Issue and manage certificates using a self-hosted Venafi Trust Protection Platform (TPP) instance as an external CA, with support for airgapped environments via Infisical Gateway.

Prerequisites

  • A Venafi TPP Connection configured in your organization
  • A policy folder in your TPP instance configured with an appropriate CA template
  • Network connectivity from Infisical (or an Infisical Gateway) to the TPP server

Setting Up Venafi TPP as an External CA

1. Navigate to External Certificate Authorities

In Certificate Manager, go to Settings → Certificate Authorities and scroll to the External Certificate Authorities section.

2. Create New Venafi TPP CA

Click Create CA and configure:
  • Type: Choose Venafi TPP
  • Name: A friendly name for this CA (e.g., “Production TPP CA”)
  • Status: Set to Active to enable certificate issuance
  • Venafi TPP Connection: Select your TPP connection from the dropdown
  • Policy DN: The policy folder path in TPP where certificates will be managed (e.g., \VED\Policy\Certificates\WebServers)

The Policy DN must point to an existing policy folder in your TPP instance. The policy folder determines which CA template is used for signing, what subject fields are allowed, and other certificate constraints. Make sure the policy folder is configured to allow certificate requests from the credentials used in your TPP connection.

3. Certificate Authority Created

Your Venafi TPP CA is now ready. You can use it with certificate profiles to issue certificates.

Issuing Certificates

Once your Venafi TPP CA is set up, you can issue certificates by creating a profile, attaching it to an Application, and configuring enrollment:
1. Create a Certificate Profile

Go to Certificate Manager → Certificate Profiles and create a new profile:
  • Set the Certificate Authority to your Venafi TPP CA
  • Select a Certificate Policy
  • Configure default certificate attributes (TTL, key algorithm, etc.)

2. Create an Application and configure enrollment

Go to Certificate Manager → Applications and create an Application (or use an existing one):
  • Attach the profile you created
  • Add an enrollment method (e.g., API) for the profile
  • Assign team members who need to issue certificates

3. Issue a Certificate

In your Application, go to the Certificate Requests tab and click Request:
  • Select the profile linked to your Venafi TPP CA
  • Fill in the certificate details (common name, SANs, TTL)
  • Click Submit

The certificate request is submitted to TPP asynchronously. Infisical will authenticate with TPP, submit the CSR to the configured policy folder, and retrieve the signed certificate.

Certificate issuance is asynchronous. Infisical will poll TPP for the signed certificate for up to ~5 minutes. Ensure your TPP policy folder is configured for automatic approval.

4. Certificate Issued

Your certificate has been issued by the TPP server and is ready for use.