You can import certificates based on an issuing certificate authority (CA) by configuring a Certificate Import job. After the import is configured, all certificates issued by your specified CA are identified and placed into folders that you designate.
NOTE The certificate import feature imports only those certificates that were issued since the last time the import job ran. This means that the first run of a new import job imports all certificates the CA has previously issued.
Re-running an import job does not restore certificates that were deleted; Trust Protection Platform assumes that when you delete a certificate, you did so because you don't want it in your inventory (and you also don't want it to be restored every time you run an import job).
Therefore, if you want to restore deleted certificates, you must create and run a new certificate import job.
To create a new Certificate Import job using Adaptable CA
From the TLS Protect menu bar, click Configuration > Jobs.
(Optional) To filter the Jobs list by one or more specific job types, use the Job Type filter. See Filtering the Jobs list by job type.
Click + Create New Job to start the Create New Job wizard.
On the Create New Job page, click Certificate Import, and then click Start.
- On the Details panel, in the Job Name field of the New Certificate Import Job page, type a name for your new job.
(Optional) In the Description field, type a description of the purpose of your new job.
A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.
- From the Import Type list, select Adaptable.
(Optional) In the Contacts field, begin typing a user name to specify one or more contacts for your new job, and then click Next.
To add multiple contact names, press Enter after finding each name.
On the Settings page under Job Settings, do the following:
From the PowerShell Script list, select your Windows PowerShell script.
Only scripts that are contained in the Program Files\Venafi\Scripts\AdaptableCA folder appear in this list. If the script you want to use isn't listed, verify that it has been placed into the correct directory on your Trust Protection Platform server.
For information about creating and modifying Adaptable CA PowerShell scripts, see About the Adaptable CA PowerShell script.
(Optional) If you want to enhance the troubleshooting capabilities of your Adaptable CA-enabled Certificate Import job, select the Enable Debug Logging check box.
For information about how enabling this option works with the PowerShell script, see About debug logging in the Adaptable CA PowerShell script reference.
(Optional) In Service Address, type the URL, FQDN, or IP address of your certificate authority API, according to how you've implemented this in your PowerShell script.
For example, https://domain.net, subdomain.domain.org, 123.456.1.2, or localhost.
Specifying the URL of your CA's API lets you use the same script to target different instances of the same CA vendor product. This option is therefore primarily applicable to CAs that are not available on the public Internet, because the service addresses of public CAs are the same for every customer and don't need to be configured per job.
TIP Unless you're developing and testing a PowerShell script, configuring Service Address or Profile String (below) is typically not something you'll need to do. The primary benefit of these settings is for third-party Venafi partners, enabling the PowerShell scripts they provide to be used as-is without customers having to customize them.
A secondary benefit is that in the event that service URL or configuration changes are made, the values you specify are passed to every PowerShell function in your scripts automatically, preventing service interruptions and avoiding the need to update or re-validate your PowerShell scripts. For more information, see About automating PowerShell script updates following service URL and configuration changes.
(Optional) In Profile String, type the profile string used by your PowerShell script.
Specifying a certificate product, profile, or template here lets you use the same script for different types of certificates supported by the target CA.
This setting works together with Service Address (previous step), and how it is interpreted depends on your script. For example, your script might reference the name of an identifier, a certificate product, profile, or template (e.g. x456-5424454:ssl_private:25423g-542352-2463).
TIP This field is designed to provide flexibility to your implementation of a PowerShell script. If you're implementing the script, it's important that you verify the value specified is valid and uses the required syntax.
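The TIP above puts the burden of checking Service Address and Profile String on the script author. The following Windows PowerShell functions are an added example, not Venafi's code and not part of the Adaptable CA script reference: they show one way a script could validate both values before they are used to build a request to the CA API. The parameter names ($ServiceAddress, $ProfileString) and the three-part colon-separated profile layout are this example's own assumptions; the actual names under which Trust Protection Platform hands these values to your functions are documented in the Adaptable CA PowerShell script reference.

```powershell
# Added example (not Venafi's code). Validates the two job-level settings an
# Adaptable CA script receives. Parameter names are assumptions for this example.

function Test-ServiceAddress {
    # Returns $true when the value is an absolute http(s) URL, an IP literal,
    # or a syntactically valid host name / FQDN; $false otherwise.
    param([Parameter(Mandatory)][string]$ServiceAddress)

    $uri = $null
    if ([System.Uri]::TryCreate($ServiceAddress, [System.UriKind]::Absolute, [ref]$uri)) {
        # Only plain-text or TLS HTTP endpoints are meaningful for a CA API here.
        return ($uri.Scheme -in @('http', 'https'))
    }

    $ip = $null
    if ([System.Net.IPAddress]::TryParse($ServiceAddress, [ref]$ip)) {
        return $true
    }

    # Host name: dot-separated labels of letters, digits and hyphens, max 253 chars.
    return ($ServiceAddress -match '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$')
}

function ConvertFrom-ProfileString {
    # Splits a profile string into named parts. The <identifier>:<product>:<template>
    # layout is assumed for this example only; adapt the split to your CA's syntax.
    param([Parameter(Mandatory)][string]$ProfileString)

    $parts = $ProfileString -split ':'
    $blank = @($parts | Where-Object { [string]::IsNullOrWhiteSpace($_) })
    if ($parts.Count -ne 3 -or $blank.Count -gt 0) {
        throw "Profile String '$ProfileString' is not in the expected <identifier>:<product>:<template> form."
    }

    return [pscustomobject]@{
        Identifier = $parts[0]
        Product    = $parts[1]
        Template   = $parts[2]
    }
}

# Usage with the example values shown on this page.
foreach ($addr in @('https://domain.net', 'subdomain.domain.org', 'localhost')) {
    if (-not (Test-ServiceAddress $addr)) {
        throw "Service Address '$addr' is not a URL, FQDN, or IP address."
    }
}
$profile = ConvertFrom-ProfileString 'x456-5424454:ssl_private:25423g-542352-2463'
$profile | Format-List
```

Failing fast inside the script, before any request is sent, keeps a mistyped Service Address or Profile String from surfacing later as an opaque error from the CA API, and the thrown message names the offending value so the job's debug log explains what to fix.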
Use Username Credential and Certificate Credential to select one or both credentials.
TIP If your organization requires two-factor authentication, then specify both credentials.
(Conditional) If you need to select another credential, then from the Secondary Credential field, select a username, certificate, or password credential object.
TIP Use this option to avoid having to hard code additional credentials in your script or having to utilize other solutions outside of Trust Protection Platform.
(Optional) Below the PowerShell Script box, select or clear the following check boxes:
- Include Expired Certificates and Include Revoked Certificates: Select one or both options if you want to include expired and revoked certificates during the import.
- Assign Contact value to Issued To: Select this option if you're importing user certificates so you can associate certificates with the correct user identity. You'll likely want to select this option if you're using Venafi Client Protect.
For more information about Client Protect, see Client Protect Introduction.
In Certificate Origin, type in custom text related to the certificate's origin.
This option lets you provide text that can aid your team in tracking certificates and is for reporting purposes only.
- Click Next.
On the Placement page, under Placement Settings, select a folder where you want newly found certificates to be placed.
TIP You can create a Certificate and Device Placement job to reorganize your certificates automatically after they've been placed in a folder by your certificate import job.
For more information, see Certificate and Device Placement jobs.
- Click Next.
- On the Occurrence page, if you want this new job to run automatically at a specific time, use the Frequency list to specify when it should run.
When you're finished, click Create Job.
(Optional) If you want to run the new job immediately, click Create & Run.