vsatctl Install
vsatctl install [flags]
Install a single-node Venafi VSatellite cluster.
Note: This command must be run with root privileges because it installs system-wide executables and configuration files in /etc and /usr/local/bin. It requires root privileges to start the VSatellite systemd service. It connects to the VSatellite cluster using credentials from a file that is only accessible to root users.
Important: When using --install-dir, carefully review the related hard disk requirements.
Examples
sudo vsatctl install --pairing-code=cf216fbc-f429-41f1-a64b-f06bb9b4e1be
Options
| Option | Description |
|---|---|
| --accept-license-agreement | Accept the Venafi End User License Agreement. (https://venafi.com/end-user-license-agreement) |
| --api-url string | Specify the Venafi Cloud API URL. (Default: https://api.venafi.cloud) |
| -h, --help | Show help for the install command. |
| --install-dir string | Specify the directory for all VSatellite installation artifacts. |
| --loglevel string | Set the file logging level. Options: "INFO", "ERROR", "WARN", "DEBUG". (Default: "DEBUG") |
| --pairing-code string | Provide the pairing code to register with Venafi as a Service. |
| --silent | Perform a silent Kubernetes installation without showing events or progress. (Deprecated) |
| --timeout-seconds int | Set the maximum timeout in seconds for each VSatellite service installation. (Default: 180) |
HSM-Protected DEK Options
When installing a VSatellite with HSM-protected DEK, the following options are required unless otherwise noted:
| Option | Required | Description |
|---|---|---|
| --partition-label | Yes | HSM partition label |
| --partition-serial-number | No | Required only if multiple partitions share the same label |
| --hsm-client-path | Yes | Path to the HSM client installation |
| --hsm-lib-path | Yes | Path to the PKCS#11 library |
| --hsm-config | Yes | Path to the HSM client configuration file |
Note: During installation, you are prompted to enter the PIN for the HSM partition. Ensure that the PIN is available before starting the installation.
For an explanation of each HSM-related parameter and example values, see Using HSM-protected DEK with VSatellites.
Note: HSM connectivity and credentials are not fully validated during installation. In some cases, installation may succeed but the VSatellite enters an Unhealthy state. For details about HSM validation behavior and Unhealthy states, see Using HSM-protected DEK with VSatellites.
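Because the installer does not fully validate the HSM settings, a local preflight check of the values passed to the HSM options can catch path and permission problems before installation. The following is an added example, not part of vsatctl or the Venafi documentation; the function name `hsm_preflight` is hypothetical, and it assumes that --hsm-client-path is a directory and that --hsm-lib-path and --hsm-config are regular files.

```shell
#!/bin/sh
# Added example (not part of vsatctl): local checks on the values intended for
# --hsm-client-path, --hsm-lib-path, --hsm-config and --partition-label.
# Assumption: the client path is a directory; the library and config are files.
# Returns 0 when every check passes; prints each failed check to stderr.
hsm_preflight() {
    client_path=$1
    lib_path=$2
    config=$3
    label=$4
    rc=0
    fail() { echo "preflight: $1" >&2; rc=1; }

    [ -n "$label" ] || fail "--partition-label is empty"
    [ -d "$client_path" ] || fail "--hsm-client-path is not a directory: $client_path"
    { [ -f "$lib_path" ] && [ -r "$lib_path" ]; } \
        || fail "--hsm-lib-path is not a readable file: $lib_path"
    { [ -f "$config" ] && [ -r "$config" ]; } \
        || fail "--hsm-config is not a readable file: $config"

    # The install runs as root, so a library or config file that any local
    # user can modify would let that user influence what root loads.
    # find -L follows symlinks, so the target's mode is checked, not the link's.
    for f in "$lib_path" "$config"; do
        [ -e "$f" ] || continue
        if [ -n "$(find -L "$f" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            fail "world-writable, fix ownership and mode first: $f"
        fi
    done
    return "$rc"
}

# Usage (placeholder values, substitute your own):
#   hsm_preflight <client-dir> <pkcs11-lib> <client-config> <partition-label> \
#       && echo "local HSM option checks passed"
```

These checks cover only what is visible on the local file system; they do not test HSM connectivity or the partition PIN, so the VSatellite health state should still be confirmed after installation.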