Bulk Import Certificates to TPP (Prior to 17.2)

This article covers the steps required to bulk import Certificates into Venafi Trust Protection Platform (TPP). This process leverages the Venafi Server Agent’s ability to discover and upload certificates into the TPP database.  This process also properly prevents any attempt to import ‘duplicate’ certificates into the database.

The import process expects that all certificates to be imported exist as individual certificate files within a single folder. It will also support importing a single text file that contains multiple Base64-encoded certificates.

For instructions on how to import bulk certificates on versions after 17.2 click here.


The bulk import process follows these high-level steps. Details for each step are documented below.

  1. Configure Agent Registration
  2. Configure an Agent Group and Certificate Discovery Work
  3. Install the Agent on the Trust Protection Platform server
  4. Copy the certificates into the specified folder, and ‘restart’ the Agent service to initiate discovery and import

Configure Agent Registration

Launch Aperture select “Agent Registration” within the Configuration menu:

Select Agent Registration and then click “Create New” to create a new registration password:

Select a folder to store the credential object, and provide a Credential Name, and Password:

Before saving, make a note of the TPP Server Certificate Thumbprint. This will be used during the Server Agent install and configuration in a later step.

Configure an Agent Group and Certificate Discovery Work

In Aperture, click on Agents and select Groups:

Name and add a new group:

Adjust the Membership Criteria for this group to target only the TPP server (or server where the Agent will be installed):

Click on Work, then select Certificate Discovery. Select “Yes” to enable Certificate Discovery. Set scan interval to “On Receipt” and set the scan path to the folder where you’ll place certificates for import on your server (i.e. c:\CertImports):

Add .txt extension to the PEM category so the Agent will pick up multiple certificates in one file:

Select a policy that will store the imported certificates:

Select a policy folder in which to place the imported certificates. More complex placement rules may be specified here if desired:

Finally, select Device Placement and click “Yes” to enable ‘Place newly-discovered devices’. Select “From single folder” and choose a folder to place the device object that will be created:

NOTE: Agent Group assignments and work are cached within IIS to ensure adequate performance for several thousands of agents checking in. It may be necessary to 'Recycle the Application Pool' for the VEDClient web application, or simply perform an iisreset on the TPP server before continuing!

Install the Agent on the Trust Protection Platform server

Initiate the Agent installation by running the venafi-agent-xx.x.x-windows-x64.msi installation package. The agent version should match your TPP version and is distributed within the TPP installation zip file which can be downloaded from

Choose the appropriate options for your environment, and complete the installation. When the installation is completed, click Finish. Do not start the Agent service until it has been configured:

In an Administrator command prompt, change directories to where the Agent was installed (typically “C:\Program Files\Venafi\Platform"):

Set server URL to be the fully-qualified hostname of the TPP server using the following command:
vagent.exe -m server_url=https://{}/vedclient

Next, set the server thumbprint (captured from the Agent Registration step in Aperture) using the following command:

vagent.exe -m server_thumbprint={thumbprint from Agent Registration}

Finally, set the registration password using following command:

vagent -m registration_password={registration password created}

The current settings can be confirmed using the command:

vagent -l all

Note: Check that the settings from previous steps are present. Password and thumbprint will disappear once Agent has registered.

Copy the certificates into the specified folder

Ensure that the folder previously specified within the Certificate Discovery configuration exists:

Copy the certificates to be imported into the folder:

Restart the Venafi Agent service to initiate an immediate discovery and import:

The progress of the certificate discovery and import can be monitored in Windows’ Application Event Log. Once the discovery operation is complete, the certificates should be populated within the policy folder specified on the Certificate Discovery configuration.




Was this article helpful?
0 out of 0 found this helpful