Info:
This article describes how the logic to create Device, Application and Certificate objects works when dealing with Agent Certificate Discovery.
More Info:
Agent Device placement scenarios:
"Single folder" mode
- Device object with matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) does NOT exist
  - New Device is created in the folder defined in the Device Placement work
- Device object with matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) DOES exist and is NOT being used by an existing agent
  - Agent is linked to the existing Device object
  - Existing Device object is not moved from its current location
"Separate folder/advanced" mode
- If the agent checks in and the agent record is not linked to an existing Device object:
  - Device objects are created implicitly per placement rule, even if existing Devices with a matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) exist
  - This will create duplicate Device objects if an agent record is deleted in TPP and the agent re-registers, or if multiple systems share the same hostname, IPv4 address, or FQDN
Application object creation/placement:
- For each certificate the agent discovers, an Application object is created under the Device object that is linked to the agent
- The Application object is named based on the keystore path and name the certificate was found in
- Application object settings are only partially populated
- The Application object is linked to the Certificate object that was created based on certificate placement
- Discovered root and intermediate certificates do not get an Application object created for them
Certificate placement scenarios:
- New certificate found, certificate does not exist in Venafi
  - A new Certificate object is created based on the Certificate placement rules
  - Root and Intermediate Certificates will be placed in the Roots tree. There is no way to turn this behavior off today.
- Existing Certificate object with the same Certificate thumbprint exists in Venafi
  - No new Certificate object is created
  - Existing Certificate object is not moved
- Existing Certificate object with a matching Certificate DN exists but the thumbprint is different
  - No new Certificate object is created
  - Existing Certificate object is not moved
  - If the discovered Certificate is newer than the Certificate in the object, the discovered Certificate becomes the current one and the previous Certificate is moved to the History tab
  - If the discovered Certificate is older than the Certificate in the object, the discovered Certificate is placed into the History tab
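The certificate placement scenarios above, written out as a small decision model. This is an added illustration, not Venafi's code: the Roots tree path, the ISO-date comparison used to decide "newer", and the extra check of the History list by thumbprint are assumptions.

```python
from dataclasses import dataclass, field

# Assumed name for the Roots tree; the real policy path is not given on this page.
ROOTS_TREE = "\\VED\\Policy\\Roots"


@dataclass
class Cert:
    thumbprint: str
    dn: str               # certificate DN used for the "matching DN" scenario
    not_before: str       # ISO date "YYYY-MM-DD"; assumed to decide newer/older
    is_ca: bool = False   # root or intermediate certificate


@dataclass
class CertObject:
    folder: str
    current: Cert
    history: list = field(default_factory=list)   # the object's History tab


def place_certificate(inventory, discovered, placement_folder):
    """Apply the placement rules to one discovered cert; returns (action, object)."""
    for obj in inventory:
        # Same thumbprint already known: nothing is created and nothing is moved.
        # (Checking History too is an assumption; it avoids re-adding the same cert.)
        if any(c.thumbprint == discovered.thumbprint for c in [obj.current, *obj.history]):
            return ("unchanged", obj)
    for obj in inventory:
        # Same DN, different thumbprint: no new object, object is not moved.
        if obj.current.dn == discovered.dn:
            if discovered.not_before > obj.current.not_before:
                obj.history.append(obj.current)     # previous cert goes to History
                obj.current = discovered            # discovered cert becomes current
                return ("current_replaced", obj)
            obj.history.append(discovered)          # older cert goes straight to History
            return ("added_to_history", obj)
    # Unknown certificate: new object per placement rule; CAs always go to Roots.
    obj = CertObject(ROOTS_TREE if discovered.is_ca else placement_folder, discovered)
    inventory.append(obj)
    return ("created", obj)


def needs_application_object(cert):
    """Roots and intermediates never get an Application object under the Device."""
    return not cert.is_ca
```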