Info: Venafi Trust Protection Platform 16.1.1 is released


Venafi Trust Protection Platform 16.1.1 has been released to deliver the bug fixes below. It replaces the installer for 16.1.0.

  • Framework init failure after upgrading from 15.4 to 16.1 [no database owner]
  • Support tab fails to load for users

What's New


SSL/TLS certificates

  • Support for AWS Certificate Manager will provide an interface for requesting and retrieving certificates that are used by AWS appliance services.
  • Key Generation and Certificate Enrollment for DevOps Automation, which provides a utility for automated key generation and certificate enrollment to integrate into your DevOps architecture.
  • Support for AWS Elastic Load Balancing (ELB) and AWS CloudFront will automatically renew and provision certificates for use by AWS resources.

 SSH Keys

  • Custom reports in Aperture now fully support reporting on SSH keysets. Preview with filtering, column selection, reordering and sorting is available, as well as generating CSV and PDF reports manually and on schedule and delivering them by email, FTP or Windows share.
  • Custom reports in Aperture now support delivery of reports to FTP and Windows Share.

 Deprecated Drivers

  • Support for Cisco CSS has been removed with the 16.1 release of Trust Protection Platform due to no customer demand.
  • GeoTrust Enterprise support has been removed as this certificate authority is no longer issuing certificates.

Enhancement Requests Included in this Release:

NOTE: Numbers starting with @ indicate the incident number issued by

   1) Added an option to search for certificates by serial number. (@10100)

   2) Added the ability to search SANs. (@10338)

   3) Object Lookup: Search by Serial Number. (@13386)

   4) Allow searching by serial number. (@13717)

   5) Search for certificates by Serial Number. (@15779)

   6) Added the ability to search for certificates by serial number. (@16386)

   7) Please provide a way to search via serial numbers from Aperture. (@17198)

   8) Aperture Inventory Filter Control will now filter on more than 30 policy folders and supports sub-containers. (@18526)

   9) Enable the selection of policy objects for Entitlement Reports. (@11613)

  10) Added the ability to set key/certificate filenames. (@1103)

  11) You can now specify DataPower objects and file names. (@1407)

  12) Added a driver for AWS. (@10941)

  13) Added an application driver for Amazon AWS for ELB. (@12017)

  14) Created an application driver for AWS. (@12817)

  15) Enhanced the ability to retrieve a certificate from Symantec when there is a processing delay. (@12648)

  16) Provided an option to delete private keys after downloading. (@14509)

  17) The ability to suppress the 'Status Check is Disabled' status in Aperture is now available. (@17438)

  18) Provide Amazon certificate manager compatibility. (18417)

  19) Added a logging view to credential objects. (@18766)

  20) API Chained certificates are no longer returned in reverse order. (@18846)

  21) Re-add option to search certificates by serial number. (@8411)

  22) Created a report for recent certificate renewals. (@12703)

  23) TPP will now allow Aperture certificate list column customization. (@15813)

  24) Provided the ability to sort on columns on the certificate inventory in Aperture. (@16039)

  25) Updated Aperture reports to list all certificates. (@17420)

  26) Created a report to view all recently renewed certificates. (@17917)

  27) The Entitlement Report now allows the user to specify which object(s) to run against. (@5775)

  28) Added several reporting enhancements in SSH features. (@13654)

  29) Added the ability to export SSH key inventory view to a CSV file. (@15599)

  30) Clarified the verbiage for 'Allow SSH1' in Aperture to be more informative. (@17639)

  31) Provide a PDF version of the SSH "Authorized Users" Report. (@18462)

  32) When using Aperture to renew a certificate that uses the 'User Generated CSR' option, clicking the Renew button will now display the screen to upload a CSR. (@9465)

  33) Force CSRs to be uploaded at the beginning of renewal processing. (@11388)

  34) Stop the 'Renew Now' option if 'User Provided CSR' option is used but no CSR is loaded. (@12162)

  35) Added Removal/Disabling of Sticky Filters. (@13844)

  36) Sorting on columns for the certificate inventory has been implemented. (#22582, @16039)


 Resolved Issues in this release:


