Connect Infisical to a self-hosted Venafi Trust Protection Platform (TPP) instance to use it as an external CA for certificate issuance and management.
Prerequisites
- A self-hosted Venafi Trust Protection Platform instance (on-premises or private cloud)
- An API Integration registered in your TPP instance with OAuth enabled
- A TPP user account with `certificate:manage,discover,revoke` and `configuration` scope privileges
- Network connectivity from Infisical to the TPP server (or an Infisical Gateway for airgapped environments)
To register an API Integration in Venafi TPP, navigate to API > API Integrations in the TPP web console
and create a new integration with a Client ID. This Client ID is required when setting up the connection in Infisical.
Connection Setup
Configure Connection Details
Configure the following fields:
- Name: A friendly name for this connection (e.g., “Production TPP”)
- Method: The authentication method. Currently only OAuth is supported.
- Gateway (optional): Select an Infisical Gateway if your TPP instance is in an airgapped network without direct internet access.
- TPP URL: The HTTPS URL of your Venafi TPP instance (e.g., `https://tpp.example.com`). Must use HTTPS.
- Client ID: The OAuth Client ID from your TPP API Integration.
- Username: The TPP user account. Supports formats: `DOMAIN\username`, `username@domain.com`, or local usernames.
- Password: The password for the TPP user account.

Infisical validates the credentials by authenticating with the TPP OAuth endpoint during connection creation.
If validation fails, verify that:
- The TPP URL is correct and reachable
- The Client ID matches an API Integration registered in TPP
- The username and password are correct
- The API Integration has the required scopes enabled
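An offline pre-flight check for the fields above, mirroring the troubleshooting checklist (an added example, not Infisical's or Venafi's code). The function names, the scope-string grammar (`;` between scopes, `:` before privileges, `,` between them) and the `granted_scope` input, taken to be the scope string enabled on the API Integration, are assumptions.

```python
import re
from urllib.parse import urlsplit

# Scopes this page lists as prerequisites for the TPP user account.
REQUIRED_SCOPE = "certificate:manage,discover,revoke;configuration"

def parse_scope(scope):
    """Parse 'certificate:manage,revoke;configuration' into {scope: {privileges}}.
    Assumed grammar: ';' between scopes, ':' before privileges, ',' between them."""
    parsed = {}
    for part in filter(None, (p.strip() for p in scope.split(";"))):
        name, _, privs = part.partition(":")
        parsed.setdefault(name.strip().lower(), set()).update(
            p.strip().lower() for p in privs.split(",") if p.strip())
    return parsed

def missing_scopes(granted, required=REQUIRED_SCOPE):
    """Return the required scopes/privileges that `granted` does not cover."""
    have, missing = parse_scope(granted), []
    for name, privs in parse_scope(required).items():
        if name not in have:
            missing.append(name)
        else:
            missing += [f"{name}:{p}" for p in sorted(privs - have[name])]
    return missing

def username_format(username):
    """Classify the three username formats the connection form accepts."""
    if re.fullmatch(r"[^\\@\s]+\\[^\\@\s]+", username):
        return "domain"      # DOMAIN\username
    if re.fullmatch(r"[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+", username):
        return "upn"         # username@domain.com
    if re.fullmatch(r"[^\\@\s]+", username):
        return "local"
    return None

def preflight(tpp_url, client_id, username, granted_scope):
    """Return a list of problems, in the order of the troubleshooting checklist."""
    problems = []
    url = urlsplit(tpp_url.strip())
    if url.scheme.lower() != "https" or not url.hostname:
        problems.append("TPP URL must be an https:// URL with a host")
    if not client_id.strip():
        problems.append("Client ID is empty")
    if username_format(username) is None:
        problems.append("Username is not DOMAIN\\user, user@domain.com, or a local name")
    problems += [f"missing scope: {m}" for m in missing_scopes(granted_scope)]
    return problems
```

An empty list from `preflight` means the fields are well-formed and the scopes cover the prerequisites; reachability and the password itself are still only confirmed by the validation Infisical performs at connection creation.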


