CAP Venafi integration manual
Setup
Prerequisites
- A running Venafi instance
- At least `admin` level permissions on CAP
Venafi setup steps
You will need to create:
- A Venafi Application Integration
- A Venafi API token with scope `certificate:discover`
Follow the steps below to generate them. For more information, consult the Venafi documentation.
1. Log in to Venafi Aperture. Click the grid icon in the top-right corner and select Platform. From the API menu, select Integrations, then click Add and select New.
2. In the Overview page of the Add an API integration form, enter a suitable application name, e.g. Cryptosense, and set Client ID to `cryptosense-venafi-integration`.
3. In the Base access page, set the scope to `certificate:discover`.
4. In User or team access, configure this as desired, allowing access to whatever users will be creating and using tokens. The simplest option is to select `local:Everyone`, but you may prefer to lock it down more than that.
5. Use the Venafi API to obtain a token. One way is to use the "Swagger" interface at `<your venafi base url>/vedsdk`, but you can also send an API request directly using `curl` or similar. You need to send a `POST` request to the `/vedauth/authorize/oauth` endpoint, with a JSON payload that looks like:

```json
{
  "username": "<your username>",
  "password": "<your password>",
  "client_id": "cryptosense-venafi-integration",
  "scope": "certificate:discover"
}
```

The user sending the request needs to have been authorised in Step 4. It's important that the value for `"client_id"` here is the same as the Client ID you set in Step 2. Here's a full `curl` line:

```shell
curl -X POST "<your venafi base url>/vedauth/authorize/oauth" \
  -H "accept: application/json" -H "Content-Type: application/json" \
  -d '{"username": "<your username>", "password": "<your password>", "client_id": "cryptosense-venafi-integration", "scope": "certificate:discover"}'
```

The JSON response should look like this:

```json
{
  "access_token": "<your access token (base64)>",
  "refresh_token": "<another base64 token you can use to renew the access token>",
  "expires_in": <integer>,
  "expires": <timestamp>,
  "token_type": "Bearer",
  "scope": "certificate:discover",
  "identity": "local:{<some UUID>}",
  "refresh_until": <another timestamp>
}
```

The value of the `"access_token"` field (the first field in the response) is the one you will need when setting up the integration within CAP.
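As an added example, not part of the CAP or Venafi documentation, the following Python script performs the same token request as the `curl` line above and checks the reply before handing the token over: it refuses a response whose `token_type` or `scope` differs from what was requested, and keeps the token out of error messages. It uses only the standard library and assumes that `expires` is a Unix timestamp in seconds; the base URL and credentials are the same placeholders as above.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Must match the Client ID configured in the Venafi API integration (Step 2).
CLIENT_ID = "cryptosense-venafi-integration"
SCOPE = "certificate:discover"


def build_auth_payload(username, password, client_id=CLIENT_ID, scope=SCOPE):
    """Body of the POST to /vedauth/authorize/oauth, as shown in the manual."""
    return {"username": username, "password": password,
            "client_id": client_id, "scope": scope}


def parse_token_response(body, expected_scope=SCOPE):
    """Validate the JSON reply and return (access_token, expiry as UTC datetime).
    Rejects a token_type or scope other than the one requested, so a mis-scoped
    integration fails here rather than after the token is pasted into CAP."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    token = data.get("access_token")
    if not token:
        raise ValueError("response contains no access_token")
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    if data.get("scope") != expected_scope:
        raise ValueError("granted scope %r, expected %r" % (data.get("scope"), expected_scope))
    # Assumption: "expires" is a Unix timestamp in seconds.
    expires = datetime.fromtimestamp(int(data["expires"]), tz=timezone.utc)
    return token, expires


def request_token(base_url, username, password, timeout=30):
    """POST the payload to <base_url>/vedauth/authorize/oauth and parse the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/vedauth/authorize/oauth",
        data=json.dumps(build_auth_payload(username, password)).encode(),
        headers={"accept": "application/json", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    import getpass, sys
    token, expires = request_token(sys.argv[1], sys.argv[2], getpass.getpass("Venafi password: "))
    print("token valid until", expires.isoformat(), file=sys.stderr)
    print(token)  # only the token goes to stdout, so it can be redirected to a file
```

Run it as `python venafi_token.py "<your venafi base url>" "<your username>"`; the password is prompted for rather than passed on the command line, so it does not end up in shell history.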
CAP setup steps
- In CAP, go to the Integrations tab at the organization level.
- Click on Venafi.
- Enter the base URL of your Venafi instance and your Venafi API token in the form, and click Save.
- Optionally click Test Connection to verify that the link is working.
Usage
Check certificates in a report
- In any report, go to the Certificates tab.
- Click the Populate Venafi GUIDs button. This will insert values in the Venafi GUID column for any certificates already known to Venafi. Any certificates for which that field remains empty are unknown to your Venafi instance.
View details of a certificate in Venafi
The Venafi GUID field is a link that will take you directly to that certificate's entry in your Venafi instance.
Upload a certificate to Venafi
If a certificate is not yet known to Venafi, you can add it:
- Click on the ID link for that certificate to view its details page in CAP.
- Scroll down (or minimise the parsed certificate JSON widget) to see the Venafi Details box.
- Click the Upload to Venafi button.
Known issues
Some CA certificates known to Venafi cannot be located by the "Populate Venafi GUIDs" step, yet attempting to upload them returns an HTTP 400 "Bad request" error because Venafi treats the upload as a duplicate certificate.