Important Considerations before Upgrading to Trust Protection Platform 16.1.0 or 16.1.1

Applies to:

Venafi Trust Protection Platform 16.1.0


The release of Venafi Trust Protection Platform 16.1.0 is considered a maintenance release. Although it contains some new functionality, such as an enhanced certificate API and the ability to install client device certificates through the Enterprise Mobility product, the primary focus is on fixing issues and refactoring areas of the product to improve stability and performance.  Please carefully read through this Knowledgebase Article prior to upgrading. For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 16.1.0.

Please carefully read through the entire list of considerations before upgrading your production environment of Venafi Trust Protection Platform to version 16.1.0.

More Information on Venafi Trust Protection Platform 16.1.0 Life Cycle:

More Info:

Supported Upgrade Path

To upgrade to Venafi Trust Protection Platform 16.1.0, your current installation must be on Trust Protection Platform 14.2.2 or greater.

The following table shows the supported upgrade paths. It outlines which versions of Venafi can upgrade directly to Venafi Trust Protection Platform 16.1.0, and which versions need to be updated to an intermediate version prior to the final upgrade.

Warning: It may be possible to successfully upgrade directly to Venafi Trust Protection Platform 16.1.0 on versions not outlined on the table below, but those upgrade paths have not been fully tested.  

Current Version                     Final Version
Trust Protection Platform 14.2.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 14.3.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 14.4.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 15.1.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 15.2.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 15.3.x    Venafi Trust Protection Platform 16.1.0
Trust Protection Platform 15.4.x    Venafi Trust Protection Platform 16.1.0


Supported Browsers

Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1.0.  Core Libraries of Aperture have been updated for security fixes and performance enhancements that have made Aperture incompatible with Internet Explorer 8.  In 16.1.0, Aperture will not load on IE8.  Make plans now in your organization to make sure end users have a modern browser available to them.

Also, in 16.1, our Supported Browsers have been updated to Internet Explorer 11 and Mozilla Firefox ESR 38. The latest version of Google Chrome is still categorized as a compatible browser.

See Article: Why we deprecated Internet Explorer 8 

Deprecated: Aperture License Dashboard Widget and Filter

The License Dashboard Widget and the Certificate list License Filter have been removed from the product.  If this filter was used in a saved Custom Report, the report should be updated to remove this filter.  Licensing information should be retrieved using the canned licensing report found in the Web Administration Console.

Certificate Settings Read-only during Enrollment Processing or while In Error

In Trust Protection Platform 15.4.0, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or in Error.  To make changes to the certificate (e.g., change the common name of the certificate), users will need to Reset the certificate state in the Web Administration Console first.

Further security-related changes have been made in 16.1 that now prevent users from altering a certificate request after it has progressed beyond the start of the renewal process, such as uploading a CSR.  As such, any certificates that are waiting for a new CSR to be uploaded prior to upgrading to 16.1 will need to be reset and restarted using WebAdmin after successfully upgrading Trust Protection Platform in order to complete the certificate renewal.

Password Complexity Requirement on by default

In Trust Protection Platform 15.4.0, there was a new password complexity requirement for downloading certificates that contain private keys from the Web Administration Console or Aperture.  This requirement can be turned off by administrators via policy, but it is on by default and will probably be a change for most end users.

Change in Requirements for Database Service Account Permissions

Enhancements made in 15.1.0 and 15.3.0 have changed the permissions required by the service account used to connect to the database. Due to changes to permissions calculations and log delivery, the database service account that the Venafi Platform uses now requires "Execute" permissions to specific stored procedures in addition to "Receive" permissions to specific message queues.  This is in addition to DataReader and DataWriter that have traditionally been required.  Please see the following example scripts for assigning the correct permissions to the database service account.
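
The following audit query is an added example, not one of Venafi's example scripts: it lists what the database service account can actually do, so the Execute and Receive grants can be confirmed after the upgrade and any broader privilege spotted. It assumes Microsoft SQL Server and a hypothetical database user named venafi_svc; run it in the Trust Protection Platform database.

```sql
-- Added example: audit the effective grants of the database service account.
-- Assumptions: Microsoft SQL Server; 'venafi_svc' is a hypothetical user name.
DECLARE @svc sysname = N'venafi_svc';

-- 1. Fixed database role membership. The article calls for DataReader and
--    DataWriter; db_owner or other broad roles are more than it requires.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @svc
ORDER BY r.name;

-- 2. Object-level grants: EXECUTE on stored procedures and RECEIVE on
--    Service Broker queues (queues appear in sys.objects as SERVICE_QUEUE).
SELECT p.permission_name,
       p.state_desc,                          -- GRANT, DENY, ...
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS object_name,
       o.type_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
JOIN sys.objects             AS o ON o.object_id    = p.major_id
WHERE u.name = @svc
  AND p.class = 1                             -- object or column
  AND p.permission_name IN (N'EXECUTE', N'RECEIVE')
ORDER BY p.permission_name, schema_name, object_name;

-- 3. Database-wide or schema-wide grants. CONNECT at database level is
--    expected; a blanket EXECUTE or CONTROL here means the account was
--    granted more than the specific procedures and queues.
SELECT p.class_desc,
       p.permission_name,
       p.state_desc,
       CASE p.class WHEN 3 THEN SCHEMA_NAME(p.major_id) END AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = @svc
  AND p.class IN (0, 3)                       -- 0 = database, 3 = schema
ORDER BY p.class, p.permission_name;
```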

Approving Certificate Installation (Provisioning) Workflows in Aperture

Trust Protection Platform 15.3.0 added the ability to approve installation workflows in Aperture.  If you're using a custom SMTP Notification Channel to send approvers emails, those custom channels will need to be updated so that users are navigated to the correct URL in Aperture to approve Enrollment or Certificate Installation workflows.

Click here for detailed steps on updating your custom notifications.

Important Note for SSH Customers

Due to re-architecting of the SSH product between 14.4 and 15.1, direct or automatic upgrades are not supported from 14.x.x to 16.1.0.  For customers using the SSH Product in production environments, please contact Venafi Professional Services (see for assistance with upgrades.  If you are using the SSH product in a sandbox or development environment, we recommend that you not upgrade but instead install with a clean/new database. SSH Customers using 15.1.x, 15.2.x, or 15.3.x can follow normal upgrade steps to upgrade to 16.1.0.

Agent Certificate Discovery

Due to changes in version 15.2.0 in the configuration of work that the Venafi Server Agent does during certificate discovery, agents will stop performing certificate discovery until your Device Placement work has been configured and assigned to all applicable agents.  Certificate Discovery work also needs to be updated to have certificate placement rules applied. Agents will not start or continue certificate discovery until these two configuration items have been completed in Aperture.

Click here for more information about changes to Server Agent in 15.2:

Change in Hardware Requirements

Version 15.1.0 of the Venafi Platform brings large architecture changes in both the core platform and the User Interfaces for increased performance and scalability.  As of 15.1.0, the product is able to support 1,000,000 certificates and 1,000,000 keys.  Increasing the number of keys and certificates the platform and user interfaces support required a change in hardware requirements not only for the Venafi Platform servers, but also for the database servers.  This is because processing was optimized so that more calculations are done on the database level. Please carefully review the new Venafi Server and Database Server requirements before upgrading to 16.1.0.

16.1.0 System Requirements:

End User Portal now configured in Aperture (not WebAdmin)

There are two basic steps to configuring User Portal:

  1. In Aperture™, create one or more Agent Groups and define membership criteria by setting Client Types to User Portal.

  2. Configure user certificate work for the new Agent Groups.

For detailed steps, see the online docs or the "Certificate Management Guide" PDF starting on page 349.

Required Version of Oracle Server and Oracle Client

Oracle 10g is no longer supported as an Oracle Server version.  The minimum required Oracle Server Version is Oracle 11g Release 2 (  The minimum required Oracle Client is ODAC 12c Release 3 (

16.1.0 System Requirements:

IIS5 Deprecation

IIS5 has been deprecated in Venafi Trust Protection Platform 14.3.  Any IIS5 Application objects will be converted to "Basic" Application objects.  If your organization has Windows 2000 servers hosting web sites on IIS5, it is urgently suggested that you upgrade to a secure version of the Windows Server operating system that is supported by both Microsoft and Venafi.
Note: Microsoft Windows Server 2000 extended support ended on July 13, 2010 (end of life).

Server Agent deprecating support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC) in 16.3

In 16.3, the Venafi Trust Protection Platform will no longer ship with an agent installer for HP-UX PA-RISC.  This does not affect our support for HP-UX on Itanium Processors (HP-UX IP).  Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005.  We are deprecating support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.

More information on deprecation of PA-RISC:

