Issue and approve certificates with Venafi Control Plane

Learn how to configure Venafi Control Plane, cert-manager, approver-policy-enterprise, and venafi-enhanced-issuer so that application teams can help themselves to SSL certificates which comply with enterprise PKI policy.



Conclusion

You have learned how to configure your platform to allow application developers to create and renew their own SSL certificates.

The application developers do not require knowledge of Venafi TLS Protect, nor do they require credentials to connect to the Venafi API. They can create SSL certificates using cert-manager's declarative API (Certificate or CertificateRequest), which follows familiar Kubernetes API conventions.

You have seen that a platform team can use approver-policy to ensure that application teams can only create policy-compliant SSL certificates, and how approver-policy enforces that each application team can only create Certificate resources that reference that team's dedicated issuer (VenafiClusterIssuer).
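As an added illustration (not configuration from the tutorial itself), the following shows the shape of that per-team enforcement: a CertificateRequestPolicy whose selector only matches requests from one namespace that reference that team's VenafiClusterIssuer, plus the RBAC `use` binding that approver-policy requires before the policy applies. The team name `team-a`, issuer name `team-a-issuer`, domain `team-a.example.com` and the cert-manager ServiceAccount name are assumptions; the API group `jetstack.io` is the one used by venafi-enhanced-issuer.

```yaml
# Assumed example values: namespace "team-a", issuer "team-a-issuer",
# domain "team-a.example.com". Not taken from the tutorial.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: team-a-policy
spec:
  # Only CertificateRequests that match BOTH conditions are evaluated
  # against this policy; anything else gets no matching policy and is
  # denied by approver-policy.
  selector:
    issuerRef:
      name: team-a-issuer
      kind: VenafiClusterIssuer
      group: jetstack.io
    namespace:
      matchNames:
        - team-a
  allowed:
    commonName:
      value: "*.team-a.example.com"
    dnsNames:
      values:
        - "*.team-a.example.com"
---
# The policy is only considered if the requester may "use" it. For
# Certificate resources the requester is cert-manager's own ServiceAccount
# (assumed here to be "cert-manager" in namespace "cert-manager").
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-team-a-policy
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    resourceNames: ["team-a-policy"]
    verbs: ["use"]
---
# A namespaced RoleBinding limits the grant to requests in "team-a";
# a Certificate in another namespace referencing team-a-issuer is denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-team-a-policy
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-team-a-policy
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
```

A Certificate created in `team-a` that references any other issuer, or one created in another namespace that references `team-a-issuer`, matches no policy and its CertificateRequest is left unapproved.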

You have learned how to configure a VenafiClusterIssuer which connects to Venafi TLS Protect, and you have learned how venafi-enhanced-issuer can be configured to load credentials for Venafi TLS Protect from a secret store, such as HashiCorp Vault. This allows you to consolidate all your credentials in a secret store, rather than keeping some credentials in Kubernetes Secret resources.

You have learned how this platform configuration allows the Security Team to gain better visibility of the SSL certificates that are used inside Kubernetes clusters, whilst avoiding having to share private key material between teams and keeping the private key in the one place where it is needed: close to the workload that consumes it. In addition to better visibility, the Security Team also has a clear audit trail showing which certificates belong to which teams.

Clean Up

If you used Kind or Minikube to create a test cluster for this tutorial, you can simply delete it. In Venafi TPP, you will also need to delete the policy folder, the user account, and optionally the Application Integration.

Next Steps
