Info: What's new in Venafi Trust Protection Platform 19.3

Venafi Trust Protection Platform version 19.3 introduces some significant enhancements across all product lines.

IMPORTANT! Before upgrading to version 19.3, carefully review Important Considerations Before Upgrading to Venafi Platform 19.3.

Venafi Next-Gen Code Signing 

  • Reports Dashboard & Statistics
    A brand new view to gain viability into your code signing operations and projects. Some examples of what the new dashboard shows: You can see things like the Total number of signing operations vs recent signing operations -- as well as how signing operations are trending. You can see how many different users are submitting code signing requests.
  • Performance Enhancements 
    Improve performance for code signing operations. In some instances, you may see gains up to 90x faster. In our own build environment, average sign times went down from 9 seconds to 0.112 seconds.
  • Request in Progress Message customization 
    Ability for code signing administrators to customize the message returned to a key user when the signing request isn’t fulfilled. 
  • Request Instance Identification 
    Allows Code Signing Administrators to determine which attributes of a signing request are used to match previous signing requests that are not yet fulfilled. 
  • Updates to the Cryptographic Security Provider (CSP) Utility
    Added ability to check current grant validity and request a new grant. Also added the ability to set Venafi Server URL values during installation from the command line. 

Venafi Platform 

  • New message formats for Syslog Notification Channel 
    The Syslog channel driver now includes two new message formats—Common Event Format (CEF) and JSON—and can now support encrypted (TLS) connections to remote syslog servers. The legacy BSD format is still available. 37674343, 36321277, 37010374
  • Support for MS SQL Server 2017 
    You can now use MS SQL Server 2017 for your database.
    Note: in 19.4 we plan to deprecate support for SQL Server 2012 and SQL Server 2014. Please begi
    n to plan your upgrade to SQL Server 2016 or higher. 
  • Azure Active Directory Domain Services and AWS managed Microsoft AD Compatibility 
    Both cloud active directory providers are considered compatible in working with the Venafi Platform Active Directory Identity Provider 37841362
  • Change Owner of Custom Reports  
    In previous versions, if the creator of a custom report was removed from the system, the custom report would break. A master admin can now view the owner of custom reports and can reassign a custom report to a new owner.
  • Adaptable Debug Option for Customer Support 
    Small enhancement to all Adaptable drivers aimed at helping Customer Support more effectively assist customers needing help troubleshooting homegrown Adaptable scripts. 

TLS Server Certificate 

  • Big improvements to Scanafi Certificate Network Discovery Utility 
    Version 2.1 of Scanafi is included. It adds support for TLS 1.3, you can specify a list of custom ports, SNI is fully supported, and the mechanism for configuring Scanafi has been updated. Note, this version of Scanafi no longer supports scanning SSL 2.0 protocol, and removes the Vulnerability Scan from the Scanafi default behavior. 3653371336331555, 37144174, 37010083
  • Zip download of PEM certificate data 
    You can now download your PEM certificate, private key, and chain certificates as separate files inside of a zip archive. 36768793, 36270625
  • Additional filter for certificate inventory
    The certificate inventory in Aperture now includes an additional filter, allowing you to filter based on CA Template. 36270601
  • Display approvers of a pending workflow 
    The system has been enhanced so that certificate owners can see which approvers are assigned to a pending approval. This allows certificate owners to know who in their organization to contact if a certificate hasn’t been approved. 
  • CyberArk Integration Enhancements 
    You can now configure Trust Protection Platform to authenticate to your SCIM server when setting up the CyberArk connector in the Venafi Configuration Console (VCC). And you can also now create the CyberArk username/password and the CyberArk password credential types from within Aperture. 
  • Command Injection for Workflow
    In previous versions, you could not have more than 1,000 characters in your command line injection. Due to improvements to how Workflow configurations are stored in the database, the is no longer a storage limit on the number of characters for command injection purposes.
  • Enhance Validation to not block provisioning on load balancers 
    Previously, when there were many applications on a device (common with load balancers), both onboard and network validation could delay certificate provisioning (installation). 
  • Save Renewal Details button text clarified 
    When changing renewal details for a certificate, previously the action button was titled “Submit.” This has been updated to “Save Renewal Details” to clarify what happens when a user clicks the button. (That is to say, the renewal is not submitted for processing.) 37083121
  • Synchronize button added to Roots Tree in WebAdmin
    Chaining is now calculated for the roots tree on the back-end to improve performance when there are many certificates present in the roots tree.  This roots chaining update happens whenever a new certificate is imported, the trust behavior of a root certificate is updated, or the Synchronize button is pressed.
  • Improved performance for importing certificates into WebAdmin 


  • Support ED25519 (OpenSSH) 
    The SSH product adds support for ED25519 (for OpenSSH) keys in addition to RSA, DSA, and the following ECDSA keys: P256, P348, P521This is for both Agent and Agentless management options. 
  • Encrypted Private Key management 
    You can now take actions on encrypted private keys including adding or changing the key’s passphrase and deleting the key from the inventory.  
  • Apply policy to SSH keysets 
    Trust Protection Platform now allows you to apply policy settings and permissions to keysets independent of the devices on which those keysets are stored. You can move a keyset into a policy folder, where those permissions will override the permissions set on the device. You can also remove a keyset from all folders, reverting to device-level permissions. 
  • Bulk Move of SSH keysets 
    You can easily move multiple keysets into a folder using the Bulk Move button on the keyset inventory, allowing you to apply a subset of SSH policy values to the keyset. 

