Configure Venafi TPP

This step may need to be performed by a Venafi TPP Administrator.

  • In the API Integrations page, create a new API Integration.
  • Set the name to anything you like (e.g. jetstack-cert-manager-app).
  • For the permissions, select read, manage and revoke certificates.
  • IMPORTANT - Set the application id to cert-manager.io.
  • In the Access Limits, select Configure and set the Grant Expiration to the number of days you want the refresh token to be valid (e.g. 730 days).
  • Enable Token Refresh.
  • Set the Token expiration to a shorter period, the number of days you want each access token to be valid (e.g. 1 day).
  • After saving, authorize the Venafi TPP user(s) who will have access to the cert-manager.io application by clicking Edit Access and adding the user.

The above steps ensure that a user who is authorized on the cert-manager.io application can request an access token, and that the access token can be refreshed without re-entering credentials until the grant expires. This is a one-time step that needs to be completed by the Venafi Administrator.
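The token lifecycle that this configuration enables, as an added example that is not code from this page or from venafi-oauth-helper: a small Python client that performs the initial grant with client_id set to the Application ID, refreshes the access token shortly before the Token expiration, and stops refreshing once the Grant Expiration has passed. The endpoint paths /vedauth/authorize/oauth and /vedauth/authorize/token, the response fields access_token, expires, refresh_token and refresh_until (epoch seconds), refresh-token rotation on refresh, and the scope string certificate:manage,revoke are assumptions about the TPP API to verify against your TPP version. fake_tpp and demo are constructed stand-ins so the example runs offline; only TppTokenClient would talk to a real TPP.

```python
import json
import time
import urllib.request

# Assumed TPP scope string for "read, manage, revoke certificates".
CERT_MANAGER_SCOPE = "certificate:manage,revoke"
DAY = 86400


class TppTokenClient:
    """Obtains an access token for one Application ID and refreshes it
    transparently until the refresh token (the grant) itself expires."""

    def __init__(self, base_url, client_id="cert-manager.io", post=None, now=time.time):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id      # must equal the TPP Application ID
        self._post = post or self._http_post
        self._now = now
        self.access_token = None
        self.refresh_token = None
        self.expires = 0                # access token expiry, epoch seconds
        self.refresh_until = 0          # refresh token expiry, epoch seconds

    def _http_post(self, path, body):
        # Real transport (assumed endpoints); never reached in the offline demo.
        req = urllib.request.Request(
            self.base_url + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires = int(resp["expires"])
        self.refresh_token = resp["refresh_token"]
        self.refresh_until = int(resp["refresh_until"])

    def authorize(self, username, password):
        """Initial grant using a user who was added under Edit Access."""
        self._store(self._post("/vedauth/authorize/oauth", {
            "client_id": self.client_id, "username": username,
            "password": password, "scope": CERT_MANAGER_SCOPE}))
        return self.access_token

    def refresh(self):
        """Trade the refresh token for a new pair; refuses once the Grant
        Expiration set in Access Limits has passed."""
        if self.refresh_token is None or self._now() >= self.refresh_until:
            raise RuntimeError("refresh token expired or absent; re-authorize")
        self._store(self._post("/vedauth/authorize/token", {
            "client_id": self.client_id, "refresh_token": self.refresh_token}))
        return self.access_token

    def token(self, skew=300):
        """Usable access token, refreshed `skew` seconds before Token expiration."""
        if self.access_token is None:
            raise RuntimeError("not authorized yet")
        if self._now() + skew >= self.expires:
            self.refresh()
        return self.access_token


def fake_tpp(app_id, token_days, grant_days, clock):
    """Constructed stand-in for the two TPP token endpoints. It enforces the
    check this page is about: client_id must match the Application ID."""
    state = {"n": 0, "refresh": None, "grant_until": 0}

    def issue():
        state["n"] += 1
        state["refresh"] = f"refresh-{state['n']}"      # assumed rotation
        return {"access_token": f"access-{state['n']}",
                "expires": clock() + token_days * DAY,
                "refresh_token": state["refresh"],
                "refresh_until": state["grant_until"],  # pinned to the grant
                "token_type": "Bearer"}

    def post(path, body):
        if body.get("client_id") != app_id:
            raise PermissionError(f"unknown application id {body.get('client_id')!r}")
        if path == "/vedauth/authorize/oauth":
            state["grant_until"] = clock() + grant_days * DAY
            return issue()
        if path == "/vedauth/authorize/token":
            if body.get("refresh_token") != state["refresh"] or clock() >= state["grant_until"]:
                raise PermissionError("invalid or expired refresh token")
            return issue()
        raise ValueError(f"unexpected path {path}")

    return post


def demo(token_days=1, grant_days=730, app_id="cert-manager.io",
         client_id="cert-manager.io", advance_days=2):
    """Constructed scenario: authorize, advance a fake clock, ask for a token
    again. Returns (first, second) tokens or the name of the error raised."""
    t = {"now": 1_700_000_000}
    clock = lambda: t["now"]
    client = TppTokenClient("https://tpp.example.invalid", client_id=client_id,
                            post=fake_tpp(app_id, token_days, grant_days, clock),
                            now=clock)
    try:
        first = client.authorize("svc-cert-manager", "correct horse")
        t["now"] += advance_days * DAY
        return first, client.token()
    except (PermissionError, RuntimeError) as exc:
        return type(exc).__name__
```

With the page's suggested values (Token expiration 1 day, Grant Expiration 730 days), `demo()` authorizes once and silently refreshes two days later; `demo(client_id="jetstack-cert-manager-app")` fails at the first request, which is the failure you see when venafi-oauth-helper's --client-id does not match the Application ID, and `demo(grant_days=1)` shows that refresh stops at the grant expiry and credentials are needed again.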

⚠️ If the Application ID is different from the default, cert-manager.io, you MUST also configure venafi-oauth-helper to use that Application ID via the --client-id command line option.

ℹ️ If cert-manager is already in use and there is an Issuer configured to use Venafi TPP with access-token credentials, there will already be an application integration with the ID cert-manager.io. You may use that application integration as long as you enable Token Refresh and update the Grant and Token expiration periods.

ℹ️ In future versions of TPP, the application integration may be pre-defined, in which case you can use that.

🔰 Read about Creating API application integrations in the TPP documentation.

🔰 Read about Setting up token authentication in the TPP documentation.

Next Steps