1) Filtering and reporting for self-signed certificates now correctly displays all certificates. (#24293, @17657)

2) On certificate objects, pasting a string with duplicate SAN names, e.g. SAN1, SAN2, SAN1, will be caught and not allowed. (#23650, @17138)

3) Removed a duplicate warning message and red banner on certificate objects that have validation disabled. This was causing some customers to believe that the certificate was in error. (#23592, @16971)

4) Corrected an issue where users with non-admin permissions could not see the owner of the certificate. (#25494, @18965)

5) Sorting on columns for the certificate inventory has been implemented. (#

6) Corrected a workflow issue between Aperture and Webadmin where the certificate in question would not have the right status. (#12717, @17798)

7) Certificate renewals were failing for certain country codes. Aperture has been updated to allow any two letter country code. (#23322, @16820)

 Certificate Authority Drivers

NOTE: The following 2 drivers have been deprecated from Trust Protection Platform 16.1: CISCO CSS and GeoTrust Enterprise CA

 1) Corrected an encoding issue where certificates issued by Symantec MPKI and Entrust were not being displayed in Aperture but would display in WebAdmin. (#25229, @18454)

2) no longer requires manual approvals for EV certificates in response to a change implemented by Entrust. (#24669)

3) Responding to a change in the GeoTrust Reseller CA, Venafi's driver will now allow you to select a SHA256 certificate with a SHA256 root. (#25226, @18723)

4) Symantec MPKI driver can now enroll certificates from a SHA256 root, a recently added feature from Symantec. (#24568, @18051)

5) The GeoTrust TrueFlex driver will now automatically attempt a failed renewal of a certificate issued by a different CA. (#25045, @18394)

6) TPP running on a Windows 2008 R2 server will connect correctly to the GeoTrust Reseller CA, which only accepts TLS 1.2 connections. (#25171, @18672)

7) Renewing multiple certificates simultaneously against the Comodo CA will no longer cause some of the renewals to go into an error state. (#17400, @11687)

8) On the Microsoft CA, importing a certificate with two or more SANs will now import with all the SAN entries. (#25121, @18554)

 Certificate Manager

1) Certificate validation will now run consistently with the nightly tasks. (#25342, @18465)

2) CSR details of a certificate can no longer be changed while the certificate is paused for workflow approvals to occur. (#24202, @17647)

3) TPP will now correctly build the certificate chain for cross-signed certificates. (#24410, @14492)

4) Improved logging so that a missing credential event will specify which credential is missing from the object. (#21933, @15296)

 Client Subsystem

   1) The log event, "ClientRest - Find Client Query Data," now contains the intended client data. (#25210, @18523)


   1) Certificate with a blank SAN will now display correctly in the WebAdmin certificate expiration dashboard. (#24469, @15627)


1) Fixed an issue where the Discovery blackout window would not display correctly for certain time zones. (#25074, @18356)

2) Aborting and restarting the same discovery job will now properly finish the discovery jobs. (#23224, @16497)

3) Corrected an Instant Discovery job that was generating an 'invalid cast' error. (#25491, @18762)

4) If the 'Manage' button is used from Discovery results or with an Instant Discovery, TPP will now identify this in the log as a Manual Placement as well as capture who pushed the 'Manage' button. (#25172, @18624)

5) If Onboard Discovery is re-executed, consumer attributes on the certificates are no longer removed. (#24531, @18044)

6) F5 Onboard Discovery will no longer perform an incorrect association with the certificate localhost.localdomain. (#24532, @18007)

7) The F5 Onboard Discovery will now honor the processing engine setting in the Platforms tree. (#24192, @17669)

 Identity Driver

1) When the Active Directory identity driver recovers connection to domain controllers and/or global catalogs, users will be able to successfully log in to WebAdmin and Aperture. (#25219, @17833)

2) A user will now successfully log in to WebAdmin when they are in an OU that has been named with the '/' character. (#24509, @18003)

 Log Server

1) The event "Certificate Manager - Key Reuse" is no longer logged twice with each occurrence. (#24908, @18014)

2) If the database service broker is not running (thus preventing Venafi from logging events) the software will now log to the Windows Event log so that the admin can correct this condition. (#24239, @17593)

