Venafi Trust Protection Platform version 18.1 introduces significant improvements in stability and performance, as well as several key enhancements.
IMPORTANT! Before upgrading to the new version, carefully review the topic, Important Considerations before Upgrading
Venafi Advanced Key Protect (available for purchase)
Venafi Advanced Key Protect is a new product add-on module (priced separately) designed to provide remote and centralized HSM key generation.
- Remote HSM Key Generation
Prior to this release, Venafi Platform could do HSM remote key generation on Gemalto SafeNet HSM only. New in 18.1, Venafi Advanced Key Protect add-on module can perform remote generation of private keys for Thales nShield Connect HSMs for Apache,CAPI (IIS), and JKS. @6522 - Central HSM Key Generation
For improved entropy and audit compliance, private keys for certificates and SSH keys can be centrally generated on Gemalto SafeNet and Thales nShield Connect HSMs. Centrally generated private keys are exported from an HSM and stored as ciphertext in the Venafi database.
Platform
- Venafi Configuration Console
Use the all-new Venafi Configuration Console to install, upgrade, and administer the Venafi Platform and installed products. @9122, @16697 - Silent Installation Support
Venafi Platform can be installed and upgraded from a command line interface (CLI) using a secure XML answer file. @22109, @26096, @13381, @20273 - Create Hardware Key on an HSM
When using an HSM to protect the Venafi database, the creation of the Hardware Key can now be done directly in the new Venafi Configuration Console. Previous versions required the use of an HSM support tools. @30711 - MSSQL Mixed Authentication Mode
Venafi servers can be configured to use either SQL Authentication or Windows Integrated Authentication on a server-by-server basis. In previous versions, a Venafi cluster needed to have the same mode for all servers. @27068, @28106, @23787 - HSM enabled Venafi servers no longer need a software key
In previous versions of Venafi Platform, even if an HSM was used, a DPAPI key was still required. In 18.1, DPAPI key is now known as a Software key and is no longer required on new installations (new database) that leverage an HSM to encrypt the Venafi database.
Certificate Manager
- Turnkey discovery and rotation of IIS certificates via Onboard Discovery
When given a list of devices with corresponding WinRM credentials, Venafi can interrogate the target system to get a list of certificates with IIS bindings. Those certificates are configured so that they can be renewed and installed without any additional configuration. @15703, @18782 - Adaptable Onboard Discovery
Customers and vendors can write their own PowerShell script to integrate into other appliances, applications, and web platforms to automatically discover and import certificates and to configure them for immediate rotation. - SHA1 Thumbprint Certificate Filter
Aperture now has a SHA1 thumbprint certificate filter on the inventory list to find certificates based on their thumbprint. @25596, @26293 - GlobalSign Multi-Domain Support
The GlobalSign CA Driver has been updated so that the Domain ID is no longer required during configuration allowing a single Venafi CA Template to be used for any Domain ID that is valid within a GlobalSign account. @34484, @33429, @24733 - EV Support for GlobalSign Driver
The GlobalSign CA Driver now supports the Extended Validation (EV) product. @30072, @33429 - Validation Failure Log Updated
When TLS validation fails with a certificate mismatch, the raw certificate is now stored in the event so that customers can leverage Adaptable Log solutions to then import the certificate to be managed if desired. @758
Trustnet
- Reputation Score
The reputation score from TrustNet is available as a new column on the certificate inventory list and custom certificate reports. - Dynamic TrustNet Dashboard
A new dashboard introduced into the Aperture console allows you to see all Trustnet related summary information in one place. With TrustNet, your Venafi system can be updated to be informed about new vulnerabilities that TrustNet has detected without waiting for a new quarterly release or patch. @32427
SSH
- Improved discovery of authorized keys
Both agentless and Server Agent methods for SSH system support improved support for sshd_config files to determine where to find authorized keys. @30874 - SSHD_Config Visibility
Able to view the sshd_config files for agentless managed systems within Aperture.
REST API (Web SDK)
- Certificate Delete
What could only be accomplished before 18.1 using a series of error prone low level API calls, certificates can now be deleted with a single call that also cleans up associated records like Workflow and Secret Store. (DELETE Certificates/{guid}) @32470, @3889 - Retry Certificates in a Processing Error
Retries the last failed processing stage for certificates and associated applications. Previously this could only be accomplished with multiple Config API calls per certificate and associated application to set attributes. (POST Certificates/Retry) @28347 - Revised Behavior for Certificate Renewals
The behavior of POST Certificates/Request and POST Certificates/Renew for certificate renewals has been revised to more closely align with other areas of Trust Protection Platform. As of 18.1, the previous certificate won't be archived until the renewed certificate has been successfully retrieved from the CA. @27489
Server Agent
- CAPI Provisioning Support
The Server Agent now supports installing certificates into Windows CAPI, the operating system's native key store. @28391, @21984, @29551, @23171, @20351 - SuSE12 Supported
Server Agent now supports the SuSE 12 operating system. @32232 - Mount Point Scanning Support *nix
In previous versions of the Server Agent, NFS and CIFS mount points on *NIX operating systems were never scanned, even when configured to do so. NFS4 type mount points were always scanned, even when configured not to. In Trust Protection Platform 18.1, all three types now properly honor the agent certificate discovery work configuration as to whether to scan mount points or not.
Comments