Getting Started with Vendor Application Connection


1.0 Introduction

This article helps you to get started with the Venafi vendor application integration in Fortanix Key Insight.

It also describes:

  • How to sign up and log in to Fortanix Key Insight.

  • How to set up the Venafi vendor application to scan certificates.

  • How to manage the vendor applications on Fortanix Key Insight.

2.0 Terminology References

Refer to Venafi Connection Concepts for the Venafi connection concepts and supported features.

3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.

4.0 Configure a Venafi Connection

After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a Venafi connection to scan your cryptographic materials.

NOTE

After onboarding the Venafi connection,

  • You can switch the region at any time using the region switcher drop-down located in the top navigation bar of the connection user interface (UI). When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

  • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

4.1 Prerequisites

The following are the prerequisites to configure a Venafi connection on Fortanix Key Insight:

4.1.1 Set Up Venafi Access and Credentials

Before onboarding a Venafi connection, ensure that the Venafi platform is properly configured and you have the required credentials (Venafi URL, username, password, and client identifier).

NOTE

Contact your Venafi administrators for assistance with configuring the Venafi platform and obtaining the required credentials.

Using these credentials, Fortanix Key Insight makes an API call to Venafi to obtain an access token with the required scopes (certificate:discover,manage;configuration:manage). These scopes authorize Fortanix Key Insight to scan and analyze certificates managed by Venafi.
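The following added example (not Fortanix or Venafi code) compares the scope granted to the client identifier, as reported by your Venafi administrator, with the scopes listed above, and reports anything missing or in excess of what Key Insight requests. It assumes the scope string follows the `resource:privilege,privilege;resource:privilege` layout shown on this page; the function names and sample strings are constructed for illustration.

```python
# Added example: least-privilege check for the Key Insight scope string.
REQUIRED_SCOPE = "certificate:discover,manage;configuration:manage"  # from this page


def parse_scope(scope):
    """Parse 'resource:priv,priv;resource:priv' into {resource: {privileges}}."""
    parsed = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing or doubled ';'
        resource, _, privs = part.partition(":")
        resource = resource.strip().lower()
        if not resource:
            raise ValueError("scope entry without a resource: %r" % part)
        names = {p.strip().lower() for p in privs.split(",") if p.strip()}
        # Merge repeated resources instead of overwriting earlier entries.
        parsed.setdefault(resource, set()).update(names)
    return parsed


def flatten(scope):
    """Return the scope as a set of 'resource' and 'resource:privilege' items."""
    flat = set()
    for resource, privs in parse_scope(scope).items():
        flat.add(resource)
        flat.update("%s:%s" % (resource, p) for p in privs)
    return flat


def compare_scopes(granted, required=REQUIRED_SCOPE):
    """Report what the granted scope lacks and what it grants beyond the need."""
    g, r = flatten(granted), flatten(required)
    return {"ok": not (r - g), "missing": sorted(r - g), "excess": sorted(g - r)}


if __name__ == "__main__":
    # Constructed sample scope strings, not taken from a real deployment.
    for sample in ("configuration:manage; certificate:manage,discover",
                   "certificate:discover,manage,revoke;configuration:manage",
                   "certificate:manage"):
        print(sample, "->", compare_scopes(sample))
```

An empty `missing` list with a non-empty `excess` list means the connection will work but the credential carries more privilege than the scan needs.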

4.1.2 IP Whitelisting Requirements

To enable secure and reliable communication between Fortanix Key Insight and your Venafi environment, certain network connections may need to be allowed.

If your Venafi deployment enforces IP-based access controls, you may need to whitelist the following Fortanix Key Insight IP addresses:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

NOTE

IP whitelisting is not mandatory. It is required only if your Venafi environment restricts inbound API access based on source IP addresses.
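The listed addresses are also useful on the monitoring side: requests made with the Key Insight client identifier should only ever arrive from them. The following added example (not Fortanix or Venafi code) flags log entries for that client identifier whose source is not one of the three addresses above; the log layout, the client identifier `key-insight-example`, and the sample lines are constructed assumptions.

```python
import ipaddress

# Source addresses listed on this page for Fortanix Key Insight.
KEY_INSIGHT_SOURCES = [ipaddress.ip_network(n) for n in (
    "149.14.69.36/32", "149.14.123.28/32", "184.104.204.100/32")]

# Constructed sample log. Hypothetical layout: time, source IP, client ID, event.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 149.14.69.36 key-insight-example token_issued
2025-01-10T08:03:12Z 203.0.113.7 key-insight-example token_issued
2025-01-10T08:04:40Z 198.51.100.20 other-integration token_issued
2025-01-10T09:00:02Z 184.104.204.100 key-insight-example token_issued
2025-01-10T09:15:33Z 149.14.69.37 key-insight-example token_issued
"""


def unexpected_sources(log_text, client_id):
    """Return (line number, source, reason) for entries of client_id that
    did not come from a listed Key Insight address."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[2] != client_id:
            continue  # malformed line or a different integration
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            findings.append((lineno, fields[1], "unparseable source"))
            continue
        if not any(addr in net for net in KEY_INSIGHT_SOURCES):
            findings.append((lineno, str(addr), "not a listed Key Insight address"))
    return findings


if __name__ == "__main__":
    for finding in unexpected_sources(SAMPLE_LOG, "key-insight-example"):
        print(finding)
```

Because each entry is a /32, the adjacent address on line 5 of the sample is flagged just like the unrelated one on line 2.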

4.2 Venafi Authentication Methods

Venafi supports the following authentication mechanisms to control how users and applications authenticate and obtain access to Venafi resources:

  • Secret-based authentication: An authentication method in which an application securely stores Venafi connection secrets (Venafi URL, username, password, and client identifier) and uses them to authenticate with Venafi and obtain an access token. This access token is then used to authorize subsequent Venafi API requests.

4.3 Select Connection Type

Perform the following steps to select the Venafi connection type:

  1. After you create and select the Fortanix Armor account, you are redirected to the Fortanix Armor Available Solutions page.

    1. Ensure that the appropriate Region is selected. The selected region determines where your data is processed and ensures that all subsequent steps, such as configuring connections and viewing scanned data in the user interface (UI), are displayed correctly for that region.

      For more information on configuring regions, refer to Fortanix Armor – Solutions.

  2. Click GO TO KEY INSIGHT.


    Figure 1: Access Fortanix Key Insight Solution

  3. On the Let's Set Up Your New Connection page, select the Vendor Applications option. The Venafi vendor application is selected by default.

  4. Click NEXT.

Figure 2: Access Venafi Connections

4.4 Set Up Authentication

Venafi supports secret-based authentication to control how users and applications obtain credentials to access Venafi certificates.

For definitions of the Venafi authentication methods, refer to Section 4.2: Venafi Authentication Methods.

4.4.1 Secret-Based Authentication

Perform the following steps to add secret-based Venafi authentication:

  1. In the Setup Authentication form,

    1. Enter the Venafi URL.

    2. Enter the Username.

    3. Enter the Password.

    4. Enter the Client ID.

    NOTE

    To obtain the Venafi credentials (Venafi URL, username, password, and client ID), contact your Venafi (CyberArk) administrator.

  2. Click NEXT.

Figure 3: Configure Secret-based Authentication

4.5 Set Up Connection

In the Setup Connection form, enter the following details:

  1. Enter a Venafi Connection Name. For example, Venafi connection.

  2. Click NEXT.

Figure 4: Configure a Venafi Connection

4.6 Add Fortanix Key Insight Policy

The Fortanix Key Insight System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Additionally, you can:

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 5: Fortanix Key Insight Policy

Click FINISH to complete the Venafi connection onboarding. After the connection is onboarded, you can access its Overview page and view the discovered certificates.

For more information about the Venafi connection overview and related UI elements, refer to the Venafi Connection-User Interface Components guide.

5.0 Manage Vendor Applications

The Connections page allows you to manage cloud, on-premises, external key source, and vendor application connections added to Fortanix Key Insight.

The VENDOR APPLICATIONS tab on the Connections page shows all the vendor application connections configured for the selected Fortanix Key Insight account.

Figure 6: Manage vendor application connections

You can perform the following on the Connections page:

  • Use the Search field to find a specific connection by entering its Name.

  • Click a connection to navigate to its corresponding Overview page.

  • View the VENDOR TYPE for each connection.

  • Click ADD VENDOR APPLICATION to add a new vendor application connection. For more information on adding a new Venafi connection, refer to Section 4.0: Configure a Venafi Connection.

NOTE

When adding or editing a vendor application,

  • On the Key Insight Policy page,

    • You can select any policy you have configured in the Policy Center instead of the default policy.

    • You can add a new user-defined policy using ADD POLICY.

    • You can copy and modify any policy using .

    • You can edit the user defined policy using .

      For more information on managing (add, duplicate and modify, edit, and delete) the cryptographic policies, refer to Cryptographic Policy Management.

    If you change or update the policy while adding or editing a cloud connection, you must rescan the cloud connection to apply the new policy.

  • For each vendor application connection, you can perform the following:

    • Edit

    • Delete

    • Rescan

    NOTE

    Only users with the Account Administrator and Group Administrator roles can perform add, edit, delete, and rescan operations.

5.1 Edit the Vendor Application

Use this feature to update the vendor application connection details when required.

Perform the following steps to edit the vendor application connection:

  1. Click on the required connection.

  2. Select Edit.

  3. On the Vendor Application Connections page, update the required details in each step, if required.

  4. Click SAVE to update the details.

5.2 Delete the Vendor Application

Use this feature to remove a vendor application connection and its associated information.

Perform the following steps to delete the vendor application connection:

  1. Click on the required connection.

  2. Select Delete.

  3. In the Delete dialog box, read the details and enter the scanner name in the text box.

  4. Click CONFIRM.

Warning

Deleting the vendor application connection is irreversible.

After deletion, the vendor application will no longer appear in the list on the Connections page.

5.3 Rescan the Vendor Application

Use this feature to retrieve the latest resources available for the vendor application.

Perform the following steps to rescan a vendor application connection:

  1. Click on the required connection.

  2. Select Rescan.

  3. Click START SCANNING to restart the scan. If the scan is successful, it will update the LAST SCANNED column with the latest scan date and time.

6.0 Delete Fortanix Key Insight Account

Deleting a Fortanix Key Insight (KI) account is the same as deleting a Fortanix Armor account, since Fortanix Key Insight is part of the Fortanix Armor platform.

For more information on deleting the Fortanix Key Insight (Fortanix Armor) account, refer to Fortanix Armor - Getting Started.