Deploying VSatellites
After you've carefully reviewed and completed all prerequisite steps, you're ready to deploy a VSatellite to your target computer.
Important:
When deploying your first VSatellite, you must choose how the Data Encryption Key (DEK) is protected:
- Software-based DEK (default)
- HSM-protected DEK
This is a tenant-level setting. After a VSatellite is deployed, the DEK protection mode cannot be changed unless all VSatellites are deleted.
For details about deploying with HSM-protected DEK, see Using HSM-protected DEK with VSatellites.
Deploying a VSatellite involves 3 simple steps:
- Download the VSatellite installer (vsatctl) onto your target computer.
- Run sudo ./vsatctl preflight to verify that you've met all prerequisites.
- Run sudo ./vsatctl install to deploy your new VSatellite.
Why are root privileges required?
The vsatctl install command installs k3s in /usr/local/bin, which is owned by the root user.
If you are installing VSatellite on RHEL, Oracle, or Rocky Linux, the vsatctl install command will install the k3s-selinux RPM package.
Installing RPM packages requires root privileges.
Other vsatctl subcommands connect to the VSatellite cluster, requiring access to credentials stored in /etc/rancher/k3s/k3s.yaml.
This file is only accessible to the root user.
If you are already logged in as the root user, you can omit the sudo command.
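A post-install check of the root-owned files described above, as an added example that is not part of vsatctl or the product documentation. The two paths are the ones this page names; the function names, the permission masks, and the expectation that the k3s binary is not group- or world-writable are assumptions.

```shell
#!/bin/sh
# Added example: audit the root-only files this page names after `vsatctl install`.
# Paths come from the page; function names and masks are assumptions.

# Print "<uid> <octal-mode>" for a path, following symlinks
# (GNU stat first, BSD stat as a fallback).
owner_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1" 2>/dev/null
}

# check_path <path> <octal-mask> [uid]
# Succeeds only if <path> exists, is owned by uid (default 0 = root) and has
# none of the permission bits in <octal-mask> set.
# Returns 2 if the path is missing, 1 on a wrong owner or mode.
check_path() {
    path=$1 mask=$2 uid=${3:-0}
    set -- $(owner_mode "$path")
    [ $# -eq 2 ] || { echo "MISSING  $path"; return 2; }
    if [ "$1" != "$uid" ]; then
        echo "OWNER    $path uid=$1 (want $uid)"; return 1
    fi
    if [ $(( 0$2 & 0$mask )) -ne 0 ]; then
        echo "MODE     $path mode=$2 (forbidden bits $mask)"; return 1
    fi
    echo "OK       $path uid=$1 mode=$2"
}

audit_vsatellite_host() {
    rc=0
    # Cluster credentials: no group or other access at all.
    check_path /etc/rancher/k3s/k3s.yaml 077 || rc=1
    # k3s binary installed by vsatctl: not writable by group or other.
    check_path /usr/local/bin/k3s 022 || rc=1
    return $rc
}

# Run the audit only when asked, e.g. `sudo sh check.sh audit`.
if [ "${1:-}" = "audit" ]; then
    audit_vsatellite_host
fi
```

A non-zero exit from `audit_vsatellite_host` means one of the two files is missing, is not owned by root, or is more widely accessible than the description above implies.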
Tip:
It's helpful to have both the VSatellites page open in Certificate Manager - SaaS (Settings > VSatellites) and a command line utility connected to your target computer before you begin. You'll be using both.
About the generated installation command
When you deploy a VSatellite using the installation wizard, Certificate Manager - SaaS generates an installation command that includes placeholders for required values.
For HSM-protected DEK deployments, these placeholders reference components of your HSM client installation (such as client paths, PKCS#11 libraries, and configuration files). The wizard does not validate these values.
For an explanation of each HSM-related parameter and example values, see Using HSM-protected DEK with VSatellites.
To deploy a new VSatellite
- In Next-Gen Trust Security, click Configuration > VSatellite.
- On the VSatellites page, click New, and then follow the on-screen instructions.