The procedures below describe how to configure Venafi as an external certificate authority (CA) to generate certificates for TLS communication between services on a cluster protected by Panoptica.

The procedure involves generating an intermediate certificate on Venafi for the Panoptica integration, which is used to generate individual server certificates for services deployed on the Panoptica cluster.

On Panoptica, it involves configuring Venafi as an external CA, and configuring individual clusters on Panoptica to use this external CA.

Configure Venafi

The configuration on Venafi is done on the Trust Protection Platform. A CA Policy is created there for Panoptica
An access token for Panoptica to access Venafi programmatically is created using the Venafi CLI, following instructions here.

1. On the Venafi TPP, select the Policy in the drop-down selection at the upper left.

2. Create a new Policy for Panoptica.
3. Select the Certificate tab for the Policy, and select a CA Template that enables creation of certificates.

4. Copy the URL for the TPP instance.
5. Run the following command on the Venafi vcert CLI to create a token:

vcert getcred -u <url> -username  <username> -password <password> --client-id <application that will be using the token> --scope "certificate:approve,delete,discover,manage,revoke;codesign:delete,manage;configuration:delete,manage;security:delete,manage;ssh:approve,delete,discover,manage"

Note : the token should have these permissions: approve, delete, discover, manage, revoke; codesign:delete, manage; configuration:delete, manage; security:delete, manage; ssh:approve, delete, discover, manage

Configure Panoptica

1. Navigate to the Integrations tab in the System page, and scroll down to the EXTERNAL CA section.
2. Click New Integration.

3. Enter a name for the integration (for example, Venafi).
4. Enter the URL for Venafi (from above).
5. Enter the Venafi Policy name, created on Venafi. This should be the full path to the policy (including all folders and subfolders).
6. Enter the Access Token copied from Venafi.
7. Select the Panoptica clusters which will use certificates from this integration. Only clusters listed here will be able to use the external CA.
   Notes:
   • You must also configure each individual cluster to use an external CA (see Deploy on a Kubernetes Cluster.
   • If you add a deployed cluster to an external CA, the Panoptica controller must be downloaded again and re-installed on the cluster (it is not sufficient to run the previously downloaded script again, as the download script is modified with details for the CA).
8. Click Test Credentials to test the integration.
9. Optionally, select Persistent CA keypair. By default, Panoptica stores the private
   TLS key in a K8s secret. When this option is selected, the private TLS key is stored only in CA's memory.
10. Click FINISH.

Modify an external CA integration on Panoptica

You can change the details for an external CA integration. Specifically, you can add (or remove) clusters to the integration.

1. Navigate to the Integrations tab in the System page, and scroll down to the EXTERNAL CA section.
2. Select Edit in the action menu on the right of the integration to be modified.
3. Click FINISH.
4. Make the changes to the integration, as necessary.