# CyberArk Zero Touch PKI

> CyberArk Zero Touch PKI (formerly known as Venafi Zero Touch PKI) can be used for certificate-based authentication for Desktop Authenticators and Shared Workstations. This Adapter does not require software installation, as it is built into the TruU Identity Cloud. Like all CA adapters, the CyberArk adapter supports all certificate lifecycle events: issuance, renewal and revocation.

# Migrating from Another Certificate Authority

If you are already using a CA Adapter with TruU for another Certificate Authority (e.g. an Active Directory CA), when you enable the CyberArk ZTPKI CA Adapter, the transition will work as follows:

* Previously issued certificates from the original CA will continue to be used. When certificate expiration is approaching and a renewal is required, the new certificate will be issued from CyberArk Zero Touch PKI.

* New enrollments will be issued from CyberArk ZTPKI.

# Creating a CyberArk ZTPKI CA Adapter

1. Log into your TruU Admin Console

2. Navigate to Integrations > Adapters

3. Click on the “+” button to add a new adapter

4. Select “Certificate Authority”

5. Select “CyberArk ZTPKI” as the specific adapter type

6. Enter the required fields based on your CyberArk tenant

| **Field** | **Notes** |
| --- | --- |
| Name | This is the name of the TruU adapter and does not need to be tied specifically to your CyberArk tenant. |
| ZTPKI URL | This is the URL for the ZTPKI APIs. Most customers can leave this as the default value ([https://ztpki.venafi.com](https://ztpki.venafi.com)). |
| Policy Name | Enter the name of the policy that should be used when issuing smartcard logon certificates for TruU desktop authenticators. Contact your CyberArk representative or technical support to enable the appropriate policies in your ZTPKI environment, which will add support for desktop login to Windows Authenticators and/or Shared Workstations (see the Policy Requirements below). |
| API Key ID | Enter the API key ID that TruU will use for authentication with CyberArk APIs. You can get this value from your CyberArk tenant. |
| API Key Secret | Enter the API key secret that TruU will use for authentication with CyberArk APIs. You can get this value from your CyberArk tenant. |

7. Click “Create”

8. Optionally add specific administrator roles for managing this adapter

9. Click “Apply” to create the adapter

Within a few minutes, your TruU identity servers will start reporting the health of the CyberArk integration. See the Health status on the Identity Servers page in your TruU Admin Console. A green health indicator means that the API credentials are valid and the TruU integration is ready for use.

# CyberArk ZTPKI Certificate Policy Requirements

The certificate policy should include the following:

**DN Components:**

* CN (Common Name) - Required
* DC (Domain Component) - Must include all components of your Active Directory domain (e.g. DC=corp, DC=company, DC=com)

**Subject Alternative Names (SAN):**

* UPN (User Principal Name) - Required

**Custom Extensions (Microsoft-specific):**

* OID 1.3.6.1.4.1.311.21.7 - Microsoft Certificate Template Information (Required)
* OID 1.3.6.1.4.1.311.21.10 - Microsoft Application Policies (Required)
* OID 1.3.6.1.4.1.311.25.2 - Microsoft NTDS CA Security Extension

**Certificate Validity:**

* Standard Users - We recommend 365 days or whatever your organization uses for desktop authentication.
* Shared Workstations - We recommend 24 hours or less.
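As an added example (not TruU's or CyberArk's code), the check below uses the Python `cryptography` package to verify that a certificate issued under the policy carries the subject components, UPN SAN, Microsoft extensions and validity period listed above. The helper names `policy_findings` and `make_test_cert` are assumptions, and the self-signed test certificate the second one builds is a constructed stand-in whose Microsoft extension bodies are empty placeholders.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

OID_UPN = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # otherName type of a UPN SAN
MS_EXTENSIONS = {"1.3.6.1.4.1.311.21.7": "Certificate Template Information",  # required
                 "1.3.6.1.4.1.311.21.10": "Application Policies",  # required
                 "1.3.6.1.4.1.311.25.2": "NTDS CA Security Extension"}

def policy_findings(cert, domain_dcs, max_hours):
    # Returns deviations from the policy requirements above; [] means compliant.
    findings = []
    if not cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        findings.append("missing CN")
    dcs = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.DOMAIN_COMPONENT)]
    if dcs != domain_dcs:  # every component of the AD domain, in the expected order
        findings.append(f"DC components {dcs} != expected {domain_dcs}")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        upns = [n for n in san.get_values_for_type(x509.OtherName) if n.type_id == OID_UPN]
    except x509.ExtensionNotFound:
        upns = []
    if not upns:
        findings.append("missing UPN SAN")
    present = {e.oid.dotted_string for e in cert.extensions}
    for oid, label in MS_EXTENSIONS.items():
        if oid not in present:
            findings.append(f"missing {label} extension ({oid})")
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    if na - nb > timedelta(hours=max_hours):  # 24h for shared workstations, 365d for users
        findings.append(f"validity {na - nb} exceeds {timedelta(hours=max_hours)}")
    return findings

def make_test_cert(upn, dcs, lifetime_hours, with_upn=True):
    # Constructed self-signed stand-in for a ZTPKI-issued smartcard logon certificate.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])]
                     + [x509.NameAttribute(NameOID.DOMAIN_COMPONENT, d) for d in dcs])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(hours=lifetime_hours)))
    if with_upn:  # the otherName value is a DER UTF8String (tag 0x0c, short-form length)
        upn_der = b"\x0c" + bytes([len(upn.encode())]) + upn.encode()
        b = b.add_extension(x509.SubjectAlternativeName([x509.OtherName(OID_UPN, upn_der)]), critical=False)
    for oid in MS_EXTENSIONS:  # placeholder empty SEQUENCE; real certs carry Microsoft's structures here
        b = b.add_extension(x509.UnrecognizedExtension(x509.ObjectIdentifier(oid), b"\x30\x00"), critical=False)
    return b.sign(key, hashes.SHA256())
```

Run `policy_findings` against a certificate actually issued by your ZTPKI policy (loaded with `x509.load_pem_x509_certificate`) to confirm the policy was configured as required before rolling out desktop login.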

***

[Enable FIDO2 security key sign-in for Windows](/docs/enable-fido2-security-key-sign-in-for-windows)

[Importing CyberArk ZTPKI certificates into Active Directory](/docs/importing-cyberark-ztpki-certificates-into-active-directory)
