Setting up Venafi for integration with Entrust CA Gateway

Make sure you've already configured Entrust before continuing. Your Entrust service account must be operational for Venafi to connect to Entrust CA Gateway and issue certificates.

First things first

Let's take care of a couple of prerequisites first.

  • Verify network connectivity to Entrust CA Gateway.

    Confirming that the CA's web service is reachable helps ensure that the Trust Protection Platform server can also reach that service. Use whatever tool or method you prefer to send a simple request to your CA's web service. For example, you could use the Windows command line utility and send a ping request.

  • Update your firewall rules to allow the Trust Protection Platform server to connect to the CA web service.
  • Make sure you have the Create permission on the Policy folders where you'll be creating credentials and CA template objects.

    TIP  Not sure how to set permissions on Policy folders? See Setting policy on a folder, and then come back when you're ready.

  • Create a certificate credential and import the certificate and private key used to authenticate with Entrust CA Gateway. We'll show you how to do that next.
  • Have your Entrust Web Service URL handy.

    Example: https://webservices.host.com:1234/cagw
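The following PowerShell check is an added example, not part of the Venafi documentation. Run on the Trust Protection Platform server, it goes beyond a ping by testing the gateway's HTTPS port and the TLS handshake with the credential certificate; the URL and certificate thumbprint are placeholders you must replace.

```powershell
# Added example (not from the Venafi documentation): confirm that the Entrust CA Gateway
# web service is reachable from the Trust Protection Platform server and that a TLS
# handshake with the credential certificate succeeds. Values below are placeholders.
$gatewayUrl     = 'https://webservices.host.com:1234/cagw'   # your Entrust Web Service URL
$certThumbprint = 'THUMBPRINT-OF-CREDENTIAL-CERT'            # placeholder, not a real value

$uri = [System.Uri]$gatewayUrl

# Step 1: TCP reachability of the service port. A ping only proves the host answers
# ICMP; a firewall can still block the HTTPS port the gateway listens on.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP port $($uri.Port) on $($uri.Host) is not reachable; check firewall rules."
}
Write-Host "TCP connectivity to $($uri.Host):$($uri.Port) OK"

# Step 2: TLS handshake with the same client certificate (and private key) that the
# certificate credential will hold. Any HTTP status in reply means the transport and the
# client-certificate exchange worked; only a transport-level failure is a real problem.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $certThumbprint -and $_.HasPrivateKey }
if (-not $cert) {
    throw "No certificate with a private key matches thumbprint $certThumbprint in LocalMachine\My."
}

try {
    $resp = Invoke-WebRequest -Uri $gatewayUrl -Certificate $cert -Method Head -UseBasicParsing
    Write-Host "HTTPS reachable, status $($resp.StatusCode)"
}
catch {
    $response = $_.Exception.Response
    if ($null -ne $response) {
        # An HTTP error (for example 404 or 405 for HEAD on this path) still proves TLS worked
        Write-Host "TLS handshake OK; gateway answered HTTP $([int]$response.StatusCode)"
    }
    else {
        # No HTTP response at all: name resolution, certificate trust, or handshake failure
        throw "TLS connection to $gatewayUrl failed: $($_.Exception.Message)"
    }
}
```

If step 2 fails with no HTTP response, check that the gateway's issuing chain is trusted on the server and that the credential certificate is one Entrust CA Gateway accepts for client authentication.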

Creating a certificate credential

First, you need to create a certificate credential where you'll import the certificate and private key used to authenticate with Entrust CA Gateway.

To create the new certificate credential

  1. From the TLS Protect menu bar, click Inventory > Credentials.
  2. Click Create a New Credential.
  3. Click Credential Type and select Certificate.
  4. Click Folder and select the policy folder in which to create your new credential.
  5. In Credential Name, type a unique name for the new credential object, and then click Create and Configure.
  6. In Edit Credential Settings, click the Certificate field to locate and select the certificate to use for this credential.

    The certificate you select must have a corresponding private key stored in Trust Protection Platform.

  7. When you're finished, click Save.

Create and configure an Entrust CA Gateway object

A CA template object provides the information Trust Protection Platform needs to request, renew, and revoke certificates while also enabling automated provisioning of the certificate to associated devices.

To create and configure an Entrust CA Gateway object

  1. From the TLS Protect menu bar, click Policy Tree.

  2. From the Policy tree, select the folder where you want to create the Entrust CA Gateway object, and then click Add > CA Template > Entrust CA Gateway.
  3. In CA Name, type a name for the new template.
  4. (Optional) Do the following:
    1. If you find it helpful, type a description for the new template. This might help other users who might want to work with your template.
    2. Click and select other users who should receive email notifications related to your new Entrust CA Gateway.

      If another system administrator manages this new CA, it can be helpful to add them as contacts so they'll be notified about changes to this object's settings when they occur.

  5. Under Connection, do the following:
    1. Enter the Entrust Web Service URL. Example: https://webservices.host.com:1234/cagw
    2. Click and select the certificate credential you created previously, and then click Validate.
    3. Trust Protection Platform checks that the credential is valid. When validation succeeds, the CA and Profile lists under Options are populated.
  6. Under Options, do the following:
    1. Select one of the available CAs from the CA drop-down.
    2. Select one of the available profiles from the Profile list.
    3. Depending on which profile you've selected, do the following:
      1. (Optional) When the Keys are generated by the CA option is selected, the certificate request is sent in PKCS#12 format.

      2. (Optional) Select Exclude subjectVariables when requesting certificates, if you do not want the subject variables (CN, O, OU, L, ST, C, and DC) included in the certificate request.

      3. (Optional) Select Subject Alt Name Enabled if you want this CA object to support CSRs with DNS-based subject alt name (SAN) values.

        If you do not select this option, the current CA template object will not accept CSRs with SAN values. If Trust Protection Platform attempts to submit a CSR with SAN values, the CA Template object returns the following error:

        Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

        For additional information on defining SAN values in a certificate, see Subject Alt Name in the topic About certificate object settings.

      4. (Optional) Select Allow Users to Specify End Date if you want this CA object to let users specify expiration (end) dates for certificates requested from the CA.

        This option lets users choose end dates so that certificates do not expire during your known freeze periods.

        Typically, renewing certificates that expire during freeze periods requires a more challenging approval process. Setting expiration (or end) dates that fall outside of freeze periods avoids potential interruptions.

        When a specific end date has been specified, the issued certificate has that date as its expiration date.

        This check box is cleared after successful enrollment, so that the Validity Period setting takes effect for subsequent enrollments.

      5. In Validity Period, type the number of days for which issued certificates are valid.

        This setting is used when enrolling certificates. You can enter any positive integer. The default is 365 (days).

        Assign a validity period to be used when enrolling certificates. Options include 90 days, 6 months, and 1 year (default).

        TIP  If you need to define multiple validity periods, create additional CA objects that differ only in the validity period assignment.

  7. (Optional) To see additional attributes, review the settings on the Support tab.
  8. When you're finished, click Save.

What's next?

After you create a CA object, you can select it from the Policy tree, and then view important information and manage various settings.

  • Click the General tab to view and modify log and permissions settings.

    • Click the Log sub-tab to view any logged events that are triggered by the template object.

      IMPORTANT  You must have the Read permission to view the Log tab.

      For more information about options found on the Log tab, see Viewing log events.

    • On the Permissions sub-tab, you can configure the users or groups to grant permissions on the new template object.

      Consider managing object permissions via parent objects so that you can take advantage of inheritance. For more information, see Permission inheritance and flow down.