Venafi Trust Protection Platform version 18.2 introduces significant enhancements to the Enterprise Mobility Protect product, Platform performance improvements, streamlined certificate discovery processes, and new ways to protect certificates through an enhanced TrustNet integration.
IMPORTANT! Before upgrading to the new version, carefully review the topic Important Considerations before Upgrading.
Enterprise Mobility Protect
- User Agent for macOS devices
The User Agent is now supported on macOS. Easily deploy user and device certificates to places where Active Directory Group Policy cannot. @23205
- User Agent for non-domain joined Windows devices
User Agent on Windows supports deployments to non-domain joined systems. This further expands the ability of Enterprise Mobility Protect to deploy certificates to systems where Active Directory Group Policy is not supported.
- Automated software updates for User Agent
The User Agent can be configured to upgrade itself automatically, which makes it easier to push out changes from release to release.
- Deployment Preparation Tool for User Agent
A Deployment Preparation Tool is available that customizes the MSI file for domain-joined or non-domain-joined devices, making Windows User Agent deployments easier.
- User Agent Experience Customization
You can now customize the User Agent end-user experience so that you control which features and controls end users can see and use.
- SQL Server 2016
SQL Server 2016 is now fully supported. It was previously listed as “compatible”. @35098
- Master Admin Permissions
Master Admins can no longer have permissions revoked at certain parts of the product tree.
- Usage Analytics Options
Usage Analytics choices can be made in the new Venafi Configuration Console.
- License Key
License keys for BETA features or special support features can be added in the new Venafi Configuration Console.
- Venafi Platform Daily Tasks
Each day the system performs tasks such as checking for certificate expiration, rotating SSH keys, and validating certificates. In 18.2 the system that manages these daily tasks was updated so that, on average, they now complete 50%-100% faster, depending on the number of certificates and keys in the environment, the features in use, and the number of Venafi Platform servers in the environment.
- Workflow Approvals
Certificate approvals can now scale to much higher numbers without impacting the usability of the system. In previous versions, system usability degraded once about 1000 approval workflows were pending.
- 40% Performance Improvement for Aperture, WebAdmin, Reporting
Improvements to queries and database structure have had a big impact on the performance and usability of the user interfaces and reporting. Master Admins should see, on average, a 30% performance improvement. Normal users and custom reports should see, on average, a 40% performance improvement in Aperture and WebAdmin.
- Onboard Discovery in Aperture
Onboard Discovery is now available in Aperture, and the status of each job is shown in the Discovery Jobs list. @29566
- Scheduled Onboard Discovery
To bring it in line with the other supported discovery methods, Onboard Discovery jobs can now be scheduled. @26729; @26552; @23699; @22195; @21718; @19899; @33915; @16981; @16269
- Discovery Job Sorting
The Aperture discovery jobs list now supports sorting on select columns. This makes it easier to manage deployments that have a high number of jobs. @36022
- Discovery Jobs additional columns
The “Last Run”, description, type, and priority of each discovery job are now available as columns in the jobs list. This saves time because you no longer have to drill into each job to capture high-level information. @25274
- Device only Placement Rules
Placement Rules were updated so that a rule can govern only the placement of the device. Device placement rules can therefore be defined independently of certificate placement rules, which in some cases means defining 80% fewer rules for the same results. @32847
- VCert Central Key Generation and CSR File Enrollment
VCert has been updated to support key/CSR generation inside the Venafi Platform and enrollment using CSR files of any origin. @33747; @33748; @21389; @30412
- VCert support for Renewal and Revocation
VCert is now able to make renewal and revocation requests from the Venafi Platform using the certificate's ID (object DN) or thumbprint.
Certificate Authority Drivers
- End Date support for Microsoft Active Directory Certificate Services
The Microsoft CA driver has been updated so that administrators can allow end users to request certificates that expire on a specific day instead of a fixed validity period. This allows customers to avoid having certificates expire during freeze windows or other undesirable parts of the calendar year. @33421; @25379
- Region support for Amazon Certificate Manager
The Venafi Platform can now submit certificate requests for Amazon issued certificates from any AWS geographic region. @28639
- Private Dedicated SSL for Entrust Certificate Services
The 'Private Dedicated SSL' certificate product is now supported by the Entrust.Net CA driver. This allows Entrust customers who have purchased this special type of certificate product to automate their lifecycle using the Venafi Platform.
- Override Organization in CSR for Entrust Certificate Services
The Entrust.Net CA driver now provides an option to ignore the Organization name in the CSR and always use the primary Organization of the Entrust account. Users no longer have to regenerate CSRs that contain an incorrect Organization, because the mistake is corrected automatically. @32144
Certificate Provisioning/Installation Drivers
- Provision certificates to Amazon Certificate Manager
Certificates are now provisioned to the ACM certificate store by default. Provisioning to the IAM certificate store is still available to support Amazon applications that are not ACM aware. @30211
- Amazon Web Services Application Load Balancer
Certificates can now be provisioned to AWS Application Load Balancers. @33743
- Create Listeners on Amazon Web Services Load Balancers
When provisioning a certificate to a new AWS load balancer (ALB or ELB), the Venafi Platform can now create the listener that requires a certificate, making it significantly easier to provision the initial certificate for load balancers. @20891; @32559
- Stay informed with dynamic changes
As TrustNet finds certificates that are of a security concern to your organization, or publishes new features to your dynamic TrustNet dashboard, you can be informed of these changes in two ways. First, you can configure email notifications to have TrustNet email you directly based on the severity of the event. Second, TrustNet events feed into the Venafi Platform logging system and can be processed by the different logging channels available.
- Streamlined Review Process
As TrustNet discovers certificates on the internet concerning your organization, updated widgets on the Aperture Dashboard and a new "TrustNet Review" action on certificates walk end users through the review process so that direct and immediate action can be taken when certificates are found.
- Visibility into Trusted vs Untrusted CAs
Updated tools let you specify whether the issuers of discovered certificates are trusted sources. This helps ensure that certificates for your organization come only from approved and trusted certificate authorities.
- ECDSA Key Support
It is important to include SSH ECDSA keys in your inventory to ensure visibility of all access and potential vulnerabilities. The Venafi Platform is now able to discover and report on existing ECDSA keys, as well as provide management functionality such as key rotation.
- Enhanced SSH Report
The SSH Keyset Inventory List and Custom Reports can now include the MD5 thumbprint and the SHA256 thumbprint of the keyset. This makes it easier to cross-reference information from Venafi with external systems.
Note: Fingerprints may not be available immediately after upgrade. A new background task that calculates and stores all key fingerprints must complete first. @35894
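To cross-reference the MD5 and SHA256 thumbprints described above (including those of the ECDSA keys the platform now discovers) against keys seen on hosts or in other tools, here is an added example, not part of these release notes or of the Venafi product, that computes both OpenSSH fingerprint forms from an authorized_keys-style line and rejects a line whose declared key type does not match the encoded blob. The sample ECDSA key, its point bytes and the comment are constructed placeholders.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real key: an OpenSSH-format ECDSA P-256 public key
# line as found in authorized_keys. The point bytes are placeholders; fingerprints
# are computed over the encoded blob, so the calculation is unaffected.
_SAMPLE_POINT = b"\x04" + bytes(range(1, 65))  # uncompressed-point tag + 64 bytes
SAMPLE_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
               + _ssh_string(_SAMPLE_POINT))
SAMPLE_KEY_LINE = ("ecdsa-sha2-nistp256 "
                   + base64.b64encode(SAMPLE_BLOB).decode() + " deploy@host01")


def parse_key_line(line: str) -> bytes:
    """Return the raw key blob from an authorized_keys-style line, after checking
    that the declared key type matches the type encoded inside the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + length].decode("ascii")
    if inner_type != declared:
        raise ValueError(f"key type mismatch: line says {declared!r}, blob says {inner_type!r}")
    return blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH form: colon-separated hex of the MD5 digest of the blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(line: str) -> dict:
    """Both fingerprint forms for one key line, ready to match against a report."""
    blob = parse_key_line(line)
    return {"type": line.split()[0],
            "md5": md5_fingerprint(blob),
            "sha256": sha256_fingerprint(blob)}


if __name__ == "__main__":
    print(fingerprints(SAMPLE_KEY_LINE))
```

The MD5 form matches what `ssh-keygen -l -E md5` prints after its `MD5:` prefix, and the SHA256 form matches the default `ssh-keygen -l` output.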
- Inventory List shows Total
Now when using the inventory list to manage your SSH keys, the total number of keysets is displayed so that you have an accurate total of how many keysets apply to your current filter. @21500
REST API (Web SDK)
- POST Certificates/Associate
Simplifies the process for associating an existing certificate with existing applications. Multi-step and mistake prone config calls are no longer needed. @29110
- POST Certificates/Dissociate
Simplifies the process for removing associations between a certificate and applications with an option to remove orphaned application and device objects. Multi-step and mistake prone config calls are no longer needed.
- POST Certificates/CheckPolicy
The method was updated so that results show whether the CSR complies with the “Private Key Reuse” policy. This lets you find out whether the CSR can be successfully enrolled before submitting it and starting processing. @34894
- POST Certificate/Import
A new “Reconcile” parameter was added to the method. During import, it looks for other versions of the certificate already present in the Venafi Platform and, if found, either makes the imported certificate the active certificate of the matching certificate object or adds it to the history, depending on the value of “Valid From”. @32484
- POST Certificate/Import
Method was updated to classify the certificate as a client device, server, or user certificate so that the certificate type is accurate at the time of import.
- GET Certificates & HEAD Certificates
Both endpoints have been updated in 18.2 so that you can query by the SHA1 thumbprint of the active certificate. Use the new Thumbprint attribute as a query parameter. @26223
- Onboard Validation
Onboard/Installation Validation of certificates is now supported for the Windows CAPI keystore, PEM, PKCS12, Java KeyStore, and IBM CMS keystore. This allows Agent-managed certificates to be monitored daily to ensure they are installed properly. @37335; @9338; @32584; @19240
- Windows Mount Points
Certificate discovery was enhanced so that Windows mount points can optionally be excluded during scans.