ContextQMD
Back to Infisical

Venafi TPP

docs/documentation/platform/pki/ca/venafi-tpp.mdx

0.160.13.3 KB
Original Source

Issue and manage certificates using a self-hosted Venafi Trust Protection Platform (TPP) instance as an external CA, with support for airgapped environments via Infisical Gateway.

Prerequisites

  • A Venafi TPP Connection configured in your organization
  • A policy folder in your TPP instance configured with an appropriate CA template
  • Network connectivity from Infisical (or an Infisical Gateway) to the TPP server

Setting Up Venafi TPP as an External CA

<Steps> <Step title="Navigate to External Certificate Authorities"> In **Certificate Manager**, go to **Settings → Certificate Authorities** and scroll to the **External Certificate Authorities** section. </Step> <Step title="Create New Venafi TPP CA"> Click **Create CA** and configure: 
- **Type**: Choose **Venafi TPP**
- **Name**: A friendly name for this CA (e.g., "Production TPP CA")
- **Status**: Set to **Active** to enable certificate issuance
- **Venafi TPP Connection**: Select your TPP connection from the dropdown
- **Policy DN**: The policy folder path in TPP where certificates will be managed (e.g., `\VED\Policy\Certificates\WebServers`)

<Note>
  The Policy DN must point to an existing policy folder in your TPP instance. The policy folder
  determines which CA template is used for signing, what subject fields are allowed, and other
  certificate constraints. Make sure the policy folder is configured to allow certificate requests
  from the credentials used in your TPP connection.
</Note>
</Step> <Step title="Certificate Authority Created"> Your Venafi TPP CA is now ready. You can use it with certificate profiles to issue certificates. </Step> </Steps>

Issuing Certificates

Once your Venafi TPP CA is set up, you can issue certificates by creating a profile, attaching it to an Application, and configuring enrollment:

<Steps> <Step title="Create a Certificate Profile"> Go to **Certificate Manager → Certificate Profiles** and create a new profile: 
- Set the **Certificate Authority** to your Venafi TPP CA
- Select a **Certificate Policy** 
- Configure default certificate attributes (TTL, key algorithm, etc.)
</Step> <Step title="Create an Application and configure enrollment"> Go to **Certificate Manager → Applications** and create an Application (or use an existing one): 
- Attach the profile you created
- Add an enrollment method (e.g., API) for the profile
- Assign team members who need to issue certificates
</Step> <Step title="Issue a Certificate"> In your Application, go to the **Certificate Requests** tab and click **Request**: 
- Select the profile linked to your Venafi TPP CA
- Fill in the certificate details (common name, SANs, TTL)
- Click **Submit**

The certificate request is submitted to TPP asynchronously. Infisical will authenticate with TPP, submit the CSR to the configured policy folder, and retrieve the signed certificate.

<Note>
  Certificate issuance is asynchronous. Infisical will poll TPP for the signed certificate for
  up to ~5 minutes. Ensure your TPP policy folder is configured for automatic approval.
</Note>
</Step> <Step title="Certificate Issued"> Your certificate has been issued by the TPP server and is ready for use. </Step> </Steps>