Info: Venafi Trust Protection Platform 19.4 Is Released

Venafi Trust Protection Platform version 19.4 introduces some significant enhancements across all product lines. In the list below, features related to ideas posted and voted on in the Ideas Portal are marked with a double caret (^^) followed by the idea number.

IMPORTANT! Before upgrading to version 19.4, carefully review Important Considerations Before Upgrading.

Venafi Next-Gen Code Signing

  • PKCS#11 support for Linux, macOS, and Windows
    In addition to the CSP/KSP support for Windows, Trust Protection Platform 19.4 now includes PKCS#11 support on Windows, Linux, and macOS platforms. This allows a wide variety of code signing applications, such as Jarsigner, OSSLSigncode, and OpenSSL, to use code signing keys protected by Trust Protection Platform. ^^37873111
  • Importing keys and certificates
    Environment templates can now use existing keys for code signing. The new user interface and backend code enable you to browse existing keys on an HSM and link or import certificates for use in code signing. In addition, PKCS#12/PFX certificates and keys can be imported. ^^38606362
  • Environment Template visibility control
    Code Signing Administrators now have the ability to restrict which environment templates are available to project owners. This provides Code Signing Administrators the flexibility to determine which Project Owners get to see which environment templates, and it provides increased ability to protect the most sensitive keys.
  • Entrust Certificate Services
    Entrust Certificate Services has been added as a Supported CA for Code Signing.  ^^36324118
  • SAN E-mail field support on code signing certificates
    Project Owners can now use the Code Signing interface in Aperture to specify the SAN Email that should be used when requesting a new code signing certificate.
  • Entitlement Report enhanced for Next-Gen Code Signing
    Roles associated with the product are now included in the Entitlement Report.

Venafi Platform

  • Dynamic Active Directory Integration
    You no longer need to manually select controllers or global catalogs. Instead, Trust Protection Platform updates this information for you dynamically. This means that if a domain controller, for example, is taken offline and replaced with a different domain controller, Trust Protection Platform automatically sees the change and begins using the new connection without any intervention on your part. ^^36324265 Learn more.
  • Local Group Management in Aperture
    You can now allow LDAP groups to see local users and groups in Aperture. Previously, you were only able to see users and groups within your own identity environment. With this enhancement, you can use Aperture to add users or groups from your identity providers to Aperture-created and Aperture-managed groups. For example, you can create a group in Aperture, and then you can add an LDAP group to it. As members of the LDAP group change, they inherit the permissions set for the corresponding group in Aperture. An effect of this change is that since LDAP users in an Aperture master administrator group can see local users and groups, any user with the master admin role, even if that role is granted via Active Directory or LDAP group membership, is able to reset the password of a local user account. ^^37273795 Learn more.
  • "Skip report if no data" option
    When creating custom reports in Trust Protection Platform, a new option lets you skip sending the report if the report data is empty. This reduces the "noise" of report notifications, so users know that when they open a report that was sent to them, it will contain data. ^^36324031 Learn more.
  • Improved Accessibility across the product
    Venafi is working towards Section 508 compliance for Aperture and its documentation. The first changes related to that effort are part of Trust Protection Platform version 19.4, including increased contrast for widget buttons, screen reader enhancements for menus and clickable elements, focus improvements for clickable elements, image titles, and alt text. Venafi is committed to providing a product that is accessible to people of all abilities, and is working on this long-term project to implement this vision.

Advanced Key Protect

  • HSM One-to-Many, Multi-Server support
    If you want a Thales nShield HSM to secure private keys for your Apache HTTP servers, you can create multiple installations. When you create two or more Aperture installations for the same certificate, an Application Group appears in WebAdmin. The Application Group allows Trust Protection Platform to generate a new key pair on one server and distribute the key "stub" and application key token files to the other servers in the farm. This feature is available only for Thales nShield HSMs. Learn more.

