Make a place for certificates
Problem
You want a place to store and set policy for certificates.
Solution
Create a Policy folder, set attributes, and then lock them. You can also do this for credentials, CAs, and other information.
In the Policy tree, a folder stores settings that apply to child objects. The folder organizes Certificate, Device, Application, and other objects. Once the policy folder is created, we'll assign Team Alpha's security group as the contact and approver for all certificates and Application objects. We'll lock the policy so it cannot be overridden.
Before you start
You need:
-
The location and new folder name. Verify that the parent folder doesn't have a policy that applies to your new folder. Otherwise, you API calls will not be able to change the policy.
Time Estimate
About 30 mins
Create a folder for certificates
- Reuse or create a bearer token that includes the scope security;configuration. The bearer token grants your client access to Trust Protection Platform. To get a bearer token, see Getting a token. For each subsequent API call, be sure to include the token in the request header.
-
To avoid name collisions, call POST Config/IsValid with the intended path and folder name. ObjectDN. The ObjectDN is the path and new folder name. If a HTTP 400 ObjectDoesNotExist occurs, the ObjectDN is available for you to use. If this method returns data describing an existing object, retry with a different name. For example:
CopyJSONPOST https://tpp.venafi.example/vedauth/authorize/oauth
{
"client_id": "MyClient",
"username": "local:admin",
"password": "MyPassword!",
"scope": "security:manage;configuration:manage"
}
And
POST https://tpp.venafi.example/vedsdk/Config/IsValid/
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha"
}
CopyPowershelladd-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$RestAPIServer = "https://tpp.venafi.example"
#Get a token. Token scope applies to all API calls in this section
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "application/json")
$RestAPIURI = '/vedauth/authorize/oauth'
$RestRequest = $RestAPIServer + $RestAPIURI
$payloadToken = @{
client_id = "MyClient";
username = "local:admin";
password = "MyPassword";
scope = "security:manage;configuration:manage"
}
$json = ConvertTo-Json $payloadToken
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
$headers.Add("Authorization", "Bearer " + $result.access_token)
# iF policy does not exist, create it
$RestAPIURI = '/vedsdk/Config/IsValid'
$RestRequest = $RestAPIServer + $RestAPIURI
Write-Output $RestRequest`
$policybody = @{ObjectDN="\\VED\\Policy\\Certificates\\Team Alpha"}
$json = ConvertTo-Json $policybody
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
$HTTPStatus = $result[0].Result
$HTTPError = $result[0].Error
#Verify that the policy folder is not present; create folder
if ($HTTPError -And $HTTPError.Contains("ObjectDoesNotExist"))
{
$NameAttributeList = @{
Name = "Description"
Value = "My new Policy"
}
$payload = @{Class="Policy"; "ObjectDN" = "\\VED\\Policy\\Certificates\\Team Alpha"; NameAttributeList = $NameAttributeList}
$json = ConvertTo-Json $payload
$RestAPIURI = '/vedsdk/Config/Create'
$RestRequest = $RestAPIServer + $RestAPIURI
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
}CopyPythonimport requests
requests.packages.urllib3.disable_warnings()
# Create a policy folder
# Globals
uri = "https://tpp.venafi.example"
headerswToken = {
"Content-Type": "application/json",
"Authorization": "empty"
}
# End of Globals
def makepolicy():
headers= {
'Content-Type': 'application/json'
}
# End of Globals
# Get a token. Token scope applies to all API calls in this section
url = uri + "/vedauth/authorize/oauth"
payloadToken = {
"client_id": "MyClient",
"username": "local:admin",
"password": "MyPassw0rd",
"scope": "security:manage;configuration:manage"
}
r = requests.post(url, headers = headers, json = payloadToken, verify = False)
jsonResponse = r.json()
Token = (jsonResponse["access_token"])
global headerswToken
headerswToken.update({"Authorization": "Bearer " + Token})
# Does the policy exist?
url = uri + "/vedsdk/Config/IsValid"
payload = {
"ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha",
}
r = requests.post(url, headers = headerswToken, json = payload, verify = False)
data = r.json()
print(r.status_code, "was the response")
