All versions of Venafi Trust Protection Platform
NOTE: Slight variations may occur between versions, but the concepts remain the same.
Summary / Purpose
This article summarizes the information already available, with links to documentation elsewhere, and provides advice on how to manage your licensed and unlicensed certificates in the Venafi Trust Protection Platform.
Step 1: Understanding Licensing
The first step is to know what you are billed for and what is not charged.
The short version is that we charge for CERTIFICATES that are processed and/or used in any way. That is, if we check them for expiration, provision them, renew them, or even simply validate them, any of those counts for licensing. Keep in mind that Venafi calculates licenses as the number of certificates times the number of associated applications tied to each certificate.
https://docs.venafi.com/Docs/current/TopNav/Content/Reporting/t-reports-set-up-licensingreport-tpp.php (see the section "Information Contained in this Report")
CAUTION: Understand that to reduce your license count, you have to choose which certificates or certificate locations you wish to stop managing within Venafi. You do not have to delete them, but you can disable Venafi features for those certificates. This means you are unable to watch for any errors or security vulnerabilities for the certificates you chose not to manage within Venafi! More about this is discussed in the options below.
Step 2: Understanding License Reporting
The next question we get is about the license reports, and the licensing numbers in the dashboards. For the reports, here are some KBs (including the one above):
As for the dashboards, they can be somewhat helpful, IF you are looking at the right ones:
Dashboards as seen in Venafi TPP v19.1
The first picture is from the All Certificates Dashboard, which is a common place to look. "Managed Certificates" is highly misleading and is NOT an accurate count of your licenses. If you hover over that title, it tells you clearly that what is shown here is anything you have RIGHTS TO in the console, which is very different from licensed.
The second picture comes from the System Status dashboard, and it is very accurate! In fact, it is queried directly from the license report (shown overlaid, and found in the Web Admin console). At the top, under License Counts, you will see when that report was last run. If you make changes and then need to update this dashboard, you need only re-run that report, and this dashboard will update as well.
Step 3: Managing your certificates
Once you understand what "counts", you can make good decisions about where to keep your certificates. It is absolutely NOT necessary to delete things from the console to avoid being charged. The following are much better suggestions for managing old certificates, or those you are simply tracking but not managing.
NOTE: Because we talk about "management" and "Managed" in this discussion, people become confused with the above screenshot showing "Managed" certificates. The word is being used in a different sense there, as you will see below.
Suggestion 1: Create a Folder with an Unassigned Policy
The idea here is to create a policy folder with the management type set to Unassigned and LOCKED as seen here below:
Here, I've created a folder. On the Certificate tab, I chose Unassigned as the Management Type and then locked it at the right. Then I placed under it all the certificates I "have" but really do nothing with. I discovered them for whatever reason from different devices, but they are not mine.
The effect? With this value locked, any certificate moved into this folder automatically inherits that value, Unassigned, even if it was previously set to Provisioning or anything else.
The results? This disables all features of Venafi for any certificate placed in this folder, other than looking at it. This includes stopping Expiration Notifications, SSL/TLS Validation, Renewals, Revocation, and Provisioning of the certificate. Only place certificates in this folder if you are okay with those certificates not being managed, and potentially expiring without any notice or warning.
Suggestion 2: Disable the certificates
Disabled certificates are not licensed, and, just like setting the management type to Unassigned, disabling turns off all Venafi features for that certificate. The most common way to do this is to disable the certificate directly on the certificate object; it is an option under Settings.
If you're doing this for several certs, you may consider using the policy container instead, as follows:
Notice that I had to switch to the View tab at the top; then I could select the items I want, and as long as those items are not in the middle of processing (or in error), the "Disable" option is available.
The results? As with moving them into a policy folder where they are Unassigned, no processing will occur for these certificates. This disables all features of Venafi for any certificate in this state, including Expiration Notifications, SSL/TLS Validation, Renewals, Revocation, and Provisioning of the certificate. Only disable certificates if you are okay with those certificates not being managed, and potentially expiring without any notice or warning.
Note: Unlike setting a certificate to the Unassigned Management type, setting a certificate to Disable will remove the certificate from counts on the "Certificate Dashboard" in Aperture. Remember, the certificates dashboard is not relevant to licensing!
Suggestion 3: Revocation
When you revoke a certificate in WebAdmin, there are two different options: Revoke, or Revoke and Disable. The former continues to use a license, because you can still renew the certificate and use SSL/TLS Validation to confirm whether the revoked certificate is still installed on any devices. The latter option (Revoke and Disable) reduces the count because the certificate has been disabled; see the section above on what disabling a certificate does. When revoking a certificate in Aperture, you must Revoke and then select the "Retire" action.
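To make the rules in Steps 1 and 3 concrete, here is an added example (not Venafi code) that models how Suggestions 1 to 3 change the license count before you touch anything in the console. It assumes a managed certificate with no associated application still consumes one license, which the article does not state, and uses constructed folder and certificate names.

```python
"""Constructed license-impact model of the rules in this article (not Venafi
code): licenses = certificates x associated applications; Disabled and
Unassigned certificates are not licensed; a folder with Management Type locked
to Unassigned forces that value on its contents; Revoke alone keeps the
license, Revoke and Disable releases it."""
from dataclasses import dataclass

@dataclass
class Certificate:
    name: str
    folder: str                          # policy folder DN (constructed values)
    management_type: str = "Monitoring"  # or Enrollment, Provisioning, Unassigned
    applications: int = 0                # application objects tied to the certificate
    disabled: bool = False
    revoked: bool = False

# Suggestion 1: folders whose Management Type is set to Unassigned and locked.
UNASSIGNED_FOLDERS = {"\\VED\\Policy\\Unmanaged"}

def effective_management_type(cert):
    # A locked policy value overrides whatever the certificate had before.
    return "Unassigned" if cert.folder in UNASSIGNED_FOLDERS else cert.management_type

def licenses_for(cert):
    """Licenses one certificate consumes. Assumption not stated in the article:
    a managed certificate with no associated application still consumes one."""
    if cert.disabled or effective_management_type(cert) == "Unassigned":
        return 0                         # revoked but not disabled still counts
    return max(1, cert.applications)

def license_report(certs):
    """Return (licenses, All Certificates dashboard count, names with no monitoring)."""
    licenses = sum(licenses_for(c) for c in certs)
    # The dashboard drops Disabled certificates but still shows Unassigned
    # ones, which is one reason it is not a licensing number.
    dashboard = sum(1 for c in certs if not c.disabled)
    unmonitored = sorted(c.name for c in certs if licenses_for(c) == 0)
    return licenses, dashboard, unmonitored

# Constructed inventory exercising each rule.
INVENTORY = [
    Certificate("web.example", "\\VED\\Policy\\Prod", "Provisioning", applications=3),
    Certificate("api.example", "\\VED\\Policy\\Prod"),
    Certificate("old.example", "\\VED\\Policy\\Unmanaged", "Provisioning", applications=2),
    Certificate("legacy.example", "\\VED\\Policy\\Prod", applications=1, disabled=True),
    Certificate("gone.example", "\\VED\\Policy\\Prod", applications=1, revoked=True),
]
```

The third element of the report is the list you should review against your expiration risk, since those certificates no longer get Expiration Notifications or validation.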
Wrapping it Up
Best practice for licensing is: 1) review your license reports as the basis for any choices you make, and work with your sales rep; 2) for certificates that you have discovered and are not yet ready to manage within Venafi, set them either to the "Unassigned" management type or to "Disabled", but please remember that doing so increases the risk of those certificates expiring without notice or warning.