SSH certificate adaptable issuance flows

SSH certificate issuance flows use the Venafi Adaptable Framework to let you validate SSH certificate issuance requests with external solutions. This gives you significant control over the issuance of SSH certificates. For example, you can:

  • Ensure SSH host certificates are not issued for a server not managed by the company.

  • Modify certificate attribute values depending on the request. (For example, you can validate the FQDN through reverse DNS lookup of the requesting IP, rather than trusting the information provided by the requestor.)

  • Restrict when users can request SSH certificates. For example, requests made during off-hours can be rejected, and an incident can be logged in your ITSM tool.

Issuance flows allow you to define custom logic that is executed before a certificate is issued. The custom logic is written in Windows PowerShell and stored on the Venafi server. Administrators can connect remotely to the Venafi server to modify the PowerShell scripts as needed. By defining separate PowerShell scripts for different issuance flows, you have the flexibility to cover multiple use cases, including:

  • Configuration Management Database (CMDB) validation

  • Attribute modification

  • IT Service Management (ITSM) integration
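The three use cases above (CMDB validation, attribute modification and an off-hours restriction) combined in one script, as an added illustration that is not Venafi's script template or any code from this page. The entry-point function name, the shape of the `$Request` hashtable, the result object and the business-hours policy are all assumptions; the real Adaptable Flow script has its own entry points and parameters, which this example does not reproduce. The managed-host inventory is a constructed stand-in for a CMDB lookup, and the sample run stubs the reverse DNS lookup so it runs offline.

```powershell
# Added example, not Venafi's Adaptable Flow script. Function name, $Request
# keys and the result object are assumptions; the product's own contract differs.

# Constructed stand-in for a CMDB: FQDNs the company manages. In a real flow
# this would be a query against your CMDB using the configured credential.
$ManagedHosts = @{
    'web01.corp.example' = 'owner=web-team'
    'db01.corp.example'  = 'owner=dba'
}

function Resolve-RequesterFqdn {
    param([string]$RequesterIp)
    # Reverse DNS lookup of the requesting IP, so the FQDN comes from DNS
    # rather than from the value the requestor supplied.
    try {
        return ([System.Net.Dns]::GetHostEntry($RequesterIp)).HostName.ToLowerInvariant()
    } catch {
        return $null
    }
}

function Test-BusinessHours {
    param([datetime]$Now = (Get-Date))
    # Assumed policy: weekdays, 07:00 to 19:00 server local time.
    if ($Now.DayOfWeek -in 'Saturday', 'Sunday') { return $false }
    return ($Now.Hour -ge 7 -and $Now.Hour -lt 19)
}

function Test-SshIssuanceRequest {
    param(
        [hashtable]$Request,                 # assumed keys: RequesterIp, RequestedFqdn
        [datetime]$Now = (Get-Date),
        [scriptblock]$ReverseLookup = ${function:Resolve-RequesterFqdn}
    )
    $result = [pscustomobject]@{ Approved = $false; Reason = ''; Fqdn = $Request.RequestedFqdn }

    # Off-hours restriction: reject and leave a reason that an ITSM integration could log.
    if (-not (Test-BusinessHours -Now $Now)) {
        $result.Reason = 'Request made outside business hours'
        return $result
    }

    # Validate the host identity from DNS instead of trusting the request.
    $dnsFqdn = & $ReverseLookup $Request.RequesterIp
    if (-not $dnsFqdn) {
        $result.Reason = "No reverse DNS record for $($Request.RequesterIp)"
        return $result
    }

    # CMDB validation: only hosts in the managed inventory may receive a host certificate.
    if (-not $ManagedHosts.ContainsKey($dnsFqdn)) {
        $result.Reason = "$dnsFqdn is not in the managed host inventory"
        return $result
    }

    # Attribute modification: replace the requested FQDN with the DNS-verified one.
    $result.Fqdn     = $dnsFqdn
    $result.Approved = $true
    $result.Reason   = 'Validated'
    return $result
}

# Sample run with a constructed request and a stubbed reverse lookup (offline).
# The requestor claims one FQDN; the verified value from DNS replaces it.
$sample = @{ RequesterIp = '10.0.0.5'; RequestedFqdn = 'claimed.corp.example' }
Test-SshIssuanceRequest -Request $sample -Now (Get-Date '2024-03-12 10:00') `
    -ReverseLookup { param($ip) 'web01.corp.example' }
```

Each rejection returns a distinct reason rather than just a boolean, so the same result object can drive both the issuance decision and the incident that is written to an ITSM tool.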

SSH certificate issuance flows let you integrate with a wide variety of third-party solutions, so that SSH Protect fits into your existing ecosystem.

SSH certificate issuance flows general process overview

When working with SSH certificate issuance flows, the process is as follows:

  1. Complete the issuance flow prerequisites. This includes installing PowerShell, updating .NET, creating a username credential to connect to the third-party application, and creating an API application integration (if you access the Venafi Web SDK).

  2. Edit the PowerShell script. This is where you configure custom attributes and write the logic that integrates your third-party application with Venafi SSH Protect.

  3. Configure the Adaptable Flow action. Using the Policy Tree, you will create (or edit) the Adaptable Flow action, where you configure the settings used to make the flow work.

What's next? Review issuance flow prerequisites

Now that you have been introduced to SSH issuance flows, you're ready to review the issuance flow prerequisites. See Adaptable Flow prerequisites.