3) When using an SNMPv2 log channel, multiple Windows application log events "Object reference not set to an instance of an object" will no longer be generated. (#24910)

4) The log server will send all email notifications during processing of daily tasks correcting a condition where some notifications were not sent. (#21779, @14517)

5) Fixed a problem where Aperture would not log the user that had clicked the 'Run Now', 'Pause', or 'Cancel' actions on Discovery Jobs. (#25529, @18985)


1) The macro for the customer field 'Date' now returns the requested date. (#24818, @18237)

2) The macro that returns the date will now display correctly for UK formatting. (#23990, @16912)

 Platform Driver

1) Fixed the Connect:Direct driver so the 'Node Security' option is not changed when provisioning starts. (#25387, @18882)

2) Corrected a timeout error with the F5 Config Sync process. (#25347, @18696)

3) The F5 Driver will no longer error out when the option to delete the previous certificate and key is selected and the certificate is in use. (#25655, @19129)

4) After a bulk certificate push to an F5, network validation no longer runs multiple times before finishing. (#23992, @17288)

5) The NetScaler validation operation will successfully close all the SSH connections used during the operation. (#23596, @16767)

6) The F5 LTM Advanced driver no longer adds additional ClientSSL profiles to the existing profile list. (#23354, @16717)

7) F5 Onboard discovery will no longer perform an incorrect association with the certificate localhost.localdomain. (#24532, @18007)

8) With the DataPower driver, basic provisioning no longer requires the key field to be populated if the 'certificate only' option is selected. (#24153)

9) Fixed an issue where provisioning certificates to a NetScaler device would fail. (#22367, @15748)

10) Certificate provisioning to a JKS Trust Store will succeed when the certificate already exists in the trust store. (#24339, @17075)

11) An F5 v10.2.X is now correctly displaying the correct version of iControl. (#24711, @18353)

12) When provisioning to an F5 v10.2.X, the designated filename is now correct. (#24708, @18351)

13) The Comodo CCM SOAP timeout can now be configured with the desired timeout value. (#25092, @17754)

14) The F5 driver will no longer try to delete a nonexistent key at stage 835. (#24368, @17768)

15) Improved performance when pushing many certificates to an F5 device so that the F5 hardware is not overwhelmed. (#24783, @17890)

16) Onboard validation to an F5 device is no longer attempted if the "Certificate Name" attribute is not present (which would generate an error). (#24868, @18465)


1) Report scheduling will now set the run time correctly for certain time zones. (#25290, @18356)

2) The Entitlement report now shows both local and AD users in the AdminUsers section. (#25193, @18730)

3) Expiration reports that specify the 'Discovery' option now show the discovered certificates in the Expiration report. (#24549, @18002)

 Server Platform

  1) Fixed an issue where the vedscep service would stop working, requiring a restart of IIS. (#24379, @17002)


1) During an upgrade, SSH work items in the ssh_queue_item are removed which allows the upgrade to finish. (#24907)

2) Agentless scans now discover keys if the path contains leading whitespace. (#24815, @18049)

3) The "Unknown Client" violation is now removed from an authorized key once the external key has been added to the same keyset. (#24069)

Agentless SSH

  1) Updated the Maverick SSH libraries used by TPP which allows proper communication with SSH-2.0-Sun_SSH_1.1.4. (#23839, @17048)


1) The Updater now shows the date a patch was installed when selecting View|Installed. (#24893, @10288)

 User Portal

   1) The User Portal Upgrade no longer clears previous configuration values used by the User Portal. (#24442, @17895)

 Web Administration Console

1) Install now includes a missing locale file that allows the Javascript to interpret additional language locales and provide proper date formats. (#24593, @18151)

2) When the 'Validate Now' button on an Application Object is pressed, the event is logged. (#24809, @18320)

3) If a certificate without an OU is enrolled in TPP, the summary no longer displays the OU of the Certificate Authority. (#23798, @16671)

4) In the View tab, the "Common Name" column now displays the certificate instead of the application object. (#23780, @17309)

5) Fixed the export feature so that the Application view data can be exported even when bad certificate data is encountered. (#23603, @16316)

