
Migrating from Another Certificate Authority

If you are already using a CA Adapter with TruU for another Certificate Authority (e.g. an Active Directory CA), the transition works as follows when you enable the CyberArk ZTPKI CA Adapter:
  • Previously issued certificates from the original CA will continue to be used. When certificate expiration is approaching and a renewal is required, the new certificate will be issued from CyberArk Zero Touch PKI.
  • New enrollments will be issued from CyberArk ZTPKI.

Creating a CyberArk ZTPKI CA Adapter

  1. Log into your TruU Admin Console
  2. Navigate to Integrations > Adapters
  3. Click on the “+” button to add a new adapter
  4. Select “Certificate Authority”
  5. Select “CyberArk ZTPKI” as the specific adapter type
  6. Enter the required fields based on your CyberArk tenant
| Field | Notes |
|---|---|
| Name* | This is the name of the TruU adapter and does not need to be tied specifically to your CyberArk tenant. |
| ZTPKI URL | This is the URL for the ZTPKI APIs. Most customers can leave this as the default value (https://ztpki.venafi.com). |
| Policy Name* | Enter the name of the policy that should be used when issuing smartcard logon certificates for TruU desktop authenticators. Contact your CyberArk representative or technical support to enable the appropriate policies in your ZTPKI environment, which will add support for desktop login to Windows Authenticators and/or Shared Workstations (see the Policy Requirements below). |
| API Key ID | Enter the API key ID that TruU will use for authentication with CyberArk APIs. You can get this value from your CyberArk tenant. |
| API Key Secret* | Enter the API key secret that TruU will use for authentication with CyberArk APIs. You can get this value from your CyberArk tenant. |
  7. Click “Create”
  8. Optionally add specific administrator roles for managing this adapter
  9. Click “Apply” to create the adapter
Within a few minutes, your TruU identity servers will start reporting the health of the CyberArk integration. See the Health status on the Identity Servers page in your TruU Admin Console. A green health indicator means that the API credentials are valid and the TruU integration is ready for use.

CyberArk ZTPKI Certificate Policy Requirements

The certificate policy should include the following:
DN Components:
  • CN (Common Name) - Required
  • DC (Domain Component) - Must include all components of your Active Directory domain (e.g. DC=corp, DC=company, DC=com)
Subject Alternative Names (SAN):
  • UPN (User Principal Name) - Required
Custom Extensions (Microsoft-specific):
  • OID 1.3.6.1.4.1.311.21.7 - Microsoft Certificate Template Information (Required)
  • OID 1.3.6.1.4.1.311.21.10 - Microsoft Application Policies (Required)
  • OID 1.3.6.1.4.1.311.25.2 - Microsoft NTDS CA Security Extension
Certificate Validity:
  • Standard Users - We recommend 365 days or whatever your organization uses for desktop authentication.
  • Shared Workstations - We recommend 24 hours or less.
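To confirm that certificates coming back from the policy actually carry what the list above asks for, the following Go program (an added example; it is not TruU or CyberArk code) self-signs a constructed certificate shaped like a smartcard logon certificate and runs a policy check over it: CN present, DC components equal to the domain, a UPN otherName in the SAN, the two extension OIDs marked Required above, and a validity ceiling. The user jdoe, the domain corp.company.com and the empty-SEQUENCE extension payloads are constructed for the example; against a certificate actually issued by ZTPKI you would call CheckPolicy on the result of x509.ParseCertificate instead of IssueTestCert. OID 1.3.6.1.4.1.311.25.2 is listed above without Required, so it is not checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDs from the policy requirements, plus the two that carry DC components and a UPN.
var (
	oidDC        = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
	oidSAN       = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidUPN       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // szOID_NT_PRINCIPAL_NAME
	oidTemplate  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 21, 7}
	oidAppPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 21, 10}
)

// upnFromSAN returns the UPN carried as a SAN otherName, or "" if there is none.
// crypto/x509 skips otherName entries, so the GeneralNames are decoded here.
func upnFromSAN(cert *x509.Certificate) string {
	var names []asn1.RawValue
	var wrapper asn1.RawValue
	var typeID asn1.ObjectIdentifier
	var upn string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return ""
		}
		for _, gn := range names {
			// otherName is GeneralName choice [0]: SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue
			}
			value, err := asn1.Unmarshal(gn.Bytes, &typeID)
			if err != nil || !typeID.Equal(oidUPN) {
				continue
			}
			// Strip the EXPLICIT [0] wrapper, then decode the UTF8String inside it.
			if _, err = asn1.Unmarshal(value, &wrapper); err != nil {
				return ""
			}
			if _, err = asn1.Unmarshal(wrapper.Bytes, &upn); err != nil {
				return ""
			}
			return upn
		}
	}
	return ""
}

// CheckPolicy returns one message per requirement from the policy list that cert fails.
// domain is the AD domain whose components must appear as DCs; maxValidity caps
// NotAfter-NotBefore (24h for shared workstations, 365 days for standard users).
func CheckPolicy(cert *x509.Certificate, domain string, maxValidity time.Duration) []string {
	var problems, dcs []string
	if cert.Subject.CommonName == "" {
		problems = append(problems, "subject has no CN")
	}
	for _, atv := range cert.Subject.Names { // pkix.Name has no DC field; scan the raw attributes
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidDC) {
			dcs = append(dcs, s)
		}
	}
	if got := strings.Join(dcs, "."); got != domain {
		problems = append(problems, fmt.Sprintf("DC components spell %q, want %q", got, domain))
	}
	if upnFromSAN(cert) == "" {
		problems = append(problems, "SAN has no UPN otherName")
	}
	present := map[string]bool{}
	for _, ext := range cert.Extensions {
		present[ext.Id.String()] = true
	}
	for _, oid := range []asn1.ObjectIdentifier{oidTemplate, oidAppPolicy} {
		if !present[oid.String()] {
			problems = append(problems, "missing required extension "+oid.String())
		}
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > maxValidity {
		problems = append(problems, fmt.Sprintf("validity %s exceeds the %s ceiling", v, maxValidity))
	}
	return problems
}

// IssueTestCert self-signs a constructed certificate for the made-up user jdoe in
// corp.company.com, shaped like a smartcard logon cert, to stand in for one issued by
// ZTPKI. Each OID in exts becomes a placeholder extension; real payloads come from the policy.
func IssueTestCert(validity time.Duration, exts ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// SAN = SEQUENCE { otherName [0] { type-id oidUPN, value [0] EXPLICIT UTF8String } }.
	// These Marshal calls run on constants and cannot fail, so their errors are dropped.
	upn, _ := asn1.MarshalWithParams("jdoe@corp.company.com", "utf8")
	other, _ := asn1.MarshalWithParams(struct {
		TypeID asn1.ObjectIdentifier
		Value  asn1.RawValue
	}{oidUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: upn}}, "tag:0")
	san, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: other}})
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "jdoe", ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidDC, Value: "corp"}, {Type: oidDC, Value: "company"}, {Type: oidDC, Value: "com"}}},
		NotBefore:       now,
		NotAfter:        now.Add(validity),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSAN, Value: san}},
	}
	for _, oid := range exts {
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oid, Value: []byte{0x30, 0x00}})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := IssueTestCert(90*24*time.Hour, oidTemplate) // 90-day cert, Application Policies missing
	if err != nil {
		panic(err)
	}
	fmt.Println(upnFromSAN(cert), CheckPolicy(cert, "corp.company.com", 24*time.Hour))
}
```

Run it with go run: the 90-day certificate built in main is reported for the missing Application Policies extension and for exceeding the 24-hour shared-workstation ceiling, while a 24-hour certificate issued with both OIDs passes clean. The point worth noting for anyone validating issued certificates in Go is that crypto/x509 parses past otherName SAN entries without exposing them, which is why upnFromSAN walks the GeneralNames with encoding/asn1 itself.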
