
Create a CA template in TLS Protect Datacenter

In this step, you will create a new CA template in TLS Protect Datacenter, which will be used to sign the subordinate CA certificate for Firefly. In this example, Microsoft Active Directory Certificate Services (ADCS) is used, but any CA capable of issuing subordinate CA certificates that meets the following requirements will also work.

Requirements for the subordinate CA certificate

The Certificate Authority (CA) must be configured with a template to issue the subordinate CA certificate, following the requirements below:

Basic Constraints Extension:

  • The subject must be a certification authority (CA).

  • It must not issue certificates to other CAs (pathLenConstraint set to 0).

  • This is a critical extension.

Key Usage Extension:

  • Signature requirements:

    • Digital signature

    • Certificate signing

  • This is a critical extension.

The Certificate Authority should be configured to allow clients to specify the end date of the required certificates. This will enable Firefly to request subordinate CA certificates with validity specified by the PKI administrator responsible for configuring Firefly.
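The requirements above can be verified on the certificate the CA actually returns, rather than trusted from the template configuration alone. The following Go program is an added example (not part of the original page, the TLS Protect Datacenter product, or Firefly) that checks a subordinate CA certificate for a critical Basic Constraints extension with cA=TRUE and pathLenConstraint=0, and a critical Key Usage extension carrying digitalSignature and keyCertSign, using only the Go standard library. To run offline it mints two throwaway self-signed test certificates, one compliant and one that omits pathLenConstraint and digitalSignature; the subject names, the test key, and the function names (CheckSubCAProfile, buildTestCert) are constructed for this illustration. In practice you would pass the DER bytes of the issued certificate to x509.ParseCertificate instead of calling buildTestCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Standard extension OIDs (RFC 5280): basicConstraints and keyUsage.
var (
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
)

// isCritical reports whether the extension with the given OID is present
// and flagged critical in the parsed certificate.
func isCritical(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return ext.Critical
		}
	}
	return false
}

// CheckSubCAProfile compares a certificate against the subordinate CA
// requirements and returns one finding per violated requirement (empty
// slice when the certificate is compliant). Hypothetical helper name.
func CheckSubCAProfile(cert *x509.Certificate) []string {
	var findings []string
	if !cert.BasicConstraintsValid || !cert.IsCA {
		findings = append(findings, "basicConstraints: cA must be TRUE")
	}
	// Go sets MaxPathLenZero only when pathLenConstraint is explicitly 0.
	if !(cert.MaxPathLen == 0 && cert.MaxPathLenZero) {
		findings = append(findings, "basicConstraints: pathLenConstraint must be 0")
	}
	if !isCritical(cert, oidBasicConstraints) {
		findings = append(findings, "basicConstraints: extension must be critical")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		findings = append(findings, "keyUsage: digitalSignature missing")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		findings = append(findings, "keyUsage: keyCertSign missing")
	}
	if !isCritical(cert, oidKeyUsage) {
		findings = append(findings, "keyUsage: extension must be critical")
	}
	return findings
}

// compliantTemplate describes a subordinate CA certificate that meets
// every requirement (constructed test data, not a real CA).
func compliantTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Firefly Sub CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
		MaxPathLenZero:        true, // encode pathLenConstraint=0 explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// nonCompliantTemplate drops pathLenConstraint (so the sub CA could issue
// further CA certificates) and omits digitalSignature.
func nonCompliantTemplate() *x509.Certificate {
	t := compliantTemplate()
	t.MaxPathLenZero = false // MaxPathLen 0 without MaxPathLenZero means "absent"
	t.KeyUsage = x509.KeyUsageCertSign
	return t
}

// buildTestCert self-signs the template with a fresh P-256 key and parses
// the resulting DER, mimicking what a CA would hand back. Hypothetical helper.
func buildTestCert(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, c := range []struct {
		name string
		tmpl *x509.Certificate
	}{{"compliant", compliantTemplate()}, {"non-compliant", nonCompliantTemplate()}} {
		cert, err := buildTestCert(c.tmpl)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", c.name, CheckSubCAProfile(cert))
	}
}
```

The pathLenConstraint check deliberately requires the constraint to be present and equal to 0: a certificate with cA=TRUE but no path length at all would still parse as a CA, yet it would let the subordinate issue further CA certificates, which is exactly what the requirement rules out.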

  1. In the TLS Protect Datacenter policy tree, right-click on the policy folder where you want to create the CA template, and select Add > CA Template > Microsoft.

  2. Enter the information for your CA in the following fields (the values below are for illustration purposes only), then click Save:

    • Name: ADCS SubCA

    • Hostname: adcs.example.com

    • Service Name: Example-CA

    • Credential: \VED\Policy\Administration\Credentials\adcs

    • Template: Subordinate Certification Authority

    • Allow Users to Specify End Date: Selected

To learn more about ADCS, see Microsoft Active Directory Certificate Services.

Prerequisites

To create a new Zero Touch PKI certificate authority (CA) template in TLS Protect Datacenter, ensure that you have the following:

  • A valid Zero Touch PKI account. If you do not have one, contact your administrator to set up an account with permissions to create a new Zero Touch PKI CA.
  • The Zero Touch PKI CA URL, API key ID, and API key.
  • The adaptable CA script for Zero Touch PKI installed in your TLS Protect Datacenter environment. Download the script and installation guide from the CyberArk Marketplace.
  • Custom fields created in TLS Protect Datacenter to support certificate validity settings. Refer to the Zero Touch PKI installation instructions for more details.

Steps

  1. Store credentials:

    1. In TLS Protect Datacenter, navigate to Credentials.
    2. Create and save a username credential for the Zero Touch PKI account.
  2. Add a new CA template:

    1. In the TLS Protect Datacenter Policies tree, right-click the folder where you want to create the new CA template.
    2. Select Add > CA Template > Adaptable.
  3. Configure the CA template:

    Complete the CA template configuration using the following fields (replace with actual values for your environment):

    • Name: ZTPKI SubCA
    • Username credential: Select the credential created in step 1.
    • Service address: Enter the URL for your Zero Touch PKI region.
    • Profile string: Enter the Policy ID from your Zero Touch PKI tenant.
    • PowerShell script: Select the adaptable script used for Zero Touch PKI integration.
  4. Test and save:

    1. Click Test to validate the configuration.
    2. If the test is successful, click Save to create the CA template.

What's next?