Example 5: Provision a certificate to AWS
Problem
You want Amazon Certificate Manager (ACM) to supply a certificate and deploy it on AWS resources such as Elastic Load Balancer.
Solution
The solution is to request a certificate and provision it to AWS.
Before you start
Get a bearer token. Use an Authorize call. For each subsequent API call, be sure to include the token in the request header.
Time Estimate
About 30 mins
Create the Device and Application
- Reuse or create a bearer token that includes the scope certificate:manage. The bearer token grants your client access to Trust Protection Platform. To get a bearer token, see Getting a token. For each subsequent API call, be sure to include the token in the request header.
- If you don't already have a place to store information about the certificate, create policy folder(s) for the certificate, credential, CA, and device. The folders are also known as objects with Distinguished Names (DNs). Then call POST Certificates/Request.
POST https://tpp.venafi.example/vedsdk/Certificates/Request
Authorization:Bearer 4MyGeneratedBearerTknz==
{
  "PolicyDN":"\\VED\\Policy\\Certificates",
  "CADN":"\\VED\\Policy\\CAs",
  "ObjectName":"CreateMyCertname",
  "Subject":"MyCertSubject",
  "SubjectAltNames":[
    { "TypeName":"DNS", "Name":"aws.venafi.example" },
    { "TypeName":"IPAddress", "Name":"192.168.1.100" }
  ],
  "ManagementType":"Provisioning",
  "SetWorkToDo":true,
  "Devices":[
    {
      "PolicyDN":"\\VED\\Policy\\Certificates\\DeviceFolder",
      "ObjectName":"CreateMyAWS DEVICE1",
      "Host":"192.168.1.1",
      "Applications":[
        {
          "ObjectName":"CreateMyAWS APP ACM1",
          "Class":"Amazon App",
          "DriverName":"appamazon",
          "ClassSpecificAttributes":[
            { "Name":"Aws Credential DN", "Value":"\\VED\\Policy\\Credentials\\MyGeneratedAws Credential DN" },
            { "Name":"Provisioning To", "Value":"0" },
            { "Name":"Binding Target", "Value":"0" }
          ]
        }
      ]
    }
  ]
}
POST https://tpp.venafi.example/vedauth/authorize/oauth
{
"client_id": "MyClient",
"username": "local:admin",
"password": "MyPassword!",
"scope": "certificate:manage"
}
And
POST https://tpp.venafi.example/vedsdk/Certificates/Request
Authorization:Bearer 4MyGeneratedBearerTknz==
{
  "PolicyDN":"\\VED\\Policy\\Certificates",
  "CADN":"\\VED\\Policy\\CATemplates\\myCA",
  "ObjectName":"CreateMyCertname2",
  "Subject":"MyCertSubject",
  "SubjectAltNames":[
    {
      "TypeName":"DNS",
      "Name":"aws.venafi.example"
    },
    {
      "TypeName":"IPAddress",
      "Name":"192.168.1.100"
    }
  ],
  "ManagementType":"Provisioning",
  "SetWorkToDo":true,
  "Devices":[
    {
      "PolicyDN":"\\VED\\Policy\\Certificates\\DeviceFolder",
      "ObjectName":"CreateMyAWS DEVICE1",
      "Host":"192.168.1.1",
      "Applications":[
        {
          "ObjectName":"CreateMyAWS APP ACM1",
          "Class":"Amazon App",
          "DriverName":"appamazon",
          "ClassSpecificAttributes":[
            {
              "Name":"Aws Credential DN",
              "Value":"\\VED\\Policy\\Credentials\\MyGeneratedAws Credential DN"
            },
            {
              "Name":"Provisioning To",
              "Value":"0"
            },
            {
              "Name":"Binding Target",
              "Value":"0"
            }
          ]
        }
      ]
    }
  ]
}
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
// Accepts every server certificate, i.e. TLS validation is switched off for this session
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$RestAPIServer = "https://tpp.venafi.example"
# Get a token. Token scope applies to all API calls in this section
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "application/json")
$RestAPIURI = '/vedauth/authorize/oauth'
$RestRequest = $RestAPIServer + $RestAPIURI
$tokenPayload = @'
{
  "client_id": "MyClient",
  "username": "local:admin",
  "password": "MyPassword!",
  "scope": "certificate:manage"
}
'@
$token = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $tokenPayload -ContentType 'application/json'
# Every later call carries the bearer token in the Authorization header
$headers.Add("Authorization", "Bearer " + $token.access_token)
# Certificates/Request.
# If Venafi is not running on an AWS instance, all objects are created but the provisioning result is false
# A single-quoted here-string keeps the JSON literal, so the DN backslashes need no escaping
$payload = @'
{
  "PolicyDN": "\\VED\\Policy\\Certificates",
  "CADN": "\\VED\\Policy\\CATemplates\\myCA",
  "ObjectName": "CreateMyCertname2",
  "Subject": "MyCertSubject",
  "SubjectAltNames": [
    {
      "TypeName": "DNS",
      "Name": "aws.venafi.example"
    },
    {
      "TypeName": "IPAddress",
      "Name": "192.168.1.100"
    }
  ],
  "ManagementType": "Provisioning",
  "SetWorkToDo": true,
  "Devices": [
    {
      "PolicyDN": "\\VED\\Policy\\Certificates\\DeviceFolder",
      "ObjectName": "CreateMyAWS DEVICE1",
      "Host": "192.168.1.1",
      "Applications": [
        {
          "ObjectName": "CreateMyAWS APP ACM1",
          "Class": "Amazon App",
          "DriverName": "appamazon",
          "ClassSpecificAttributes": [
            {
              "Name": "Aws Credential DN",
              "Value": "\\VED\\Policy\\Credentials\\MyGeneratedAws Credential DN"
            },
            {
              "Name": "Provisioning To",
              "Value": "0"
            },
            {
              "Name": "Binding Target",
              "Value": "0"
            }
          ]
        }
      ]
    }
  ]
}
'@
$json = $payload
Write-Output $json
$RestAPIURI = '/vedsdk/Certificates/Request'
$RestRequest = $RestAPIServer + $RestAPIURI
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
import requests

# The sample posts with verify=False (no TLS validation); this silences the warning that causes
requests.packages.urllib3.disable_warnings()
# Globals
uri = "https://tpp.venafi.example"
headerswToken = {
    "Content-Type": "application/json",
    "Authorization": "empty"
}
# End of Globals


def CSRprovision():
    headers = {
        'Content-Type': 'application/json'
    }
    # Get a token. Token scope applies to all API calls in this section
    url = uri + "/vedauth/authorize/oauth"
    payloadToken = {
        "client_id": "MyClient",
        "username": "local:admin",
        "password": "MyPassw0rd",
        "scope": "certificate:manage"   # the scope Certificates/Request needs, as stated above
    }
    r = requests.post(url, headers=headers, json=payloadToken, verify=False)
    jsonResponse = r.json()
    Token = jsonResponse["access_token"]
    # Fill in the module-level header dict; every later call in this function reuses it
    headerswToken.update({"Authorization": "Bearer " + Token})
Provision the certificate to AWS
To provision the certificate to AWS, call POST Certificates/Associate.
POST https://tpp.venafi.example/vedsdk/Certificates/Associate
Authorization:Bearer 4MyGeneratedBearerTknz==
{
  "CertificateDN":"\\VED\\Policy\\MyCertificates\\CreateMyCertname",
  "ApplicationDN":[
    "\\VED\\Policy\\MyCertificates\\MyDevices\\CreateMyAWS APP ACM1"
  ]
}
# Certificates/Associate
$payload = @'
{
  "CertificateDN": "\\VED\\Policy\\Certificates\\CreateMyCertname2",
  "ApplicationDN": [
    "\\VED\\Policy\\Certificates\\DeviceFolder\\CreateMyAWS DEVICE1\\CreateMyAWS APP ACM1"
  ],
  "PushToNew": "true"
}
'@
$json = $payload
$RestAPIURI = '/vedsdk/Certificates/Associate'
$RestRequest = $RestAPIServer + $RestAPIURI
$result = Invoke-RestMethod -Headers $headers -Uri $RestRequest -Method Post -Body $json -ContentType 'application/json'
$result | ConvertTo-Json
Write-Output $result
    # Certificates/Request (same body as the REST tab; a dict lets json= do the backslash escaping)
    url = uri + "/vedsdk/Certificates/Request"
    payload = {
        "PolicyDN": "\\VED\\Policy\\Certificates",
        "CADN": "\\VED\\Policy\\CATemplates\\myCA",
        "ObjectName": "CreateMyCertname2",
        "Subject": "MyCertSubject",
        "SubjectAltNames": [
            {"TypeName": "DNS", "Name": "aws.venafi.example"},
            {"TypeName": "IPAddress", "Name": "192.168.1.100"}
        ],
        "ManagementType": "Provisioning",
        "SetWorkToDo": True,
        "Devices": [{
            "PolicyDN": "\\VED\\Policy\\Certificates\\DeviceFolder",
            "ObjectName": "CreateMyAWS DEVICE1",
            "Host": "192.168.1.1",
            "Applications": [{
                "ObjectName": "CreateMyAWS APP ACM1",
                "Class": "Amazon App",
                "DriverName": "appamazon",
                "ClassSpecificAttributes": [
                    {"Name": "Aws Credential DN", "Value": "\\VED\\Policy\\Credentials\\MyGeneratedAws Credential DN"},
                    {"Name": "Provisioning To", "Value": "0"},
                    {"Name": "Binding Target", "Value": "0"}
                ]
            }]
        }]
    }
    r = requests.post(url, headers=headerswToken, json=payload, verify=False)
    data = r.json()
    print(r.status_code, "was the response")
    # Certificates/Associate
    url = uri + "/vedsdk/Certificates/Associate"
    provisionPayload = {
        "CertificateDN": "\\VED\\Policy\\Certificates\\CreateMyCertname2",
        "ApplicationDN": [
            "\\VED\\Policy\\Certificates\\DeviceFolder\\CreateMyAWS DEVICE1\\CreateMyAWS APP ACM1"
        ],
        "PushToNew": "true"
    }
    r = requests.post(url, headers=headerswToken, json=provisionPayload, verify=False)
    data = r.json()
    print(r.status_code)


CSRprovision()
Clean up and go home
The token grants access until it expires. To remove the token, call GET Revoke/Token.
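The following Python module is an added example, not code from this page or from Venafi; it walks the steps above end to end (get a bearer token, POST Certificates/Request for the Amazon App device and application, POST Certificates/Associate, then revoke the token once the work is queued) and builds every DN from components so that json.dumps produces the doubled backslashes the API expects, instead of the hand-escaped strings in the PowerShell sample. The endpoint paths are the ones shown on this page; /vedauth/revoke/token for GET Revoke/Token, a CertificateDN field in the Certificates/Request response, and failures reported in an Error field are assumptions. The fake_tpp transport and its canned responses are constructed so the flow runs offline; requests_transport, which keeps TLS verification on by default, is the one to pass for a real server.

```python
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

# Transport: (method, url, headers, json_body) -> (status_code, decoded_body)
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Tuple[int, Dict[str, Any]]]
TPP_BASE_URL = "https://tpp.venafi.example"  # host from the page's examples
DEMO_TOKEN = "4MyGeneratedBearerTknz=="       # token value from the page, constructed


def dn(*components: str) -> str:
    """dn("VED", "Policy") -> \\VED\\Policy; json.dumps doubles the backslashes on the wire."""
    return "".join("\\" + c for c in components)


def request_payload(cert_name: str, subject: str, dns_names: List[str], ip_names: List[str],
                    aws_credential_dn: str) -> Dict[str, Any]:
    """Certificates/Request body for the page's Amazon App device and application."""
    sans = [{"TypeName": "DNS", "Name": n} for n in dns_names]
    sans += [{"TypeName": "IPAddress", "Name": n} for n in ip_names]
    return {"PolicyDN": dn("VED", "Policy", "Certificates"),
            "CADN": dn("VED", "Policy", "CATemplates", "myCA"),
            "ObjectName": cert_name, "Subject": subject, "SubjectAltNames": sans,
            "ManagementType": "Provisioning", "SetWorkToDo": True,
            "Devices": [{"PolicyDN": dn("VED", "Policy", "Certificates", "DeviceFolder"),
                         "ObjectName": "CreateMyAWS DEVICE1", "Host": "192.168.1.1",
                         "Applications": [{"ObjectName": "CreateMyAWS APP ACM1",
                                           "Class": "Amazon App", "DriverName": "appamazon",
                                           "ClassSpecificAttributes": [
                                               {"Name": "Aws Credential DN", "Value": aws_credential_dn},
                                               {"Name": "Provisioning To", "Value": "0"},
                                               {"Name": "Binding Target", "Value": "0"}]}]}]}


def payload_json(payload: Dict[str, Any]) -> str:
    return json.dumps(payload, indent=2)


def requests_transport(verify: Any = True) -> Transport:
    """Real HTTP via requests; verify=True or a CA bundle path keeps TLS validation on."""
    import requests  # lazy import: the offline demo below does not need it
    session = requests.Session()

    def send(method, url, headers, body):
        r = session.request(method, url, headers=headers, json=body, verify=verify)
        return r.status_code, (r.json() if r.content else {})  # Revoke/Token has an empty body
    return send


class TppClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base, self.send = base_url.rstrip("/"), transport
        self.headers = {"Content-Type": "application/json"}

    def _call(self, method, path, body=None):
        status, data = self.send(method, self.base + path, dict(self.headers), body)
        if status >= 400 or "Error" in data:  # assumption: TPP reports failures in an Error field
            raise RuntimeError(f"{method} {path} -> {status}: {data.get('Error', data)}")
        return data

    def authorize(self, client_id, username, password, scope="certificate:manage") -> str:
        data = self._call("POST", "/vedauth/authorize/oauth", {"client_id": client_id,
                          "username": username, "password": password, "scope": scope})
        self.headers["Authorization"] = "Bearer " + data["access_token"]  # reused by later calls
        return data["access_token"]

    def request_certificate(self, payload) -> str:
        # assumption: Certificates/Request answers with the new object's CertificateDN
        return self._call("POST", "/vedsdk/Certificates/Request", payload)["CertificateDN"]

    def associate(self, certificate_dn, application_dns, push_to_new=True):
        return self._call("POST", "/vedsdk/Certificates/Associate", {"CertificateDN": certificate_dn,
                          "ApplicationDN": application_dns, "PushToNew": push_to_new})

    def revoke_token(self) -> None:
        self._call("GET", "/vedauth/revoke/token")  # assumed path for the page's GET Revoke/Token
        self.headers.pop("Authorization", None)


def fake_tpp(log: List[Tuple[str, str, Optional[str]]]) -> Transport:
    """Constructed stand-in for TPP: canned responses, 401 unless the bearer token is presented."""
    canned = {"/vedauth/authorize/oauth": (200, {"access_token": DEMO_TOKEN}),
              "/vedsdk/Certificates/Request": (200, {"CertificateDN": dn("VED", "Policy", "Certificates", "CreateMyCertname2")}),
              "/vedsdk/Certificates/Associate": (200, {"Success": True}),
              "/vedauth/revoke/token": (200, {})}

    def send(method, url, headers, body):
        path, auth = url[len(TPP_BASE_URL):], headers.get("Authorization")
        log.append((method, path, auth))
        if path != "/vedauth/authorize/oauth" and auth != "Bearer " + DEMO_TOKEN:
            return 401, {"Error": "missing or invalid bearer token"}
        return canned[path]
    return send


def provision_to_aws(transport: Transport) -> Dict[str, Any]:
    client = TppClient(TPP_BASE_URL, transport)
    client.authorize("MyClient", "local:admin", "MyPassword!")
    try:
        cert_dn = client.request_certificate(request_payload(
            "CreateMyCertname2", "MyCertSubject", ["aws.venafi.example"], ["192.168.1.100"],
            dn("VED", "Policy", "Credentials", "MyGeneratedAws Credential DN")))
        app_dn = dn("VED", "Policy", "Certificates", "DeviceFolder", "CreateMyAWS DEVICE1", "CreateMyAWS APP ACM1")
        result = client.associate(cert_dn, [app_dn])
    finally:
        client.revoke_token()  # the token is only needed while the work is being queued
    return {"CertificateDN": cert_dn, "ApplicationDN": app_dn, "Associate": result}


if __name__ == "__main__":
    calls: list = []
    print(json.dumps(provision_to_aws(fake_tpp(calls)), indent=2), *calls, sep="\n")
```

Run against a real server with provision_to_aws(requests_transport("/path/to/tpp-ca-bundle.pem")); the recorded call list from fake_tpp shows the order of calls and that only the Authorize call goes out without the bearer header.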