# If the policy does not exist create one; else, do nothing.
for key, value in data.items():
if key == "Result" and value == 400:
url = uri + "/vedsdk/Config/Create"
payload = {"Class": "Policy",
"ObjectDN": "\\VED\\Policy\\Certificates\\Team Alpha",
"NameAttributeList":[{'Name': 'Description', 'Value': 'My new Policy'}]
}
r = requests.post(url, headers=headerswToken, json=payload, verify=False)
data = r.json()
print(r.status_code)
makepolicy() -
To create the policy folder in the Policy tree, call POST Config/Create. Be sure to apply your company’s standards for naming the policy folder. For example:
CopyJSONPOST https://tpp.venafi.example/vedsdk/Config/Create/
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"Class":"Policy",
"ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha",
"NameAttributeList":[
{
"Name":"Description",
"Value":"My new policy"
}
]
}CopyPowershell#Verify that the policy folder is not present; create folder
if ($HTTPError.Contains("ObjectDoesNotExist"))
{
$NameAttributeList = @{
Name = "Description"
Value = "My new Policy"
}
$payload = @{Class="Policy"; "ObjectDN" = "\\VED\\Policy\\Certificates\\Team Alpha"; NameAttributeList = $NameAttributeList}
$json = ConvertTo-Json $payload
$RestAPIURI = '/vedsdk/Config/Create'
$RestRequest = $RestAPIServer + $RestAPIURI
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
}CopyPython# If the policy does not exist create one; else, do nothing.
for key, value in data.items():
if key == "Result" and value == 400:
url = uri + "/vedsdk/Config/Create"
payload = {"Class": "Policy",
"ObjectDN": "\\VED\\Policy\\Certificates\\Team Alpha",
"NameAttributeList":[{'Name': 'Description', 'Value': 'My new Policy'}]
}
r = requests.post(url, headers=headerswToken, json=payload, verify=False)
data = r.json()
print(r.status_code)
makepolicy()
Set policy for contacts and approvers
-
Before you can assign a person or group of people as contacts or approvers, get the PrefixedUniversal from POST Identity/Browse. For example, "TeamAlphaGroup" is an identity that we are searching.
-
From the response, get the PrefixedUniversal value for the next step. This value uniquely identifies a person or group's identity:
CopyJSONPOST https://tpp.venafi.example/vedsdk/Identity/Browse
{
"Filter":"TeamAlphaGroup",
"IdentityType":2,
"Limit":1
}CopyPowershell# Find PrefixedUniversal of a person or group
$RestAPIURI = '/vedsdk/Identity/Browse'
$RestRequest = $RestAPIServer + $RestAPIURI
$pubody = "`n{`n `"Filter`": `"admin`",`n `"Limit`": 2,`n `"IdentityType`": 1`n`n}"
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $pubody -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
$PrefixedUniversal = "not set"
if ($result.Identities[0].PrefixedUniversal)
{
$PrefixedUniversal = $result.Identities[0].PrefixedUniversal
}CopyPython# Set policy for contacts and approvers with Identity/Browse
def setcontactapprovers():
url = uri + "/vedsdk/Identity/Browse"
payload = {
"Filter":"Everyone",
"IdentityType": 2,
"Limit": 1
}
r = requests.post(url, headers = headerswToken, json = payload, verify = False)
#Get the group's identity (PrefixedUniversial) from this list (array)
if 'Identities' not in r.json().keys():
return None
else:
identities = r.json()['Identities']
for i in identities:
prefixuniversal = i['PrefixedUniversal']
print(prefixuniversal) -
To assign and enforce a group as the contact for all Certificate objects within the policy, call POST Config/WritePolicy.
POST https://tpp.venafi.example/vedsdk/Config/WritePolicy Authorization:Bearer 4MyGeneratedBearerTknz== { "ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha", "AttributeName":"Contact", "Values":[ "local:{6d6d56a1-ab7e-4f8e-b745-defeb91f2905}" ], "Class":"X509 Certificate Base", "Locked":true }CopyJSONPOST https://tpp.venafi.example/vedsdk/Config/WritePolicy
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha",
"AttributeName":"Contact",
"Values":[
"local:{6d6d56a1-ab7e-4f8e-b745-defeb91f2905}"
],
"Class":"X509 Certificate Base",
"Locked":true
}
CopyPowershell#Add contact to policy
$RestAPIURI = '/vedsdk/Config/WritePolicy'
$RestRequest = $RestAPIServer + $RestAPIURI
$values = @($prefixedUniversal)
$payload = @{ObjectDN = "\\VED\\Policy\\Certificates\\Team Alpha"; Class = "X509 Certificate Base"; AttributeName = "Contact"; Values = $values; }
$json = ConvertTo-Json $payload
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $resultCopyPythonr = requests.post(url, headers = headerswToken, json = payload, verify = False)
identities_dict = r.json()['Identities']
for contact in identities_dict:
if contact['PrefixedUniversal'] != "":
prefixeduniversal = contact['PrefixedUniversal']
policypayload = {
"ObjectDN": "\\VED\\Policy\\Certificates\\Team Alpha",
"Class": "X509 Certificate",
"AttributeName":"Contact",
"Values": [ prefixeduniversal ]
}
url = uri + "/vedsdk/Config/WritePolicy"
r = requests.post(url, headers=headerswToken, json=policypayload, verify=False)
data = r.json()
print(r.status_code)
assigncontact() -
If you want to assign approvers call POST Config/WritePolicy with AttributeName:Approver.
