This article covers the steps required to bulk import certificates into Venafi Trust Protection Platform (TPP). The process uses the Venafi Server Agent's ability to discover certificates on a host and upload them into the TPP database, and it also prevents certificates that already exist in the database from being imported again as duplicates.
The import process expects all certificates to be imported to exist as individual certificate files within a single folder. It also supports importing a single text file that contains multiple Base64-encoded (PEM) certificates.
Instructions for bulk importing certificates on versions prior to 17.2 are covered in a separate article.
Overview
The bulk import process follows these high-level steps. Details for each step are documented below.
- Configure Agent Registration
- Create ‘Work’ objects
- Create the Group
- Associate 'Work' to the Group
- Install the Agent on the Trust Protection Platform server
- Copy the certificates into the specified folder, and ‘restart’ the Agent service to initiate discovery and import
Configure Agent Registration
Launch Aperture and select “Agent Registration” from the Groups & Work menu:
Select Agent Registration, then click “Create New” to create a new registration password:
Select a folder in which to store the credential object, then provide a Credential Name and Password:
Before saving, make a note of the TPP Server Certificate Thumbprint. It is needed when the Server Agent is installed and configured in a later step, where it pins the Agent to this server's certificate.
Create Work Objects
Under Groups & Work click on Work, then select Add Work.
In the Add Work dialog box, enter a Name and select Certificate Discovery from the Type drop-down box, then click Create. (The same Type drop-down is used later to create the Device Placement work.)
Set the scan interval to “On Receipt” and set the scan path to the folder on the server where you will place the certificates for import (for example, C:\CertImports):
Add the .txt extension to the PEM category so that the Agent will also pick up files that contain multiple certificates:
Select the policy folder into which the imported certificates should be placed. More complex placement rules can be specified here if desired:
Create Groups
In Aperture, click on Groups & Work and select Groups:
Select Add a group:
Enter a Name for the Group and select Discover and Manage Server Certificates and SSH key Using Agents.
Adjust the Membership Criteria for this group to target only the TPP server (or server where the Agent will be installed):
Associate 'Work' to the Group
Once the Group is created click on the Name of the group.
Click on Assigned work.
Click the Assign Work button, select the work object you created earlier from the drop-down, and click Add to associate the work with the group.
Now that the group and work for Certificate Discovery are defined, you must also create a group and work for Device Placement; without them the certificate import will not complete.
Under Groups & Work click on Work, then select Add Work.
In the Add Work dialog box, enter a Name and select Device Placement from the drop-down box, then click Create to create the work.
Select the Yes radio button and use the drop-down to select the folder where the discovered devices should be placed.
Create Groups
In Aperture, click on Groups & Work and select Groups:
Select Add a group:
Enter a Name for the Group, select Discover and Manage Server Certificates and SSH key Using Agents, and click Add a Group.
Associate 'Work' to the Group
From the window for the Device Placement group you just created, click Assigned Work and then click the Assign Work button.
In the Assign Work dialog box, select the Device Placement work you created from the drop-down and click Add.
NOTE: Agent group assignments and work are cached in IIS so that several thousand agents can check in without degrading performance. Recycle the application pool for the VEDClient web application, or simply run iisreset on the TPP server, before continuing; otherwise the Agent may receive the cached (stale) assignments.
Install the Agent on the Trust Protection Platform server
Initiate the Agent installation by running the venafi-agent-xx.x.x-windows-x64.msi installation package. The agent version should match your TPP version and is distributed within the TPP installation zip file which can be downloaded from https://ftp.venafi.com.
Choose the options appropriate for your environment and complete the installation. When the installation finishes, click Finish. Do not start the Agent service until it has been configured:
In an Administrator command prompt, change directory to where the Agent was installed (typically “C:\Program Files\Venafi\Platform”):
Set the server URL to the fully qualified hostname of the TPP server using the following command:
vagent.exe -m server_url=https://{hostname.company.com}/vedclient
Next, set the server thumbprint (captured from the Agent Registration step in Aperture) using the following command:
vagent.exe -m server_thumbprint={thumbprint from Agent Registration}
Finally, set the registration password using the following command:
vagent.exe -m registration_password={registration password created}
The current settings can be confirmed with the command:
vagent.exe -l all
Note: check that the settings from the previous steps are present. The registration password and thumbprint no longer appear in this listing once the Agent has registered.
Copy the certificates into the specified folder
Ensure that the folder specified earlier in the Certificate Discovery work (for example, C:\CertImports) exists:
Copy the certificates to be imported into that folder:
Restart the Venafi Agent service to trigger an immediate discovery and import:
The progress of the certificate discovery and import can be monitored in the Windows Application event log. Once discovery completes, the certificates should appear in the policy folder specified in the Certificate Discovery work.
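As an added example (not part of the original article and not Venafi's own tooling), the following PowerShell script checks the staging folder before the restart: it parses every file (a single DER or PEM certificate, or a .txt bundle of several PEM certificates), lists subject, thumbprint and expiry, warns about unparseable files, duplicate thumbprints and expired certificates, and then restarts the Agent service only when asked. The folder path and the service name are assumptions: use the scan path configured in the Certificate Discovery work, and replace 'VenafiAgent' with the name Get-Service shows for the Agent on your server. Requires PowerShell 5.1 or later.

```powershell
<#
Added example, not from the original article or from Venafi.
Pre-flight check of the certificate import folder, then an optional restart
of the Venafi Agent service. Run as Administrator on the TPP server:
    .\Check-ImportFolder.ps1
    .\Check-ImportFolder.ps1 -RestartAgent
#>
param(
    [string]$ImportFolder = 'C:\CertImports',   # assumed: same as the scan path in the Certificate Discovery work
    [string]$ServiceName  = 'VenafiAgent',      # assumed placeholder; verify with: Get-Service *venafi*
    [switch]$RestartAgent                        # restart only when explicitly requested
)

# Split one file into DER byte arrays. A PEM file (or a .txt bundle) may hold
# many certificates; a file without a PEM header is treated as a single DER blob.
function Get-DerBlobs {
    param([byte[]]$Raw)
    $blobs = New-Object 'System.Collections.Generic.List[byte[]]'
    $text = [Text.Encoding]::ASCII.GetString($Raw)
    if ($text -match '-----BEGIN CERTIFICATE-----') {
        $pattern = '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
        foreach ($m in [regex]::Matches($text, $pattern)) {
            $b64 = $m.Groups[1].Value -replace '\s', ''
            $blobs.Add([Convert]::FromBase64String($b64))
        }
    } else {
        $blobs.Add($Raw)
    }
    return ,$blobs   # the leading comma stops PowerShell from unrolling the list
}

# Parse every file in the folder and return one record per certificate found.
function Get-ImportCandidates {
    param([string]$Folder)
    $found = New-Object 'System.Collections.Generic.List[object]'
    foreach ($file in Get-ChildItem -Path $Folder -File) {
        try {
            $raw = [IO.File]::ReadAllBytes($file.FullName)
            foreach ($der in (Get-DerBlobs -Raw $raw)) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $found.Add([pscustomobject]@{
                    File       = $file.Name
                    Thumbprint = $cert.Thumbprint   # SHA-1 over the DER encoding
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                })
            }
        } catch {
            Write-Warning "Skipping $($file.Name): not a parseable certificate ($($_.Exception.Message))"
        }
    }
    return ,$found
}

if (-not (Test-Path -Path $ImportFolder)) {
    New-Item -ItemType Directory -Path $ImportFolder | Out-Null
    Write-Host "Created $ImportFolder; copy the certificates into it and run this script again."
    return
}

$candidates = Get-ImportCandidates -Folder $ImportFolder
$candidates | Sort-Object NotAfter | Format-Table File, Thumbprint, Subject, NotAfter -AutoSize

# TPP will not create a duplicate, but the same certificate staged twice
# (e.g. as a .cer and again inside a .txt bundle) wastes time and hides real problems.
$candidates | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Thumbprint $($_.Name) appears more than once: $($_.Group.File -join ', ')"
}

# Flag certificates that are already expired so nobody is surprised after the import.
$candidates | Where-Object { $_.NotAfter -lt (Get-Date) } | ForEach-Object {
    Write-Warning "$($_.File) ($($_.Subject)) expired on $($_.NotAfter)"
}

if ($RestartAgent) {
    # Same as the article's final step: the restart triggers the 'On Receipt' scan.
    Restart-Service -Name $ServiceName -ErrorAction Stop
    Get-Service -Name $ServiceName | Select-Object Name, Status
}
```

Run it once without -RestartAgent to review the warnings, fix or remove the offending files, then run it again with -RestartAgent. Because the Agent service reads the folder under its own service account, also confirm that account has read access to the folder and the files you copied in.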