About cloud integrations with Venafi
As business workloads have moved to the cloud, the need to secure and protect certificates and keys is greater than ever. Venafi is leading the way in securing and protecting digital assets in the cloud.
Cloud applications are most often designed for DevOps, which means that they are deployed and re-deployed frequently. This strategy has led to the use of more, shorter-validity certificates and all but eliminated concerns about problems caused by certificate expiration. Lifecycle automation is still important for user-facing certificates because if they're not renewed before they expire, they will cause outages.
Venafi integrates with Amazon Web Services and Microsoft Azure.
Amazon Web Services
- Amazon Certificate Manager (ACM): Amazon's certificate authority and primary certificate store
  Trust Protection Platform can facilitate the enrollment of certificates from the Amazon CA or upload certificates issued by other CAs to ACM, and then provision them to supported cloud services.
  See Integrating Amazon Certificate Manager with Venafi for more information.
- Amazon Elastic Load Balancer: Amazon's very popular solution for distributing network traffic across multiple application servers
  Trust Protection Platform can automate the full certificate lifecycle by provisioning certificates issued by any CA to either application load balancer (ALB) or classic load balancer (ELB) listeners.
  See Amazon Web Services (AWS)—Overview for more information.
- Amazon CloudFront: Amazon's content delivery network (CDN)
  Trust Protection Platform can automate the full certificate lifecycle by provisioning certificates issued by any CA to existing CloudFront instances.
  See Amazon Web Services (AWS)—Overview for more information.
- Amazon Elastic Compute Cloud (EC2) Instances: Virtual machines in the Amazon Web Services cloud
  These instances generally run the same Linux and Windows operating systems that Trust Protection Platform has supported using both agent and agentless provisioning inside the firewall. However, unlike traditional on-premises machines, EC2 instances usually have a much shorter lifespan, because they are expected to be created and destroyed as the load on the application increases and decreases. This difference matters because a software configuration management solution is usually involved in deploying applications to new instances when they are created, and that kind of solution is well positioned to orchestrate the provisioning of a new certificate and private key to the instance.
Microsoft Azure
Azure Key Vault is Azure's central secure repository for certificates, keys, and other secrets consumed by cloud applications. Trust Protection Platform can automate the full certificate lifecycle by provisioning certificates issued by any CA into an Azure Key Vault. Consumers of Azure Key Vault certificates and keys, such as Azure Web App Services, are designed to update themselves automatically whenever a new version of a certificate they're using is provisioned to the Key Vault. This means that Trust Protection Platform doesn't need to track which services are using the certificate.
See Azure Key Vault configuration for more information.
Venafi's open source projects on GitHub
Venafi sponsors more than fifteen GitHub repositories: open source projects that you can deploy in your environment, or even improve and submit pull requests to. Some of Venafi's open source projects include:
- vCert. Go client SDK and command-line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
- vault-pki-monitor-venafi. Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
- vault-pki-backend-venafi. Venafi PKI Secrets Engine plugin for HashiCorp Vault that enables certificate enrollment using Venafi machine identity services.
- vCert-java. Java client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
- openstack-heat-plugin-venafi. OpenStack Heat plugin that uses Venafi to streamline machine identity (certificate and key) acquisition.
- vCert-python. Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
- vCert-ruby. Ruby client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
- terraform-provider-venafi. HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
- ansible-role-venafi. Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
- aws-private-ca-policy-venafi. Venafi Lambda functions for AWS that enforce enterprise security policy for the AWS Private CA.
To learn more about these (and other) Venafi open source projects, visit our GitHub page at https://github.com/Venafi.
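As an added example (not code from this page or from the Venafi projects themselves), the following Terraform configuration shows the ACM pattern described above, enrolling a certificate through terraform-provider-venafi and uploading it to ACM so load balancer and CloudFront listeners can consume it; the Trust Protection Platform URL, policy zone, and hostnames are placeholders.

```hcl
terraform {
  required_providers {
    venafi = { source = "Venafi/venafi" }
    aws    = { source = "hashicorp/aws" }
  }
}

variable "venafi_access_token" {
  type      = string
  sensitive = true # supply via TF_VAR_venafi_access_token, never commit it
}

provider "venafi" {
  url          = "https://tpp.example.internal" # placeholder TPP address
  zone         = "DevOps\\Terraform"            # placeholder policy folder
  access_token = var.venafi_access_token
}

provider "aws" {
  region = "us-east-1"
}

# The provider generates the key pair locally and requests the certificate
# from the zone's configured CA. When fewer than expiration_window hours of
# validity remain, the next plan/apply renews it, so short-lived certificates
# are replaced before they can cause an outage.
resource "venafi_certificate" "web" {
  common_name       = "www.example.com" # placeholder hostname
  san_dns           = ["www.example.com", "example.com"]
  algorithm         = "RSA"
  rsa_bits          = 2048
  expiration_window = 168
}

# Upload the Venafi-issued certificate into ACM. ACM import needs an
# unencrypted private key, so key_password is deliberately not set above.
resource "aws_acm_certificate" "web" {
  private_key       = venafi_certificate.web.private_key_pem
  certificate_body  = venafi_certificate.web.certificate
  certificate_chain = venafi_certificate.web.chain

  lifecycle {
    create_before_destroy = true # keep a valid cert attached during rotation
  }
}

output "acm_certificate_arn" {
  value = aws_acm_certificate.web.arn
}
```

Reference the output ARN from an ALB listener or CloudFront distribution resource so each renewal is picked up on the next apply.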