Skip to content

CAP Venafi integration manual



  • A running Venafi instance
  • At least admin level permissions on CAP

Venafi setup steps

You will need to create:

  • A Venafi Application Integration
  • A Venafi API token with scope certificate:discover

Follow these steps to generate these. For more information consult the Venafi documentation.

  1. Log in to Venafi Aperture. Click on the little grid thingy in the top-right corner and select Platform. From the API menu, select Integrations and then click Add and select New.
  2. In the Overview page of the Add an API integration form, enter a suitable application name, e.g. Cryptosense, and set Client ID to cryptosense-venafi-integration.
  3. In the Base access page, set the scope to certificate:discover.
  4. In User or team access, configure this as desired, allowing access to whatever users will be creating and using tokens. Simplest would be just to select local:Everyone, but you may prefer to lock it down more than that.
  5. Use the Venafi API to obtain a token. One way is to use the "Swagger" interface at <your venafi base url>/vedsdk, but you can also send an API request directly using curl or similar. You need to send a POST request to the /vedauth/authorize/oauth endpoint, with a JSON payload that looks like:

      "username": "<your username>",
      "password": "<your password>",
      "client_id": "cryptosense-venafi-integration",
      "scope": "certificate:discover"

    The user sending the request needs to have been authorised in Step 4.

    It's important that the value for "client_id" here is the same as the Client ID in the previous step.

    Here's a full curl line:

    curl -X POST "<your venafi base url>/vedauth/authorize/oauth" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d '{"username": "<your username>", "password": "<your password>", "client_id": "cryptosense-venafi-integration", "scope": "certificate:discover"}'

    The JSON response should look like this:

      "access_token": "<your access token (base64)>",
      "refresh_token": "<another base64 token you can use to renew the access token>",
      "expires_in": <integer>,
      "expires": <timestamp>,
      "token_type": "Bearer",
      "scope": "certificate:discover",
      "identity": "local:{<some UUID>}",
      "refresh_until": <another timestamp>

    The value of the first "access_token" field is the one you will need for setting up the integration within CAP.

CAP setup steps

  1. In CAP, go to the Integrations tab at the organization level.
  2. Click on Venafi.
  3. Enter the base URL of your Venafi instance and your Venafi API token in the form, and click Save.
  4. Optionally click Test Connection to verify that the link is working.


Check certificates in a report

  1. In any report, go to the Certificates tab.
  2. Click the Populate Venafi GUIDs button. This will insert values in the Venafi GUID column for any certificates already known to Venafi. Any certificates for which that field remains empty are unknown to your Venafi instance.

View details of a certificate in Venafi

The Venafi GUID field is a link that will take you directly that certificate's entry in your Venafi instance.

Upload a certificate to Venafi

If a certificate is not yet known to Venafi, you can add it:

  1. Click on the ID link for that certificate to view its details page in CAP.
  2. Scroll down (or minimise the parsed certificate JSON widget) to see the Venafi Details box.
  3. Click the Upload to Venafi button.

Known issues

Some CA certificates known to Venafi cannot be located by the "Populate Venafi GUIDs" step, but if you try to upload them, you will get an HTTP 400 "Bad request" error because Venafi sees it as a duplicate certificate.