6) Fixed an issue where clearing filters in the grid views was not working correctly. (#23472)

7) The "Severity" filter now works consistently when used with a very large database (15+ million log entries). (#22404, @15487)

8) Fixed an issue where users with limited permissions to a policy would get a cryptic error when trying to delete certificate objects. (#22088, @15386)

9) Changed the Log Expiration option in the Default SQL Channel so that it only accepts a number so that misconfiguration issues can be avoided. (#11481, @6454)

10) Based on customer feedback, added a 'Log' tab to credential objects. (#14586, @9695)

11) Certificates with an empty subject will now display correctly in the certificate summary tab. (#24470, @15627)

12) Creating master admins from Active Directory users in WebAdmin now grants all the necessary master admin permissions for the new admin. (#12717)

13) Users without permissions to the 'Roots' tree can now see the full certificate chain for the certificates they have permissions to administer. (#25514, @18235)


1) Fixed an unhandled exception in the Authorize/CheckValid call which resulted in a reset of the IIS Application Pool. (#24938, @18532)

2) Retrieving a certificate using the PKCS#8 format using the WebSDK will now succeed. (#25007, @18501)

3) If the Certificate Authority DN is empty in a certificate request, it will now successfully use the suggested Policy value for the Certificate Authority field. (#24241, @17504)


VIII. Known Issues

NOTE: Numbers starting with @ indicate the incident number issued by

NOTE: This release has a support tool called 'Venafi Support Tools' that has been released as Beta. Please report known issues via email and Venafi will address them in a future release.

NOTE: Security related changes have been made that now prevent users from altering a certificate request after it has progressed beyond the start of the renewal process.  As such, any certificates that are waiting for a new CSR to be uploaded prior to upgrading to 16.1 will need to be reset and restarted using the Web Administration console after successfully upgrading TPP in order to complete the certificate renewal.

Aperture known issues

1) If a new agent registration password is added to the registration passwords list, you must click 'Save' on the page for it to be added. (#15383)

2) A MAC address client rule for agent requires either ':' or '-' e.g. 00-11-22-33-44-55-66. (#15078)

3) If a Discovery job is created using invalid characters, you will receive a message, "Failed renaming discovery job." Try a simple name without invalid characters, e.g. < />. (#15183)

4) Search does not filter correctly on a CN search for '.' or '..'. It will return some other items that don't have a '.' (period) in the CN but do have the '.' elsewhere in the certificate. (#14488)

5) Aperture will load only 100 folder objects. Use the search or filters to find the folders in question. (#18348)

6) Installing Aperture on a different server than WebAdmin results in product documentation not being available for Aperture. Install Aperture on the same server as WebAdmin. (#12485)

7) Global searches will not find SSH key names. Use the key lists and filters to find your SSH keys. (#17096)

8) In Aperture, a user is unable to remove a policy folder. The only way to do this is through WebAdmin. (#19278)

9) There are multiple attributes and controls in Aperture that do not have a way to be cleared (the controls are radio buttons in Aperture). Use WebAdmin to clear these values. (#21718)

10) The Revoke button is enabled but nonfunctional on a disabled certificate object. (#22215, @15002)

11) We do not paginate with large numbers of agents on the agent list. (#11509, @12659)

12) The certificate SAN field is still visible after providing a CSR that contains a SAN. (#24133)

13) There is currently no way to disable validation at the time a new certificate is created using Aperture. (#17053)

14) A limited permissions user with only View and Read rights to the folder and View, Read and Write rights to TrustNet is unable to select policies in the appropriate fields on the TrustNet configuration page. (#16421)

15) A user with limited permissions to Agent Group but not Agent Work that deletes an agent group will leave orphaned objects. Make sure your user has adequate permissions. (#25495)

16) On the Compliance tab, key length displays as 2048 when the certificate is actually 2047. (#23453, @16921)

17) In some instances with Aperture using Single Sign On (SSO), the 'Download Latest' button does not work. The log file shows the event, "Invalid web data: HttpRequestValidationException occurred at <timestamp> in WebApp." The cause is being investigated. (#24277, @16880)

