Venafi Agent 15.3 - Current
This article will provide some useful information when troubleshooting agent provisioning issues.
- Is the Agent version 15.3 or higher?
Only Agents that are 15.3 or higher support Certificate Provisioning.
- Is the TPP version 15.3 or higher?
Only TPP 15.3 or higher supports certificate provisioning.
- Is the keystore you are attempting to provision PEM or JKS?
In TPP 15.3 through 16.2, only PEM and JKS keystores are supported for provisioning in production (we hope to add new keystores in 16.3).
- Is the agent registered with TPP and trusted?
You should be able to see it in Aperture under Agents => Agents menu and trust level should be something like “Specific Credential”. It should NOT be missing or show up as “untrusted”.
- Has the Agent checked in recently?
You should be able to see it in Aperture under the Agents => Agents menu, and the “Last seen” timestamp should be within the expected time frame (if the agent is scheduled to check in daily, it is a red flag if the last timestamp is from two weeks ago).
- Does the agent belong to an Agent Group?
You should have an agent group created that the agent belongs to. Look up your group and make sure the agent shows up as a member.
- Does this group have “Device Placement” enabled and configured?
In order for Agents to do certificate discovery and installation, TPP must automatically create the device object or link to an existing device object. Open the agent details; the pop-up window shows the full policy path of the device the agent is linked to. If you don’t see this, or you see it linked to a device you don’t expect, there is an issue.
- In Web Admin or Aperture, is the “Installation/Provisioning Mode” set to “Agent”?
If TPP automatically creates the device through Device Placement, the Installation/Provisioning Mode will be set to “Agent”. If TPP instead links to a device that already existed, you’ll have to set the mode to “Agent” yourself, either through policy or explicitly on the device.
- Is the PEM or JKS Application object enabled?
Certificate Installation will not take place on Application objects (Installations) that are disabled.
- Are there any required fields missing?
When creating applications/installations automatically through discovery, required fields can be missing. Ensure that all required fields are present.
- Is the associated certificate management mode set to “Provisioning”?
In order to use Agent or Agentless installation of a certificate, the management type of the certificate must be set to “Provisioning”. Any other value will not work.
- Did you click the “install” or “push” button on the JKS/PEM Application to start the installation process?
Certificates in Provisioning mode may be installed automatically after they renew. Outside of renewal, the installation needs to be started manually by clicking “Install” in the Aperture console or “Push” in the Web Administration console.
- Is there an approval workflow configured for stage 800 that hasn’t been approved yet?
In TPP 15.3 through 16.2, the Agent does not support custom command injection during provisioning, but it does support workflow approval at stage 800. If an approval workflow is configured, the designated approver must review and approve the workflow ticket in Web Admin or Aperture before TPP will assign the certificate installation work to the agent.
- Did Provisioning fail with an error?
Typically, if certificate installation fails with an error, the details of the failure appear in an updated status message in both Web Admin and Aperture. If you see an error, review the message for the reason the installation was unsuccessful (for example, the folder for installing the certificate on the target system did not exist).