Info: What's New With Venafi Trust Protection Platform 18.1

Venafi Trust Protection Platform version 18.1 introduces significant improvements in stability and performance, as well as several key enhancements.

IMPORTANT! Before upgrading to the new version, carefully review the topic "Important Considerations before Upgrading".

Venafi Advanced Key Protect (available for purchase)

Venafi Advanced Key Protect is a new product add-on module (priced separately) designed to provide remote and centralized HSM key generation.

  • Remote HSM Key Generation 
    Before this release, Venafi Platform could perform remote HSM key generation only on Gemalto SafeNet HSMs. New in 18.1, the Venafi Advanced Key Protect add-on module can generate private keys remotely on Thales nShield Connect HSMs for Apache, CAPI (IIS), and JKS. @6522
  • Central HSM Key Generation
    For improved entropy and audit compliance, private keys for certificates and SSH keys can be centrally generated on Gemalto SafeNet and Thales nShield Connect HSMs. Centrally generated private keys are exported from an HSM and stored as ciphertext in the Venafi database.


  • Venafi Configuration Console
    Use the all-new Venafi Configuration Console to install, upgrade, and administer the Venafi Platform and installed products. @9122, @16697
  • Silent Installation Support 
    Venafi Platform can be installed and upgraded from a command line interface (CLI) using a secure XML answer file. @22109, @26096, @13381, @20273
  • Create Hardware Key on an HSM 
    When using an HSM to protect the Venafi database, the Hardware Key can now be created directly in the new Venafi Configuration Console. Previous versions required the use of HSM support tools. @30711
  • MSSQL Mixed Authentication Mode 
    Venafi servers can be configured to use either SQL Authentication or Windows Integrated Authentication on a server-by-server basis. In previous versions, a Venafi cluster needed to have the same mode for all servers. @27068, @28106, @23787
  • HSM-enabled Venafi servers no longer need a software key
    In previous versions of Venafi Platform, a DPAPI key was still required even when an HSM was used. In 18.1, the DPAPI key is now called the Software Key and is no longer required on new installations (new database) that use an HSM to encrypt the Venafi database.

Certificate Manager

  • Turnkey discovery and rotation of IIS certificates via Onboard Discovery 
    When given a list of devices with corresponding WinRM credentials, Venafi can interrogate each target system to obtain the list of certificates with IIS bindings. Those certificates are configured so that they can be renewed and installed without any additional configuration. @15703, @18782
  • Adaptable Onboard Discovery
    Customers and vendors can write their own PowerShell script to integrate into other appliances, applications, and web platforms to automatically discover and import certificates and to configure them for immediate rotation.
  • SHA1 Thumbprint Certificate Filter 
    Aperture now has a SHA1 thumbprint certificate filter on the inventory list to find certificates based on their thumbprint. @25596, @26293
  • GlobalSign Multi-Domain Support 
    The GlobalSign CA Driver has been updated so that the Domain ID is no longer required during configuration, allowing a single Venafi CA Template to be used for any Domain ID that is valid within a GlobalSign account. @34484, @33429, @24733
  • EV Support for GlobalSign Driver  
    The GlobalSign CA Driver now supports the Extended Validation (EV) product. @30072, @33429 
  • Validation Failure Log Updated 
    When TLS validation fails with a certificate mismatch, the raw certificate is now stored in the event, so customers can use an Adaptable Log solution to import the certificate for management if desired. @758


  • Reputation Score
    The reputation score from TrustNet is available as a new column on the certificate inventory list and custom certificate reports.
  • Dynamic TrustNet Dashboard 
    A new dashboard in the Aperture console shows all TrustNet-related summary information in one place. With TrustNet, your Venafi system can be informed about new vulnerabilities that TrustNet has detected without waiting for a new quarterly release or patch. @32427


  • Improved discovery of authorized keys 
    Both the agentless and Server Agent methods for SSH systems offer improved support for sshd_config files when determining where to find authorized keys. @30874
  • SSHD_Config Visibility
    The sshd_config files of agentless managed systems can now be viewed within Aperture.
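
The authorized-keys lookup that both discovery methods perform can be illustrated with a small parser. The following is an added example written for this page, not Venafi's code: it follows sshd_config(5) for the AuthorizedKeysFile directive (several files per directive, the %%, %h, %u and %U tokens, home-relative paths, the "none" value, and Match User overrides), uses a constructed sample config, and the function names (resolve_authorized_keys and the rest) are mine.

```python
"""Resolve where sshd will look for a user's authorized keys, from sshd_config.

Added illustration, not Venafi code. Behaviour follows sshd_config(5): the first
value seen for a keyword wins, a Match block overrides the global section for
matching connections, AuthorizedKeysFile may list several files, relative paths
are taken from the user's home directory, and %%, %h, %u and %U are the only
tokens expanded.
"""
import fnmatch
import re
from pathlib import PurePosixPath

# sshd's default when no AuthorizedKeysFile directive is present
DEFAULT_AUTHORIZED_KEYS = (".ssh/authorized_keys", ".ssh/authorized_keys2")

# Constructed sample sshd_config for this example (not from a real host)
SAMPLE_SSHD_CONFIG = """\
# global section
Port 22
AuthorizedKeysFile  %h/.ssh/authorized_keys /etc/ssh/keys/%u/authorized_keys
PasswordAuthentication no

Match User deploy
    AuthorizedKeysFile /etc/ssh/deploy_keys
"""

# "Keyword value" or "Keyword=value"
_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    Keywords are lower-cased (sshd treats them case-insensitively). Within a
    section the first occurrence of a keyword is kept. match_blocks is a list
    of (criteria, directives) in file order.
    """
    global_directives, match_blocks = {}, []
    current = global_directives
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = _DIRECTIVE.match(line).groups()
        keyword = keyword.lower()
        if keyword == "match":
            current = {}
            match_blocks.append((value.strip(), current))
            continue
        current.setdefault(keyword, value.strip())
    return global_directives, match_blocks


def match_applies(criteria, user):
    """True only if every criterion is a 'User' pattern list matching user.

    Other criteria (Group, Host, Address, ...) need live connection data, so a
    block using them is conservatively treated as not applying offline.
    """
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        return False
    for key, patterns in zip(tokens[::2], tokens[1::2]):
        if key.lower() != "user":
            return False
        if not any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
            return False
    return True


def expand_tokens(pattern, user, home, uid):
    """Expand the tokens sshd_config(5) permits in AuthorizedKeysFile."""
    table = {"%": "%", "h": home, "u": user, "U": str(uid)}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%":
            token = pattern[i + 1] if i + 1 < len(pattern) else ""
            if token not in table:
                raise ValueError(f"unsupported token %{token} in {pattern!r}")
            out.append(table[token])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def resolve_authorized_keys(config_text, user, home, uid=0):
    """Return the absolute paths sshd would consult for `user`, in order."""
    global_directives, match_blocks = parse_sshd_config(config_text)
    value = global_directives.get("authorizedkeysfile")
    for criteria, directives in match_blocks:
        if "authorizedkeysfile" in directives and match_applies(criteria, user):
            value = directives["authorizedkeysfile"]
            break
    if value is None:
        entries = DEFAULT_AUTHORIZED_KEYS
    elif value.lower() == "none":
        return []  # "AuthorizedKeysFile none" disables file-based keys entirely
    else:
        entries = value.split()
    paths = []
    for entry in entries:
        path = PurePosixPath(expand_tokens(entry, user, home, uid))
        if not path.is_absolute():
            path = PurePosixPath(home) / path  # relative to the user's home
        paths.append(str(path))
    return paths


if __name__ == "__main__":
    for name in ("alice", "deploy"):
        print(name, resolve_authorized_keys(SAMPLE_SSHD_CONFIG, name, f"/home/{name}", 1001))
```

For the sample config, alice resolves to her home directory file plus the central /etc/ssh/keys/alice/authorized_keys, while deploy is redirected by the Match block to /etc/ssh/deploy_keys; a scanner that only ever read ~/.ssh/authorized_keys would miss both of the non-default locations.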


  • Certificate Delete 
    Before 18.1, deleting a certificate required a series of error-prone low-level API calls. Certificates can now be deleted with a single call that also cleans up associated records such as Workflow and Secret Store entries. (DELETE Certificates/{guid}) @32470, @3889
  • Retry Certificates in a Processing Error 
    Retries the last failed processing stage for certificates and their associated applications. Previously this required multiple Config API calls per certificate and associated application to set attributes. (POST Certificates/Retry) @28347
  • Revised Behavior for Certificate Renewals
    The behavior of POST Certificates/Request and POST Certificates/Renew for certificate renewals has been revised to more closely align with other areas of Trust Protection Platform. As of 18.1, the previous certificate won't be archived until the renewed certificate has been successfully retrieved from the CA. @27489
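
To show how the two new single-call operations are driven from a script, here is an added Python example; it is not Venafi's code. The endpoint names (DELETE Certificates/{guid}, POST Certificates/Retry) come from the notes above. The /vedsdk/ path prefix, the POST authorize/ login that returns an APIKey which later calls send in the X-Venafi-Api-Key header, the brace-stripped GUID in the URL, and the {"CertificateDN": ...} request body for Retry are my assumptions from the Web SDK as I know it, not statements on this page; the host, account, password and GUID values are placeholders. A RecordingTransport stands in for the network so the example runs offline.

```python
"""Calling the two single-call certificate operations new in 18.1.

Added example, not Venafi code. Endpoint shapes beyond the two names in the
release notes are assumptions from my reading of the Trust Protection Platform
Web SDK: the /vedsdk/ prefix, POST authorize/ returning an APIKey sent later in
the X-Venafi-Api-Key header, and a {"CertificateDN": ...} body for Retry.
"""
import json
import re
import urllib.request

_GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def normalize_guid(guid):
    """Accept TPP's brace-wrapped form ("{...}") or a bare GUID; return it bare.

    Validating the value keeps anything but a GUID out of the URL path.
    """
    bare = guid.strip().strip("{}")
    if not _GUID.fullmatch(bare):
        raise ValueError(f"not a GUID: {guid!r}")
    return bare


def urllib_transport(method, url, headers, data):
    """Live transport; urlopen verifies the server's TLS certificate by default."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class RecordingTransport:
    """Offline stand-in that records each request and returns canned JSON."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, data):
        body = json.loads(data) if data else None
        self.calls.append((method, url, dict(headers), body))
        if url.endswith("/authorize/"):
            return {"APIKey": "constructed-api-key"}  # constructed value
        return {}


class VenafiClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.api_key = None

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.api_key:
            headers["X-Venafi-Api-Key"] = self.api_key
        data = json.dumps(body).encode() if body is not None else None
        return self.transport(method, f"{self.base_url}/vedsdk/{path}", headers, data)

    def authorize(self, username, password):
        # Credentials travel only in this one request; later calls reuse the API key.
        response = self._call("POST", "authorize/", {"Username": username, "Password": password})
        self.api_key = response["APIKey"]
        return self.api_key

    def delete_certificate(self, guid):
        """One DELETE removes the certificate and its associated records (18.1+)."""
        return self._call("DELETE", f"Certificates/{normalize_guid(guid)}")

    def retry_certificate(self, certificate_dn):
        """Retry the last failed processing stage for a certificate and its applications."""
        return self._call("POST", "Certificates/Retry", {"CertificateDN": certificate_dn})


def demo(transport):
    """Run the login, delete and retry sequence against the given transport."""
    client = VenafiClient("https://tpp.example.internal", transport)  # placeholder host
    client.authorize("svc-certmgr", "placeholder-password")  # placeholder account
    client.delete_certificate("{3f2504e0-4f89-41d3-9a0c-0305e82c3301}")  # constructed GUID
    client.retry_certificate("\\VED\\Policy\\Certificates\\www.example.internal")
    return client


if __name__ == "__main__":
    recorder = RecordingTransport()
    demo(recorder)
    for method, url, _headers, _body in recorder.calls:
        print(method, url)
```

Swapping RecordingTransport for urllib_transport sends the same three requests to a real server; keeping the transport pluggable is also what lets the GUID validation and header handling be tested without credentials.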

Server Agent

  • CAPI Provisioning Support 
    The Server Agent now supports installing certificates into Windows CAPI, the operating system's native key store. @28391, @21984, @29551, @23171, @20351
  • SuSE12 Supported 
    Server Agent now supports the SuSE 12 operating system. @32232
  • Mount Point Scanning Support on *nix
    In previous versions of the Server Agent, NFS and CIFS mount points on *nix operating systems were never scanned, even when configured to be, while NFS4 mount points were always scanned, even when configured not to be. In Trust Protection Platform 18.1, all three types now honor the agent's certificate discovery work configuration, which controls whether mount points are scanned.