18) Aperture does not log the creation of a Discovery object. (#25530)

19) The Device inventory field label is incorrectly labeled "Hostname/IP." It should be the Friendly name/Object name. (#22141)

20) After moving a certificate in error from one policy which allows a longer validity period than the new policy, renewing the certificate will fail with 'Validity period is not valid' for the selected CA template object. Use WebAdmin to save the object and then the renewal will succeed. (#22268, @15456)

21) Using the Agents|Network filter with invalid values is returning all agents. This will be fixed in a future release. (#25802)

Certificate Authority Driver known issues

 1) Several Certificate Authority and Application drivers cannot renew a certificate if the renewal hash algorithm is SHA-2 but the device's API supports SHA-1. The CAs and drivers that do not allow this are: Apache, Brocade, Cisco ACE, Data Power, F5, GSK, iPlanet, JKS, NetScaler, Palo Alto Networks, and PEM. (#18845, #19741)

2) Symantec LHK settings cannot be set at the policy level. These settings are dynamic and Venafi is evaluating solutions for dynamic settings. (#19214)

3) The Entrust CA occasionally reports a failure at stage 500 but still creates the certificate on the Entrust site. Download the certificate and import it to TPP. (#19248, @13013)

4) The timeout is too short for the Comodo CCM CA. Venafi is implementing a solution to this issue. (#24866, @18160)

5) The MSCA has an encoding issue with UPN SANs when using user provided CSRs. Extra character(s) are added to the email address. Delete the extra character(s). (#23683, @17181)

6) When doing a mass enrollment of some certificates to the Symantec CA, some of them receive the error, "Retrieve Certificate Failed with error: The request was aborted: Could not create SSL/TLS secure channel." The certificate is retrieved but the error is not cleared. (#24310, @17584)

7) GeoTrust TrueFlex no longer supports SHA-1, the UI default. Select SHA-256 when creating the CA template. (#25120)

8) With a VeriSign or Entrust.NET certificate object, after a specific End Date is entered, it cannot be erased. If a new end date is needed, for example, a new object will need to be created. (#13541)

Certificate Manager known issues

1) The revocation reason is not captured in the database for a revocation event. (#23840, @11738)

2) Adding root certificates in a different order will produce a different chain. Venafi is determining a resolution for the issue. (#10001, @6376)

3) Certificate revocation process may run for an excessive amount of time. (#21445, @14849)

4) The F5 application driver can get out of sync with the device on a network with latency to the device. (#20078, @13836)

5) Revocation checking can be slow. Venafi is determining a resolution for this issue. (#21445, @14849)

Core known issues

1) Certificates that don't have an issuer field populated can cause errors in the logs. (#21613)

2) Exception thrown when logging is configured to look at an invalid database. (#18514)

3)  If Venafi Control Center detects that the database service broker is down, it will warn the user but not stop the install. Resolve the service broker issue and rerun the install. (#25612)

Dashboard known issues

 1) If you point the trend widgets to a subfolder (e.g. "\VED\Reports\Folder\..."), then you won't be able to add trend widgets to the dashboard regardless of your permissions. (#15482)

Discovery known issues

1) Aperture discovery jobs that use a DNS name with CIDR notation, e.g., will not work. Instead, use the IP address, e.g. to discover certificates and keys on that network. (#14982)

2) Discovery Jobs may stay in a pending execution state in some circumstances. Delete and recreate the job. (#18743)

3) The 'Place Now' button in a discovery is enabled even if there are no certificates to be placed. (#14369)

4) Some search filtering on SANs in Discovery results does not display results. (#12116)

5) The Managed DN shows incorrectly when a limited rights user is used for managing discovery results. (#16959)

6)  After a certificate discovery of JKS keystores, the agent reports too many certificates because each root and intermediate certificate is being counted for each certificate using those root/intermediate certificates. (#22124)

7)  Discovered/Imported application objects are always created with SSL profile types set to 'Client.' Administrators should change those profile types that are server profiles to 'Server.' Venafi is working on a solution. (#24816)

8) F5 Onboard discovery jobs do not properly handle certificates if the certificates have the same Common Name (CN) but different Subject Name (SN) or Thumbprint. (#24476)

