Info: Venafi Docker Key & Certificate Management Container

Summary Info: Using Venafi Cloud integrations for DevOps

Docker -


UPDATED Documentation and features:


The Venafi Docker Key & Certificate Management Container allows Docker users to seamlessly request and deploy certificates to Docker containers using a centralized, easy to use container that interfaces with Venafi REST APIs for certificate management operations..



The Venafi Docker Key & Certificate Management Container is a lightweight, dedicated purpose Docker container that generates key material and requests certificates from Venafi REST APIs. The certificates are securely exposed to other containers running on the same Docker host as the Venafi container. The following diagram outlines the solution.


Installing the Venafi Docker Key & Certificate Management Container

The Venafi Docker Key & Certificate Management Container is published via Venafi’s Docker Hub account. The image must be deployed on your target Docker host.

sudo docker loginsudo docker pull venaficloud/venafi-docker-key-management


Using the Venafi Docker Key & Certificate Management Container

NOTE: The Venafi Docker Key & Certificate Management container currently does not support encrypting private key material stored in the local docker volume. Ensure that the docker host is properly configured to restrict unauthorized access to the system.

Create an account with Venafi

The Venafi Docker Key and Certificate Management Container provides a function to allow users to register with the Venafi Cloud service to obtain test certificates. For production certificates, a Venafi Cloud administrator will need to configure your organization’s Venafi Cloud account accordingly.

To register for an account with Venafi, run

docker run -ti --rm venaficloud/venafi-docker-key-management:production venafi register 

and provide an email address when prompted.

Setup and running the service

Create a certificates volume using the following command:

docker volume create --name certificates


Start the service in the Venafi Docker Key & Certificate Management Container using:

docker run -ti --name venprod --rm -v certificates:/certificates venaficloud/venafi-docker-key-management:production venafi service -v --api-key XXX


if you do not want to give your api-key on the command line you can create a venafi.yaml file and mount that into the container using:

docker run -ti --name vendev --rm -v certificates:/certificates -v $(pwd)/venafi.yaml:/root/.venafi.yaml venaficloud/venafi-docker-key-management venafi service -v


This command will create and run the container using the name ‘vendev’ which is referenced in subsequent commands. Any name that is appropriate for your environment can be used instead.

The yaml file should have the following structure:


  api-key: XXXXX

Once the container is up and running, you can view the available commands supported by the container using the following:

sudo docker exec venprod venafi -h

A longer description that spans multiple lines and likely contains

examples and usage of using your application. For example:


Cobra is a CLI library for Go that empowers applications.

This application is a tool to generate the needed files

to quickly create a Cobra application.



  venafi [command]


Available Commands:

  generate    Generate a new certificate, private key and certificate chain

  help        Help about any command

  register    Provide an existing API token or an email address and an API token will be mailed to you

  service     Start the Venafi service

  setup       Helper script to configure your docker environment



      --api-key string      Your api key for the Venafi cloud service

      --conf string         Location of the config file

  -f, --log-format string   Logging format to use. Available options (uicolor|text|json|none) (default "uicolor")

  -v, --verbose             Turn on verbose logging


Use "venafi [command] --help" for more information about a command.

Requesting a Certificate

Certificates are requested by invoking the ‘generate’ command on the Venafi container using docker exec. When this command is executed, the Venafi container will create a unique directory for the keypair and certificate. It will then submit a certificate request to the Venafi REST API. When the certificate is issued, the certificate will be stored in the directory.

This directory is output on the host when the enrollment process is complete. The directory is then specified as a volume when another container that uses the certificate is created.

NOTE: The Venafi Cloud service by default issues certificates intended for test and development purposes. In the default configuration, certificates that are issued will be valid only for the following test domains:








Where [subdomain] is the subdomain of the registered Venafi Cloud user’s email address. For example, if the user registers with email address, certificate requests submitted to the Venafi Cloud service must match one of the following patterns:








Contact Venafi at if support for certificates for use in production environments is required.

Generate a Certificate & Key

The ‘generate’ command accepts several parameters as input:



 --chain (string)

Placement of root certificate within the chain root-first|root-last|ignore (default "root-last")

  -c, --common-name (string)

Certificate Common Name field

    --key-size (int)

Size of generated private key (default 2048)

      --key-type (string)

Key type rsa|ecdsa (default "rsa")

      --san-dns (string)

Specify one of more DNS SANs

      --san-email (string)

Specify one of more Email SANs

      --san-ip (string)

Specify one of more IP SANs

  -z, --zone (string)

Zone which will process the certificate request.


Flag to indicate verbose output should be displayed.


An example run of the command is shown below:

sudo docker exec venprod venafi generate -c testcert2.vfidev.invalid --san-dns --key-size 2048 -v -z Default DEBU[2017-03-20T19:34:11Z] Making RPC connection                         status=completeDEBU[2017-03-20T19:34:23Z] Making Enroll Call                            pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb status=completeDEBU[2017-03-20T19:34:33Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=1s status=pendingDEBU[2017-03-20T19:34:45Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=2s status=pendingDEBU[2017-03-20T19:34:57Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=4s status=pendingDEBU[2017-03-20T19:35:12Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=8s status=pendingDEBU[2017-03-20T19:35:31Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=16s status=pendingDEBU[2017-03-20T19:35:57Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=32s status=pendingDEBU[2017-03-20T19:36:40Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=1m4s status=pendingDEBU[2017-03-20T19:37:55Z] Fetching certificate data                     pickup_id=3260ece0-0da4-11e7-9be2-891dab33d0eb retry_in=2m8s status=pendingINFO[2017-03-20T19:40:03Z] Fetching certificate data                     completed_in=5m51.808547667s location="/certificates/1db895d6-b597-4266-a76e-0d9e223c24da" status=complete


Was this article helpful?
0 out of 0 found this helpful