Certificate Driver and DevOps Integrations  

  • Updated Symantec Driver
    You can enroll private SSL certificates (which allow non-fully-qualified hostnames) without syncing the CA template, or without ensuring all of the domains in the certificate are in the list of domains vetted by the CA. 36819535
  • Provision ECC to JKS backed by HSM 
    You can now use HSM when provisioning elliptic curve cryptography (ECC) keys to java keystore (JKS)(Requires Venafi Advanced Key Protect product.) 
  • Venafi Lambda functions enforce enterprise security policy for a AWS Private CA 
    Before sending an enrollment request to a private Amazon CA, Venafi Lambda enforces Trust Protection policy settings. Lambda can retrieve certificate policy settings from Trust Protection Platform or Venafi CloudSee 
  • Venfafi Salt generates certificates via vCert 
    Venafi Salt now uses vCert to generate certificates in accordance with policy settings. See 

Server Agent 

  • IIS Binding discovery and provisioning 
    Server Agent can now set and discover IIS bindings. This feature introduces dependency on .NET. This dependency exists even on systems without IIS. 37709905
  • Spectre mitigated agents for Windows and Linux 
    Security improvements 
  • Backup file permissions/ownership 
    During certificate provisioning Server Agent now sets the owner and permissions of the backup file under unix/linux when setting owner and permissions to the key store for easier recovery if needed.
  • Support ED25519 (OpenSSH) 
    Support for the new SSH product capabilities via Server Agent. 

Enterprise Mobility Protect 

  • Support for Microsoft Intune 
    Customers using Microsoft Intune for management of endpoints (like workstations and mobile devices) can now use Venafi Trust Protection Platform to manage all issued certificates in a single place. Microsoft Intune can configure endpoints to request certificates from Trust Protection Platform for different purposes like VPN, Wi-Fi, email, and other. Endpoints are requesting certificates via Simple Certificate Enrollment Protocol (SCEP). For each request, Trust Protection Platform performs additional request validation by Microsoft Intune. 
  • Report for certificate with identical attributes A new report to easily find miss-issued certificates with identical attributes is not available. Having more than one user or device certificate for the same purpose can create a threat vulnerability when left unmanaged. User and device certificates having identical certificate attributes (CN, SAN Email, SAN UPN, etc.) can now be identified with this new report. Administrators can configure which certificates to be included for comparison and apply comparison logic to match the customer’s needs. The report can be scheduled or ran manually and delivered in CSV or PDF format. 
  • Simple Certificate Enrollment Protocol (SCEP) improvements Trust Protection Platform can now use AES encryption algorithm to secure the payload when communicates with endpoints via Simple Certificate Enrollment Protocol (SCEP). In addition, HTTP POST method is now supported when receiving certificate requests. For compatibility reasons, communication via HTTP GET and Triple DES encryption algorithm are still supported. 

Web SDK 

  • Custom Fields on a Certificates/Request 
    If a policy requires Custom Fields, a Certificates/Request must include the Custom Field value. See Certificates/Request. 36746239
  • Discovery/Import JSON input file 
    Instead of command line flags for Discovery/Import, you use a JSON input file and the Scanafi provider or standalone mode. 
  • Protocol filter 
    To find certificates that use SSL2, SSL3, TLS, TLS11, and TLS12 communication protocols, you can use GET and HEAD Certificates and the SslTlsProtocol filter. 
  • TLS and Chain Validation filters 
    To filter certificates by TLS and chain validation results, you can use GET and HEAD Certificates and the TlsValidationFailure andChainValidationFailure filters. 
  • Swagger Log and Workflow modules 
    The Log and Workflow Swagger modules allow you to try the Web SDK Log and Workflow interfaces in your test environment.
  • Move keysets to a policy folder 
    SSH/MoveKeysetsToPolicy can assign keysets to a policy folder. After the move, SSH policy settings, which are independent of device policy, apply to the keysets. See SSH/MoveKeysetsToPolicy.htm. 
  • Change a private key passphrase 
    To change a keyset passphrase, you can use SSH/ChangePrivateKeyPassphrase. 
Was this article helpful?
0 out of 0 found this helpful