Using your own DigiCert Private PKI Certificates in your Venafi as a Service DevOps environment
DigiCert has integrated with Venafi as a Service to improve how DevOps testing environments incorporate digital certificates into their workflows. DigiCert is offering Venafi as a Service for DevOps customers limited-use Private PKI certificates, making it easier for them to:
- Protect their DevOps environments
- Ensure that security can be part of their development cycle right from the start
- Enforce their security policies
Are you planning to make Venafi as a Service for DevOps a more permanent part of your DevOps environment? You may want to turn your instance into a dedicated trust environment by using your own Private PKI certificates for added security. Venafi has made it easy for their customers to issue their own DigiCert Private PKI certificates within their environments through our CertCentral® platform.
For more information about DigiCert integration with Venafi as a Service for DevOps, see Automating PKI for Secure DevOps. To learn more about obtaining a Venafi as a Service for DevOps account, see Venafi as a Service for DevOps. To learn more about obtaining your own Private PKI Solution for your Venafi as a Service instance, please contact DigiCert at venafi-contact@digicert.com.
Issue Your Own Private PKI Certificates in Your Venafi as a Service for DevOps Environment
To begin issuing your own Private PKI certificates in your Venafi as a Service for DevOps environment you need three things:
- Your own private root with intermediate certificates
  With your personalized Private PKI solution from DigiCert, we will create your own private root and secure it, while allowing you oversight of your intermediate certificate, its properties, what types of certificates it can issue, and the names on those certificates.
  If you don't already have your own Private PKI solution from DigiCert and want to learn more about getting one, please contact DigiCert at venafi-contact@digicert.com for further information.
- A DigiCert CertCentral® account
  So you can begin using your Private PKI Solution, DigiCert will provide you with a DigiCert CertCentral account that can be connected to your Venafi as a Service for DevOps account via a CertCentral API key that you create.
  To obtain your DigiCert CertCentral account so that you can begin using your Private PKI Solution in your Venafi as a Service for DevOps environment, please fill out the form below or contact DigiCert at venafi-contact@digicert.com.
- "Connect to an External Certificate Authority" feature enabled
  Before you can begin using your personalized Private PKI solution in your Venafi as a Service for DevOps instance, you need to have the "Connect to an External Certificate Authority" feature turned on for your Venafi account. To have this feature enabled, please work with your DigiCert Sales representative or contact us at venafi-contact@digicert.com.
Linking Your Private PKI Solution to Your Venafi as a Service for DevOps Account
Follow the steps below to link your Venafi account to your DigiCert CertCentral® account so you can begin issuing your own SSL/TLS Private PKI Certificates.
- Create an API Key in Your DigiCert CertCentral Account
- Add Your CertCentral API Key to Your Venafi as a Service Account
Create an API Key in Your DigiCert CertCentral Account
Inside your CertCentral account, you need to create an API key that will be used to link your Venafi as a Service account to your CertCentral account.
How to Create Your Own CertCentral API Key
In your CertCentral account, you can issue API keys through your user Profile Settings.
- In your CertCentral account, in the top right corner, in the “User Name” drop-down list, select My Profile.
- On the Profile Settings page, click API Keys.
- On the API Keys page, click +Add API Key.
- Next, open a text editor (such as Notepad).
- In the Add API Key window, do the following:
  Description | In the box, type a description/name for the API key.
  User | In the drop-down list, select yourself.
  Note: Because the User role can't issue API keys for other users, the drop-down list doesn't appear in their UI.
- When you are done, click Add API Key.
- In the New API Key window, above “For security reasons, we cannot show this again.”, copy your API key and paste it into your text editor.
  You will eventually enter this API key (a string of random numbers and letters) into the appropriate field in your Venafi as a Service account.
  CAUTION: Do not close the New API Key window until you have saved a copy of the API key. If you close the window without recording your new API key, you will not be able to retrieve it. You will need to revoke the API key that you just created and create a new one.
- Save your text editor document, making sure to note its location.
  API Key Storage Recommendations
  Because your API key is effectively the same thing as a username and password, we recommend storing your API key in a secure secret management system (e.g., LastPass or KeePass).
- In the New API Key window, once you have saved a copy of your API key, click I understand I will not see this again.
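The key you just copied is a bearer credential for your CertCentral account, so tooling that uses it should read it from a secret manager or environment variable rather than a file, never print it whole, and confirm it works before it is pasted into another system. The Python script below is an added example, not DigiCert's or Venafi's own code. It assumes the CertCentral Services API base URL https://www.digicert.com/services/v2, its X-DC-DEVKEY authentication header and the /user/me endpoint, none of which this page describes; the reply field names username and account_id and the DC_API_KEY environment variable name are likewise this example's own assumptions.

```python
"""Verify a CertCentral API key without exposing it.

Added example (not DigiCert's or Venafi's code). Assumed, not taken from this
page: the Services API base URL, the X-DC-DEVKEY header, the /user/me endpoint
and the username / account_id fields in its reply.
"""
import json
import os
import urllib.error
import urllib.request

CERTCENTRAL_BASE = "https://www.digicert.com/services/v2"  # assumed base URL


def load_api_key(env_var="DC_API_KEY"):
    """Read the key from the environment (populated from your secret manager),
    so it never lives in a script or a file checked into a repository."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; export the key from your secret manager")
    return key


def mask(key):
    """Display-safe form of the key: only the last four characters survive,
    which is enough to tell two keys apart in a log line."""
    if len(key) <= 4:
        return "*" * len(key)
    return "*" * (len(key) - 4) + key[-4:]


def build_request(key, path="/user/me"):
    """Build the authenticated GET; the key travels only in the header,
    never in the URL, so it cannot land in proxy or server access logs."""
    req = urllib.request.Request(CERTCENTRAL_BASE + path, method="GET")
    req.add_header("X-DC-DEVKEY", key)  # assumed header name
    req.add_header("Content-Type", "application/json")
    return req


def parse_user_response(status, body):
    """Turn the /user/me reply into a verdict: 200 with a user object means the
    key is live; 401/403 means it was mistyped or has been revoked."""
    if status in (401, 403):
        return {"ok": False, "reason": "key rejected (revoked or mistyped)"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected HTTP {status}"}
    data = json.loads(body)
    # field names assumed for illustration
    return {"ok": True, "user": data.get("username"), "account_id": data.get("account_id")}


def check_key(key):
    """Run the live check against CertCentral and return the parsed verdict."""
    req = build_request(key)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_user_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_user_response(err.code, err.read().decode())


if __name__ == "__main__":
    api_key = load_api_key()
    print("checking CertCentral key", mask(api_key))  # masked, never the full key
    print(check_key(api_key))
```

Run it as `DC_API_KEY=... python check_key.py` from a shell whose history does not record the command, or export the variable from your secret manager's CLI. A key that comes back "rejected" is the one you should revoke in CertCentral (see the next section) rather than reuse.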
How to Revoke Your Own CertCentral API Key
In your CertCentral account, you can revoke the API Keys that you create for yourself through your user Profile Settings.
- In your CertCentral account, in the top right corner, in the “User Name” drop-down list, select My Profile.
- On the Profile Settings page, click API Keys.
- On the API Keys page, to the right of the API key that you need to revoke, click Revoke.
  CAUTION: In the Revoke API Key window, do not click Revoke unless you are sure that you want to permanently revoke the API key. Revoking an API key permanently disables access for anyone who is using it.
- In the Revoke API Key window, under the “Are you sure you want to permanently revoke the API key 'API key Name' for 'User Name'?” message, click Revoke.
Add the CertCentral API Key to Your Venafi as a Service Account
Use these instructions to set up DigiCert as a certificate provider, to enter the API key from your CertCentral account, and to establish which certificates can be ordered from/issued to your Venafi as a Service DevOps account. You can set up multiple Certificate Providers in your Venafi as a Service DevOps account in order to provision multiple DigiCert product types.
Repeat these instructions as needed for each type of digital certificate (SSL Plus, Multi-Domain SSL, etc.) that can be issued from your Venafi as a Service for DevOps account.
How to Add DigiCert as a Certificate Provider in Your Venafi as a Service Account
Add DigiCert as a Certificate Provider
- Log in to your Venafi as a Service DevOps account.
- On the Health Maps dashboard, in the top menu, click Admin > Certificate Providers.
- On the Certificate Providers page, click + to add a new Certificate Provider and assign DigiCert as the CA type.
- In the Add a Certificate Provider window, do the following tasks:
  - In the Name box, enter a name to identify the certificate provider and certificate that can be ordered (e.g., DigiCert External SSL).
    Note: This name will be used when editing the Certificate Provider Use policy later in this instruction.
  - In the Certificate Authority drop-down list, select DigiCert.
  - In the API Key box, enter the API key you created in your DigiCert CertCentral account.
    Note: It may take a few minutes to validate your API key.
  - In the Product Option drop-down list, select the type of certificate you want to incorporate into your Venafi as a Service DevOps environment (e.g., ssl_plus).
  - In the Validity Period drop-down list, set the validity period for the certificate.
  - In the Signature Hash drop-down list, select a signature hash (e.g., SHA256).
  - If you want the certificate to be automatically renewed, check Allow Auto-Renew.
- When you are finished, click Add Provider.
Congratulations! You have now added DigiCert as a Certificate Provider for your Venafi as a Service account. Now, you need to configure your certificate provider policy and add your CertCentral API key to your Venafi as a Service account.
Configure Certificate Provider Policy
- On the Certificate Providers page, verify that DigiCert has been added as a Certificate Provider and then, in the top menu, click Configuration > Policy.
- On the Policy page, locate the Start Certificate Use policy and click Edit (pencil icon).
- On the Edit Policy page, in the Certificate Provider drop-down list, select the name you provided for the certificate provider (e.g., DigiCert External SSL).
- When you are finished, click Save.
Congratulations! You should now be able to issue your DigiCert Private SSL Certificates in your Venafi as a Service DevOps environment.