Assign permissions
-
(Optional) Run POST Config/DnToGuid and save the policy GUID that appears in the response for the next step. For example:
CopyJSONPOST https://tpp.venafi.example/vedsdk/Config/DntoGuid
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"ObjectDN":"\\VED\\Policy\\Certificates\\Team Alpha"
}
CopyPowershell# Get the GUID of the policy folder you just created
$RestAPIURI = '/vedsdk/Config/DNtoGuid'
$RestRequest = $RestAPIServer + $RestAPIURI
$payload=@{ObjectDN ="\\VED\\Policy\\Certificates\\Team Alpha"}
$json = ConvertTo-Json $payload
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
$folderGuid = $result.GUID
Write-Output $folderGuidCopyPython
# Get the GUID of the policy folder you just created
url = uri + "/vedsdk/Config/DntoGuid"
payload = {
"ObjectDN": "\\VED\\Policy\\Certificates\\Team Alpha",
}
r = requests.post(url, headers=headerswToken, json=payload, verify=False)
folderguid = r.json()['GUID'] -
Use the policy GUID from the previous step to update permissions for TeamAlphaGroup. In this case, the GUID is {62d95abb-70ea-4c73-b202-79aa358c995c}. Run PUT Permissions/Object/{guid}/(ptype)/{principal}. For example:
CopyJSONPOST https://tpp.venafi.example/vedsdk/permissions/object/
{62d95abb-70ea-4c73-b202-79aa358c995c}/local/
{6d6d56a1-ab7e-4f8e-b745-defeb91f2905}
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"IsAssociateAllowed":false,
"IsCreateAllowed":true,
"IsDeleteAllowed":false,
"IsManagePermissionsAllowed":false,
"IsPolicyWriteAllowed":false,
"IsPrivateKeyReadAllowed":true,
"IsPrivateKeyWriteAllowed":true,
"IsReadAllowed":true,
"IsRenameAllowed":true,
"IsRevokeAllowed":true,
"IsViewAllowed":true,
"IsWriteAllowed":true
}CopyPowershell#Set policy permissions
#Format is .../permissions/object/[Policfy Folder GUID] local [Identity Universal]
#if permissions are already set call PUT instead of POST
$RestAPIURI = '/vedsdk/Permissions/object' + "/" + $folderGuid + "/" + "local" + "/" + $universal
$RestRequest = $RestAPIServer + $RestAPIURI
$payload = @{
IsAssociateAllowed = "False";
IsCreateAllowed = "True";
IsDeleteAllowed = "False";
IsManagePermissionsAllowed = "False";
IsPolicyWriteAllowed = "False";
IsPrivateKeyReadAllowed = "True";
IsPrivateKeyWriteAllowed = "True";
IsReadAllowed = "True";
IsRenameAllowed = "True";
IsRevokeAllowed = "True";
IsViewAllowed = "True";
IsWriteAllowed = "True"
}
$json = ConvertTo-Json $payload
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $resultCopyPython#Set policy permissions
#Format is .../permissions/object/[Policfy Folder GUID] local [Identity Universal]
#if permissions are already set call PUT instead of POST
if folderguid != "":
permissionsypayload = {
"IsAssociateAllowed": False,
"IsCreateAllowed": True,
"IsDeleteAllowed": False,
"IsManagePermissionsAllowed": False,
"IsPolicyWriteAllowed": False,
"IsPrivateKeyReadAllowed": True,
"IsPrivateKeyWriteAllowed": True,
"IsReadAllowed": True,
"IsRenameAllowed": True,
"IsRevokeAllowed": True,
"IsViewAllowed": True,
"IsWriteAllowed": True
}
url = uri + "/vedsdk/Permissions/object" + "/" + folderguid + "/" + "local" + "/" + universal
r = requests.post(url, headers=headerswToken, json=permissionsypayload, verify=False)
data = r.json()
print(r.status_code)
setpermissions()
Clean up and go home
- The token grants access until it expires. When your client application finishes, you can delete the token.
CopyJSON
POST https://tpp.venafi.example/vedauth/Revoke/Token
Authorization:Bearer 4MyGeneratedBearerTknz==CopyPowershell#Cleanup and go home
$RestAPIURI = '/vedauth/Revoke/Token'
$RestRequest = $RestAPIServer + $RestAPIURI
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Get
Write-Output $RestRequestCopyPythondef revoketoken():
# Clean up. Go home
url = uri + "/vedauth/Revoke/token"
r = requests.get(url, headers=headerswToken, verify=False)
print(r.status_code)
revoketoken()