Info: Important considerations before upgrading to Venafi Trust Protection Platform 15.4

Applies to:

Venafi Trust Protection Platform 15.4.0


The release of Venafi Trust Protection Platform 15.4.0 is considered a maintenance release. Although it contains some new new functionality like enhanced certificate API and the ability to install client device certificates through the Enterprise Mobility product, the primary focus is on fixing issues and refactoring areas of the product to improve stability and performance.  Please carefully read through this Knowledgebase Article prior to upgrading. For detailed upgrade steps, please refer to the ReadMe.rtf document that is packaged with Venafi Trust Protection Platform 15.4.0.

Please carefully read through the entire list of considerations before upgrading your production environment of Venafi Trust Protection Platform to version 15.4.0

More Information on Venafi Trust Protection Platform 15.4.0 Life Cycle: https://support.venafi.com/entries/23267241

More Info:

Supported Upgrade Path

To upgrade to Venafi Trust Protection Platform 15.4.0, your current installation must be on at least Trust Protection Platform 14.1.2 or greater.  

The following table shows the supported upgrade paths. It outlines which versions of Venafi can upgrade directly to Venafi Trust Protection Platform 15.4.0, and which versions need to be updated to an intermediate version prior to the final upgrade.

Warning: It may be possible to successfully upgrade directly to Venafi Trust Protection Platform 15.4.0 on versions not outlined on the table below, but those upgrade paths have not been fully tested.  

Current Version

Upgrade Step 

Final Version

Director 14.1.x N/A Venafi Trust Protection
Platform 15.4.0
Trust Protection
Platform 14.2.x
N/A Venafi Trust Protection
Platform 15.4.0

Trust Protection
Platform 14.3.x

N/A Venafi Trust Protection
Platform 15.4.0

Trust Protection
Platform 14.4.x

N/A Venafi Trust Protection
Platform 15.4.0

Trust Protection
Platform 15.1.x

N/A Venafi Trust Protection
Platform 15.4.0

Trust Protection
Platform 15.2.x

N/A Venafi Trust Protection
Platform 15.4.0

Trust Protection
Platform 15.3.x

N/A Venafi Trust Protection
Platform 15.4.0


Supported Browsers

Internet Explorer 8 has not been supported since Venafi Trust Protection Platform 14.1.0.  When 16.1.0 is released in 2016, enhancements will be made to the Aperture console that will make it incompatible with Internet Explorer 8.  In 16.1.0, Aperture will not load on IE8.  Make plans now in your organization to make sure end users have a modern browser available to them.

See Article: Why we deprecated Internet Explorer 8 

Certificate Settings Read-only during Enrollment Processing or while In Error

New in 15.4.0, certificate enrollment settings cannot be modified while a certificate is enrolling/processing or in Error.  In order to make changes to the certificate (ex: change the common name of the certificate), users will need to Reset the certificate state in the Web Administration Console in order to be able to make any required changes.

Password Complexity Requirement on by default

New in 15.4.0, there is a new password complexity requirement for downloading certificates that contain private keys from the Web Administration Console or Aperture.  This requirement can be turned off by administrators via policy, but it is on by default and will probably be a change for most end users.

Password must be:
·At least 8 characters
·At least 1 uppercase letter
·At least 1 non-alpha character

Change in Requirements for Database Service Account Permissions

Enhancements made in 15.1.0 and 15.3.0 have changed the permissions required by the service account used to connect to the database. Due to changes to permissions calculations and log delivery, the database service account that the Venafi Platform uses now requires "Execute" permissions to specific stored procedures in addition to "Receive" permissions to specific messages queues.  This is in addition to DataReader and DataWriter that have traditionally been required.  Please see the following example scripts for assigning the correct permissions to the database service account.

Approving Certificate Installation (Provisioning) Workflows in Aperture

New in 15.3.0 is the ability to approve installation workflows in Aperture.  If you're using a custom SMTP Notification Channel to send approvers emails - those custom channels will need to be updated so that users are navigated to the correct URL in Aperture to approve Enrollment or Certificate Installation workflows.

Click here for detailed steps on updating your custom notifications.
See: https://support.venafi.com/entries/96342568

Important Note for SSH Customers

Due to re-architecting of the SSH product between 14.4 and 15.1, direct or automatic upgrades are not supported from 14.x.x to 15.4.0.  For customers using the SSH Product in production environments, please contact Venafi Professional Services (see https://www.venafi.com/contact/) for assistance with upgrades.  If you are using the SSH product in a sandbox or development environment, we recommend that you not upgrade but instead install with a clean/new database. SSH Customers using 15.1.x, 15.2.x, or 15.3.x can follow normal upgrade steps to upgrade to 15.4.0.

Agent Certificate Discovery

Due to changes in version 15.2.0 in the configuration of work that the Venafi Server Agent does during certificate discovery, agents will stop performing certificate discovery until your Device Placement work has been configured and assigned to all applicable agents.  Certificate Discovery work also needs to be updated to have certificate placement rules applied. Agents will not start or continue certificate discovery until these two configuration items have been completed in Aperture.

Click here for more information about changes to Server Agent in 15.2: https://support.venafi.com/entries/94449178

Change in Hardware Requirements

Version 15.1.0 of the Venafi Platform brings large architecture changes in both the core platform and the User Interfaces for increased performance and scalability.  As of 15.1.0, the product is able to support 1,000,000 certificates and 1,000,000 keys.  Increasing the amount of keys and certificates the platform and user interfaces support required a change in hardware requirements not only for the Venafi Platform servers, but also for the database servers as well.  This is because processing was optimized so that more calculations are done on the database level. Please carefully review the new Venafi Server and Database Server requirements before upgrading to 15.4.0.

15.4.0 System Requirements: https://support.venafi.com/entries/88170977

User Portal now configured in Aperture (not WebAdmin)

There are two basic steps to configuring User Portal:

  1. 1  In ApertureTM, create one or more Agent Groups and define membership criteria by setting Client Types to User Portal.

  2. 2  Configure user certificate work for the new Agent Groups.

  3. * for detailed steps, see online docs or "Certificate Management Guide" pdf starting on starting on page 349

Required Version of Oracle Server and Oracle Client

Oracle 10g is no longer supported as an Oracle Server version.  The minimum required Oracle Server Version is Oracle 11g Release 2 (  The minimum required Oracle Client is ODAC 12c Release 3 (

15.4.0 System Requirements: https://support.venafi.com/entries/88170977

IIS5 Deprecation

IIS5 has been deprecated in Venafi Trust Protection Platform 14.3.  Any IIS5 Application objects will be converted to "Basic" Application objects.  If your organization has Windows 2000 servers hosting web sites on IIS5, it is urgently suggested that you upgrade to a secure version of the Windows Server operating system that is supported by both Microsoft and Venafi.
Note: Microsoft Windows Server 2000 extended support ended on July 13, 2010 (end of life).

15.4 PDF Documentation

The 15.4 documentation can be found in the KB below.





Post is closed for comments.