Info: What's New in Venafi Trust Protection Platform 18.3

Venafi Trust Protection Platform version 18.3 introduces significant enhancements across the product line, including updates to Enterprise Mobility Protect, platform performance improvements, a new Adaptable Workflow that enables the use of PowerShell scripts in workflows, and more.

IMPORTANT! Before upgrading to version 18.3, carefully review the topic "Important Considerations before upgrading to Trust Protection Platform 18.3."

Enterprise Mobility Protect

  • Transfer user certificate to a mobile device
    The User Agent has been updated so that, if enabled, end users can easily install their user certificates from their Windows/Mac computer to their iOS and Android mobile devices.
  • Revamped User Portal
    The User Portal has been overhauled so that it is much easier to request and install certificates. Previously, users needed to download certificates from a unique link that was emailed to them. Now issued certificates are listed for the user, who can download the current version of all issued certificates, including historical versions of encryption certificates. The User Portal has also been updated to allow certificate download in MobileConfig format for iOS devices. @24290 User Portal documentation
  • SCEP updated to work with JAMF
    JAMF is a Mobile Device Management platform for Apple devices. Venafi's SCEP implementation has been updated to work with the SCEP implementation on JAMF and Apple devices. This provides yet another way for Venafi to deliver user certificates to Apple hardware. @14963, @36051

Certificate Manager

  • Bulk Provisioning
    Leveraging a new implementation of the adaptable framework, Bulk Provisioning provides the ability to provision a large number of certificates and keys to multiple devices using a new job type in Aperture, which can run manually, on a schedule, or by events. This is very helpful if you have an SSL/TLS network inspection device that requires access to all TLS private keys to decrypt traffic. @33442, @21161, @26080 Bulk Provisioning documentation
  • Adaptable Workflow
    Allows integration with external change control systems for approvals. You can write custom PowerShell scripts with any needed business logic to automate the approvals process for certificates that meet the specified criteria, so some approvals that used to require manual review can be completed in seconds. @29659, @38096, @10248, @9817, @26850, @28243, @37566, @30410, @25190, @11624, @10447 Adaptable Workflow documentation
  • Manage SAN via Policy
    You can now set, at the policy level, what SAN types are allowed for the certificate enrollment process. New fields for permitted SAN types are on the certificate enrollment screens, and CSRs with prohibited SAN types can't be submitted. @13612, @38863, @30438, @36652, @29311, @35017, @25458, @21925, @9082, @38966, @22672, @24313, @34310 Policy settings documentation (where SAN restrictions are set)
  • Enhanced Amazon Web Services (AWS) Integrations
    The AWS Certificate Installation driver now has the ability to replace an existing certificate stored in ACM by reusing its Amazon Resource Name (ARN).  This is helpful for cases where the application consuming the certificate is something other than ALB, ELB, or CloudFront.

    All features that interact with Amazon Web Services (CA and Application drivers, and Cloud Instance Monitoring) now support authentication using ADFS.  This functionality is provided by a new Amazon Credential that allows the choice of ADFS or the static access keys that have always been supported. @37790, @36199 Amazon credential documentation

  • Revoke Permission Inheritance Refactored
    Resolves a known issue where revoke permissions were not inherited correctly when a user belonged to multiple groups which had conflicting revoke permissions assigned. Previously, this would cause Revoke permissions to be removed from a user when the permission shouldn't have been removed. 
  • New "Jobs" framework in Aperture
    The Discovery menu has been renamed to "Jobs", which now contains jobs for Network Discovery, Onboard Discovery, TrustNet Discovery, and Bulk Provisioning. The new area introduces a wizard-style interface for creating jobs to simplify the process. Creating a network discovery job documentation

SSH Product

  • Self-service keys
    In this version, Venafi introduces the concept of self-service keys, which replace external keys. Self-service keys can be created, associated with a keyset, and can also be rotated and downloaded so you can better manage keys that you can't discover. Features key creation, downloading, rotation, migration from external keys, and the ability to easily fix orphaned keys. @23692, @28671, @31032, @28504 SSH self-service documentation
  • Keyset filtering based on Policy folder
    The SSH inventory now has a new filter based on the folder that the keyset is in, so you can view all the keysets assigned to a specific policy in the inventory. @33623, @15601
  • Setting the SSH Contacts on a folder
    Usability has been improved for managing SSH policy on folders. @34888


