Prerequisites

On-premise deployments using AppViewX PKIaaS Native CA
  1. Ensure these plugins are available:
    • avx_pkiaas_ca_server
    • avx_pkiaas_cert_ocsp_server
    • avx_pkiaas_cert_ocsp_generator
    • avx_platform_gateway_external
    • avx_vendor_cert_scep_agent
  2. Ensure these plugins are enabled and running.
  3. OCSP HTTP Response Verification
    • Use the following command to verify that the service exposing the OCSP port is present:
      kubectl get svc -A | grep "avx-platform-gateway-scep"
    • Ensure that port 30022 is listed in the PORT(S) column of the avx-platform-gateway-scep service. This port serves the OCSP HTTP responses that clients use to check certificate status (and SCEP; see Network Prerequisites below).
  4. Configure an SMTP server and verify it by sending test emails to the custodians' email addresses.
  5. Provide a CA name for reference and activate it under (Menu) icon > CERT+ > Administration > Certificate Authority.
  6. Onboard at least two custodians before creating the CA hierarchy. Add custodians under (Menu) icon > PKI+ > Custodian Management; each custodian needs the following privileges under RBAC roles and resources:
    • Roles: automation > service request full
    • PKI > view all (optional)
    • Resources: workflow studio, workflow request > PKI+, approval_request
    Note: No CA action is possible until at least two active custodians are in the system.
  7. Network Prerequisites
    • All infrastructure network devices must be able to connect to the AppViewX nodes on port 31443 (Web UI, API calls, CRL).
    • All infrastructure devices must be able to connect to the AppViewX nodes on port 30022 (OCSP and SCEP).
    • AppViewX must be able to connect to the SMTP server to send test emails to the custodians' email addresses.
  8. (Optional) Load balancer configuration for OCSP and CRL:
    • To publish the CRL to users/devices that have no external (internet) access in a SaaS deployment:
      • Edit the certificate issuance template to include a custom CRL Distribution Point (CRLDP) that uses the LB URL.
      • The LB URL must load-balance across the cloud connector (CC) URLs listed below.
      • URL to be configured in templates: https://[LB Host]:[httpsport]/avxapi/download-crl/[CA_Name]/crl.crl
      • LB backends: https://[CC1 Host]:30020/avxapi/download-crl/[CA_Name]/crl.crl, https://[CC2 Host]:30020/avxapi/download-crl/[CA_Name]/crl.crl
    • To publish the OCSP URL to users/devices that have no access to the SaaS tenant:
      • Create a certificate issuance template for those endpoints to enroll from, and set its custom OCSP URL to the LB URL.
      • The LB URL can be load-balanced across cloud connectors.
      • URL to be configured in templates: https://[LB Host]:[httpsport]/ocsp
      • LB backends: http://[CC1 Host]:30022/ocsp, http://[CC2 Host]:30022/ocsp
      • Note: the LB terminates TLS while the cloud connectors serve OCSP over plain HTTP on 30022. A client has to validate the LB's own server certificate before it can reach the responder, so do not issue that certificate with an OCSP URL pointing back at the same LB; its status check would then depend on itself.
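The following pre-flight script is an added example and not AppViewX tooling. It ties together the checks from steps 3, 7 and 8: parsing `kubectl get svc -A` for the 30022 NodePort, probing the nodes on 31443 and 30022, and downloading the LB-published CRL and querying the LB-published OCSP URL built from the templates above. The kubectl output embedded in SAMPLE_SVC is constructed so the parser can be exercised offline; the host names, LB port, CA name and the issuer.pem/leaf.pem file names are hypothetical and can be overridden through the environment. It assumes kubectl, curl, openssl and timeout are installed when run with --live, and, because the page does not state whether the download-crl endpoint returns DER or PEM, it tries both encodings.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the prerequisites above: NodePort exposure (step 3),
# node reachability (step 7) and the LB-published CRL/OCSP URLs (step 8).
# Added example, not AppViewX tooling. Without --live only the offline parser
# check on the constructed sample runs; --live needs kubectl, curl, openssl, timeout.
set -u

# Hypothetical hosts, port, CA name and certificate files; override via environment.
LB_HOST=${LB_HOST:-pki-lb.example.internal}
LB_PORT=${LB_PORT:-443}
CA_NAME=${CA_NAME:-ExampleIssuingCA}
AVX_NODES=${AVX_NODES:-"avx-node1.example.internal avx-node2.example.internal"}
ISSUER_PEM=${ISSUER_PEM:-issuer.pem}
LEAF_PEM=${LEAF_PEM:-leaf.pem}

# Constructed sample of `kubectl get svc -A` output (not captured from a real tenant).
SAMPLE_SVC='NAMESPACE   NAME                        TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)                           AGE
appviewx    avx-platform-gateway-scep   NodePort   10.96.12.5   <none>        30022:30022/TCP,30020:30020/TCP   12d
appviewx    avx-pkiaas-ca-server        ClusterIP  10.96.12.9   <none>        8443/TCP                          12d'

# svc_has_port NAME PORT SVC_OUTPUT -> 0 if service NAME lists PORT in PORT(S)
# (column 6 of `kubectl get svc -A`), 1 otherwise. The regex stops 30022 from
# matching inside a longer number such as 130022.
svc_has_port() {
  printf '%s\n' "$3" \
    | awk -v n="$1" '$2 == n { print $6 }' \
    | grep -Eq "(^|[^0-9])$2([^0-9]|$)"
}

# URL builders following the templates in step 8.
crl_url()  { printf 'https://%s:%s/avxapi/download-crl/%s/crl.crl' "$1" "$2" "$3"; }
ocsp_url() { printf 'https://%s:%s/ocsp' "$1" "$2"; }

# tcp_reachable HOST PORT -> 0 if a TCP connect succeeds within 5 s (bash /dev/tcp).
tcp_reachable() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# check_crl URL: download the CRL and print its validity window. The page does not
# say whether download-crl returns DER or PEM, so both encodings are tried.
check_crl() {
  tmp=$(mktemp) || return 1
  rc=0
  if curl -fsS --max-time 10 -o "$tmp" "$1"; then
    openssl crl -inform DER -in "$tmp" -noout -lastupdate -nextupdate 2>/dev/null \
      || openssl crl -inform PEM -in "$tmp" -noout -lastupdate -nextupdate || rc=1
  else
    echo "CRL download failed: $1"; rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# check_ocsp URL ISSUER LEAF: ask the responder for LEAF's status and verify the
# response signature against ISSUER (-CAfile) instead of skipping it with -noverify.
check_ocsp() {
  openssl ocsp -issuer "$2" -cert "$3" -url "$1" -CAfile "$2"
}

main() {
  if [ "${1:-}" = "--live" ]; then
    svc=$(kubectl get svc -A) || exit 1
    if svc_has_port avx-platform-gateway-scep 30022 "$svc"; then
      echo "OK: avx-platform-gateway-scep exposes 30022"
    else
      echo "FAIL: 30022 not listed for avx-platform-gateway-scep"
    fi
    for node in $AVX_NODES; do
      for port in 31443 30022; do
        if tcp_reachable "$node" "$port"; then echo "OK: $node:$port"; else echo "FAIL: $node:$port unreachable"; fi
      done
    done
    check_crl "$(crl_url "$LB_HOST" "$LB_PORT" "$CA_NAME")"
    check_ocsp "$(ocsp_url "$LB_HOST" "$LB_PORT")" "$ISSUER_PEM" "$LEAF_PEM"
  elif svc_has_port avx-platform-gateway-scep 30022 "$SAMPLE_SVC"; then
    echo "sample output: 30022 listed (run with --live against the cluster)"
  fi
}
main "$@"
```

Run it as `./preflight.sh --live` from a host that has the tenant's kubeconfig and network position of the enrolling devices; a FAIL on 31443 or 30022 for any node means step 7 is not met, and a failing check_ocsp with a working tcp_reachable on 30022 points at the LB's TLS termination or the responder's signing chain rather than the network.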