Alright, there are basically two ways to approach this challenge.

The first is the API approach: there is an API to call to request a new certificate. In this scenario one typically creates a new user for the server, and that user has to become a member of the Venafi group. (There is a read group and a write group, and I'd imagine the write group is more applicable.) With the API approach you have to have something on the server, perhaps a Windows Service, watching for the certificate to expire and then hitting the API when applicable.

The other approach is "built-in provisioning." Here one configures Venafi to access the server through an account for the server that has administrative permissions, and Venafi pushes the certificate down when the time is right. You may map where a certificate goes, and so on.

There is also a distinction between a production policy and a non-production policy: the production policy has the extra workflow steps of taking the server down before the write of the new certificate and then bringing it back up again. This safeguard keeps the server from being accessed without its certificate intact.
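To make the API approach and the production-policy safeguard concrete, here is an added example (not code from the original post, nor from Venafi) of the check a Windows Service or scheduled task could run on the server. It assumes the certificate sits in Cert:\LocalMachine\My, that the dependent service is a Windows service named by -ServiceName, and that Request-RenewedCertificate is a hypothetical placeholder for the Venafi API call, whose endpoint and payload the post does not give.

```powershell
# Added example: expiry watcher for the "API" approach, with the production-policy
# stop / write / start workflow modelled by the -ProductionPolicy switch.
param(
    [Parameter(Mandatory)] [string]$SubjectPattern,  # e.g. 'CN=www.example.local'
    [string]$ServiceName = 'W3SVC',                  # assumption: service that uses the cert
    [int]$RenewWithinDays = 30,                      # renew this many days before NotAfter
    [switch]$ProductionPolicy                        # take the service down around the write
)

function Get-ExpiringCertificate {
    param([string]$Pattern, [int]$Days)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$Pattern*" -and $_.HasPrivateKey } |
        Where-Object { $_.NotAfter -le $now.AddDays($Days) } |
        Sort-Object NotAfter | Select-Object -First 1
}

function Request-RenewedCertificate {
    # HYPOTHETICAL placeholder: stands in for the authenticated call to the Venafi API,
    # made with the server's own low-privilege user in the write group. Must return a PFX path.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Old)
    throw "replace with the real API call for $($Old.Thumbprint)"
}

function Install-RenewedCertificate {
    param([string]$PfxPath, [switch]$StopFirst)
    # Production policy: the service is stopped before the new certificate is written.
    if ($StopFirst) { Stop-Service -Name $ServiceName -ErrorAction Stop }
    try {
        $new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My
        Write-Output "installed $($new.Thumbprint), expires $($new.NotAfter)"
    } finally {
        # Always bring the service back up; a failed import leaves the old certificate in place.
        if ($StopFirst) { Start-Service -Name $ServiceName }
    }
}

$cert = Get-ExpiringCertificate -Pattern $SubjectPattern -Days $RenewWithinDays
if (-not $cert) { Write-Output "no certificate within $RenewWithinDays days of expiry"; return }
Write-Output "renewing $($cert.Thumbprint) (expires $($cert.NotAfter))"
$pfx = Request-RenewedCertificate -Old $cert
Install-RenewedCertificate -PfxPath $pfx -StopFirst:$ProductionPolicy
```

Run it without -ProductionPolicy for the non-production workflow, where the certificate is imported while the service keeps running.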