# Sample vcert playbook: authenticate to TPP with a PKCS12 client certificate
# that this same playbook enrolls and installs (certificate task "apiP12",
# referenced from credentials.p12Task). The token fields are intentionally
# left empty in this sample; do not commit real tokens to version control.
config:
  connection:
    platform: tpp
    url: https://my.tpp.instance.company.com
    credentials:
      # Left empty on purpose. If the accessToken is invalid, the refreshToken
      # and then the client certificate (in that order) are used to obtain a
      # new one. A valid accessToken (or refreshToken) can be supplied while
      # the PKCS12 certificate does not exist yet (e.g. a one-time token) so
      # that the first run can enroll the certificate used by later runs.
      accessToken:
      # If the refresh token is invalid or missing, the client certificate is
      # used to obtain a new accessToken.
      refreshToken:
      # API application in TPP; "Domain Computers" must be added as a valid
      # user of it so that computer accounts can authenticate.
      clientId: vcert-playbook
      # Name of the certificate task below whose PKCS12 output is the client
      # certificate used for authentication.
      p12Task: apiP12
      # OAuth scope requested for the token; keep it limited to what the
      # playbook needs.
      scope: certificate:manage
certificateTasks:
  - name: apiP12  # referenced by credentials.p12Task above
    renewBefore: 5%
    request:
      csr: local
      subject:
        # An AD computer account can use a certificate to obtain access/refresh
        # tokens from TPP:
        # - Use either HOSTNAME$ (the sAMAccountName) or HOSTNAME@example.com in
        #   either the CN or the UPN (depending on your TPP config). AD does not
        #   set a UPN on computer accounts by default, so either add one to the
        #   computer account or use the sAMAccountName.
        # - Computer accounts cannot be granted access to API applications by
        #   default; set up a group (or use "Domain Computers" for all computer
        #   accounts).
        commonName: '{{ Hostname | ToLower -}}$'  # sAMAccountName form
      sanUpn:
        # UPN form; replace the suffix with your own AD UPN suffix.
        - '{{ Hostname | ToLower -}}@lab.securafi.net'
      # Grant permissions on this policy folder to "Domain Computers".
      zone: Certificates\ClientAuth
    installations:
      - format: PKCS12
        # This file holds the private key used to authenticate to TPP.
        # NOTE(review): confirm it is written with owner-only permissions and
        # that the playbook runs as the intended service account — neither is
        # shown in this file.
        file: '{{ Env "HOME" }}/.vcert/vcertAuth.p12'