How to: Apply a Venafi Patch


Applies To:

TPP Versions prior to 20.4

TPP Versions after 20.4 use the following procedure:

Installing Updates

Venafi will occasionally release patches during a product’s lifecycle to address defects and/or security vulnerabilities. For critical patches, Venafi Customer Support will provide notifications to customers of an available update/patch.

These updates are not to be confused with product upgrades, which often introduce new features in addition to bug fixes. Product upgrades require additional processes and are typically documented with the installation files. An overview of a typical upgrade process is also included in this document.


In order to successfully apply a patch you need:

- Local Administrator privileges on the Venafi Server

- A Venafi Local Master Admin account

- If using Windows Authentication against the database, Read / Write permissions against the Venafi database for the current logged-on user

Downloading Update Packages

To download the Venafi software packages and updates, log in to the download site with your Venafi account login credentials. Customer Support can provide assistance with login credentials if needed.  Updates are distributed as "VUPKG" or (more commonly) "ZIP" files and are typically found within the specific product version on the download site.

Venafi will only keep the latest patch for each supported version; all our patches are cumulative.

If you cannot see your version, and the version is still under support, check the Current folder for the current release and the Previous folder for previous releases.  Venafi patches can contain an Agent Upgrade package and/or a Trust Protection Platform upgrade package. The upgrade package may also contain one or more SQL scripts that must be run prior to installing the TPP patch.  Because all Venafi patches are roll-up or stand-alone patches, you never need to install any intermediate patches when upgrading to the latest version.


For example, if you were on 17.2.3, and were planning to upgrade to 17.3, you would install the base 17.3 release, then download and install the 17.3.5 (currently latest) patch.  This patch contains SQL scripts last released with the 17.3.2 patch and is thus named with that version. 


Patches that contain SQL scripts will also have a KB article released with them at the same time to give specific details on how to execute the SQL scripts.  Another example is that the latest 18.2 patch is 18.2.2 which contains an Agent Upgrade package as well as a TPP upgrade package.  Agent Upgrade packages also contain instructions for how to properly install them.

Another example, the latest patch for Trust Protection Platform 18.3 is available at:

\Trust Protection Platform\Previous\18.3.x\ where x is the latest version



Once the update package (zip) file is downloaded and unzipped, the .vupkg file must be moved to the [Venafi Install Location]\Packages directory on the server so that it can be installed with the VenafiUpdater tool.


Backing up your Venafi Database

It is suggested that, before applying any patch in production, you ensure that you have a recent backup of your database.  In a worst-case scenario, this backup can be used to fall back from a failed upgrade.

Performing Update

NOTE: Only update one Venafi Trust Protection Platform (TPP) server at a time.  Attempting to apply an update to more than one TPP simultaneously may cause an update to fail.  Most updates require that the Venafi services are stopped before performing the update.

Some Venafi patches contain an update for the Venafi Updater that needs to be installed prior to applying the patch. If the patch contains a nested zip named "Updater <version>.zip", extract it and install the MSI package to upgrade the Venafi Updater before proceeding with applying the patch. 



To perform the update, launch VenafiUpdater.exe with Administrative privileges. (i.e. Right-Click and Run As Administrator)


Venafi Updater will show the list of patches from the Venafi\Packages folder which are available for install. Release notes are displayed in the bottom window.


Highlight the desired package, and click "Install".


Since 17.1, all Venafi TPP patches have required that you enter your Venafi local master admin account details, and click "Ok".  This is required because the patch will add a new attribute to the database indicating the version installed.


Successful installation of the patch will remove the patch from the list.


This process needs to be repeated on each Venafi Platform server.

After installation, you can check what patches are installed, and when they were installed.  The default view in VenafiUpdater is the 'Available' patches view shown earlier, but you can also select the 'Installed' patches view, which will show all currently installed patches, and the log file from when it was installed.



If you get an Error

It is common to get an error such as: 

"The process cannot access the file {File Specified} because it is being used by another process.Error encountered during installation; rolling back install actions"

If you get this error, please stop IIS and make sure that the Windows Administration Console is closed for all users logged on to the machine.  Make sure to restart IIS after the patch successfully installs.


Applying Patch from Command Line

Patches can also be applied from the command line.  For example, here is how a 19.3.2 patch could be applied to a 19.3.0 system if your username was bob.smith and your password was "ExamplePassword":

The package needs to refer to the filename of the package that is residing in the Venafi\Packages folder.

cmd /c VenafiUpdaterConsole.exe -install -package="Patch" -username=bob.smith -password=ExamplePassword
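
The staging and command-line steps above can be combined in one script. The following is an added example, not Venafi's own tooling: it unzips the download, stops if a nested Updater zip is present, copies the .vupkg into the Packages directory, prompts for the local master admin account instead of hard-coding it, and stops IIS around the install. The parameter names and the paths passed to them are assumptions supplied by the operator; only the VenafiUpdaterConsole.exe options shown on this page are used.

```powershell
#Requires -RunAsAdministrator
# Added example: stage a downloaded TPP patch and apply it with VenafiUpdaterConsole.exe.
# Every parameter value is a site-specific assumption supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $PatchZip,        # downloaded update package (zip)
    [Parameter(Mandatory)] [string] $VenafiRoot,      # [Venafi Install Location]
    [Parameter(Mandatory)] [string] $UpdaterConsole,  # full path to VenafiUpdaterConsole.exe
    [Parameter(Mandatory)] [string] $PackageName      # package filename as it appears in Packages
)
$ErrorActionPreference = 'Stop'

# Unzip into a scratch folder so the Packages directory only ever receives .vupkg files.
$work = Join-Path $env:TEMP ("tpp-patch-" + [guid]::NewGuid())
Expand-Archive -Path $PatchZip -DestinationPath $work

# A nested "Updater <version>.zip" means the Venafi Updater MSI must be installed first.
$nested = Get-ChildItem $work -Recurse -Filter 'Updater *.zip'
if ($nested) { throw "Install the Venafi Updater from '$($nested[0].FullName)' first, then re-run." }

# Copy each .vupkg into Packages and print its SHA-256 for the change record.
$packages = Join-Path $VenafiRoot 'Packages'
foreach ($pkg in Get-ChildItem $work -Recurse -Filter '*.vupkg') {
    Copy-Item $pkg.FullName -Destination $packages
    Get-FileHash (Join-Path $packages $pkg.Name) -Algorithm SHA256 | Format-List Path, Hash
}

# Prompt for the Venafi local master admin account; nothing is stored in the script.
$net = (Get-Credential -Message 'Venafi local master admin account').GetNetworkCredential()

# Stop IIS first to avoid the "file is being used by another process" error.
iisreset /stop
try {
    & $UpdaterConsole -install "-package=$PackageName" "-username=$($net.UserName)" "-password=$($net.Password)"
    # The meaning of the exit code is not documented on this page; it is only reported.
    Write-Host "VenafiUpdaterConsole exit code: $LASTEXITCODE"
} finally {
    # Restart IIS even if the updater fails, so the server is not left with IIS stopped.
    iisreset /start
    Remove-Item $work -Recurse -Force
}
```

The password is still handed to VenafiUpdaterConsole.exe as a command-line argument, so it appears in any process-creation logging that captures command lines; prompting only keeps it out of script files and shell history.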

Related Articles

How To: Check Current Director Version And Installed Patches

How To: Uninstall Venafi Patch

How To: Reapply a patch for Trust Protection Platform

Info: Trust Protection Platform Patches Are Now Signed
