Skip to content

Venafi integration getting started🔗


  • A running Venafi instance.
  • Admin access to AQtive Guard.

Venafi setup🔗

You’ll need to create:

  • A Venafi Application Integration.
  • A Venafi API token with the certificate:discover scope.

The following steps explain how to generate these. For more information, refer to the Venafi documentation.

  1. Log in to Venafi Aperture.
  2. From the grid icon on the top-right, select Platform.
  3. From the API menu, select Integrations, then Add, and New.
  4. In the Add an API integration form on the Overview page, enter an appropriate application name (for example, AQtive Guard) and set the Client ID to cryptosense-venafi-integration.
  5. On the Base access page, set the scope to certificate:discover.
  6. Configure User or team access according to your preferences, granting access to the users that will be creating and using tokens. You can select local:Everyone for simplicity, or customize it further.
  7. Retrieve a token from the Venafi API. You can use the Swagger interface at <your venafi base url>/vedsdk, or send an API request directly using curl or a similar tool.
  8. Send a POST request to the /vedauth/authorize/oauth endpoint, with a JSON payload that resembles:

      "username": "<your username>",
      "password": "<your password>",
      "client_id": "cryptosense-venafi-integration",
      "scope": "certificate:discover"

    The user initiating the request must be authorized. (Refer to Step 5).

    Make sure the "client_id" value here matches the Client ID from the previous step.

    A complete curl command is:

    curl -X POST "<your venafi base url>/vedauth/authorize/oauth" \
        -H "accept: application/json" -H "Content-Type: application/json" \
        -d '{"username": "<your username>", "password": "<your password>", "client_id": "cryptosense-venafi-integration", "scope": "certificate:discover"}'

    The JSON response should resemble:

      "access_token": "<your access token (base64)>",
      "refresh_token": "<another base64 token you can use to renew the access token>",
      "expires_in": <integer>,
      "expires": <timestamp>,
      "token_type": "Bearer",
      "scope": "certificate:discover",
      "identity": "local:{<some UUID>}",
      "refresh_until": <another timestamp>

    The initial access_token value field is required for configuring the integration in AQtive Guard.

AQtive Guard setup🔗

  1. Log in to the AQtive Guard Web Interface as an admin.
  2. Select Integrations from the menu bar.
  3. From the integration options, select Venafi, then Configure.
  4. Enter your Venafi Instance URL and Access Token, then select Save.
  5. (Optional) Select Test Connection to verify that the link is functional.