AppViewX PKIaaS Native CA

AppViewX PKIaaS Native is a Certificate Authority (CA) available within the AppViewX CLM platform. It enables organizations to issue, manage, and automate the lifecycle of digital certificates using an AppViewX PKIaaS (PKI as a Service) deployment. The CA settings support both internal and external configurations, allowing flexibility for enterprise PKI architectures.

Prerequisites

Before configuring an AppViewX PKIaaS Native CA account, ensure the following information is available:

  • Base URL of the AppViewX PKIaaS Native instance (when CA Type is External).
  • Valid credentials to access the AppViewX PKIaaS Native instance (when CA Type is External).
  • A properly configured data center (CA agent) in the AppViewX CLM instance (when CA Type is External).
  • Administrator access to the AppViewX CLM instance.

Configuring an AppViewX PKIaaS Native CA Account

To configure an AppViewX PKIaaS Native CA:

  1. Go to Menu > CLM > ADMINISTRATION > Certificate Authority.

    The Certificate Authority page appears.

  2. On the Certificate Authority page, select AppViewX PKI from the CA list on the left.

    The Certificate Authority page for AppViewX PKI appears.

  3. Click the AppViewX PKIaaS Native tab.
  4. To onboard your first AppViewX PKIaaS Native CA account in AppViewX, click Configure Now.

    The page is updated to display the fields for onboarding an AppViewX PKIaaS Native CA account.

  5. Enter or select the General Information for the CA account.
    Table 1. General Information Field Description
    Field Description
    *CA Type

    Specifies whether the AppViewX PKIaaS Certificate Authority is internal or external to the current AppViewX environment. Select one of the following options:

    • Internal: Choose Internal when the PKI Certificate Authority is provisioned and operated within the same AppViewX infrastructure. This option is used when AppViewX PKIaaS is deployed and managed in the same tenant or environment as CLM. Internal CAs are typically used for issuing certificates to internal systems, services, and users within the organization's own PKI infrastructure.
    • External: Choose External to connect to an AppViewX PKIaaS Native Certificate Authority that is deployed and managed in a separate tenant or environment. This option allows CLM to communicate with a remote AppViewX PKIaaS instance, enabling cross-environment or multi-tenant PKI integrations where the CA operates independently from the current AppViewX deployment.
    *CA Account Name

    A unique identifier for the CA account configuration. Special characters other than period (.), hyphen (-), and underscore (_) are not allowed. The name must not begin with a special character.
    Note: The following fields are displayed only when CA Type is set to External.
    *Data Center

    Select the data center through which CA communication is routed.

    Proxy Required

    Enable this option if the CA communication must be routed through a configured proxy server. When enabled, the proxy details configured in the General Settings of AppViewX are applied for all CA communications.
    Note: To manage proxy settings, refer to Managing Proxy Settings.
    *: Mandatory fields
  6. Enter or select the CA Configuration details.
    Table 2. CA Configuration Field Description
    Field Description
    *Base URL

    The base URL of the AppViewX PKIaaS Native instance. This is the endpoint used to connect to the CA.

    For example: https://pkica.appviewx.com:443

    *Authentication Type

    Specifies how API requests to the CA are authenticated. Choose Basic Authentication to use a username and password, or Client Credentials to use OAuth 2.0 with a Client ID and Client Secret to get an access token for secure communication.

    *Username
    Note: This field is displayed when Authentication Type is set to Basic Authentication.

    The username used for Basic Authentication to the AppViewX PKIaaS Native CA instance.

    Note: To manage users, refer to the user management documentation.
    *Password
    Note: This field is displayed when Authentication Type is set to Basic Authentication.

    The password associated with the specified username for authenticating to the AppViewX PKIaaS Native CA instance.

    *Client ID
    Note: This field is displayed when Authentication Type is set to Client Credentials.

    A unique ID assigned to your application or service. It is used together with the Client Secret to obtain an access token.

    Note: To manage service accounts, refer to the service account documentation.
    *Client Secret
    Note: This field is displayed when Authentication Type is set to Client Credentials.

    A confidential secret linked to the Client ID. It is used with the Client ID to obtain an access token. Keep this value secure and do not share it.

    *: Mandatory fields
  7. Configure the Advanced Settings for the CA account.
    Table 3. Advanced Settings Field Description
    Field Description
    Retry Required

    Enable this toggle to allow AppViewX to automatically retry failed CA communication requests. When enabled, the system retries the connection in the event of a transient failure or timeout.
    Note: Enabling this option displays the Retry Count and Retry Frequency fields. This setting is disabled by default.

    *Retry Count

    Specifies the maximum number of times AppViewX will attempt to retry a failed CA communication request.
    Note: This field is displayed only when the Retry Required toggle is enabled. Enter a numeric value to define the retry limit. Default value: 1.

    *Retry Frequency

    Specifies the time interval (in seconds) between consecutive retry attempts for a failed CA communication request.
    Note: This field is displayed only when the Retry Required toggle is enabled. Enter a numeric value to define the interval between retries. Default value: 1.

    Select Certificate Authorities
    Note: This field is displayed only when you are updating an existing CA configuration.
    Select the Certificate Authorities from the dropdown. Certificates issued by the selected CAs are maintained in Managed status in the CLM inventory; certificates issued by CAs that are not selected are maintained in Monitored status. Additionally, settings configured within CLM take precedence over PKI.

    *: Mandatory fields
  8. Click Activate.
    Note: If the connection fails, you can manually verify the connection status by clicking the Check button in the Connection Status field.

Validating the AppViewX PKIaaS Native CA Connection Status

To manually verify the connection status of a configured AppViewX PKIaaS Native CA account:

  1. Go to Menu > CLM > ADMINISTRATION > Certificate Authority.

    The Certificate Authority page appears.

  2. Select AppViewX PKI from the CA list on the left.

    The Certificate Authority page for AppViewX PKI appears.

  3. Click the AppViewX PKIaaS Native tab.
  4. In the Connection Status field, click Check.
    Note: The system connects to the PKI tenant, retrieves the available CAs and templates, and validates the CA communication.

    The system then displays a success or failure message along with the timestamp of the last validation.

    Note: If you change any value in the form while the connection status check is in progress, the Check button is disabled. It is enabled again after you click Update.
    Important: If the connection check fails repeatedly, verify that the Base URL is reachable from the configured data center and that the credentials provided are valid. Ensure that no firewall rules are blocking communication between the AppViewX CA agent and the PKIaaS Native endpoint.
    Important: If the connection check fails, the system retains the last successful CA account configuration.
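
The reachability checks in the troubleshooting note above can be split into DNS, TCP and TLS stages and run on the CA agent host to see which one fails. This is an added example, not AppViewX code: the function names are hypothetical, it assumes a direct connection (Proxy Required disabled), and it does not test the credentials.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_base_url(base_url):
    """Return (host, port) from an https Base URL; raise ValueError otherwise."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Base URL must look like https://host[:port]")
    return parts.hostname, parts.port or 443


def check_endpoint(base_url, timeout=5.0, context=None):
    """Probe DNS, then TCP, then TLS; return (stage, detail).

    stage names the first step that failed ('dns', 'tcp', 'tls') or is 'ok'.
    """
    host, port = parse_base_url(base_url)
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)  # name does not resolve from this host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)  # refused, timed out, or dropped by a firewall
    # The default context verifies the certificate chain and the host name.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return "tls", str(exc)  # untrusted chain, name mismatch, or not TLS


# Usage on the CA agent host: python check_ca_endpoint.py <Base URL>
if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_endpoint(sys.argv[1]))
```

A `tcp` result points at routing or firewall rules between the data center and the endpoint, while a `tls` result usually means the agent host does not trust the endpoint's certificate chain or something other than the CA is answering on that port.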

Understanding the Connection Status

The Connection Status field in the CA account inventory provides real-time information about the health of CA communication. The following table describes the possible status values:

Status | Description
In Progress | The CA account configuration has been saved and the initial connection verification is underway.
Success | The CA account is successfully configured and communication with the AppViewX PKIaaS Native CA has been established.
Failed | The connection to the CA could not be established. Verify the Base URL, credentials, and network connectivity. Click Check to retry the validation.