9) F5 Onboard discovery is not logging objects if they were previously discovered but not deleted. (#23682)

Installation known issues

1) VCC can't create an operational certificate if default policy target has been changed and you are adding another server to an existing TPP server environment. (#13682)

2) If VCC is unable to connect to the database during the "configure products" portion of the VCC wizard, you will be prompted to enter the DPAPI key. Fix the database connection and rerun the VCC wizard. (#18029)

3) Venafi Control Console configuration fails if the database name contains a “.” (period). (#19470)

Log Server known issues


1) Unable to page through logging with more than a couple of hundred pages. Use filtering to reduce the number of pages to page through. (#18759)

2) Some Validation Log events have references to objects which may be unclear to the user. (#17914)

Notifications known issues

 1) Combining AND & OR in a notification only uses the last defined condition. It is possible to get the desired result by dividing up each OR condition and then duplicating the desired AND condition for each OR condition, e.g. if [condition 1] matches [value 1] AND <my desired condition> OR [condition 1] matches [value 2] AND <my desired condition>. (#18798)

Platform Driver known issues

 1) Several Certificate Authority and Application drivers cannot renew a certificate if the renewal hash algorithm is SHA-2 but the device's API supports SHA-1. The CAs and drivers that do not allow this are: Apache, Brocade, Cisco ACE, Data Power, F5, GSK, iPlanet, JKS, NetScaler, Palo Alto Networks, and PEM. (#18845)

2) Unable to provision to Apache on Linux when 'sudo' is required. You need to use a user account with access to the specific areas needed to install the certificate. (#7424, @8190)

3) If there are GSK objects which have a DN larger than 100 characters, the upgrade script to 16.1 may fail. Truncate the GSK objects to less than 100 characters. (#21021)

4) When provisioning a PEM private key with the Agent, the directory for the private key file must be the same directory as the certificate file. (#24387)

5)  With the F5 driver, if the certificate and chain filename are the same, the deploy to the F5 will fail. Use different names for the certificate and chain filenames. (#25001)

6)  When using the F5 LTM Advanced driver on a v12 F5, a certificate push after new fails if the same certificate is associated with more than one application for all but the first application in the list. (#24357)

7)  Disabled application objects keep the last certificate processing status even if it changes when the certificate finishes processing. (#23845)

8)  F5 Basic mode does not work with a FIPS enabled server. This issue is under investigation. (#23819, #23697, @12789)

9)  The GSK driver is unable to validate or provision using GSK v.7 and v.8. The driver will be updated in a future release to support these versions. (#24833, #24835)

10) In the UI, if certificate and key filenames have leading and/or trailing spaces, provisioning to an F5 device will fail. (#24181)

11) The Citrix driver is unable to push a certificate when Generate Key/CSR on Application is set to "Yes." The root cause is under investigation. (#24435)

12) Provisioning will fail when a workflow is set at stage 801 on a GSK application. (#24240)

13) The Validate Now feature is not working for an F5 Authentication bundle. (#23699)

14) Provisioning a certificate to a P12 application will result in the object GUID being inserted into the Common Name field on the keystore after the second push. The certificate is provisioned but the name is wrong. This is a C# library issue and Venafi is working with Microsoft to get this resolved. (#24341, @17054)

15) When F5 app object encounters an error, the "in error" attribute doesn't get written. Use the Application View tab and sort on 'Status' to see the error. (#24911)

Reporting known issues

1) If a job is waiting in memory and the Venafi services are restarted, the report is lost/does not run. Restart the job. (#19685, @13455)

2) If two policies are identically named except for a suffix, e.g. MyPolicy and MyPolicy-Test, reports that point to 'MyPolicy' will only get certificates from the first instance of 'MyPolicy.' A second report will be necessary. (#22216, @15354)

3) Users with implicit 'write' permissions granted via a policy (such as setting the "Manage Policy" permission) are not able to save a previously created report. You will have to explicitly grant rights to that user. (#25858)

4) The Save button on the Custom Report delivery page doesn’t work when the email address field is focused. (#21334)

5) Values for scheduling are not reflected in the logs when saving a report. The values show as "0". (#14156)

