Skip to content

CAP Venafi integration manual

Setup

Prerequisites

  • A running Venafi instance
  • At least admin level permissions on CAP

Venafi setup steps

You will need to create:

  • A Venafi Application Integration
  • A Venafi API token with scope certificate:discover

Follow these steps to generate these. For more information consult the Venafi documentation.

  1. Log in to Venafi. Click on the Configuration drop-down menu, select API Application Integrations and click to create a new application integration.
  2. Select "Custom Solution" as the application type, enter a suitable application name, set vendor to Cryptosense, assign permissions Certificates: Read, Manage and Discover, insert cryptosense-venafi-integration in the Application ID box and then click Save.
  3. Use the Venafi API to obtain a token. (The easiest way may be to use the "Swagger" interface, but you can also send an API request directly using curl or similar.) You need to send a POST request to the /vedauth/authorize endpoint, with a JSON payload that looks like:

    {
      "username": "<your username>",
      "password": "<your password>",
      "client_id": "cryptosense-venafi-integration",
      "scope": "certificate:discover"
    }
    

    It's important that the value for "client_id" here is the same as the Application ID in the previous step.

    Here's a full curl line:

    curl -X POST "<your venafi base url>/vedauth/authorize" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d '{"username": "<your username>", "password": "<your password>", "client_id": "cryptosense-venafi-integration", "scope": "certificate:discover"}'
    

    The JSON response should look like this:

    {
      "access_token": "<your access token (base64)>",
      "expires": <timestamp>,
      "identity": "local:{<some UUID>}",
      "refresh_token": "<another base64 token you can use to renew the access token>",
      "refresh_until": <another timestamp>,
      "scope": "certificate:discover",
      "token_type": "Bearer"
    }
    

    The value of the first "access_token" field is the one you will need to set up the integration within CAP.

CAP setup steps

  1. In CAP, go to the Integrations tab at the organization level.
  2. Click on Venafi.
  3. Enter the base URL of your Venafi instance and your Venafi API token in the form, and click "Save".

Usage

Check certificates in a report

  1. In any report, go to the Certificates tab.
  2. Click the Populate Venafi GUIDs button. This will insert values in the Venafi GUID column for any certificates already known to Venafi. Any certificates for which that field remains empty are unknown to your Venafi instance.

View details of a certificate in Venafi

The Venafi GUID field is a link that will take you directly that certificate's entry in your Venafi instance.

Upload a certificate to Venafi

If a certificate is not yet known to Venafi, you can add it:

  1. Click on the ID link for that certificate to view its details page in CAP.
  2. Scroll down (or minimise the parsed certificate JSON widget) to see the Venafi Details box.
  3. Click the Upload to Venafi button.

Known issues

Some CA certificates known to Venafi cannot be located by the "Populate Venafi GUIDs" step, but if you try to upload them, you will get an HTTP 400 "Bad request" error because Venafi sees it as a duplicate certificate.