Next-Gen Trust Security Generated Key authentication

Step 1: Enable Google APIs

Enable the Cloud Resource Manager API and the Certificate Manager API.
  1. In the Google Cloud console, go to APIs & services for your project.
  2. On the Library page, select Private APIs. If the API is not listed, your project has not been granted access to enable it.
  3. Select the API you want to enable. If you need help finding the API, use the search field.
  4. In the page that displays information about the API, select Enable.

Step 2: Create a Google custom role

You can create the custom role in the console or with the gcloud CLI. Choose one of the following methods.
  • Console - See Create and manage custom roles to create an Identity and Access Management (IAM) custom role.
  • gcloud CLI - Alternatively, create a YAML file (for example permissions.yaml) with the permissions below. These are the only permissions the integration needs; grant this role rather than a broader predefined role.
title: Next-Gen Trust Security Integration
description: Permissions granted to Next-Gen Trust Security
stage: GA
includedPermissions:
- certificatemanager.certs.create
- certificatemanager.certs.get
- certificatemanager.certs.list
- certificatemanager.certs.update
- certificatemanager.locations.list
- certificatemanager.operations.get
- resourcemanager.projects.get
Then run the following command to create the custom role. You will bind this role to the service account in the next step.
gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT_ID> --file=permissions.yaml
Note: The role ID tlspcIntegrationRole is an example. You can use any role ID you like, but choose one that reflects its purpose.

Step 3: Create a Google service account

Create a dedicated service account for the Generated Key authentication method and grant it only the custom role from Step 2.
  1. Follow the steps to create a Google service account at Create service accounts. This page explains how to create service accounts using the Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud command-line tool.
  2. Once complete, you will be presented with your Google service account email (of the form NAME@PROJECT_ID.iam.gserviceaccount.com). Copy and save it for later use.
    Note: In this step you associate the custom role created in Step 2 with your Google service account. Do not assign a predefined role such as Owner or Editor; the custom role already covers everything the integration does.

Step 4: Create a Cloud Provider & validate the connection

  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Cloud Providers.
  3. Click New and select Google.
  4. Enter a Name for the new cloud provider. This name will help Next-Gen Trust Security users to identify this cloud provider.
  5. Enter your Google Service Account Email you copied from Step 3 and click Continue.
  6. Select the Venafi Generated Key authentication method and click Continue.
  7. Click Create.
  8. The next screen shows a Public Key generated by Next-Gen Trust Security. Copy it and save it to a file. Only this public key is shared with Google; no Google-issued private key file is downloaded or stored anywhere.
  9. Upload the public key to the service account from Step 3. See Upload service account keys and follow the instructions. If the upload is rejected, check whether the organization policy constraint iam.disableServiceAccountKeyUpload is enforced on the project.
  10. Back in Next-Gen Trust Security, click Validate. You should see a "Successfully validated" message. If you do not, the connection could not be validated: confirm that both APIs are enabled (Step 1), that the custom role is bound to the service account (Steps 2 and 3), and that the public key was uploaded to the same service account whose email you entered in step 5.
  11. Click Finish. At this point, your new provider details will be displayed in the Cloud Providers list. You will also see a message that confirms you have successfully created and validated your new provider.
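The following script is an added example (it is not Venafi's or Google's own tooling) that performs Steps 1 to 3 and the public-key upload from Step 4 with gcloud, then lists the role binding and the uploaded key so you can check them before clicking Validate. The project ID, role ID, service account name and key file name are placeholders you supply; the gcloud subcommands and flags are real. By default it only prints the commands it would run; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not Venafi's or Google's own tooling: Steps 1-3 and the
# public-key upload from Step 4 via gcloud, followed by verification.
# Safe by default: prints each command instead of running it. APPLY=1 executes.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"             # assumption: your GCP project ID
ROLE_ID="${ROLE_ID:-tlspcIntegrationRole}"         # custom role ID from Step 2
SA_NAME="${SA_NAME:-ngts-integration}"             # assumption: service account name
PUBKEY_FILE="${PUBKEY_FILE:-ngts-public-key.pem}"  # public key saved in Step 4, item 8
APPLY="${APPLY:-0}"

# Exactly the permissions listed in Step 2 and nothing broader (no certs.delete,
# no predefined roles), so the integration can only do what the page requires.
PERMISSIONS="certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.locations.list
certificatemanager.operations.get
resourcemanager.projects.get"

# Write the role definition consumed by `gcloud iam roles create --file`.
write_role_yaml() {
  dest="$1"
  {
    echo "title: Next-Gen Trust Security Integration"
    echo "description: Permissions granted to Next-Gen Trust Security"
    echo "stage: GA"
    echo "includedPermissions:"
    printf '%s\n' "$PERMISSIONS" | sed 's/^/- /'
  } > "$dest"
}

# Print the command (dry run) or execute it (APPLY=1).
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s ' "$@"; echo; fi
}

sa_email() { echo "${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"; }

setup() {
  yaml="$1"
  write_role_yaml "$yaml"
  # Step 1: enable the two APIs.
  run gcloud services enable cloudresourcemanager.googleapis.com \
    certificatemanager.googleapis.com --project="$PROJECT_ID"
  # Step 2: create the least-privilege custom role.
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$yaml"
  # Step 3: dedicated service account, bound only to that custom role.
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Next-Gen Trust Security"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email)" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  # Step 4, item 9: upload the Venafi-generated public key. No private key is
  # created or downloaded on the Google side. gcloud expects the file as a
  # PEM-encoded X.509 certificate, so save the UI value in that form.
  run gcloud iam service-accounts keys upload "$PUBKEY_FILE" \
    --iam-account="$(sa_email)" --project="$PROJECT_ID"
}

# Checks to run before clicking Validate: the service account holds only the
# custom role, and the uploaded (user-managed) key is listed on it.
verify() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(sa_email)" \
    --format="value(bindings.role)"
  run gcloud iam service-accounts keys list --iam-account="$(sa_email)" \
    --managed-by=user --project="$PROJECT_ID"
}

setup "${1:-permissions.yaml}"
verify
```

Run it once without APPLY to review the plan, then with APPLY=1 to apply it. The first verify command should print only projects/PROJECT_ID/roles/ROLE_ID for the service account; if it also prints roles/editor or roles/owner, remove those bindings before validating. The second should list the key ID of the uploaded public key; if it is empty, the upload went to a different service account or was blocked by organization policy.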

Step 5: Add a Cloud Keystore

  1. Sign in to Next-Gen Trust Security.
  2. Click Insights > Cloud Keystores.
  3. Click New and select Google.
  4. Enter a Name for the new cloud keystore.
  5. Select a GCP Cloud Provider.
  6. Enter the Project Name of the Google Cloud project whose certificates you want to manage. The service account from Step 3 must hold the custom role in that project.
  7. Enter a GCM Region (the Certificate Manager location in which certificates are discovered and provisioned).
  8. (Optional) To discover certificates on the keystore right away, enable Start discovery immediately and Include expired certificates. You can also set a recurring discovery schedule; see Set up GCP Discovery Schedule below.
  9. Click Save. The new cloud keystore appears in the Cloud Keystore list.

Step 6: Provision a certificate

At this point you should now have the ability to provision certificates.
  1. Click the More actions (ellipsis) icon next to the cloud keystore you created, and then select Provision.
Tip:
From this menu, you can also delete certificates if needed.
  2. From the dropdown, search for the certificate you want to provision, select it, and then click Provision. This creates a new certificate installation on the cloud keystore.
  3. (Optional) You can also re-provision, replace, or delete an existing certificate.
    • Select your Cloud Keystore to open the details panel.
    • Click the More actions (ellipsis) icon next to the certificate.
    • Select Re-provision, Replace, or Delete, and complete the steps in the user interface.
Info:
  • Re-provision re-installs the current certificate on the cloud keystore.
  • Replace substitutes the current certificate with a different one.
  • Delete removes the certificate from the cloud keystore.

Set up GCP Discovery Schedule

  1. In the Next-Gen Trust Security toolbar, click Installations and select Cloud Keystores from the drop-down menu.
  2. Select the Cloud Keystore name that you want to perform a discovery on.
  3. From the pane that opens on the right of the screen, select Discovery configuration. Select the toggle switches to turn on "Enable scheduled discovery" and "Include expired certificates".
  4. Under Repeat, select your desired Daily, Weekly, or Advanced schedule. Then, choose your desired time.
  5. Click Save.