Create an Adaptable CA template

An Adaptable CA can be used in place of a CA or application driver that does not yet exist or in place of a supported driver requiring advanced and tighter integration. For more information, see Adaptable CA.

To create and configure a new Adaptable CA template object

  1. Access Venafi Configuration Console.
  2. From Venafi Code Signing (TPP Code Signing) > Certificate Authority Templates, click Create, and then select Adaptable CA Connector.
  3. Specify a name for the new CA template. This name is displayed when you add a CA template to an Environment Template.
  4. Click Create. The Configure New Connector screen displays.
  5. Refer to the following table to configure the connector:

    Settings

    Description

    Enter a description of the purpose of your new CA template object.

    A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.

    Contact

    Select one or more users to be contacts.

    Username Credential

    Select an existing credential or create a new credential by selecting a container.

    Certificate Credential

    If your organization requires two-factor authentication, then select both a user name credential and a certificate credential.
    Secondary Credential

    If you need to select another credential, then from the Secondary Credential property, select a user name, certificate, password, or CyberArk credential object.

    TIP  Use this option to avoid having to hard code additional credentials in your script or having to utilize other solutions outside of Trust Protection Platform.

    Service Address

    Type the URL, FQDN, or IP address of your certificate authority API, according to how you've implemented this in your PowerShell script.

    For example, https://domain.net, subdomain.domain.org, 123.456.1.2, or localhost.

    Specifying the URL of your CA's API lets you use the same script to target different instances of the same CA vendor product. This option is therefore mainly relevant to CAs that are not reachable on the public Internet; public CAs have the same service address for every customer, so there is nothing instance-specific to configure.

    TIP  Unless you're developing and testing a PowerShell script, configuring Service Address or Profile String (below) is typically not something you'll need to do. The primary benefit of these settings is for third-party Venafi partners, enabling the PowerShell scripts they provide to be used as-is without customers having to customize them.

    A secondary benefit is that if the service URL or configuration changes, the values you specify are passed automatically to every PowerShell function in your scripts, preventing service interruptions and avoiding the need to update or re-validate your PowerShell scripts. For more information, see About automating PowerShell script updates following service URL and configuration changes.

    Profile String

    Type the profile string used by your PowerShell script.

    Specifying a certificate product, profile, or template lets you use the same script for different types of certificates supported by the target CA. This setting works with Service Address and depends on your script. For example, your script might reference the name of an identifier, a certificate product, profile, or template (e.g. x456-5424454:ssl_private:25423g-542352-2463).

    TIP  This field is designed to provide flexibility to your implementation of a PowerShell script. If you're implementing the script, it's important that you verify the value specified is valid and uses the required syntax.

    PowerShell Script

    Select your Windows PowerShell script from the PowerShell Script list.

    Only scripts contained in the Program Files\Venafi\Scripts\AdaptableCA folder appear in this list. If the script you want to use isn't listed, verify it has been placed into the correct directory on your Trust Protection Platform server.

    See About the Adaptable CA PowerShell script.
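    The Service Address and Profile String fields above are handed to the script unchanged, so the script is where their syntax gets checked. As an added illustration (not Venafi's own code and not the Adaptable CA function contract), the following PowerShell helpers normalize a Service Address into an HTTPS base URL and verify that a Profile String has the identifier:product:template shape of the example in the table; the function names, that assumed layout and the sample values are constructed for this example.

```powershell
# Added example (not Venafi's code): checks a script author might apply to the
# Service Address and Profile String values that the CA template passes in.
# The function names, the assumed identifier:product:template layout and the
# sample values below are constructed for illustration.

function ConvertTo-CaBaseUrl {
    param([Parameter(Mandatory)][string]$ServiceAddress)

    $value = $ServiceAddress.Trim()

    # A full URL is accepted only over HTTPS, since credentials travel to this endpoint.
    if ($value -match '^(?<scheme>[A-Za-z][A-Za-z0-9+.-]*)://') {
        if ($Matches['scheme'] -ne 'https') {
            throw "Service Address must use https, got: $value"
        }
        return $value.TrimEnd('/')
    }

    # Bare FQDN, host name, IP literal or localhost (optionally with :port):
    # reject anything that is not a syntactically valid host before building the URL.
    $hostPart = $value -replace ':\d+$', ''
    if ([Uri]::CheckHostName($hostPart) -eq [UriHostNameType]::Unknown) {
        throw "Service Address is not a valid URL, host name or IP address: $value"
    }
    return "https://$value"
}

function Test-ProfileString {
    param([Parameter(Mandatory)][string]$ProfileString)

    # Assumed layout for this example: three non-empty parts separated by colons,
    # each made of letters, digits, underscores or hyphens, matching the shape of
    # x456-5424454:ssl_private:25423g-542352-2463 from the table above.
    return [bool]($ProfileString -match '^[A-Za-z0-9_-]+(:[A-Za-z0-9_-]+){2}$')
}

# Sample values constructed for this example.
$baseUrl = ConvertTo-CaBaseUrl -ServiceAddress 'subdomain.domain.org'
$profile = 'x456-5424454:ssl_private:25423g-542352-2463'
if (-not (Test-ProfileString -ProfileString $profile)) {
    throw "Profile String does not match the expected identifier:product:template form: $profile"
}
Write-Output "Target CA API: $baseUrl (profile '$profile')"
```

    Failing early on a malformed address or profile string surfaces a template misconfiguration at validation time rather than as an opaque enrollment error later.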


    Options

    Renewal Window (days)

    Specify how many days before an existing certificate expires it should be renewed. Certificates falling outside the renewal window are handled through replacement or re-issuance.

    Allow Reissuance

    Enables renewal without changing the original expiration date.

    Subject Alt Name Enabled

    In X.509 certificates, a Subject Alternative Name extension allows a certificate subject to be associated with the service name and domain name components of a DNS Service Resource Record. See About Subject Alternative Names (SANs).

    When script is updated, fix related certificate errors

    Enables Trust Protection Platform to fix certificates affected by changes to the associated PowerShell script.

    For more information about how changes to scripts can affect certificate enrollment, see Protecting against unapproved changes to Adaptable CA scripts.

    Enable Debug Logging

    Logs debug information to enhance troubleshooting capabilities.

    For information about how enabling this option works with the PowerShell script, see About debug logging.

    Custom Fields

    Data related to the custom fields you select are passed using functions defined in the PowerShell script.

    See Working with custom fields.


    What's next?

    After you create a CA template object, you can use it when setting up CodeSign Protect by following the instructions at Administrator setup.