SSH Protect

  • Enforce keyset policy values
    To act quickly and accurately, SSH keysets might need remediation based on unique enterprise context (related client, host, account, or group). By attaching a policy to a keyset, the related keysets will inherit the policies, and in-depth remediation can be enforced. When a keyset in a policy is rotated, Source Restrictions and other options are enforced. Learn more.
  • Venafi CyberArk AAM integration for SSH key management
    When discovering SSH hosts and their access keys using agentless discovery, the platform requires access to a privileged account. Through a new integration with CyberArk, the platform can retrieve the correct credentials to connect to the device, where it can scan for and remediate SSH keys. Learn more.
  • Prevent unauthorized repeated attempts to connect
    When Trust Protection Platform has an incorrect credential for a device, if it repeatedly tries to connect, the system can be locked out. Now, you can configure the system so that when Trust Protection Platform attempts to connect to a device, if the credential is rejected, Trust Protection Platform will stop attempting to connect to the device until the credential is changed, or until an admin resets the connection attempt setting. Learn more.
  • SQL performance enhancements for SSH keys
    Previously, in extremely large environments, database performance could degrade, resulting in slower automation jobs. In 19.4, several SQL performance improvements increase scalability in larger environments.
  • Folder filtering in Device List
    The Device Inventory filters have been updated so you can filter on the 'folder' where the device is stored. ^^36375997

Certificate Authority, Hosting Platform, and DevOps Integrations

A few changes have been made to Venafi's Entrust Certificate Services integration driver. 

  • Entrust SOAP API replaced by Entrust REST API
    Venafi's Entrust CA driver has been updated to support Entrust's new REST API that replaced their SOAP API. When you upgrade to Trust Protection Platform 19.4, any existing Entrust implementations are automatically transitioned to use the new Entrust REST API. When upgrading to 19.4, you don't need to do anything at all!
  • "Entrust.NET" rebranded to "Entrust Certificate Services"
    To align with recent branding updates by Entrust, the Entrust.NET product name has been updated within Venafi products and documentation to reflect the change from Entrust.NET to Entrust Certificate Services.
  • Entrust Certificate Services CA settings modified to match behavior of other drivers
    To give you greater control over renewal and reissuance of existing Entrust certificates, certificates enrolled outside of the Renewal Window setting are now treated as reissue requests; so for successful enrollment, you need to enable Allow Reissuance. Learn More

Server Agent 

  • Operation on Windows with OS language support for Western-European languages (for example, French)
    Venafi Server Agent installation and certificate-related operations are now supported on all Western-European language Windows installations in addition to English.

  • Official support for RHEL 8
    Server agent is now supported on Red Hat Enterprise Linux 8.

Enterprise Mobility Protect 

  • Client certificate authentication to Microsoft Intune
    Trust Protection Platform can now use a client certificate to authenticate its requests to Microsoft Intune. Prior to this release, Trust Protection Platform required a client secret (password) to authenticate to Microsoft Intune.
  • Faster certificate enrollment via SCEP protocol
    Devices are now able to enroll certificates faster via the SCEP protocol. Under-the-hood optimizations were made and now on some environments, devices can enroll certificates five times faster than before. All devices, regardless of whether they are managed by Enterprise Mobility Management solutions, can now enroll certificates faster.

Web SDK 

  • POST Certificates/Request
    You can use the Origin parameter to add information, such as the name and version of the calling application. Learn more.
  • POST Certificates/Request
    If a Unix or Linux device requires sudo privileges to install a certificate, you can add the UseSudo and SudoCredentialDN parameters to automate provisioning. Learn more.
  • DELETE Discovery/{guid}
    To delete network discovery jobs, you can use DELETE Discovery/{guid}. Learn more.
  • POST Identity/AddGroup
    The local Identity group can now contain members from any Identity Provider. Group visibility is available from the Identity tree. Learn more.
  • PUT Identity/AddGroupMembers
    While working with a local Identity group, you can add AD, LDAP, or local members. Learn more.
  • DELETE Identity/Group/(prefix)/{principal}
    When you delete a local Identity group, the members remain in the Identity Provider. Learn more.
  • PUT Identity/RemoveGroupMembers
    When you remove members from a local Identity group, the members remain in the Identity Provider. Learn more.
  • POST Identity/RenameGroup
    When you rename a local Identity group, the members remain in the Identity Provider. Learn more.
  • GET Revoke/Token
    You can revoke the caller's OAuth grant and block the ability to make Web SDK calls. Learn more.
  • POST SSH/DeleteUnmatchedKeyset
    You can delete a keyset that is missing an encrypted private key. Learn more.
  • POST SSH/SetUnmatchedKeysetPassPhrase
    You can assign an encrypted passphrase for a private key that is missing from a keyset. Learn more.