click I understand I will not see this again.
2. Add the CertCentral API Key to Your Venafi as a Service Account
In your Venafi as a Service account, on the Health Maps dashboard, in the top menu, click Admin > Certificate Providers./
On the Certificate Providers page, click +.
In the Add a Certificate Provider window, to the following tasks and then click Add Provider:
Name: Enter a name for the SSL Certificate that can be ordered.
Certificate Authority: In the drop-down list, select DIGICERT.
API Key: Enter your CertCentral API key.
On the Certificate Provider page, you should now see DigiCert as your certificate provider.