6) Reports are pulling in data from two policy folders that have nearly identical names where the only difference is a suffix on one of the policy names. Putting a different character in the middle of the second policy name will prevent this. (#22216, #23981, @15354)

SSH known issues

1) The 'Last Rotated' time shown on a keynote is displaying the time the rotation was initiated rather than when the actual file operation occurred. (#17262)

2) With Public key instances, clicking edit and saving without making changes will start provisioning. Click cancel or don't save to avoid this unnecessary provisioning. (#13347)

3) OpenSSH known host key comments are not restored in case they were manually edited on the host working under TrustForce security level. (#19793)

4) Test Connection button in Aperture will fail for devices with OS Type set to systems unsupported by agentless (such as Windows or HP-UX). (#19891)

5) Manual change of file owner of a key file on a system that is tracked under Remediate will create duplicate key records in TPP database. (#19210)

6) "Key Older than Allowed" violation is incorrectly erased by automatic revival of key that was manually edited on the host working under TrustForce security level.  (#17437)

7) If policy settings do not allow creating both openSSH and Tectia keys and a Tectia keyset is created, the error message reads, "Failed to create keyset. Would you like to try again?" You need to change the policy settings to correct this condition. (#19957)

8) The forced command for an authorized key is not displayed correctly when it contains “command” string. (#24068)

9) Due to space considerations the 'Notes' field has been removed from a keyset details view for keys marked as needing action. An improved method for displaying notes is being investigated. (#25058, @18505)

10) Remediation interval not honored when using a shared authorized key to a root IT account. (#19805)

11) Known host keys are duplicated if hostname is changed while in Remediate. (#19791)

12) On Windows hosts, you will get a 'Keys older than allowed' violation for Tectia host keys that have not been rotated for longer than configured on the policy, but you will not get the error on a Linux host. This issue is being investigated. (#25727)

13) Unless you have Delete permissions on a policy folder, you cannot cancel the Add New Instance operation. (#18506)

14) Adding an additional private key requires the user to have the View permission in addition to the Private Key Read permission. (#18504)

15) A single Trust Protection Platform server can support a maximum of 1,000 agents doing SSH work.

16) When the SSH 'OK' and 'Out of Compliance' filters are used together, the filter also picks up unscanned devices in addition to the devices that should be displayed. Using these filters separately will generate the expected result in each case. (#24146)

17) If the error, "FailedToConsumeAgentResponse" is encountered repeatedly, please contact Customer Support. Your server and agent logs will be needed. (#25689)

18) Some scheduled rotations may not complete on large databases (300K and more keys). In that case, restart agents with hanging operations and the rotations should complete. Then contact Customer Service, supplying your agent and TPP logs. (#24372)

19) In Aperture SSH work, if %u is used in include path, "no subdirectories" selector will not have any value. (#22305)

20) With Agentless SSH key discovery, the 'Exclude paths' is not excluding the directory specified. (#22194)

21) SSH keys on device will be re-discovered and duplicated if connection interface is changed from Agentless to Agent. To remove the 'Agentless' discovered keys, delete the device object created by Agentless discovery using WebAdmin or WebSDK.

User Portal known issues

1) User Portal will not load with Lithuanian language settings in the browser. (#25652)

2) Accessing the User Portal after installing version 15.1 displays an exception. (#19355)

3) Some Macro Templates are not working correctly with User Portal. (#25196)

4) If the User Portal 'Friendly Name' is blank, the user will see no work in the User Portal. Make sure to fill in the 'Friendly Name.' (#25197)

5) Logging out of the User Portal may throw an exception. Venafi engineering is isolating the cause. (#18410, @13123)

Web Administration Console known issues

1) It appears you are unable to reset a certificate that has 2000 applications associated with it. It actually does reset but it takes a while to complete. (#12551, @7961)

2) With certain browser locales, using the Date selector control will display the selected date order in US format (MM/DD/YYYY) instead of the locale's format (YYYY/MM/DD). After 'Save' is selected, the date will display in the correct format. (#17441)

3) For some certificates, e.g. VeriSign or Entrust.NET, once the specific end date has been entered it cannot be erased. Recreate the object to work around the issue. (#13541)

