
Info: Agent Certificate Discovery Placement Logic


This article describes how the logic to create Device, Application and Certificate objects works when dealing with Agent Certificate Discovery.


More Info:

Agent Device placement scenarios:

"Single folder" mode

  1. Device object with matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) does NOT exist
    • New Device is created in folder defined in Device Placement work
  2. Device object with matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) DOES exist and is NOT being used by an existing agent.
    • Agent is linked to existing Device object
    • Existing Device object is not moved from current location

"Separate folder/advanced" mode

  1. If agent checks in and the agent record is not linked to an existing device object:
    • Device objects are created implicitly per placement rule even if existing Devices with matching hostname, IPv4, or Fully Qualified Domain Name (FQDN) exist
    • This will create duplicate Device objects if an agent record is deleted in TPP and the agent re-registers, or if multiple systems share the same hostname, IPv4 address, or FQDN.


Application object creation/placement:

  1. For each certificate the agent discovers, an application object is created under the device object that is linked to the agent
  2. Application object is named based on the keystore path and name the certificate was found in
  3. Application object settings are partially populated
  4. Application object is linked to the certificate object that was created based off certificate placement
  5. Discovered root and intermediate certificates do not get an application object created for them


Certificate placement scenarios:

  1. New certificate found, certificate does not exist in Venafi
    • A new Certificate object is created based off Certificate placement rules
    • Root and Intermediate Certificates will be placed in the Roots tree. There is no way to turn this behavior off today.
  2. Existing Certificate object with same Certificate thumbprint exists in Venafi
    • No new Certificate object is created
    • Existing Certificate object is not moved
  3. Existing Certificate object with a matching Certificate DN exists but thumbprint is different
    • No new Certificate object is created
    • Existing Certificate object is not moved
    • If discovered Certificate is newer than the Certificate in the object, the discovered Certificate becomes the current one and previous Certificate is moved to the history tab
    • If discovered Certificate is older than the Certificate in the object, the discovered Certificate is placed into the History tab
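
The three certificate placement scenarios above can be modelled as a small decision function to predict what a discovery run will do to an inventory; this is an added example, not Venafi's code. All names, the folder strings and the sample certificates are constructed, and it assumes that "newer" means a later valid-from date and that a thumbprint already held in an object's history also counts as a match.

```python
from dataclasses import dataclass, field
from datetime import date

ROOTS_FOLDER = "Roots"  # placeholder name for the Roots tree

@dataclass(frozen=True)
class Cert:
    thumbprint: str
    dn: str
    valid_from: date
    is_ca: bool = False  # True for root and intermediate certificates

@dataclass
class CertObject:
    folder: str
    current: Cert
    history: list = field(default_factory=list)

def place(inventory, cert, rule_folder):
    """Model the three certificate placement scenarios; return the action taken."""
    for obj in inventory:
        # Scenario 2: thumbprint already known. Assumption: history counts too.
        if cert.thumbprint in [c.thumbprint for c in [obj.current] + obj.history]:
            return "unchanged"
    for obj in inventory:
        # Scenario 3: same DN, different thumbprint. The object is never moved.
        if obj.current.dn == cert.dn:
            # Assumption: "newer" means a later valid-from date.
            if cert.valid_from > obj.current.valid_from:
                obj.history.append(obj.current)
                obj.current = cert
                return "replaced-current"
            obj.history.append(cert)
            return "added-to-history"
    # Scenario 1: unknown certificate. CA certificates always go to the Roots tree.
    folder = ROOTS_FOLDER if cert.is_ca else rule_folder
    inventory.append(CertObject(folder, cert))
    return "created:" + folder

def demo():
    inv = []
    found = [  # constructed discovery results, replayed in order
        Cert("AA11", "CN=www.example.test", date(2023, 1, 1)),
        Cert("AA11", "CN=www.example.test", date(2023, 1, 1)),  # rediscovered
        Cert("BB22", "CN=www.example.test", date(2024, 1, 1)),  # renewal
        Cert("CC33", "CN=www.example.test", date(2022, 1, 1)),  # stale copy
        Cert("DD44", "CN=Example Test CA", date(2020, 1, 1), is_ca=True),
    ]
    return [place(inv, c, "Policy/Discovered") for c in found], inv
```
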
