Venafi Trust Protection Platform version 19.3 introduces some significant enhancements across all product lines.
IMPORTANT! Before upgrading to version 19.3, carefully review Important Considerations Before Upgrading to Venafi Platform 19.3.
Venafi Next-Gen Code Signing
- Reports Dashboard & Statistics
A brand new view that gives you visibility into your code signing operations and projects. For example, the dashboard shows the total number of signing operations alongside recent signing operations, how signing operations are trending, and how many different users are submitting code signing requests.
- Performance Enhancements
Improved performance for code signing operations. In some instances, you may see gains of up to 90x. In our own build environment, average sign times went down from 9 seconds to 0.112 seconds.
- “Request in Progress” Message customization
Ability for code signing administrators to customize the message returned to a key user when the signing request isn’t fulfilled.
- Request Instance Identification
Allows Code Signing Administrators to determine which attributes of a signing request are used to match previous signing requests that are not yet fulfilled.
- Updates to the Cryptographic Security Provider (CSP) Utility
Added ability to check current grant validity and request a new grant. Also added the ability to set Venafi Server URL values during installation from the command line.
- New message formats for Syslog Notification Channel
The Syslog channel driver now includes two new message formats—Common Event Format (CEF) and JSON—and can now support encrypted (TLS) connections to remote syslog servers. The legacy BSD format is still available. 37674343, 36321277, 37010374
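The CEF format mentioned above is a pipe-delimited header followed by space-separated key=value extensions, with its own escaping rules (`\|` in the header, `\=` and `\\` in extension values). The parser below is an added example for anyone wiring the new channel into a SIEM or writing detections over it; it is not Venafi code, and the sample lines, vendor/product strings and extension keys are constructed for illustration rather than taken from Venafi's documented event schema.

```python
"""Parse Common Event Format (CEF) syslog messages and summarise them.

Added example: the sample lines are constructed to look like CEF events from a
certificate-management system; they are not captured from Venafi and the field
names/values are assumptions, not Venafi's documented schema.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed sample lines (not real Venafi output). Raw strings keep the
# CEF escape sequences (\| in headers, \= and \\ in extension values) intact.
SAMPLE_CEF_LINES = [
    r"CEF:0|ExampleVendor|ExamplePKI|19.3|1001|Certificate renewed|3|suser=alice dvchost=pki01 cs1Label=Subject cs1=CN\=web.example.test",
    r"CEF:0|ExampleVendor|ExamplePKI|19.3|1002|Private key passphrase changed|7|suser=bob dvchost=pki01 msg=key id\=42 \\ admin action",
    r"CEF:0|ExampleVendor|ExamplePKI|19.3|1003|Workflow \| approval pending|5|suser=carol dvchost=pki02",
]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: Union[int, str]
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (fields, remainder) where remainder is the extension part."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])      # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:          # everything after the 7th pipe is extension
                return fields, line[i + 1:]
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields, ""


def _unescape(value: str) -> str:
    # Extension escapes defined by CEF: \= \\ \n \r; anything else passes through.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces and escaped '=', so locate each unescaped '='
    and take the non-space run before it as the key; the value runs up to the
    start of the next key."""
    eq_positions: List[int] = []
    i = 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                        # skip the escaped character
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    key_starts = [ext.rfind(" ", 0, p) + 1 for p in eq_positions]
    result: Dict[str, str] = {}
    for idx, p in enumerate(eq_positions):
        key = ext[key_starts[idx]:p]
        end = key_starts[idx + 1] if idx + 1 < len(eq_positions) else len(ext)
        result[key] = _unescape(ext[p + 1:end].rstrip(" "))
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line into a CefEvent; raises ValueError if malformed."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    sev = int(fields[6]) if fields[6].isdigit() else fields[6]
    return CefEvent(fields[0][4:], fields[1], fields[2], fields[3],
                    fields[4], fields[5], sev, _parse_extension(ext))


def high_severity(lines, threshold: int = 7) -> List[str]:
    """Names of events whose numeric severity is at or above the threshold,
    the kind of filter a SIEM rule would apply to the new channel."""
    out = []
    for line in lines:
        ev = parse_cef(line)
        if isinstance(ev.severity, int) and ev.severity >= threshold:
            out.append(ev.name)
    return out


if __name__ == "__main__":
    for raw in SAMPLE_CEF_LINES:
        print(parse_cef(raw))
    print("high severity:", high_severity(SAMPLE_CEF_LINES))
```

Because the header is split on unescaped pipes only, an event name such as `Workflow | approval pending` survives intact, and the extension parser keeps an `=` inside a subject DN (`CN=web.example.test`) as part of the value rather than starting a new key.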
- Support for MS SQL Server 2017
You can now use MS SQL Server 2017 for your database.
Note: in 19.4 we plan to deprecate support for SQL Server 2012 and SQL Server 2014. Please begin to plan your upgrade to SQL Server 2016 or higher.
- Azure Active Directory Domain Services and AWS managed Microsoft AD Compatibility
Both cloud Active Directory providers are considered compatible with the Venafi Platform Active Directory Identity Provider. 37841362
- Change Owner of Custom Reports
In previous versions, if the creator of a custom report was removed from the system, the custom report would break. A master admin can now view the owner of custom reports and can reassign a custom report to a new owner.
- Adaptable Debug Option for Customer Support
Small enhancement to all Adaptable drivers aimed at helping Customer Support more effectively assist customers needing help troubleshooting homegrown Adaptable scripts.
TLS Server Certificate
- Big improvements to Scanafi Certificate Network Discovery Utility
Version 2.1 of Scanafi is included. It adds support for TLS 1.3, lets you specify a list of custom ports, fully supports SNI, and updates the mechanism for configuring Scanafi. Note that this version of Scanafi no longer supports scanning the SSL 2.0 protocol and removes the Vulnerability Scan from Scanafi's default behavior. 36533713, 36331555, 37144174, 37010083
- Zip download of PEM certificate data
You can now download your PEM certificate, private key, and chain certificates as separate files inside of a zip archive. 36768793, 36270625
- Additional filter for certificate inventory
The certificate inventory in Aperture now includes an additional filter, allowing you to filter based on CA Template. 36270601
- Display approvers of a pending workflow
The system has been enhanced so that certificate owners can see which approvers are assigned to a pending approval. This allows certificate owners to know who in their organization to contact if a certificate hasn’t been approved.
- CyberArk Integration Enhancements
You can now configure Trust Protection Platform to authenticate to your SCIM server when setting up the CyberArk connector in the Venafi Configuration Console (VCC). And you can also now create the CyberArk username/password and the CyberArk password credential types from within Aperture.
- Command Injection for Workflow
In previous versions, command line injection was limited to 1,000 characters. Due to improvements in how Workflow configurations are stored in the database, there is no longer a storage limit on the number of characters for command injection purposes.
- Enhanced validation so it does not block provisioning on load balancers
Previously, when there were many applications on a device (common with load balancers), both onboard and network validation could delay certificate provisioning (installation).
- Save Renewal Details button text clarified
When changing renewal details for a certificate, previously the action button was titled “Submit.” This has been updated to “Save Renewal Details” to clarify what happens when a user clicks the button. (That is to say, the renewal is not submitted for processing.) 37083121
- Synchronize button added to Roots Tree in WebAdmin
Chaining is now calculated for the roots tree on the back-end to improve performance when there are many certificates present in the roots tree. This roots chaining update happens whenever a new certificate is imported, the trust behavior of a root certificate is updated, or the Synchronize button is pressed.
- Improved performance for importing certificates into WebAdmin
- Support ED25519 (OpenSSH)
The SSH product adds support for ED25519 (for OpenSSH) keys in addition to RSA, DSA, and the following ECDSA keys: P256, P384, P521. This applies to both the Agent and Agentless management options.
- Encrypted Private Key management
You can now take actions on encrypted private keys including adding or changing the key’s passphrase and deleting the key from the inventory.
- Apply policy to SSH keysets
Trust Protection Platform now allows you to apply policy settings and permissions to keysets independent of the devices on which those keysets are stored. You can move a keyset into a policy folder, where those permissions will override the permissions set on the device. You can also remove a keyset from all folders, reverting to device-level permissions.
- Bulk Move of SSH keysets
You can easily move multiple keysets into a folder using the Bulk Move button on the keyset inventory, allowing you to apply a subset of SSH policy values to the keyset.
Certificate Driver and DevOps Integrations
- Updated Symantec Driver
You can enroll private SSL certificates (which allow non-fully-qualified hostnames) without syncing the CA template, or without ensuring all of the domains in the certificate are in the list of domains vetted by the CA. 36819535
- Provision ECC to JKS backed by HSM
You can now use an HSM when provisioning elliptic curve cryptography (ECC) keys to a Java keystore (JKS). (Requires the Venafi Advanced Key Protect product.)
- Venafi Lambda functions enforce enterprise security policy for an AWS Private CA
Before sending an enrollment request to a private Amazon CA, Venafi Lambda enforces Trust Protection policy settings. Lambda can retrieve certificate policy settings from Trust Protection Platform or Venafi Cloud. See https://github.com/Venafi/aws-private-ca-policy-venafi.
- Venafi Salt generates certificates via vCert
Venafi Salt now uses vCert to generate certificates in accordance with policy settings. See https://github.com/Venafi/salt.
- IIS Binding discovery and provisioning
Server Agent can now set and discover IIS bindings. This feature introduces a dependency on .NET. This dependency exists even on systems without IIS. 37709905
- Spectre mitigated agents for Windows and Linux
- Backup file permissions/ownership
During certificate provisioning on Unix/Linux, Server Agent now also sets the owner and permissions of the backup file when it sets the owner and permissions of the key store, for easier recovery if needed. 36491536
- Support ED25519 (OpenSSH)
Support for the new SSH product capabilities via Server Agent.
Enterprise Mobility Protect
- Support for Microsoft Intune
Customers using Microsoft Intune to manage endpoints (such as workstations and mobile devices) can now use Venafi Trust Protection Platform to manage all issued certificates in a single place. Microsoft Intune can configure endpoints to request certificates from Trust Protection Platform for different purposes such as VPN, Wi-Fi, email, and others. Endpoints request certificates via Simple Certificate Enrollment Protocol (SCEP). For each request, Trust Protection Platform performs additional request validation with Microsoft Intune.
- Report for certificates with identical attributes
A new report to easily find mis-issued certificates with identical attributes is now available. Having more than one user or device certificate for the same purpose can create a vulnerability when left unmanaged. User and device certificates having identical certificate attributes (CN, SAN Email, SAN UPN, etc.) can now be identified with this new report. Administrators can configure which certificates are included for comparison and apply comparison logic to match their needs. The report can be scheduled or run manually and delivered in CSV or PDF format.
- Simple Certificate Enrollment Protocol (SCEP) improvements
Trust Protection Platform can now use the AES encryption algorithm to secure the payload when it communicates with endpoints via Simple Certificate Enrollment Protocol (SCEP). In addition, the HTTP POST method is now supported when receiving certificate requests. For compatibility reasons, communication via HTTP GET and the Triple DES encryption algorithm are still supported.
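The identical-attributes report described above amounts to grouping live end-entity certificates by a configurable set of identifying attributes and flagging any group with more than one member. The script below is an added example of that comparison logic, not Venafi's report or code: the certificate records, serial numbers and attribute names (`cn`, `san_email`, `san_upn`, `purpose`) are constructed for illustration, and the normalisation and expiry handling are design choices of this example rather than Venafi's documented behavior.

```python
"""Find user/device certificates that share identical identifying attributes.

Added example of duplicate-certificate comparison logic; the inventory below is
constructed and the attribute names are assumptions, not Venafi's report schema.
"""
from collections import defaultdict
from datetime import date
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed inventory: each record mimics the subject and SAN attributes of an
# end-entity certificate. Serial numbers are made-up placeholders.
SAMPLE_CERTS = [
    {"serial": "01", "cn": "alice", "san_email": "alice@example.test",
     "san_upn": "alice@corp.example.test", "purpose": "VPN", "not_after": date(2020, 12, 1)},
    {"serial": "02", "cn": "Alice", "san_email": "Alice@Example.test",
     "san_upn": "alice@corp.example.test", "purpose": "VPN", "not_after": date(2020, 9, 1)},
    {"serial": "03", "cn": "bob", "san_email": "bob@example.test",
     "san_upn": "bob@corp.example.test", "purpose": "VPN", "not_after": date(2020, 7, 1)},
    {"serial": "04", "cn": "alice", "san_email": "alice@example.test",
     "san_upn": "alice@corp.example.test", "purpose": "Wi-Fi", "not_after": date(2020, 8, 1)},
    {"serial": "05", "cn": "bob", "san_email": "",
     "san_upn": "bob@corp.example.test", "purpose": "VPN", "not_after": date(2020, 10, 1)},
    {"serial": "06", "cn": "alice", "san_email": "alice@example.test",
     "san_upn": "alice@corp.example.test", "purpose": "VPN", "not_after": date(2019, 1, 1)},
]

DEFAULT_ATTRIBUTES = ("cn", "san_email", "san_upn", "purpose")


def _normalise(value: str) -> str:
    # Compare case-insensitively: subject names and mail addresses are routinely
    # issued with differing case and would otherwise hide a duplicate.
    return value.strip().lower()


def identity_key(cert: dict, attributes: Iterable[str]) -> Tuple[str, ...]:
    """The tuple of normalised attribute values that defines 'identical' for this run."""
    return tuple(_normalise(cert.get(a, "")) for a in attributes)


def find_duplicates(certs: Iterable[dict],
                    attributes: Tuple[str, ...] = DEFAULT_ATTRIBUTES,
                    today: date = date(2020, 6, 1),
                    include: Callable[[dict], bool] = lambda c: True
                    ) -> Dict[Tuple[str, ...], List[str]]:
    """Group unexpired certificates that pass the include filter by the chosen
    attributes and return only the groups with more than one member."""
    groups: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for cert in certs:
        if cert["not_after"] < today:
            continue                      # an expired cert is not a live duplicate
        if not include(cert):
            continue                      # administrator-chosen scope, e.g. by purpose
        groups[identity_key(cert, attributes)].append(cert["serial"])
    return {key: sorted(serials) for key, serials in groups.items() if len(serials) > 1}


def to_csv_rows(dups: Dict[Tuple[str, ...], List[str]], attributes: Tuple[str, ...]) -> List[str]:
    """Render the duplicate groups as CSV lines (header first), one group per row."""
    rows = [",".join(attributes) + ",serials"]
    for key, serials in sorted(dups.items()):
        rows.append(",".join(key) + "," + ";".join(serials))
    return rows


if __name__ == "__main__":
    for row in to_csv_rows(find_duplicates(SAMPLE_CERTS), DEFAULT_ATTRIBUTES):
        print(row)
```

With the default attributes, serials 01 and 02 are reported as duplicates (same person, same VPN purpose, case differences only) while 05 is not, because its SAN email is empty; relaxing the comparison to `("san_upn", "purpose")` makes 03 and 05 a duplicate pair as well, which is the kind of comparison-logic choice the report leaves to the administrator. The expired 06 never appears in either run.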
- Custom Fields on a Certificates/Request
If a policy requires Custom Fields, a Certificates/Request must include the Custom Field value. See Certificates/Request. 36746239
- Discovery/Import JSON input file
Instead of command line flags for Discovery/Import, you can use a JSON input file with either the Scanafi provider or standalone mode.
- Protocol filter
To find certificates that use the SSL2, SSL3, TLS, TLS11, and TLS12 communication protocols, you can use GET and HEAD Certificates with the SslTlsProtocol filter.
- TLS and Chain Validation filters
To filter certificates by TLS and chain validation results, you can use GET and HEAD Certificates with the TlsValidationFailure and ChainValidationFailure filters.
- Swagger Log and Workflow modules
The Log and Workflow Swagger modules allow you to try the Web SDK Log and Workflow interfaces in your test environment.
- Move keysets to a policy folder
SSH/MoveKeysetsToPolicy can assign keysets to a policy folder. After the move, SSH policy settings, which are independent of device policy, apply to the keysets. See SSH/MoveKeysetsToPolicy.htm.
- Change a private key passphrase
To change a keyset passphrase, you can use SSH/ChangePrivateKeyPassphrase.