All versions of Venafi Trust Protection Platform
NOTE: Slight variations may occur between versions, but the concepts remain the same.
Summary / Purpose
This article gathers the information already available elsewhere (with links to the relevant documentation) and gives advice on how to manage your licensed and unlicensed certificates in the Venafi Trust Protection Platform.
Step 1: Understanding Licensing.
The first step is to know what you're billed for, and what is not charged.
The short version is that we charge for TLS TrustAuthority and TrustForce CERTIFICATES that are managed in any way. If the TLS Certificate product checks a TLS certificate for expiration, installs it, renews it, or even simply validates it, that certificate consumes a licensing entitlement. Keep in mind that Venafi counts licenses per Server Certificate instance, not per certificate. For example:
- (a) One (1) Server Certificate controlled by Venafi TrustAuthority on ten (10) devices counts as 10 Server Certificate instances; and
- (b) Ten (10) Server Certificates controlled by Venafi TrustAuthority on one device counts as 10 Server Certificate instances.
https://docs.venafi.com/Docs/current/TopNav/Content/Reporting/t-reports-set-up-licensingreport-tpp.php (look under the Information Contained in this Report)
CAUTION: To reduce your license count, you have to choose which TLS certificates or certificate locations you wish to stop managing within Venafi. You do not have to delete them; you can instead disable the Venafi features for those TLS certificates. The trade-off is that Venafi will no longer watch for errors or security vulnerabilities on the certificates you chose not to manage. The options for doing this are discussed below.
Step 2: Understanding License Reporting
The next question we get is about the license reports, and the licensing numbers in the dashboards. For the reports, here are some KBs (including the one above):
As for the dashboards, they can be somewhat helpful, IF you're looking at the right ones:
Dashboards as seen in Venafi TPP v19.1
The first picture is from the All Certificates Dashboard, which is a common place to look. "Managed Certificates" is highly misleading and is NOT an accurate count of your licenses. If you hover over the title, it tells you clearly that the figure shown is everything you have RIGHTS TO in the console, which is very different from your TLS certificate license entitlements.
The second picture comes from the System Status dashboard, and it is accurate: its numbers come directly from the license report (shown overlaid, and found in the Web Admin console). At the top, under License Counts, you'll see when that report was last run. If you make changes and need to update this dashboard, you need only re-run the report, and the dashboard will update as well.
Step 3: Managing your TLS Certificates
Once you understand what "counts", you can make good decisions about where to keep your TLS certificates. It is absolutely NOT necessary to delete TLS certificates from the TLS product to avoid being charged. The following are much better suggestions for handling old certificates, or certificates you are simply tracking but not managing.
NOTE: Because this discussion talks about "management" and "managed" certificates, the "Managed Certificates" figure in the dashboard screenshot above causes confusion. It is a different use of the word, as you will see below.
Suggestion 1: Create a Folder with an Unassigned Policy
The idea here is to create a policy folder with the management type set to Unassigned and LOCKED as seen here below:
Here, I've created a folder. On the Certificate tab, I chose Unassigned as the Management Type and then locked it at the right. Then I placed under it all the TLS certificates I "have" but do nothing with: certificates I discovered for whatever reason on various devices, but which are not mine to manage.
The effect? With this value locked, any certificate moved into this folder automatically inherits the value Unassigned, even if it was previously set to Provisioning or anything else.
The results? This disables all Venafi features for any TLS certificate placed in this folder, other than viewing it. That means no Expiration Notifications, SSL/TLS Validation, Renewals, Revocation, or Provisioning for the certificate. Only place TLS certificates in this folder if you are okay with those certificates not being managed and potentially expiring without any notice or warning.
Suggestion 2: Disable the certificates
Disabled certificates do not consume a license, and, just like setting the management type to Unassigned, disabling turns off all Venafi features for that TLS certificate. The most common way to do this is to disable the TLS certificate right on the certificate itself; it's an option under Settings.
If you're doing this for several TLS certificates, you may consider using the policy container instead, as follows:
Notice that I had to switch to the View tab at the top; then I could select the items I want, and as long as those items are not in the middle of processing (or in error), the "Disable" option is available.
The results? As with moving them into a policy folder where they are Unassigned, no processing will occur for these certificates. This disables all Venafi features for any TLS certificate in this state, including Expiration Notifications, SSL/TLS Validation, Renewals, Revocation, and Provisioning of the certificate. Only disable TLS certificates if you are okay with those certificates not being managed and potentially expiring without any notice or warning.
Note: Unlike setting a TLS certificate to the Unassigned Management type, setting a certificate to Disable will remove the certificate from counts on the "Certificate Dashboard" in Aperture. Remember, the "Certificates Dashboard" in Aperture is not relevant to licensing entitlements.
Suggestion 3: Revocation
When you revoke a TLS certificate in WebAdmin, there are two different options: Revoke, or Revoke and disable. The former continues to manage the certificate and still consumes a TLS license, because you can still renew it and use SSL/TLS Validation to confirm whether the revoked certificate is still installed on any devices. The latter option (Revoke and disable) reduces the count because the certificate has been disabled; see the section above on what disabling a certificate does. When revoking a certificate in Aperture, you must Revoke and then select the "Retire" action.
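The three suggestions above can also be applied in bulk through the TPP WebSDK (REST) rather than by clicking through the console, which matters when you have hundreds of discovered certificates to retire. The following is an added example written for this article, not Venafi's own code: the hostname, folder DN and certificate DNs are constructed sample data, and the endpoint paths, the "Management Type" and "Disabled" attribute names, the Locked flag on Config/WritePolicy and the Disable flag on Certificates/Revoke are my recollection of the WebSDK and should be checked against the API reference for your TPP version before running against a live system. The `plan()` function builds the calls without sending anything, so the changes can be reviewed first.

```python
"""Apply the article's three options for taking TLS certificates out of the
license count through the TPP WebSDK. Added example, not Venafi's code.
BASE_URL, the folder DN and certificate DNs are made up; endpoint paths,
attribute names and the Disable flag on revocation are assumptions to
check against your TPP version's WebSDK reference.
"""
import json
import urllib.request

BASE_URL = "https://tpp.example.internal"   # assumed hostname
CERT_CLASS = "X509 Certificate"              # WebSDK class of certificate objects (assumed)

# Constructed sample data: certificates discovered on other teams' devices.
SAMPLE_CERT_DNS = [
    "\\VED\\Policy\\Discovered\\old-intranet.example.internal",
    "\\VED\\Policy\\Discovered\\legacy-api.example.internal",
]
UNASSIGNED_FOLDER_DN = "\\VED\\Policy\\Unassigned - Not Managed"


def unassigned_policy_payload(folder_dn):
    """Suggestion 1: Config/WritePolicy sets Management Type = Unassigned on the
    folder and locks it, so every certificate moved in inherits that value."""
    return {
        "ObjectDN": folder_dn,
        "Class": CERT_CLASS,
        "AttributeName": "Management Type",
        "Values": ["Unassigned"],
        "Locked": True,   # the lock is what makes the inheritance mandatory
    }


def move_payload(cert_dn, folder_dn):
    """Moving an object in TPP is a rename to a DN under the new parent (Config/RenameObject)."""
    leaf = cert_dn.rsplit("\\", 1)[-1]
    return {"ObjectDN": cert_dn, "NewObjectDN": f"{folder_dn}\\{leaf}"}


def disable_payload(cert_dn):
    """Suggestion 2: Config/Write with Disabled = '1' stops all processing of the certificate."""
    return {"ObjectDN": cert_dn, "AttributeData": [{"Name": "Disabled", "Value": ["1"]}]}


def revoke_payload(cert_dn, disable, reason=5):
    """Suggestion 3: Certificates/Revoke. Disable=True is "Revoke and disable" and frees the
    license; Disable=False keeps the cert managed (renewable, validatable) and still licensed.
    Reason code 5 (original use no longer valid) is assumed from the WebSDK docs."""
    return {"CertificateDN": cert_dn, "Reason": reason,
            "Comments": "Retired from Venafi management", "Disable": disable}


def plan(cert_dns, option, folder_dn=UNASSIGNED_FOLDER_DN):
    """Build the ordered (endpoint, body) calls for one option without touching the
    network, so they can be reviewed before anything is changed."""
    calls = []
    if option == "unassigned":
        # Lock the policy first so the moved certificates inherit it immediately.
        calls.append(("/vedsdk/Config/WritePolicy", unassigned_policy_payload(folder_dn)))
        calls += [("/vedsdk/Config/RenameObject", move_payload(dn, folder_dn)) for dn in cert_dns]
    elif option == "disable":
        calls += [("/vedsdk/Config/Write", disable_payload(dn)) for dn in cert_dns]
    elif option == "revoke-and-disable":
        calls += [("/vedsdk/Certificates/Revoke", revoke_payload(dn, disable=True)) for dn in cert_dns]
    else:
        raise ValueError(f"unknown option {option!r}")
    return calls


def post(path, body, token):
    """Send one WebSDK call with an OAuth bearer token (obtained from /vedauth/authorize/oauth)."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print what would be sent. Pass a real token to post() to apply the plan.
    for path, body in plan(SAMPLE_CERT_DNS, "unassigned"):
        print(path, json.dumps(body))
```

After applying any of these options, re-run the licensing report so the System Status dashboard reflects the new count, as described in Step 2.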
Wrapping it Up
Best practice for licensing is: 1) review your license reports as the basis for any choices you make, and work with your sales rep; 2) for certificates that you have discovered but are not yet ready to manage within Venafi, set them to either the "Unassigned" management type or "Disabled", remembering that doing so increases the risk of those certificates expiring without notice or warning.