4) If a certificate is placed into a policy that has locked the management type to 'Unassigned' or 'Monitoring,' that certificate can no longer be minted by SCEP. Either the locked policy value will need to be changed to suggested or the certificate will need to be moved to a new policy that allows 'enrollment' or 'provisioning' management types. (#14356)

5) WebSDK rights cannot be assigned to LDAP users via the Web Administration console. You must use WinAdmin. (#8769)

6) If you blacklist a certificate, the intermediate certificates will not chain up to the correct root in the Tree View. This is a cosmetic issue. It is chained to the correct (not blacklisted) certificate. (#18717, @12657)

7) Deleting a certificate from the policy tree doesn't delete the associated application objects. The associated application objects must be deleted manually. (#19398)

8) You may get a 'HandshakeFailure' error when performing onboard validation to Layer7 gateways. This is caused by setting the Layer7 to require SSL. The driver needs to be updated to support this setting. (#25125, @18582)

9) We have had reports of the Venafi Operational Certificate being randomly replaced. Please contact Venafi if you experience this issue. (#22260)

10) Status "Queued for Retry" does not get changed when rejecting workflow. This is under investigation. (#24038, @17537)

11) Chaining is still connected to a blacklisted certificate even though there is a valid non-blacklisted chain. (#21995)

12) WebAdmin is unable to filter on serial number on the View|Certificates tab. (#23703, @17196)

13) The log file does not detail the user that generated an event. This feature request has been forwarded to product management. (#23618, @4451)

14) Last Validation times are wrong in WebAdmin from the view tab. The time displayed is UTC time. (#24151)

15) PEM application objects are displaying the connection method as 'SSH' when it is connecting with an agent. The field implies the connection method used if in agentless mode (SSH or WinRM). (#25602, @18996)

WebSDK known issues

1) POST SSH/KeyUsage documentation - The POST SSH/KeyUsage API is not visible in the online versions of the Developer's Guide Table of Contents. You can only discover it by searching for it. You can also refer to the PDF version of the Developer's Guide, which does include the POST SSH/KeyUsage API in the table of contents.

2) User GUID instead of name is displayed for the events “Private key generated” and “User-added private key.” (#24201)

3) WebSDK POST authorize returns "400 bad request" when the username or password is incorrect. The response should be a 401 error. This has been reported to the development team. (#25570, @18806)

WinAdmin known issues (for Custom Engagement information purposes only)

1) WinAdmin does not support 'Unassigned' certificates. Use the Web Administration console or Aperture. (#14351)

Workflow known issues

1) Non-admin users can view all approved and rejected workflow tickets. This will be addressed in an upcoming release. (#6638, @9273)

2) Getting "Unknown Error Occurred" when accessing approved workflow tickets. (#19319, @13104)

3) You will get an error when issuing workflow tickets if one of the Specified approvers does not resolve to a user. You can delete that approver or select 'Approver assigned to object' to work around this issue. (#23464, @16935)


Features Deprecated in Future Releases


This section describes those features that will not be supported in the next release of Venafi Trust Protection Platform.


 - Enhancements have been made to Aperture that make it incompatible with Internet Explorer 8.

 - Windows Administration Console features will continue to be moved to other administration tools (Web Administration Console and Aperture).

 - The GeoTrust Enterprise driver is no longer supported. The CA stopped issuing certificates at the end of 2015.

 - Cisco CSS is a legacy driver with no known customer usage. It is no longer supported.

 - Microsoft has ended support for .NET 4.5.1 and will not be issuing patches for it. Starting with version 16.3, Trust Protection Platform will require .NET 4.6.1 or later to be installed on your Windows servers. Upgrade .NET on your Windows servers to avoid outages.

 - In 16.3 we will remove support for Hewlett Packard Unix Precision Architecture Systems (HP-UX PA-RISC). Hewlett Packard ended support for this operating system in early 2005. Note: This does NOT impact the support for Hewlett Packard Unix for Itanium processor (HPIA).

 - The Certificate License widget and License Filter have been removed from Trust Protection Platform.

Please see attached Readme for further details.
