Configuring the Venafi CSP

This topic provides instructions for configuring the Venafi CSP. After you install the CSP, the configuration wizard opens, which is where this procedure begins. After completing this procedure, the CSP will be able to communicate with the Trust Protection Platform for authentication and virtual HSM functions.

NOTE  To complete the configuration, you'll need the following:

  • URL for your organization's authentication server (https://TPP_SERVER_URL/vedauth)
  • URL for the HSM backend server (https://TPP_SERVER_URL/vedhsm)
  • The username and password of the Key User.

This procedure requires administrator rights on the Windows workstation you're installing the CSP on.

While you can install and configure the CSP using these steps, code signing certificates will not be installed until a Code Signing Project in which the CSP user is assigned the Key User role has been approved.

Configuring the CSP using the configuration wizard

  1. If the Venafi CSP Configuration wizard is already open, skip to the next step. If not, navigate to C:\Program Files\Venafi\MMC and run Venafi Csp Configuration.msc.

  2. On the Welcome screen, if you already have an answer file, select whether you want to use it for this installation. Click Next.

    An answer file is an XML file that contains pre-determined configuration settings. You have an option to create an answer file at the end of the CSP installation wizard. Once you have an answer file, you can use it to pre-populate configuration settings, making it much faster to deploy future CSP installations.

    You can create an answer file without deploying the software by checking the appropriate option on the Configure CSP screen. (More information below.)

    If you are using an answer file, the Answer File screen opens. Click the Browse button to locate the answer file. If the answer file is encrypted with a password, enter the password, then click Next.

  3. On the Before You Begin screen, verify that you have all the information you need to complete installation.
  4. On the Host URLs screen, enter the addresses for your Authentication server and your HSM server.

    EXAMPLE  If your company's Trust Protection Platform URL is TPP_SERVER_URL, enter the following:

    • Authentication Server URL: https://TPP_SERVER_URL/vedauth
    • HSM Server URL: https://TPP_SERVER_URL/vedhsm

    Click Next.

  5. On the Access Authorization screen, enter your Trust Protection Platform Key User and password. Select whether you want to enable access for the Current User only, Local Machine only, or both.

  6. On the Configure CSP screen, do the following:

    • Determine the location where the configuration progress and errors will be logged. If there is a problem with the configuration of the CSP, this file will show you where the error occurred, which will help Venafi Customer Support troubleshoot your issue more quickly and efficiently.
    • Specify whether Venafi Platform services should be started immediately upon completion of configuration.
    • We recommend you save your configuration as an answer file. With an answer file, you are able to script the installation of the CSP MSI and apply the configuration.

      • If you create an answer file, it is recommended that you encrypt your answer file with a password. An unencrypted answer file is a plain text XML file that contains the user name, password, and other configuration items you've selected in the wizard.
      • If you are just completing the wizard to create an answer file, select the appropriate option. The wizard will save the answer file and will close when you click the Finish button.

After the installation is complete, the Venafi CSP Configuration console opens. For more information about the CSP Configuration Console, see Using the Venafi CSP Configuration Console.

Installing and configuring the CSP using the command line

To make mass deployments easier, you can script the CSP installation and configuration.

In order to script the configuration, you'll need an answer file. If you don't already have an answer file, follow the steps in Configuring the CSP using the configuration wizard. At the end of that procedure, you'll have the chance to save an answer file, which you can then use to script configuration of the CSP.

NOTE  In the following examples, use of cmd /c is optional and only there to help indicate when the process has completed.

To install the CSP

cmd /c "msiexec /i c:\installs\VenafiCodeSigningClients-21.2.0-x64.msi /qn HSMSERVERURL=https://TPP_SERVER_URL/vedhsm AUTHSERVERURL=https://TPP_SERVER_URL/vedauth"
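
The install command above wrapped with pre-flight checks for a scripted deployment, as an added PowerShell example that is not part of Venafi's documentation. The MSI path, the HSMSERVERURL and AUTHSERVERURL properties and the /vedhsm and /vedauth paths come from this page; the parameter names, the log location and the checks themselves are assumptions.

```powershell
# Added example, not Venafi's script. Parameter names, defaults and the log path are assumptions.
param(
    [Parameter(Mandatory)] [string]$TppHost,   # your TPP host name (TPP_SERVER_URL on the page)
    [string]$MsiPath    = 'c:\installs\VenafiCodeSigningClients-21.2.0-x64.msi',
    [string]$InstallLog = (Join-Path $env:TEMP 'venafi-csp-install.log')
)
$ErrorActionPreference = 'Stop'

# The procedure requires administrator rights on the workstation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated session.'
}
if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
    throw "MSI not found: $MsiPath"
}

# MSI property name -> endpoint path, as given on the page.
$endpoints = [ordered]@{ HSMSERVERURL = '/vedhsm'; AUTHSERVERURL = '/vedauth' }
$properties = foreach ($name in $endpoints.Keys) {
    $url = "https://$TppHost$($endpoints[$name])"
    $uri = $null
    $ok  = [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)
    # Reject a host value that yields a malformed URL, embeds credentials,
    # or changes the endpoint path (for example a stray '/', '?' or '#').
    if (-not $ok -or $uri.Scheme -ne 'https' -or $uri.UserInfo -or
        $uri.AbsolutePath -ne $endpoints[$name]) {
        throw "$name would be set to an unexpected URL: $url"
    }
    "$name=$url"
}

# /qn = silent install, /l*v = verbose MSI log for troubleshooting failed deployments.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$InstallLog`"") + $properties

# -Wait -PassThru blocks until msiexec exits and exposes its exit code,
# which serves the same purpose as the optional cmd /c wrapper.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'CSP installed.' }
    3010    { 'CSP installed; a reboot is required.' }
    default { throw "msiexec exit code $($proc.ExitCode); see $InstallLog" }
}
```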

To configure the CSP

Use the CSPConfig, PKCS11Config, or GPGConfig commands to script configuration.