Info: Venafi Operational Certificate

Applies to:

Venafi Trust Protection Platform 14.1 and higher


To secure and protect the Venafi Trust Protection Platform web services created and used by Aperture™, Web Administration Console, the Web SDK, the log server, and the new client subsystem—Director now automatically redirects HTTP requests to HTTPS and provides a server certificate. Previously, Director installed a hard-coded certificate for the log server and web services were http only by default (SSL had to be configured manually). This method ensures that the user and agent authentication process is secure while also supporting Trust Protection Platform installations in lab or test environments.

During installation, Venafi Trust Protection Platform creates a new policy container in the Policy tree called "Venafi Operational Certificates". If you have already installed your own CA-issued certificate onto the IIS server, the Venafi Platform simply adopts that certificate and creates an object for it in the Venafi Operational Certificate policy. If a certificate is not found, Director creates a self-signed certificate. This ensures that a valid certificate is in place that secures connections with Director web and log services. The name of the certificate object is the hostname of the server.

Replacing & Updating the Certificate:

To replace the certificate with a trusted certificate:

  1. Setup a Certificate Authority template object in the policy tree
  2. On your Venafi Operational Certificate, change the Management Type to "Enrollment" and associate the certificate with the CA template
  3. Complete the SubjectDN settings with the appropriate Common Name, Subject Alternative Names, and Organization Name, etc.
  4. Renew the certificate
  5. Next time the Log Server Service restarts, IIS restarts, or application pools refresh, the new certificate will take effect.

Multiple Trust Protection Platform Servers

For each Venafi Trust Protection Platform server in a given environment, installation will create an Operational Certificate for each one under the "Venafi Operational Certificate" policy container.  To control what each server uses:

  1. Navigate to the Platform Tree
  2. Select the Director Server
  3. Navigate to the "Venafi Encryption Director" tab
  4. Select a certificate under the "Operational Certificate" section to select the certificate you want to use.  The certificate you select must have a the matching private key in order to be used by Web Services and Logging Services.

Multiple servers can use the same operational certificate, just make sure the certificate has the needed DNS Subject Alternative Names so that the certificate can validate correctly for all servers the certificate will be used on.

Upgrading to Trust Protection Platform 14.1

It is common to have the certificate that the Venafi Platform is using for IIS already configured in the policy tree and configured for provisioning.  Associating a device/application object and setting the certificate management level to provisioning is no longer necessary.  When you upgrade, the installation will pull the certificate from IIS into the Policy tree, sometimes creating a duplicate of a certificate that may already be in the policy tree.  It is recommended to confirm that the correct certificate resides in the Venafi Operational Certificate policy container and delete your existing certificate/device/application objects used to provision to IIS in previous versions.


If the Venafi Log Server is writing errors to the application log, check the Venafi Operational Certificate for:

  • Make sure the private key stored
  • Check if there is a public/private key mismatch
  • Check that Venafi Trust Protection Platform has the proper chain for the certificate if it is not self-signed.


Was this article helpful?
1 out of 1 found this helpful