  • Master Admin Groups
    Trust Protection Platform now integrates better with enterprise privilege account control systems by allowing those systems to control who is a master administrator, based on membership in an external identity group. @22105, @21717, @38200, @26708 Master Admin role documentation
  • Delete and Rename in Large Environments Now 5x-10x Faster
    When inventory assets are moved or deleted, all references to them need to be updated. In this version, the storage model for references between inventory assets (objects) was refactored to make maintenance significantly faster.
  • 40%-50% improvements for reading and writing large vaults to storage
    The Venafi Platform has a storage system called the "Secret Store" where certificates, private keys, credentials, reports, and other files are stored as "vaults." In this release the storage was updated to improve performance for reading and writing of larger vaults.  Design protections were also added to improve data integrity and synchronization standards.
  • Improved documentation home page
    The home page for the web-based documentation has been redesigned providing quick access to featured topics, as well as the most commonly used topics. New documentation homepage

Server Agent

  • Dynamic Provisioning
    The Venafi Platform now has the ability to issue and provision customized certificates to a large number of trusted machines based on the properties of the target machine within a short period of the Server Agent installation and startup with minimal required configuration. @15614 Dynamic Provisioning documentation
  • Key Usage Log Listener Performance Improvement by 35x
    The Venafi Server Agent has been updated to process much higher volumes of SSH key usage log messages and send them to the Venafi Server. The system can now ingest and deliver up to 30,000 system log messages per minute. @38940
  • Upgraded 3rd party dependencies
    This release upgrades several third-party dependencies on Windows, Linux, and HP-UX, including SQLite, PCRE, apr-util, Curl, zlib, and OpenSSL.


  • TrustNet Certificate Discovery
    Within the new "Jobs" area of Aperture, users can now create TrustNet Certificate Discovery jobs that leverage scanning from the cloud. Specify your IPv4 ranges, and TrustNet can perform scheduled or on-demand scans. Scans are more thorough and check more standard ports than regular TrustNet scans of the internet. TrustNet discovery documentation
  • Suspected Phishing Domain Widget
    New to the TrustNet dashboard is the suspected phishing domain widget, which highlights certificates for domains that are similar to those of your organization and may be used for phishing against your employees and customers. Note: Because of the dynamic TrustNet dashboard introduced in 18.1, this widget is already available on all 18.1 and 18.2 versions. TrustNet dashboard widgets documentation


  • GET Certificates
    The response for this endpoint has been updated so that it now returns the common name, all SANs, the serial number, the SHA1 thumbprint, the valid-from timestamp, and the valid-to timestamp. GET Certificates documentation
  • GET SystemStatus/Version
    A new endpoint to get the version of the Venafi Server. Any authenticated WebSDK user can use this endpoint. @37160 GET SystemStatus/Version documentation
  • PUT Certificates/{GUID}
    New endpoint that allows users to set any number of certificate values in a single call. The API call is policy sensitive, meaning that attribute values set on a certificate that exactly match suggested or locked policy are not written to the certificate object. The endpoint has also been updated so that if uploaded values conflict with locked policies, a warning is returned. PUT Certificates/{guid} documentation
  • POST Certificates/Associate
    New "PushToNew" parameter available when creating associations between certificate and application objects, so that the certificate installation/provisioning can be queued in the same call that creates the association. POST Certificates/Associate documentation
  • POST Config/Write
    This endpoint has been updated so that multiple attributes can be written in a single call. @26843 POST Config/Write documentation
  • POST Config/IsValid
    This endpoint has been updated to return the configID to help translate between DN, GUID, and ConfigID as unique identifiers within the Venafi Platform. POST Config/IsValid documentation
  • POST Config/IDInfo
    This endpoint has been updated to return information on a config object based on the config ID. It returns the GUID and DN. POST Config/IDInfo documentation

Advanced Key Protect

  • Thales Operator Card Set Support for Apache Private Key Generation
    The Apache certificate installation drivers are enhanced to support Operator Card Sets (OCS). Private keys can be generated remotely on Thales HSMs that require only a single card to make a quorum.

