Venafi's Frequently Asked Questions page is a central hub where customers can always go with their most common questions. These are the 755 most popular questions Venafi receives.
Summary
Occasionally, we remove functionality from Trust Protection Platform to stay current with emerging technologies and to serve the changing needs of our customers. Some of the more common reasons for deprecating features include the following:
Minimal use of a feature by the majority of our customers
Technologies that have become obsolete
Features that have become too expensive to maintain
Changes in our technology road map
Important security enhancements to Trust Protection Platform
See Also:
For a list of features that have been deprecated prior to the current release, visit:
https://support.venafi.com/hc/en-us/articles/115001578651
Scheduled Feature Deprecations
Although planned feature deprecations are subject to change, the following list indicates which features are planned for removal from upcoming releases of Trust Protection Platform:
Venafi Platform 19.4
Xolphin CA Driver
The Trust Protection Platform integration with the Xolphin CA will be transitioned from a built-in CA driver to a solution that leverages the Adaptable framework in 19.4.
Venafi Platform 20.1
Drop Support for SQL Server 2012 and SQL Server 2014
Beginning in 20.1, Venafi Trust Protection Platform will no longer support SQL Server 2012 and SQL Server 2014. SQL Server 2016 SP1 Standard will be the minimum supported version. This is required in order to leverage the table partitioning feature that Microsoft made available in SQL Server 2016 SP1.
WebSDK Authorization Method involving API Keys (Deprecated)
In 19.2, Trust Protection Platform introduced a new token authorization method (modeled after OAuth 2.0) for WebSDK with several advantages, including longer session validity, support for load balancing WebSDK servers, and better, more granular access controls (scopes/privileges). As such, the old authorization method that involves API keys will be moved to deprecated status in 20.1, with end-of-support targeted for 20.4.
Eliminate Manual Approval option for DigiCert CA
DigiCert has recommended that we update our driver to take advantage of a new "skip_approval" option, which streamlines processing on their side for up to a 30% increase in performance. As a result, Venafi Platform workflow will be the only method for requiring human approval of certificate requests beginning in 20.1.
Remove SSH connection method for the Citrix NetScaler driver
In 17.1, when we updated the NetScaler driver and introduced Onboard Discovery, we began the transition from the SSH CLI to the NetScaler REST API. We continued to support the SSH CLI so customers would have time to migrate existing instances over. After nearly 3 years, the legacy connection method will be removed.
Remove SSH connection method for the IBM DataPower driver
In 17.3, when we updated the DataPower driver and introduced Onboard Discovery, we began the transition from the SSH CLI to the DataPower REST API. We continued to support the SSH CLI so customers would have time to migrate existing instances over. After over 2 years, the legacy connection method will be removed.
Splunk Driver
In 19.3, we made significant enhancements to our Syslog driver which we believe, based on feedback from customers and from Splunk themselves, provides an overall better integration path than the Splunk driver, which delivers event data in a manner that is not common for enterprise applications. Thus the Splunk driver will be removed from the Venafi Platform in 20.1.
SSL/TLS Validation will no longer support SSL 2.0
As we update our libraries to support TLS 1.3, SSL 2.0 will no longer be detected on certificate endpoints.
Venafi Platform 20.2
A10 AX Series Application Driver
The A10 Networks AX Series ADC product is now obsolete, so the corresponding application driver will be removed from Trust Protection Platform in 20.2. This integration has been transitioned to the partner ecosystem, where A10 Networks is offering provisioning support for their Thunder ADC products at https://marketplace.venafi.com/apps/218513/a10-thunder-adc.
Juniper SAS Application Driver
The Juniper Secure Access Service product is now obsolete, so the corresponding application driver will be removed from Trust Protection Platform in 20.2. Customers seeking support for integration with the replacement product (Pulse Connect Secure SSL VPN) should contact their Pulse Secure account team about joining the Venafi Technology Partner Network.
Venafi Platform 20.4
WebSDK Authorization Method involving API Keys (End-of-Support)
The WebSDK authorization method that involves API keys was formally deprecated in Trust Protection Platform 20.1 and will no longer be supported beginning in 20.4.
1. What processes are associated with the Venafi Server Agent?
a. Windows?
vagent.exe which is found by default under C:\Program Files\Venafi\Platform
b. Linux?
/opt/venafi/agent/bin/vagent
2. How do we verify that the Venafi Server Agent is available and operational on the server after the deployment?
a. Windows?
Check that vagent.exe process is running
Check that Windows Application logs show that Agent called home
Check that Aperture shows the Agent last seen time updated
b. Linux?
Check that vagent process is running
Check that syslog shows that the Agent called home
Check that Aperture shows the Agent last seen time updated
3. What services are associated with the Venafi Server Agent as listed in Task Manager? What state should services be in when properly functioning?
a. Windows?
Venafi Server Agent set to Automatic startup type
b. Linux?
/etc/init.d/vagent
4. What configuration files are associated with the Venafi Server Agent? What should they contain?
a. Windows?
config.sq3 found under C:\Program Files\Venafi\Agent\Data.
Contains the Agent settings that are listed when running vagent -l all
b. Linux?
config.sq3 found under /var/opt/venafi/agent/data.
Contains the Agent settings that are listed when running vagent -l all
5. What log files are associated with the Venafi Server Agent? What should they contain?
a. Windows?
events.sq3 found under C:\Program Files\Venafi\Agent\Data.
Contains Debug logs. These logs will be dumped to stdout when using the -v switch with the vagent command.
b. Linux?
events.sq3 found under /var/opt/venafi/agent/data.
Contains Debug logs. These logs will be dumped to stdout when using the -v switch with the vagent command.
6. What certificate file(s) are associated with the Venafi Server Agent? What should they contain?
a. Windows?
C:\Program Files\Venafi\Agent\Data\curl-ca-bundle.crt
Stores the trust anchors used to validate the Trust Protection Platform server SSL certificate (and possibly certificates presented by other network devices while calling home to the Venafi server).
b. Linux?
/var/opt/venafi/agent/data/curl-ca-bundle.crt
Stores the trust anchors used to validate the Trust Protection Platform server SSL certificate (and possibly certificates presented by other network devices while calling home to the Venafi server).
7. What other procedures do you follow/recommend to ensure the Venafi Server Agent is fully operational and functioning as expected?
a. Windows?
Monitor the Windows Application log for errors logged by the Venafi Server Agent
Monitor Venafi logs for error events starting with ClientRest
Check that the Aperture shows the Agent has been seen recently
Check that we have discovery results from the Agent
b. Linux?
Monitor syslog for errors logged by the Venafi Server Agent
Monitor Venafi logs for error events starting with ClientRest
Check that the Aperture shows the Agent has been seen recently
Check that we have discovery results from the Agent
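The checks in questions 2, 5, 6 and 7 above for Linux hosts, scripted as an added Python example (not Venafi's code). It assumes the .sq3 files are SQLite databases, which their extension suggests, and constructs three syslog lines to scan; the agent's actual log wording is not reproduced. The Aperture "last seen" check has no local equivalent and still has to be done in Aperture.

```python
"""Post-deployment health checks for the Venafi Server Agent on Linux.

Added example, not Venafi's code. It scripts the checks listed in the FAQ:
vagent process running, config.sq3 / events.sq3 present, curl-ca-bundle.crt
holds trust anchors, and no ClientRest* error events in the logs.
Assumptions: the .sq3 files are SQLite databases (first 16 bytes are
"SQLite format 3\\0"), and the log lines are plain syslog text.
"""
import os
import re
from typing import Dict, Iterable, List

AGENT_DATA = "/var/opt/venafi/agent/data"
SQLITE_MAGIC = b"SQLite format 3\x00"
CLIENTREST = re.compile(r"\bClientRest\w*")


def vagent_running(proc_root: str = "/proc") -> bool:
    """True if any process under proc_root has the comm name 'vagent'."""
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm"), "rb") as fh:
                if fh.read().strip() == b"vagent":
                    return True
        except OSError:            # process exited between listdir and open
            continue
    return False


def is_sqlite_db(path: str) -> bool:
    """config.sq3 and events.sq3 should carry the SQLite file header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def count_pem_certs(path: str) -> int:
    """Trust anchors in curl-ca-bundle.crt. Zero means the agent cannot
    validate the TPP server certificate and call-home will fail."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return len(re.findall(r"-----BEGIN CERTIFICATE-----", fh.read()))
    except OSError:
        return 0


def clientrest_errors(lines: Iterable[str]) -> List[str]:
    """Log lines carrying a ClientRest* event, which the FAQ says to monitor."""
    return [ln.rstrip("\n") for ln in lines if CLIENTREST.search(ln)]


def agent_report(data_dir: str = AGENT_DATA, proc_root: str = "/proc",
                 log_lines: Iterable[str] = ()) -> Dict[str, object]:
    return {
        "process_running": vagent_running(proc_root),
        "config_db_ok": is_sqlite_db(os.path.join(data_dir, "config.sq3")),
        "events_db_ok": is_sqlite_db(os.path.join(data_dir, "events.sq3")),
        "trust_anchors": count_pem_certs(os.path.join(data_dir, "curl-ca-bundle.crt")),
        "clientrest_errors": clientrest_errors(log_lines),
    }


def healthy(report: Dict[str, object]) -> bool:
    """All local checks pass; the Aperture 'last seen' time must still be confirmed."""
    return bool(report["process_running"] and report["config_db_ok"]
                and report["events_db_ok"] and report["trust_anchors"] > 0
                and not report["clientrest_errors"])


# Constructed syslog lines for an offline run; the message texts are invented.
SAMPLE_LOG = [
    "Jan 10 09:00:01 web01 vagent[1234]: Info: agent called home to tpp.example.invalid",
    "Jan 10 09:05:01 web01 vagent[1234]: Error: ClientRestConnectionFailure: tpp.example.invalid:443 unreachable",
    "Jan 10 09:05:02 web01 sshd[999]: Accepted publickey for deploy from 10.0.0.5",
]

if __name__ == "__main__":
    report = agent_report(log_lines=SAMPLE_LOG)
    print("healthy" if healthy(report) else "NOT healthy", report)
```

Run it on the host after installation, or feed it the relevant syslog slice from your log pipeline; a zero trust-anchor count or any ClientRest event is the usual reason an agent never shows a recent "last seen" time in Aperture.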
8. Please provide the instructions for Repair (Uninstall and Reinstall) of the Venafi Server Agent?
a. Windows?
Uninstall Agent from add/remove programs
Delete C:\Program Files\Venafi\Agent\Data folder
Delete Agent registration from Aperture
Install using the Agent MSI installer with correct configuration options
b. Linux?
Uninstall Agent using --uninstall option with the installer bundle
Delete /var/opt/venafi/agent/data folder
Delete Agent registration from Aperture
Install using the Agent installer bundle with correct configuration options
9. Please provide the instructions for Rollback to previous version (Uninstall and install n-1) of the Venafi Server Agent?
a. Windows?
Uninstall Agent from add/remove programs
Delete C:\Program Files\Venafi\Agent\Data folder
Delete Agent registration from Aperture
Install using the Agent MSI installer with correct configuration options
b. Linux?
Uninstall Agent using --uninstall option with the installer bundle
Delete /var/opt/venafi/agent/data folder
Delete Agent registration from Aperture
Install using the Agent installer bundle with correct configuration options
10. Where are the Agent logs?
a. Windows?
Debug logs are available in the events.sq3 found under C:\Program Files\Venafi\Agent\Data.
We also log to the Windows event log by default at the Info level, but this is configurable.
b. *nix systems?
Debug logs are available in the events.sq3 found under /var/opt/venafi/agent/data.
We also log to the system log by default at the Info level, but this can be configured to other levels.
11. How do I set the logging level that is written to the system log?
Please refer to this KB: https://support.venafi.com/hc/en-us/articles/215913287-Info-Venafi-Agent-Logging
Venafi Trust Protection Platform version 19.4 introduces some significant enhancements across all product lines. In the list below, features related to ideas posted and voted on in the Ideas Portal (https://ideas.venafi.com) are marked with a double caret, ^^, followed by the idea number.
IMPORTANT! Before upgrading to version 19.4, carefully review Important Considerations Before Upgrading.
Venafi Next-Gen Code Signing
PKCS#11 support for Linux, macOS, and Windows
In addition to the CSP/KSP support for Windows, Trust Protection Platform 19.4 now includes PKCS#11 support on Windows, Linux, and macOS platforms. This allows a wide variety of code signing applications, such as Jarsigner, OSSLSigncode, and OpenSSL, to use code signing keys protected by Trust Protection Platform. ^^37873111
Importing keys and certificates
Environment templates can now use existing keys for code signing. The new user interface and backend code enables you to browse existing keys on an HSM and link or import certificates for use in code signing. In addition, PKCS#12/PFX certificates and keys can be imported. ^^38606362
Environment Template visibility control
Code Signing Administrators now have the ability to restrict which environment templates are available to project owners. This provides Code Signing Administrators the flexibility to determine which Project Owners get to see which environment templates, and it provides increased ability to protect the most sensitive keys.
Entrust Certificate Services
Entrust Certificate Services has been added as a Supported CA for Code Signing. ^^36324118
SAN E-mail field support on code signing certificates
Project Owners can now use the Code Signing interface in Aperture to specify the SAN Email that should be used when requesting a new code signing certificate.
Entitlement Report enhanced for Next-Gen Code Signing
Roles associated with the product are now included in the Entitlement Report.
Venafi Platform
Dynamic Active Directory Integration
You no longer need to manually select controllers or global catalogs. Instead, Trust Protection Platform updates this information for you dynamically. This means that if a domain controller, for example, is taken offline and replaced with a different domain controller, Trust Protection Platform automatically sees the change and begins using the new connection without any intervention on your part. ^^36324265 Learn more.
Local Group Management in Aperture
You can now allow LDAP groups to see local users and groups in Aperture. Previously, you were only able to see users and groups within your own identity environment. With this enhancement, you can use Aperture to add users or groups from your identity providers to Aperture-created and Aperture-managed groups. For example, you can create a group in Aperture, and then you can add an LDAP group to it. As members of the LDAP group change, they inherit the permissions set for the corresponding group in Aperture. Note that, because LDAP users in an Aperture master administrator group can now see local users and groups, any user with the master admin role, even if that role is granted via Active Directory or LDAP group membership, is able to reset the password of a local user account. ^^37273795 Learn more.
"Skip report if no data" option
When creating custom reports in Trust Protection Platform, a new option lets you skip sending the report if the report data is empty. This reduces the "noise" of report notifications, so users know that when they open a report that was sent to them, it will contain data. ^^36324031 Learn more.
Improved Accessibility across the product
Venafi is working towards section 508 compliance for Aperture and its documentation. The first changes related to that effort are part of Trust Protection Platform version 19.4, including increased contrast for widget buttons, screen reader enhancements for menus and clickable elements, focus improvements for clickable elements, image titles, and alt text. Venafi is committed to providing a product that is accessible to people of all abilities, and is working on this long-term project to implement this vision.
Advanced Key Protect
HSM One-to-Many, Multi-Server support
If you want a Thales nShield HSM to secure private keys for your Apache HTTP servers, you can create multiple installations. When you create two or more Aperture installations for the same certificate, an Application Group appears in WebAdmin. The Application Group allows Trust Protection Platform to generate a new key pair on one server and distribute the key "stub" and application key token files to the other servers in the farm. This feature is available only for Thales nShield HSMs. Learn more.
SSHProtect
Enforce keyset policy values
To act quickly and accurately, SSH keysets might need remediation based on unique enterprise context (related client, host, account, or group). By attaching a policy to a keyset, the related keysets will inherit the policies, and in-depth remediation can be enforced. When a keyset in a policy is rotated, Source Restrictions and other options are enforced. Learn more.
Venafi CyberArk AAM integration for SSH key management
When discovering SSH hosts and their access keys using agentless discovery, the platform requires access to a privileged account. Through a new integration with CyberArk, the platform can retrieve the correct credentials to connect to the device, where it can scan for and remediate SSH keys. Learn more.
Prevent unauthorized repeated attempts to connect
When Trust Protection Platform has an incorrect credential for a device, if it repeatedly tries to connect, the system can be locked out. Now, you can configure the system so that when Trust Protection Platform attempts to connect to a device, if the credential is rejected, Trust Protection Platform will stop attempting to connect to the device until the credential is changed, or until an admin resets the connection attempt setting. Learn more.
SQL performance enhancements for SSH keys
Previously, in extremely large environments, the performance of the database could experience degradation, resulting in slower automation jobs. In 19.4, several SQL performance improvements improve scalability in larger environments.
Folder filtering in Device List
The Device Inventory filters have been updated so you can filter on the 'folder' where the device is stored. ^^36375997
Certificate Authority, Hosting Platform, and DevOps Integrations
A few changes have been made to Venafi's Entrust Certificate Services integration driver.
Entrust SOAP API replaced by Entrust REST API
Venafi's Entrust CA driver has been updated to support Entrust's new REST API, which replaced their SOAP API. When you upgrade to Trust Protection Platform 19.4, any existing Entrust implementations are automatically transitioned to use the new Entrust REST API; no action on your part is needed.
"Entrust.NET" rebranded to "Entrust Certificate Services"
To align with recent branding updates by Entrust, the Entrust.NET product name has been updated within Venafi products and documentation to Entrust Certificate Services.
Entrust Certificate Services CA settings modified to match behavior of other drivers
To give you greater control over renewal and reissuance of existing Entrust certificates, certificates enrolled outside of the Renewal Window setting are now treated as reissue requests; so for successful enrollment, you need to enable Allow Reissuance. Learn More
Server Agent
Operation on Windows with OS language support for Western-European languages (for example, French)
Venafi Server Agent installation and certificate-related operation is now supported on all Western-European language Windows installations in addition to English.
Official support for RHEL 8
Server Agent is now supported on Red Hat Enterprise Linux 8.
Enterprise Mobility Protect
Client certificate authentication to Microsoft Intune
Trust Protection Platform can now use a client certificate to authenticate its requests to Microsoft Intune. Prior to this release, a client secret (password) was required by Trust Protection Platform to perform its authentication to Microsoft Intune.
Faster certificate enrollment via SCEP protocol
Devices can now enroll certificates faster via the SCEP protocol. Under-the-hood optimizations were made, and in some environments devices can enroll certificates five times faster than before. All devices, regardless of whether they are managed by an Enterprise Mobility Management solution, benefit from the faster enrollment.
Web SDK
POST Certificates/Request
You can use the Origin parameter to add information, such as the name and version of the calling application. Learn more.
POST Certificates/Request
If a Unix or Linux device requires sudo privileges to install a certificate, you can add the UseSudo and SudoCredentialDN parameters to automate provisioning. Learn more.
DELETE Discovery/{guid}
To delete network discovery jobs, you can use DELETE Discovery/{guid}. Learn more.
POST Identity/AddGroup
The local Identity group can now contain members from any Identity Provider. Group visibility is available from the Identity tree. Learn more.
PUT Identity/AddGroupMembers
While working with a local Identity group, you can add AD, LDAP, or local members. Learn more.
DELETE Identity/Group/{prefix}/{principal}
When you delete a local Identity group, the members remain in the Identity Provider. Learn more.
PUT Identity/RemoveGroupMembers
When you remove members from a local Identity group, the members remain in the Identity Provider. Learn more.
POST Identity/RenameGroup
When you rename a local Identity group, the members remain in the Identity Provider. Learn more.
GET Revoke/Token
You can revoke the caller's OAuth grant and block its ability to make further Web SDK calls. Learn more.
POST SSH/DeleteUnmatchedKeyset
You can delete a keyset that is missing an encrypted private key. Learn more.
POST SSH/SetUnmatchedKeysetPassPhrase
You can assign an encrypted passphrase for a private key that is missing from a keyset. Learn more.
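The token flow referred to above, both in the 20.1 deprecation of API-key authorization and in the GET Revoke/Token entry, as an added Python example that is not Venafi's code: a session obtains a scoped bearer token, uses it for a WebSDK call, and revokes it, with a constructed FakeTpp standing in for the server so the exchange runs offline. The endpoint paths, JSON field names and the client_id value are assumptions and should be checked against the WebSDK reference for your release.

```python
"""Token (bearer) authentication for WebSDK on Trust Protection Platform 19.2+.

Added example, not Venafi's code. The endpoint paths /vedauth/authorize/oauth
and /vedauth/revoke/token, the JSON field names and the client_id "vcert-cli"
are assumptions drawn from the TPP 19.2+ token flow; confirm them against your
server's WebSDK reference before relying on them.
"""
import json
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.request import Request, urlopen

# transport(method, url, headers, body) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, Any]]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Dict[str, Any]]:
    req = Request(url, data=body, headers=headers, method=method)
    with urlopen(req, timeout=30) as resp:           # real HTTPS, only against a live TPP
        raw = resp.read().decode("utf-8")
        return resp.status, (json.loads(raw) if raw else {})


class TppSession:
    """Obtains a scoped bearer token and applies it to WebSDK calls."""

    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base, self.transport = base_url.rstrip("/"), transport
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires: Optional[int] = None

    def login(self, username: str, password: str, scope: str = "certificate:manage,revoke",
              client_id: str = "vcert-cli") -> Dict[str, Any]:
        """Exchange credentials for a token limited to `scope` (assumed endpoint)."""
        body = json.dumps({"client_id": client_id, "username": username,
                           "password": password, "scope": scope}).encode()
        status, data = self.transport("POST", f"{self.base}/vedauth/authorize/oauth",
                                      {"Content-Type": "application/json"}, body)
        if status != 200 or "access_token" not in data:
            raise PermissionError(f"token grant failed: HTTP {status} {data}")
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token")
        self.expires = data.get("expires")          # epoch seconds in the assumed flow
        return data

    def _auth_headers(self) -> Dict[str, str]:
        if not self.access_token:
            raise RuntimeError("no token held; call login() first")
        return {"Authorization": f"Bearer {self.access_token}", "Content-Type": "application/json"}

    def websdk(self, method: str, path: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        """Call a WebSDK endpoint (e.g. certificates/request) with the bearer token."""
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, f"{self.base}/vedsdk/{path.lstrip('/')}",
                                      self._auth_headers(), body)
        if status == 401:
            raise PermissionError("token rejected: expired, revoked or out of scope")
        return data

    def revoke(self) -> None:
        """GET Revoke/Token: invalidate this grant server-side, then forget it locally."""
        self.transport("GET", f"{self.base}/vedauth/revoke/token", self._auth_headers(), None)
        self.access_token = self.refresh_token = self.expires = None


def legacy_api_key_headers(api_key: str) -> Dict[str, str]:
    """The scheme deprecated in 20.1: one unscoped key in a header. For contrast only."""
    return {"X-Venafi-Api-Key": api_key, "Content-Type": "application/json"}


class FakeTpp:
    """Constructed server stand-in so the exchange can be exercised offline."""

    def __init__(self) -> None:
        self.valid_tokens: set = set()
        self.calls: list = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url.endswith("/vedauth/authorize/oauth"):
            req = json.loads(body)
            if req.get("password") != "s3cret":          # constructed credential
                return 401, {"error": "invalid_grant"}
            token = f"tok-{len(self.calls)}"
            self.valid_tokens.add(token)
            return 200, {"access_token": token, "refresh_token": "ref-1", "expires": 1700000000,
                         "scope": req["scope"], "token_type": "Bearer"}
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if token not in self.valid_tokens:
            return 401, {}
        if url.endswith("/vedauth/revoke/token"):
            self.valid_tokens.discard(token)
            return 200, {}
        return 200, {"Echo": json.loads(body) if body else None}


if __name__ == "__main__":
    session = TppSession("https://tpp.example.invalid", transport=FakeTpp())
    session.login("svc-vcert", "s3cret")
    print(session.websdk("POST", "certificates/request", {"PolicyDN": "\\VED\\Policy\\DevOps\\CorpApp"}))
    session.revoke()
```

Against a real server, keep the default urllib transport and make sure the Python trust store contains the TPP certificate chain; request only the scope the integration needs, and treat a 401 as "obtain a new grant" rather than retrying the same token, since a revoked grant stays revoked.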
Applies to:
Using the Firefox or Internet Explorer web browser with WebAdmin or Aperture when TPP is installed on Windows Server 2016 with HTTP/2 enabled.
Symptom:
When attempting to create or delete an object in either WebAdmin or Aperture, an error exception is shown indicating there was a problem with the action:
ObjectAlreadyExists error
ObjectDoesNotExist error
Cause:
Windows Server 2016 installs with HTTP/2 enabled by default. With HTTP/2, a single TCP connection is established and many requests are multiplexed over it, whereas with HTTP/1.1 a new connection is made for each action needed to load or interact with a page. With the affected browsers, this results in the "create" or "delete" call to TPP being sent twice; the duplicate call is what throws the error shown above, misrepresenting an action that actually succeeded.
Mozilla is aware of the issue and is investigating:
https://bugzilla.mozilla.org/show_bug.cgi?id=1440479
Resolution:
Disable HTTP/2 on TPP servers running Windows Server 2016 by performing the following:
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Add 2 new REG_DWORD values:
EnableHttp2Tls
EnableHttp2Cleartext
Set both values to 0
Reboot the server
Summary:
What is the network load for a Network Discovery job? This depends on the discovery job definition.
More Information:
This depends greatly on how many ports are being scanned per IP address and how many endpoints will be scanned. One customer measured the following with Compuware Application Vantage:
One port on one IP address will produce a load of about 396 bytes.
One port across 25 IP addresses will be about 7 KB.
One IP address with all ports will be about 12.2 MB.
Applies to:
19.2, 19.3
Problem:
When viewing a certificate object, you may see the following informational / status message (WinAdmin):
"Certificate renewal values have been changed and no longer match the active certificate"
Resolution:
This message can be ignored, and in fact will be removed in future releases.
This is an information-only message, not an error message. The renewal details don't match the values of the current certificate on file. This can happen when:
Either directly on the certificate or via policy in a parent container, the renewal values of the certificate changed after the certificate was enrolled
The Certificate Authority changed the values that it put onto the certificate (for example, your request included Utah for the state but the public CA included UT)
As recorded on our ideas portal, we have decided to remove the message, currently slated for the 19.4 release:
https://ideas.venafi.com/forums/916234/suggestions/38294458
Venafi VCert is a command line utility designed to generate keys and simplify certificate acquisition by eliminating the need to write code to interact with the Venafi REST API. VCert is available in 32- and 64-bit versions for Linux, Windows, and macOS.
Download the latest version of VCert from https://github.com/Venafi/vcert/releases/latest
Prerequisites
A user account that has an authentication token with "certificate:manage,revoke" scope or has been granted WebSDK Access
A folder where the user has been granted the following permissions: View, Read, Write, Create, Revoke (for the revoke action), and Private Key Read (for the pickup action when CSR is service generated)
A policy applied to the folder which specifies:
Subject DN values for Organizational Unit (OU), Organization (O), City/Locality (L), State/Province (ST) and Country (C)
CA Template that Trust Protection Platform will use to enroll certificate requests submitted by VCert
Management Type not locked or locked to 'Enrollment'
Certificate Signing Request (CSR) Generation not locked or locked to 'Service Generated CSR'
Generate Key/CSR on Application not locked or locked to 'No'
(Recommended) Disable Automatic Renewal set to 'Yes'
(Recommended) Key Bit Strength set to 2048 or higher
(Recommended) Domain Whitelisting policy appropriately assigned
General Command Line Options
The following options apply to the enroll, pickup, renew, and revoke actions:
-config
Use to specify INI configuration file containing connection details.
For TPP: tpp_url, tpp_user, tpp_password, tpp_zone
For Cloud: cloud_url, cloud_apikey, cloud_zone
For TPP & Cloud: trust_bundle, test_mode
-no-prompt
Use to exclude password prompts. If you enable the prompt and you enter incorrect information, an error is displayed. This option is useful with scripting.
-t
Use to specify the token required to authenticate with Venafi Platform 19.2 (and higher)
-test-mode
Use to test operations without connecting to the Venafi Platform. This option is useful for integration tests where the test environment does not have access to the Venafi Platform. Default is false.
Options: true | false
-test-mode-delay
Use to specify the maximum number of seconds for the random test-mode connection delay. Default is 15 (seconds).
-timeout
Use to specify the maximum amount of time to wait in seconds for a certificate to be processed by the Venafi Platform. Default is 120 (seconds).
-tpp-password
[DEPRECATED] Use to specify the password required to authenticate with the Venafi Platform. Use -t instead for Venafi Platform 19.2 (and higher).
-tpp-user
[DEPRECATED] Use to specify the username required to authenticate with the Venafi Platform. Use -t instead for Venafi Platform 19.2 (and higher).
-trust-bundle
Use to specify a file with PEM formatted certificates to be used as trust anchors when communicating with the Venafi Platform. VCert uses the trust store of your operating system for this purpose if not specified.
Example: -trust-bundle /path-to/bundle.pem
-u
Use to specify the URL of the Venafi Platform server.
Example: -u https://tpp.venafi.example
-verbose
Use to increase the level of logging detail, which is helpful when troubleshooting issues.
Certificate Request Usage
VCert enroll -u <tpp url> -t <auth token> -cn <common name> -z <zone>
VCert enroll -u <tpp url> -tpp-user <username> -tpp-password <password> -cn <common name> -z <zone>
Options:
-cert-file
Use to specify the name and location of an output file that will contain only the end-entity certificate.
Example: /path-to/example.crt
-chain
Use to include the certificate chain in the output, and to specify where to place it in the file. By default, it is placed last.
Options: ignore | root-first | root-last
-chain-file
Use to specify the name and location of an output file that will contain only the root and intermediate certificates applicable to the end-entity certificate.
-cn
Use to specify the common name (CN). This is required for Enrollment.
-csr
Use to specify the CSR and private key location. Default is local.
Options: local | service | file
local: private key and CSR will be generated locally
service: private key and CSR will be generated within the Venafi Platform
file: CSR will be read from a file by name, example: file:/path-to/csr.pem
-file
Use to specify a name and location of an output file that will contain the private key and certificates when they are not written to their own files using -key-file, -cert-file, and/or -chain-file.
Example: /path-to/keycert.pem
-format
Use to specify the output format. PEM is the default format. The -file option must be used with the PKCS#12 format to specify the keystore file.
Options: pem | json | pkcs12
-key-curve
Use to specify the elliptic curve for key generation when -key-type is ECDSA. Default is p256.
Options: p256 | p384 | p521
-key-file
Use to specify the name and location of an output file that will contain only the private key.
Example: /path-to/example.key
-key-password
Use to specify a password for encrypting the private key. For a non-encrypted private key, specify -no-prompt without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file.
Example: -key-password file:/path-to/passwd.txt
-key-size
Use to specify a key size for RSA keys. Default is 2048.
-key-type
Use to specify the key algorithm. Default is RSA.
Options: rsa | ecdsa
-nickname
Use to specify a name for the new certificate object that will be created and placed in a folder (which you specify using the -z option).
-no-pickup
Use to disable the feature of VCert that repeatedly tries to retrieve the issued certificate. When this is used you must run VCert again in pickup mode to retrieve the certificate that was requested.
-pickup-id-file
Use to specify a file name where the unique identifier for the certificate will be stored for subsequent use by pickup, renew, and revoke actions. Default is to write the Pickup ID to STDOUT.
-san-dns
Use to specify a DNS Subject Alternative Name. To specify more than one, use spaces, like this: -san-dns san1.example.com -san-dns san2.example.com ...
-san-email
Use to specify an Email Subject Alternative Name. To specify more than one, use spaces, like this: -san-email [email protected] -san-email [email protected] ...
-san-ip
Use to specify an IP Address Subject Alternative Name. To specify more than one, use spaces, like this: -san-ip 10.20.30.1 -san-ip 10.20.30.2 ...
-z
Use to specify the folder path where the certificate object will be located. VCert automatically prepends \VED\Policy\, so you only need to specify folders below the root Policy folder.
Example: -z DevOps\CorpApp
Certificate Retrieval Usage
VCert pickup -u <tpp url> -t <auth token> [-pickup-id <request id> | -pickup-id-file <file name>]
VCert pickup -u <tpp url> -tpp-user <username> -tpp-password <password> [-pickup-id <request id> | -pickup-id-file <file name>]
Options:
-cert-file
Use to specify the name and location of an output file that will contain only the end-entity certificate.
Example: /path-to/example.crt
-chain
Use to include the certificate chain in the output, and to specify where to place it in the file. By default, it is placed last.
Options: ignore | root-first | root-last
-chain-file
Use to specify the name and location of an output file that will contain only the root and intermediate certificates applicable to the end-entity certificate.
-file
Use to specify a name and location of an output file that will contain certificates when they are not written to their own files using -cert-file and/or -chain-file.
Example: /path-to/keycert.pem
-format
Use to specify the output format. PEM is the default format. The -file option must be used with the PKCS#12 format to specify the keystore file.
Options: pem | json | pkcs12
-pickup-id
Use to specify the unique identifier of the certificate returned by the enroll or renew actions if -no-pickup was used or a timeout occurred. Required when -pickup-id-file is not specified.
-pickup-id-file
Use to specify a file name that contains the unique identifier of the certificate returned by the enroll or renew actions if -no-pickup was used or a timeout occurred. Required when -pickup-id is not specified.
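The enroll-then-pickup split described by -no-pickup and -pickup-id-file above, as an added Python example that is not part of the VCert project: it runs vcert enroll with a locally generated, password-protected key, stores the Pickup ID, runs vcert pickup later, and checks that the key written to disk is actually encrypted. The URL, token, zone and file names are placeholders, and FakeVcert is a constructed stand-in that writes the files vcert would (with an assumed Pickup ID shape), so the flow runs without a TPP server or the vcert binary.

```python
"""Two-step VCert flow: enroll with -no-pickup now, pickup later.

Added example; not part of Venafi's VCert project. It drives the vcert binary
through subprocess and verifies what lands on disk. The runner is injectable,
so FakeVcert (a constructed stand-in that only writes the files vcert would)
lets the flow run without a TPP server. URL, token, zone, file names and the
Pickup ID shape produced by FakeVcert are placeholders / assumptions.
"""
import os
import subprocess
from typing import Callable, Dict, List, Sequence

Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def real_vcert(argv: Sequence[str]) -> subprocess.CompletedProcess:
    return subprocess.run(list(argv), capture_output=True, text=True, check=False)


def _run(argv: List[str], run: Runner) -> None:
    res = run(argv)
    if res.returncode != 0:
        raise RuntimeError(f"vcert {argv[1]} failed rc={res.returncode}: {res.stderr.strip()}")


def _write(path: str, text: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def enroll_nopickup(url: str, token: str, zone: str, cn: str, sans: Sequence[str],
                    key_file: str, keypass_file: str, pickup_id_file: str,
                    run: Runner = real_vcert) -> List[str]:
    """Generate the key locally, submit the CSR, save the Pickup ID and return
    without waiting. The key password comes from a file (file: prefix) so it is
    never in argv; the token given to -t still is, and argv is readable by other
    local users via ps, so run this only where that exposure is acceptable."""
    argv = ["vcert", "enroll", "-u", url, "-t", token, "-z", zone, "-cn", cn,
            "-csr", "local", "-key-type", "rsa", "-key-size", "2048",
            "-key-file", key_file, "-key-password", f"file:{keypass_file}",
            "-no-pickup", "-pickup-id-file", pickup_id_file, "-no-prompt"]
    for san in sans:                        # one -san-dns per name
        argv += ["-san-dns", san]
    _run(argv, run)
    return argv


def pickup(url: str, token: str, pickup_id_file: str, cert_file: str,
           chain_file: str, run: Runner = real_vcert, timeout: int = 120) -> List[str]:
    """Retrieve the issued end-entity certificate and its chain into separate files."""
    argv = ["vcert", "pickup", "-u", url, "-t", token, "-pickup-id-file", pickup_id_file,
            "-cert-file", cert_file, "-chain-file", chain_file, "-chain", "root-last",
            "-timeout", str(timeout), "-no-prompt"]
    _run(argv, run)
    return argv


def private_key_is_encrypted(path: str) -> bool:
    """A key written with -key-password must be PKCS#8 'ENCRYPTED PRIVATE KEY' or
    legacy PEM with 'Proc-Type: 4,ENCRYPTED'; anything else is plaintext on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        head = fh.read(256)
    return "ENCRYPTED PRIVATE KEY" in head or "Proc-Type: 4,ENCRYPTED" in head


def enroll_then_pickup(workdir: str, url: str, token: str, zone: str, cn: str,
                       sans: Sequence[str], run: Runner = real_vcert) -> Dict[str, object]:
    """Full flow; returns what a deploy script should assert on before using the files."""
    p = {n: os.path.join(workdir, f) for n, f in (
        ("key", f"{cn}.key"), ("cert", f"{cn}.crt"), ("chain", f"{cn}-chain.crt"),
        ("pickup", f"{cn}.pickup-id"), ("keypass", "keypass.txt"))}
    _write(p["keypass"], "change-me\n")      # placeholder secret; supply your own
    os.chmod(p["keypass"], 0o600)
    enroll_nopickup(url, token, zone, cn, sans, p["key"], p["keypass"], p["pickup"], run)
    pickup(url, token, p["pickup"], p["cert"], p["chain"], run)
    with open(p["pickup"], encoding="utf-8") as fh:
        pickup_id = fh.read().strip()
    return {"pickup_id": pickup_id,
            "key_encrypted": private_key_is_encrypted(p["key"]),
            "cert_present": os.path.getsize(p["cert"]) > 0,
            "chain_present": os.path.getsize(p["chain"]) > 0}


class FakeVcert:
    """Constructed stand-in: records argv and writes the files vcert would write."""

    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def __call__(self, argv: Sequence[str]) -> subprocess.CompletedProcess:
        argv = list(argv)
        self.calls.append(argv)

        def opt(name: str) -> str:
            return argv[argv.index(name) + 1]

        if argv[1] == "enroll":   # assumed Pickup ID shape: object DN under \VED\Policy\<zone>
            _write(opt("-pickup-id-file"), "\\VED\\Policy\\" + opt("-z") + "\\" + opt("-cn") + "\n")
            _write(opt("-key-file"), "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB...\n"
                                     "-----END ENCRYPTED PRIVATE KEY-----\n")
        elif argv[1] == "pickup":
            for f in (opt("-cert-file"), opt("-chain-file")):
                _write(f, "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
        return subprocess.CompletedProcess(argv, 0, "", "")


if __name__ == "__main__":
    import tempfile
    print(enroll_then_pickup(tempfile.mkdtemp(), "https://tpp.example.invalid", "TOKEN",
                             "DevOps\\CorpApp", "www.example.com", ["www.example.com"], run=FakeVcert()))
```

Drop the run= argument to use the real binary; the two steps can then run in different jobs (for example enroll in CI, pickup on the target host once approval workflow completes), with only the Pickup ID file carried between them.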
Certificate Renewal Usage
VCert renew -u <tpp url> -t <auth token> [-id <request id> | -thumbprint <certificate thumbprint>]
VCert renew -u <tpp url> -tpp-user <username> -tpp-password <password> [-id <request id> | -thumbprint <certificate thumbprint>]
Options:
-cert-file
Use to specify the name and location of an output file that will contain only the end-entity certificate.
Example: /path-to/example.crt
-chain
Use to include the certificate chain in the output, and to specify where to place it in the file. By default, it is placed last.
Options: ignore | root-first | root-last
-chain-file
Use to specify the name and location of an output file that will contain only the root and intermediate certificates applicable to the end-entity certificate.
-cn
Use to specify the common name (CN). This is required for Enrollment.
-csr
Use to specify the CSR and private key location. Default is local.
Options: local | service | file
local: private key and CSR will be generated locally
service: private key and CSR will be generated within the Venafi Platform. Depending on policy, the private key may be reused
file: CSR will be read from a file by name, example: file:/path-to/csr.pem
-file
Use to specify a name and location of an output file that will contain the private key and certificates when they are not written to their own files using -key-file, -cert-file, and/or -chain-file.
Example: /path-to/keycert.pem
-format
Use to specify the output format. PEM is the default format. The -file option must be used with the PKCS#12 format to specify the keystore file.
Options: pem | json | pkcs12
-id
Use to specify the unique identifier of the certificate returned by the enroll or renew actions. Value may be specified as a string or read from a file by using the file: prefix. Example: file:cert_id.txt
-key-curve
Use to specify the elliptic curve for key generation when -key-type is ECDSA. Default is p256.
Options: p256 | p384 | p521
-key-file
Use to specify the name and location of an output file that will contain only the private key.
Example: /path-to/example.key
-key-password
Use to specify a password for encrypting the private key. For a non-encrypted private key, specify -no-prompt without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file.
Example: -key-password file:/path-to/passwd.txt
-key-size
Use to specify a key size for RSA keys. Default is 2048.
-key-type
Use to specify the key algorithm. Default is RSA.
Options: rsa | ecdsa
-nickname
Use to specify a name for the new certificate object that will be created and placed in a folder (which you specify using the -z option).
-no-pickup
Use to disable the feature of VCert that repeatedly tries to retrieve the issued certificate. When this option is used, you must run VCert again in pickup mode to retrieve the certificate that was requested.
-pickup-id-file
Use to specify a file name where the unique identifier for the certificate will be stored for subsequent use by pickup, renew, and revoke actions. By default it is written to STDOUT.
-san-dns
Use to specify a DNS Subject Alternative Name. To specify more than one, use spaces, like this: -san-dns san1.example.com -san-dns san2.example.com ...
-san-email
Use to specify an Email Subject Alternative Name. To specify more than one, use spaces, like this: -san-email [email protected] -san-email [email protected] ...
-san-ip
Use to specify an IP Address Subject Alternative Name. To specify more than one, use spaces, like this: -san-ip 10.20.30.1 -san-ip 10.20.30.2 ...
-thumbprint
Use to specify the SHA1 thumbprint of the certificate to renew. Value may be specified as a string or read from the certificate file using the file: prefix.
Certificate Revocation Usage
VCert revoke -u <tpp url> -t <auth token> [-id <request id> | -thumbprint <certificate thumbprint>]
VCert revoke -u <tpp url> -tpp-user <username> -tpp-password <password> [-id <request id> | -thumbprint <certificate thumbprint>]
Options:
-id
Use to specify the unique identifier of the certificate to revoke. Value may be specified as a string or read from a file using the file: prefix.
-no-retire
Do not disable certificate. Use this option if you intend to enroll a new version of the certificate later. Works only with -id <certificate DN>
-reason
Use to specify the revocation reason. Default is none.
Options: none | key-compromise | ca-compromise | affiliation-changed | superseded | cessation-of-operation
-thumbprint
Use to specify the SHA1 thumbprint of the certificate to revoke. Value may be specified as a string or read from the certificate file using the file: prefix.
Examples
For the purposes of the following examples assume that the Trust Protection Platform REST API is available at https://tpp.venafi.example/vedsdk, and that a user account named DevOps has been created with an authentication token of "ql8AEpCtGSv61XGfAknXIA==" that has "certificate:manage,revoke" scope, a password of Passw0rd, and has been granted WebSDK Access. Also assume that a folder has been created at the root of the Policy Tree called DevOps Certificates and the DevOps user has been granted View, Read, Write, Create, Revoke, and Private Key Read permissions to it. Lastly, assume that a CA Template has been created and assigned to the DevOps Certificates folder along with other typical policy settings (organization, city, state, country, key size, whitelisted domains, etc.).
Use the help to view the command line syntax for enroll:
VCert enroll -h
Submit a Trust Protection Platform request for enrolling a certificate with a common name of first-time.venafi.example using an authentication token and have VCert prompt for the password to encrypt the private key:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -cn first-time.venafi.example
Submit a Trust Protection Platform request for enrolling a certificate with a common name of first-time.venafi.example and have VCert prompt for the DevOps user's password and the password to encrypt the private key:
VCert enroll -u https://tpp.venafi.example -tpp-user DevOps -z "DevOps Certificates" -cn first-time.venafi.example
Submit a Trust Protection Platform request for enrolling a certificate where the DevOps user password is specified on the command line and the password for encrypting the private key to be generated is specified in a text file called passwd.txt:
VCert enroll -u https://tpp.venafi.example -tpp-user DevOps -tpp-password Passw0rd -z "DevOps Certificates" -key-password file:passwd.txt -cn passwd-from-file.venafi.example
Submit a Trust Protection Platform request for enrolling a certificate where the private key to be generated is not password encrypted:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -cn non-encrypted-key.venafi.example -no-prompt
Submit a Trust Protection Platform request for enrolling a certificate where the private key and CSR are to be generated by the Venafi Platform:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -cn service-generated.venafi.example -csr service -key-password somePassw0rd!
Submit a Trust Protection Platform request for enrolling a certificate using an externally generated CSR:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -nickname externally-generated-csr -csr file:/opt/pki/cert.req
Submit a Trust Protection Platform request for enrolling a certificate where the certificate and private key are output using JSON syntax to a file called json.txt:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -key-password Passw0rd -cn json-to-file.venafi.example -format json -file json.txt
Submit a Trust Protection Platform request for enrolling a certificate where only the certificate and private key are output, no chain certificates:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -key-password Passw0rd -cn no-chain.venafi.example -chain ignore
Submit a Trust Protection Platform request for enrolling two certificates that have the same common name but are to be represented by distinct objects in TPP rather than having the first certificate be considered an older generation of the second:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -key-password Passw0rd -cn same-cn.venafi.example -nickname same-cn-separate-object-1
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -key-password Passw0rd -cn same-cn.venafi.example -nickname same-cn-separate-object-2
Submit a Trust Protection Platform request for enrolling a certificate with three subject alternative names, one each of DNS name, IP address, and email address:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -no-prompt -cn three-san-types.venafi.example -san-dns demo.venafi.example -san-ip 10.20.30.40 -san-email [email protected]
Submit a Trust Protection Platform request for enrolling a certificate where the certificate is not issued after two minutes and then subsequently retrieve that certificate after it has been issued:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -no-prompt -cn demo-pickup.venafi.example
VCert pickup -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -pickup-id "\VED\Policy\DevOps Certificates\demo-pickup.venafi.example"
Submit a Trust Protection Platform request for enrolling a certificate that will be retrieved later using a Pickup ID stored in a text file:
VCert enroll -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -z "DevOps Certificates" -no-prompt -cn demo-pickup.venafi.example -no-pickup -pickup-id-file pickup_id.txt
VCert pickup -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -pickup-id-file pickup_id.txt
Submit a Trust Protection Platform request for renewing a certificate using the enrollment (pickup) ID of the expiring certificate:
VCert renew -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -id "\VED\Policy\DevOps Certificates\demo.venafi.example"
Submit a Trust Protection Platform request for renewing a certificate using the expiring certificate file:
VCert renew -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -thumbprint file:/opt/pki/demo.crt
Submit a Trust Protection Platform revocation request using the enrollment (pickup) ID of the certificate and keep the certificate enabled so that a replacement certificate can be enrolled later:
VCert revoke -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -id "\VED\Policy\DevOps Certificates\demo.venafi.example" -reason superseded -no-retire
Submit a Trust Protection Platform revocation request using the actual certificate file:
VCert revoke -u https://tpp.venafi.example -t "ql8AEpCtGSv61XGfAknXIA==" -thumbprint file:/opt/pki/demo.crt -reason cessation-of-operation
A .HAR file can be used to help determine what information is being posted on each web request and what responses we are getting. This is used to help troubleshoot the web consoles.
1. In Chrome browse to one step before what you want to capture. Then from the menu go to the More Tools -> Developer Tools.
2. Once this is open navigate to the network tab.
3. Once on this tab perform the one step you are trying to capture. Once the traffic halts you can right click in the list and save as a HAR file.
Once complete, you can attach the saved file to your support case.
Version | Ship Date | General Support Ends | Best-effort Support Ends
Trust Protection Platform 19.3 | 23 Sept 2019 | 22 Sept 2021 | 22 Sept 2023
Trust Protection Platform 19.2 | 28 Jun 2019 | 27 Jun 2021 | 27 Jun 2023
Trust Protection Platform 19.1 | 29 Mar 2019 | 29 Mar 2021 | 29 Mar 2023
Trust Protection Platform 18.4 | 20 Nov 2018 | 20 Nov 2020 | 20 Nov 2022
Trust Protection Platform 18.3 | 29 Sept 2018 | 28 Sept 2020 | 28 Sept 2022
Trust Protection Platform 18.2 | 2 July 2018 | 1 July 2020 | 1 July 2022
Trust Protection Platform 18.1 | 31 March 2018 | 1 April 2020 | 1 April 2022
Trust Protection Platform 17.4 | 20 Nov 2017 | 19 Nov 2019 | 19 Nov 2021
Trust Protection Platform 17.3 | 26 Sept 2017 | 25 Sept 2019 | 25 Sept 2021
Trust Protection Platform 17.2 | 28 June 2017 | 27 June 2019 | 27 June 2021
Trust Protection Platform 17.1 | 28 March 2017 | 27 March 2019 | 27 March 2021
Trust Protection Platform 16.4 | 11 Nov 2016 | 10 Nov 2018 | 10 Nov 2020
Trust Protection Platform 16.3 | 27 Sept 2016 | 26 Sept 2018 | 26 Sept 2020
Trust Protection Platform 16.2 | 24 Jun 2016 | 23 Jun 2018 | 23 Jun 2020
Trust Protection Platform 16.1 | 29 Mar 2016 | 28 Mar 2018 | 28 Mar 2020
Trust Protection Platform 15.4 | 28 Dec 2015 | 27 Dec 2017 | 27 Dec 2019
Trust Protection Platform 15.3 | 24 Sep 2015 | 23 Sep 2017 | 23 Sep 2019
Trust Protection Platform 15.2 | 11 Jun 2015 | 10 Jun 2017 | 10 Jun 2019
Trust Protection Platform 15.1 | 30 Mar 2015 | 29 Mar 2017 | 29 Mar 2019
Trust Protection Platform 14.4 | 21 Nov 2014 | 20 Nov 2016 | 20 Nov 2018
Trust Protection Platform 14.3 | 29 Sept 2014 | 28 Sept 2016 | 28 Sept 2018
Trust Protection Platform 14.2 | 23 June 2014 | 22 June 2016 | 22 June 2018
Trust Protection Platform 14.1 | 19 Mar 2014 | 18 Mar 2016 | 18 Mar 2018
Director 11 Accelerated Feature Release | 4 Nov 2013 | 3 Nov 2014 | N/A
Director 10 Accelerated Feature Release | 16 July 2013 | 15 July 2014 | N/A
Director 9 Accelerated Feature Release | 29 Mar 2013 | 28 Mar 2014 | N/A
Director 8.x Standard Release | 1 Mar 2013 | 28 Feb 2015 | 28 Feb 2017
Director 7 Accelerated Feature Release | 19 Nov 2012 | 18 Nov 2013 | N/A
Director 6.1.x Standard Release | 14 May 2012 | 13 May 2014 | 13 May 2016
Director 6.0.x | 28 Jul 2011 | 27 Jul 2013 | 27 Jul 2015
Director 5.3.x | 31 Aug 2010 | 30 Aug 2012 | 30 Aug 2014
----------------------------------------------------------------------------------------
General Support is provided for 2 full years from a version's original release date. General support includes defect resolution, patches, Service Packs, and ability to submit Enhancement Requests.
Best-effort Support is provided for 2 additional years after the General Support period ends. Best-effort support does not include any engineering support or bug fixes - only assistance with configuration questions & general troubleshooting by the Customer Support team.
*Extended Support may be available for certain releases at a premium price after the end of its Best-effort support period.
CURRENT RELEASE MODEL
Beginning in 2014, Venafi began releasing a new major release every quarter with the year to the left of the decimal and the quarter being the first decimal to the right of the decimal. Minor releases / patches are indicated as patches with further decimal indicators.
RELEASE TYPE | Major Releases (19.1, 19.2, 19.3, 19.4) | Minor Releases / Patches (19.1.1, 19.2.3 etc.) | Field Test Patch (not generally released)
Contents | New features & bug fixes | Major bug and security fixes | Critical, high-priority
General support period | 24 months | N/A | N/A
Quality Assurance (QA) testing | Full | Partial | Limited
Security Audit | Full | Depends | N/A
Overview
Venafi Product Management has moved the management of Customer Enhancement Requests, now called "Ideas", to https://ideas.venafi.com, the new Ideas portal. Ideas can have one of several statuses assigned.
Status Details
no status Venafi Product Management (PM) has not reviewed this idea yet. It can sometimes take several weeks for PM to officially review an idea.
Venafi Marketplace Venafi Product Management is trying to collect more information on the idea before it provides a disposition which includes soliciting input from customers.
- There are some details we want to look into on our end first before we make a determination of Planned, Not Planned, or Declined.
It is a good idea, but doesn't align with our road map for this year. PM will look at the idea again next year.
ideas we are trying to address within the next 12 months
ideas we are actively working on. This does not necessarily mean they will be included in the next software release.
ideas we do not plan on implementing
ideas that have been addressed and released in the software
ideas that have been addressed but the problems were solved in a way that is different than what customers may have initially proposed or discussed. This can also be used with ideas where there is already a great way to solve that problem with features that already exist in the product.
- After reviewing the problem being discussed, we have determined that it is more of a troubleshooting issue and are referring the original poster to Venafi Customer Support for further investigation at https://support.venafi.com
- After review, the idea being discussed relates to a feature that is supported by a third party, such as an integration from the or other Third Party.
Applies to:
Venafi Updater versions prior to 19.3
Symptom:
Venafi Updater fails to load the update package with the following error:
** Processing package file C:\Program Files\Venafi\Packages\Patch 18.04.02.03530.vupkg Package file C:\Program Files\Venafi\Packages\Patch 18.04.02.03530.vupkg is signed by CN="Venafi, Inc.", O="Venafi, Inc.", L=Salt Lake City, S=Utah, C=US Package file C:\Program Files\Venafi\Packages\Patch 18.04.02.03530.vupkg has been tampered with. Signature verification failed. Package 'C:\Program Files\Venafi\Packages\Patch 18.04.02.03530.vupkg' failed verification; error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Cause:
A defect in Venafi Updater caused signature verification of packages released after mid-2019 to fail.
Resolution:
Install the latest version of Venafi Updater. You can find the installer for Venafi Updater in the VenafiUpdaterInstallerx64.zip file located in the same folder as the Venafi Update Package on our download server. If this file does not exist, the new Updater is likely bundled in the zip file containing the service pack you have downloaded.
Make sure to execute VenafiUpdaterInstallerx64.msi from an elevated command prompt! The installation does not prompt for anything during the process. Once done, launch Venafi Updater to install the update package normally.
Summary:
DigiCert is a pluggable certificate authority (CA) driver of Venafi Encryption Director (VED). The purpose of the driver is to request SSL certificates from the DigiCert CA based on the selected product type. When interacting with Digicert through a script or the Venafi Director product you must request and obtain an API key from DigiCert for your account access.
More Info:
First create the 'Certificate Authority' object:
Creating Certificate Authority Object KB
Steps to configure the DigiCert object:
Complete the DigiCert object:
General
Description - Create a description for the DigiCert object.
Contact - User or group identities to be assigned to this object. The default notifications are sent to these contacts.
Account Settings
API Key - Key is needed to connect to the DigiCert web service. Contact DigiCert if you don't have the API key. (An NDA is required with DigiCert).
Account Number - The DigiCert account number to authenticate with DigiCert.
Validate - After entering the API Key and the Account Number, click on the Validate button to validate the web service connection and to retrieve product names, enabled options and available validity periods.
Options
Product Name - Drop down list of the available product types. Choose the type of certificate this object will request.
Manual Approval - This check box indicates whether approval of a certificate request is manual or automatic. DigiCert automatically approves all non-extended validation (EV) certificates.
Subject Alt Name Enabled - If the check box is enabled, your account supports Subject Alt Name (SAN). Selecting this option means the object will support SANs.
Extended Validation - If the check box is enabled, your account supports Extended Validation (EV). Check the box if this object is to be used to request Extended Validation certificates.
Validity Period
Available Validity Periods (Years) - Lists the available validity periods, in years, for the selected Product Name.
Supported Validity Periods (Years) - Choose the validity period(s) from the Available Validity Periods that this object will support. These values will be available for selection on the Certificate object if this instance of the DigiCert CA object is chosen.
After completing all of the entries, click on the 'Apply' button to save the settings.
Associating the DigiCert CA object to a Certificate object:
Now either create a new certificate object or navigate to an existing certificate object. Select the Settings tab and for CA Template in the Other Information section, choose the DigiCert CA object you just created above. Select the new DigiCert tab that will appear on the tab panel above.
Complete the remaining certificate-specific DigiCert CA fields:
Settings
Validity Period - The amount of time, in years, this certificate will be issued for. This list shows only the supported validity periods that were selected in the DigiCert CA object created above.
Server Type - The type of server that the certificate is being placed on. This information can be used by the organization for reporting purposes.
Additional Organization Info
Street Address - The street address of the organization that the certificate is being issued to.
Zip - The zip code of the organization that the certificate is being issued to.
After completing all of the entries, click on the 'Apply' button to save the settings.
Documented Event ID/Error Codes in Venafi Trust Protection Platform 19.1 Products
Error codes and Event IDs are categorized in groups. Each group has a unique 4-character hexadecimal prefix, and each event ID is that prefix followed by four more hexadecimal characters (for example, 401D0001 belongs to group 401D). All the prefixes are listed below, with the name of the associated group. Clicking on the group prefix will take you directly to the associated section of the complete listing of the event IDs.
Note: This list is updated once a year during the XX.1 release.
Group ID | Group Description
0001 | Logging
0002 | Venafi Configuration
0003 | Venafi SecretStore
0004 | Venafi Credentials
0005 | Venafi Permissions
0006 | Vagent
0007 | Venafi Discovery
0008 | Identity
0009 | Venafi Certificate Manager
000A | Venafi Workflow
000B | Venafi Certificate Core
000C | Admin UI
000D | Venafi Certificate Authority
000E | Venafi Platform
000F | Venafi SSH Workflow
0011 | Venafi Encryption
0013 | Venafi Monitoring
0014 | Venafi Validation Service
0015 | Venafi Credential Monitoring
0016 | Log Client
0017 | Venafi Reporter
0018 | Venafi Monitor
001A | Network Device Enrollment
001B | Aperture
001C | Certificate Revocation
001D | SSHManager Service Module
001E | Venafi CA Import
0020 | SSHManager ClientRest Module
0023 | User Portal
0024 | Certificate Reports
0025 | Client Rest Service
0026 | Venafi TrustNet Integration
0027 | Venafi Onboard Discovery
0029 | WebSDK REST API
0031 | Venafi Cloud Instance Monitoring
0032 | ACME Service
0033 | Bulk Provisioning
0034 | Venafi ToDo
0036 | AutoLayout
0038 | Venafi Authentication Server
0039 | Venafi OAuth Subsystem
0040 | AutoLayout Cert
0041 | Validation Storage
1004 | Venafi Software Encryption
1005 | Venafi Hardware Encryption
1008 | Identity AD
1009 | Identity Local
100A | Identity LDAP
2001 | LogMsSql
2003 | LogSplunk
2100 | LogAdaptable
3002 | Microsoft CA
3003 | Symantec MPKI
3004 | Redhat CA
3007 | Entrust.Net
3008 | UniCERT
3009 | Thawte
300A | RSA
300B | GeoTrust CA
300C | DigiCert CA
300D | OpenSSL CA
300E | GlobalSign MSSL CA
300F | GeoTrust Enterprise CA
3011 | OpenTrust PKI CA
3013 | Self-signed CA
3014 | Trustwave CA
3015 | QuoVadis CA
3016 | HydrantId CA
3017 | Comodo CCM CA
3019 | GeoTrust TrueFlex CA
3021 | Xolphin
3022 | Amazon CA
3023 | Microsoft CA Pool
3091 | Adaptable
4001 | Apache
4002 | Global Security Kit
4003 | IIS6
4005 | X509 Certificate
4006 | Venafi SSH
4007 | Venafi HTTP
4008 | Venafi SQL
4009 | Pkcs12
400A | Application
400B | IIS5
400D | Cisco CSS
400E | Java Keystore
4010 | iPlanet
4011 | TealeafSunimp
4013 | VAMSunimp
4014 | NetScaler
4015 | VAM nShield
4017 | DataPower
4018 | Tealeaf PCA
4019 | PEM
401A | F5LTMAdvanced
401B | Basic
401C | Imperva MX
401D | A10AXTM
401E | Layer 7 SSG
401F | Juniper SAS
4020 | ConnectDirect
4021 | BlueCoat
4022 | PaloAlto
4023 | Amazon App
4024 | Azure Key Vault
4044 | TopSecret
4100 | Common
4666 | Riverbed SteelHead
4668 | Adaptable App
4FFF | CAPI
5001 | AgentKeystore
5002 | AgentSsh
6001 | Migration
7001 | AWS EC2 Cloud Instance Monitoring Driver
8001 | CyberArk
9001 | Adaptable Workflow
FFFE | Venafi Tools
FFFF | Tracing
EventID | Description | Readable Log Text
401D: Definitions for events generated by the A10 AX Traffic Manager application driver
401D0001 | A10 AX TM - Chain File Name Already Exists | "The chain file being provisioned with name: $Event.Text1$, already exists on device: $Event.Text2$."
401D0002 | A10 AX TM - Chain File Failed To Upload | "The chain file: $Event.Text1$, failed to upload with error: $Event.Text2$."
401D0003 | A10 AX TM - Private Key Is Null Or Empty | "The private key is null or empty."
401D0004 | A10 AX TM - Private Key Already Exists | "The private key: $Event.Text1$ already exists on device $Event.Text2$."
401D0005 | A10 AX TM - Private Key Failed To Upload | "The private key failed to upload with error: $Event.Text1$."
401D0006 | A10 AX TM - Certificate Is Null Or Empty | "The certificate is null or empty."
401D0007 | A10 AX TM - Certificate Already Exists | "The certificate: $Event.Text1$, already exists on device: $Event.Text2$."
401D0008 | A10 AX TM - Successfully Uploaded Chain File | "Successfully uploaded chain file: $Event.Text1$."
401D0009 | A10 AX TM - Successfully Uploaded Private Key | "Successfully uploaded private key: $Event.Text1$."
401D000A | A10 AX TM - Failed to Upload Certificate | "Failed to upload certificate: $Event.Text1$, on device: $Event.Text2$."
401D000B | A10 AX TM - Successfully Uploaded Certificate | "Successfully uploaded certificate: $Event.Text1$."
401D000C | A10 AX TM - Failed To Update SSL Client Template | "Failed to update SSL client template: $Event.Text1$ with error: $Event.Text2$."
401D000D | A10 AX TM - Successfully Updated SSL Client Template | "Successfully updated SSL client template: $Event.Text1$."
401D000E | A10 AX TM - Failed To Update SSL Server Template | "Failed to update SSL server template: $Event.Text1$. with error: $Event.Text2$."
401D000F | A10 AX TM - Successfully Updated SSL Server Template | "Successfully updated SSL server template: $Event.Text1$."
401D0010 | A10 AX TM - Failed To Create Client SSL Template | "Failed to create SSL client template: $Event.Text1$ with error: $Event.Text2$."
401D0011 | A10 AX TM - Successfully Created Client SSL Template | "Successfully created SSL client template: $Event.Text1$."
401D0012 | A10 AX TM - Failed to Create Server SSL Template | "Failed to create SSL server template: $Event.Text1$ with error: $Event.Text2$."
401D0013 | A10 AX TM - Successfully Create Server SSL Template | "Successfully created SSL server template: $Event.Text1$."
401D0014 | A10 AX TM - Failed To Associate Certificate And Key To Template | "Failed to associate certificate or key, certificate or key: $Event.Text1$ was not found."
401D0015 | A10 AX TM - Successfully Extracted Certificate | "Successfully extracted $Event.Text1$ certificate on $Event.Component$."
401D0016 | A10 AX TM - Failed to Extract Certificate | "Failed to extract $Event.Text1$ certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
401D0017 | A10 AX TM - Successfully Extracted Key | "Successfully extracted $Event.Text1$ private key on $Event.Component$."
401D0018 | A10 AX TM - Failed to Extract Key | "Failed to extract $Event.Text1$ private key on $Event.Component$. Error: $Event.Text2$ Additional error data $Event.Data$."
401D0019 | A10 AX TM - Validation Error | "Failed to validate $Event.Text1$ certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
401D001A | A10 AX TM - Network Validation not possible | "Network validation not possible for Server SSL Templates on $Event.Component$"
401D001B | A10 AX TM - Empty SSL Listen Host | "Failed to validate $Event.Text1$ certificate on $Event.Component$ as SSL Listen Host is empty."
401D001C | A10 AX TM - Web Services Connection Error | "Connection to $Event.Text1$ failed on $Event.Component$ with error: $Event.Text2$."
401D001D | A10 AX TM - Failed to Extract Certificate and Key | "Failed to extract certificate and key from device: $Event.Text1$."
401D001E | A10 AX TM - Failed to Connect to Device | "Failed to connect to $Event.Component$."
401D001F | A10 AX TM - SSH Connection Error | "Failed to establish an SSH connection with Host on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
401D0020 | A10 AX TM - Inject Command Failed | "$Event.Component$ failed while processing a inject command at stage $Event.Value1$. Command: $Event.Text1$. Return Code: $Event.Value2$."
401D0021 | A10 AX TM - Inject Command Success | "The inject command $Event.Text1$ has been run on $Event.Component$ at Stage $Event.Value1$."
401D0022 | A10 AX TM - Inject Command Error | "An error occurred while running the inject command $Event.Text1$ on $Event.Component$. Error: $Event.Text2$ Additional error data $Event.Data:String$."
401D0023 | A10 AX TM - SSH Disconnect Error | "Error disconnecting from $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data:String$."
401D0024 | A10 AX TM - Certificate Name Is Null Or Empty | "The certificate is null or empty."
401D0025 | A10 AX TM - Certificate or Key Does Not Exist on the Box | "Certificate or Key does not exist on the application. Additional Information: $Event.Text1$."
0032: Definitions for events generated by ACME Server
00320001 | ACME - Registration Success | "ACME account successfully created. Public Key Fingerprint: $Event.Text1$. Contact: $Event.Text2$."
00320002 | ACME - Duplicate Registration | "Registration failed because the account is already registered with $Event.Text2$."
00320003 | ACME - Registration Without Email | "Registration failed because no email address was provided."
00320004 | ACME - Registration No Identity | "Registration failed because no identity could be found that is associated with the provided email address $Event.Text2$."
00320005 | ACME - Subfolder Not Found | "The specified folder, $Event.Text2$, does not exist and Trust Protection Platform is not configured to allow the automatic creation of folders."
00320006 | ACME - Failed Creating Subfolder | "Failed to create the certificates subfolder $Event.Text2$. Check the subfolder name and try again."
00320007 | ACME - Processing Timed Out | "Processing of certificate $Event.Text1$ timed out. Consider configuring engine $Event.Text2$ to check for work more often."
00320008 | ACME - Processing Error | "Processing of certificate $Event.Text1$ failed with error: $Event.Text2."
00320009 | ACME - Processing Success | "Processing of certificate $Event.Text1$ was successful."
0032000A | ACME - Subfolder Contains Uppercase | "The name of the subfolder, $Event.Text2$, cannot contain uppercase letters."
0032000B | ACME - Domain Whitelisting Violated | "Requested identifier, $Event.Text2$, does not comply with Domain Whitelisting policy."
0032000C | ACME - Validation Error | "Error occurred while validating $Event.Text1$. Error: $Event.Text2$."
0032000D | ACME - Account Not Found | "No account could be found that is associated with the requested public key fingerprint $Event.Text1$."
0032000E | ACME - Authorization Not Found | "No authorization record could be found that is associated with account $Event.Text1$ and identifier $Event.Text2$."
0032000F | ACME - Validation Success | "Identifier validation was successful. Public Key Fingerprint: $Event.Text1$. Identifier: $Event.Text2$."
00320010 | ACME - Validation Failed | "Identifier validation failed. Public Key Fingerprint: $Event.Text1$. Identifier: $Event.Text2$. Reason: $Event.Data$"
00320011 | ACME - No CA Template | "The certificate folder $Event.Text2$ does not have a CA Template assigned to it."
00320012 | ACME - Key Strength Noncompliance | "The requested key size, $Event.Value1$, does not comply with Key Strength policy."
7001: Definitions for events generated by the AWS EC2 Cloud Instance Monitoring service
70010001 | AWS EC2 Instance Monitoring - Missing Credentials | "The AWS EC2 Cloud Instance Monitor $Event.Component$ is missing credentials required for communicating with AWS services."
70010002 | AWS EC2 Instance Monitoring - Error | "The AWS EC2 Cloud Instance Monitor $Event.Component$ encountered an error communicating with AWS services. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$"
70010003 | AWS EC2 Instance Monitoring - Connection Error | "The AWS EC2 Cloud Instance Monitor $Event.Component$ encountered an error communicating with AWS services, for the $Event.Text1$ region. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$"
7001001A | AWS EC2 Instance Monitoring - Credential Retrieval Failure | "Failed to retrieve the credential at $Event.Text1$. Error:$Event.Text2$"
7001001B | AWS EC2 Instance Monitoring - No Value Retrieved for Credential | "No $Event.Text2$ value was retrieved for $Event.Text1$. Credential error: $Event.Data:String$"
3091: Definitions for events generated by the Adaptable certificate authority driver
30910001 | Adaptable CA - CA Communication error | "Failed to communicate with the CA $Event.Component$ for $Event.Text1$. Error: $Event.Text2$. Additional error data: $Event.Data$"
30910002 | Adaptable CA - Certificate Revocation Failed | "Failed to revoke a certificate from the CA $Event.Component$. Certificate Serial Number: $Event.Text1$. Error: $Event.Text2$. Additional error data: $Event.Data$"
30910003 | Adaptable CA - CSR Post Successful | "Successfully posted certificate signing request (CSR) to CA $Event.Component$ for $Event.Text1$. Transaction ID: $Event.Text2$. Enrollment mode: $Event.Data:String$"
30910004 | Adaptable CA - Certificate Retrieval Successful | "Successfully retrieved certificate from the CA $Event.Component$ for $Event.Text1$."
30910005 | Adaptable CA - Certificate Revocation Successful | "Successfully revoked certificate from CA $Event.Component$. Certificate Serial Number: $Event.Text1$ Revocation Reason: $Event.Text2$"
30910006 | Adaptable CA - CSR Post Failure | "Failed to post CSR to $Event.Component$ for $Event.Text1$. Error: $Event.Text2$"
30910007 | Adaptable CA - Certificate Retrieval Failure | "Failed to retrieve certificate from $Event.Component$ for $Event.Text1$. Error: $Event.Text2$"
30910008 | Adaptable CA - Attribute Save Failure | "Failed to save $Event.Text2$ value of '$Event.Text1$' to the database."
30910009 | Adaptable CA - Prepare For Certificate Request Successful | "Prepare For Certificate Request stage passed successfully."
3091000A | Adaptable CA - Prepare For Certificate Request Failed | "Prepare For Certificate Request stage failed for $Event.Component$. Error: $Event.Text2$."
3091000B | Adaptable CA - Missing Transaction ID for the Certificate to be Revoked | "Warning: Missing Transaction ID for the Certificate to be Revoked."
3091000C | Adaptable CA - Certificate Process Completion Successful | "Complete stage passed successfully."
3091000D | Adaptable CA - Certificate Process Completion Failed | "Complete stage failed for $Event.Component$. Error: $Event.Text2$."
3091000E | Adaptable CA - Approve Request Successful | "Approve Request stage passed successfully."
3091000F | Adaptable CA - Approve Request Failed | "Approve Request stage failed for $Event.Component$. Error: $Event.Text2$."
30910010
Adaptable CA - Script Approved
"A new PowerShell script was approved by user $Event.Text2$. Hash of script: $Event.Text1$."
30910011
Adaptable CA - Script Mismatch Detected
"Approved hash and hash computed for the script are not equal. Approved Hash: $Event.Text1$. Script Hash: $Event.Text2$."
30910012
Adaptable CA - Retry After Script Mismatch Initiated
"Retry for certificate $Event.Text1$ initiated after approval of the script on CA template $Event.Component$."
30910013
Adaptable CA - CA Template Save Failure
"Failed to save CA template $Event.Component$. Error:$Event.Text1$."
4668
Definitions for events generated by the Adaptable application driver
46680001
Adaptable App - Prepare Keystore Success
"Keystore was successfully prepared for $Event.Component$."
46680002
Adaptable App - Prepare Keystore Failed
"Failed to prepare keystore on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680003
Adaptable App - Start Processing Success
"Processing was successfully started for $Event.Component$."
46680004
Adaptable App - Start Processing Failed
"Failed to start processing on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680005
Adaptable App - Create Private Key Success
"Private Key was successfully created for $Event.Text1$ on $Event.Component$."
46680006
Adaptable App - Failed to Create Private Key
"Failed to create private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680007
Adaptable App - Generate CSR Success
"CSR was successfully generated for $Event.Text1$ on $Event.Component$."
46680008
Adaptable App - Failed to Generate CSR
"Failed to generate CSR on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680009
Adaptable App - Install Certificate Chain Success
"Successfully installed Certificate Chain on $Event.Component$."
4668000A
Adaptable App - Certificate Chain Installation Failed
"Failed to install certificate chain on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000B
Adaptable App - Install Private Key Success
"Successfully installed Private Key named $Event.Text1$ on $Event.Component$."
4668000C
Adaptable App - Private Key Installation Failed
"Failed to install private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000D
Adaptable App - Install Certificate Success
"Successfully installed Certificate named $Event.Text1$ on $Event.Component$."
4668000E
Adaptable App - Certificate Installation Failed
"Failed to install certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000F
Adaptable App - Update Binding Success
"Bindings successfully updated on $Event.Component$."
46680010
Adaptable App - Binding Update Failed
"Failed to update bindings on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680011
Adaptable App - Activate Certificate Success
"Successfully activated certificate on $Event.Component$."
46680012
Adaptable App - Activate Certificate Failed
"Failed to activate certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680013
Adaptable App - Extract Certificate Success
"Successfully extracted certificate on $Event.Component$."
46680014
Adaptable App - Extract Certificate Failed
"Failed to extract certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680015
Adaptable App - Extract Private Key Success
"Successfully extracted private key on $Event.Component$."
46680016
Adaptable App - Extract Private Key Failed
"Failed to extract private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680017
Adaptable App - Validate Installation Failure
"Failed to validate the installation on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680018
Adaptable App - Remove Certificate Success
"Successfully removed obsolete certificate named $Event.Text1$ from $Event.Component$."
46680019
Adaptable App - Remove Certificate Failed
"Failed to remove obsolete certificate named $Event.Text1$ from $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
4668001A
Adaptable App - Generational Certificate Names Retrieved
"Successfully retrieved current certificate name as $Event.Text1$ and parent certificate name as $Event.Text2$."
4668001B
Adaptable App - Generational Object Creation Error
"While creating a generational object, an error occurred with a result of $Event.Text1$. Error: $Event.Text2$."
4668001C
Adaptable App - Generational Data Update Failure
"Failed to update a generational object with data ($Event.Text1$). Error: $Event.Text2$."
4668001D
Adaptable App - Generational Data Update Success
"Successfully updated a generational object with data ($Event.Text1$)."
4668001E
Adaptable App - Stage Skipped
"$Event.Text1$ stage has been skipped on $Event.Component$."
4668001F
Adaptable App - Private Key Already Installed
"Private Key named $Event.Text1$ is already installed on $Event.Component$."
46680020
Adaptable App - Certificate Already Installed
"Certificate named $Event.Text1$ is already installed on $Event.Component$."
46680021
Adaptable App - Chain Certificate(s) Already Installed
"Chain Certificate(s) already installed on $Event.Component$."
46680022
Adaptable App - Bulk Certificates Installation Successful
"The application, $Event.Component$, successfully installed certificates."
46680023
Adaptable App - Bulk Certificates Installation Failed
"Failed to install certificates on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680024
Adaptable App - Bulk Certificate Installation Failed
"Failed to install certificate on $Event.Component$. Thumbprint $Event.Text1$. Error: $Event.Text2$."
46680025
Adaptable App - Bulk Certificate Installation Rejected
"Certificate installation rejected by $Event.Component$. Thumbprint $Event.Text1$. Error: $Event.Text2$."
46680026
Adaptable App - Script Mismatch Detected
"Approved hash and hash computed for the script are not equal. Approved Hash: $Event.Text1$. Script Hash: $Event.Text2$."
46680027
Adaptable App - Script Approved
"A new PowerShell script was approved by user $Event.Text2$. Hash of script: $Event.Text1$."
46680028
Adaptable App - Retry After Script Mismatch Initiated
"Retry for $Event.Text1$ initiated after approval of the script on the Adaptable Application policy $Event.Component$."
9001
Definitions for events generated by the Adaptable Workflow
90010001
Adaptable Workflow - PowerShell Execution Results
"PowerShell script returned '$Event.Text1$'. Details: $Event.Text2$."
90010002
Adaptable Workflow - PowerShell Processing Failure
"Failed to process PowerShell script: $Event.Text2$. Additional Data: $Event.Data$"
90010003
Adaptable Workflow - Attribute Write Failure
"Failed to save a value for $Event.Text1$. Error: $Event.Text2$."
90010004
Adaptable Workflow - Attribute Clear Failure
"Failed to clear a value of $Event.Text1$. Error: $Event.Text2$."
90010005
Adaptable Workflow - Approvers Returned by Script
"The PowerShell script of $Event.Text2$ returned the approvers of $Event.Text1$."
90010006
Adaptable Workflow - TPP Workflow Ticket Requested
"A workflow ticket is requested to TPP by the script of $Event.Text1$. Details:$Event.Text2$"
90010007
Adaptable Workflow - Workflow Paused
"A workflow is paused by the script with the reference ID of $Event.Text1$. Details: $Event.Text2$"
90010008
Adaptable Workflow - Workflow Rejected
"A workflow is rejected by the script of $Event.Text1$. Details: $Event.Text2$"
90010009
Adaptable Workflow - Workflow Approved
"A workflow is approved by the script of $Event.Text1$. Details: $Event.Text2$"
9001000A
Adaptable Workflow - Invalid Seconds To Pause Value
"A workflow pause reported by the script of $Event.Text1$ has an invalid value: '$Event.Text2$'"
9001000B
Adaptable Workflow - Script Mismatch Detected
"Approved hash and hash computed for the script are not equal. Approved Hash: $Event.Text1$. Script Hash: $Event.Text2$."
9001000C
Adaptable Workflow - Script Approved
"A new PowerShell script was approved by user $Event.Text2$. Hash of script: $Event.Text1$."
000C
Definitions for events generated by the Administration Consoles
000C0001
Admin UI - Logout Successful
"User $Event.Component$ logged out. Prefixed name: $Event.Text1$. Prefixed universal ID: $Event.Text2$."
000C0002
Admin UI - Login Successful
"User $Event.Component$ logged in from IP Address $Event.Data$. Prefixed name: $Event.Text1$. Prefixed universal ID: $Event.Text2$."
000C0003
Admin UI - [Deprecated] Login Failure
"User $Event.Text1$ ($Event.Component$) was not able to log in."
000C0004
Admin UI - Object Created
"$Event.Text2$ $Event.Component$ was created by user $Event.Text1$."
000C0005
Admin UI - Object Updated
"$Event.Text2$ $Event.Component$ was updated by user $Event.Text1$."
000C0006
Admin UI - Object Deleted
"$Event.Text2$ $Event.Component$ was deleted by user $Event.Text1$."
000C0007
Admin UI - CSR Uploaded
"User $Event.Text1$ uploaded a CSR for certificate $Event.Component$. CSR vault ID: $Event.Value1$."
000C0008
Admin UI - Certificate Uploaded
"Certificate $Event.Component$ was uploaded by user $Event.Text1$. Serial number $Event.Text2$. Certificate vault ID: $Event.Value1$."
000C0009
Admin UI - Private Key Uploaded
"User $Event.Text1$ uploaded a private key for certificate $Event.Component$. Private key vault ID: $Event.Value1$."
000C000A
Admin UI - Certificate Downloaded
"Certificate $Event.Component$ was downloaded by user $Event.Text1$. Serial number: $Event.Text2$. Private Keys Included: $Event.Value1$ Chain Included: $Event.Value2$"
000C000B
Admin UI - Configuration Saved
"$Event.Component$ setting ($Event.Text2$) was saved by user $Event.Text1$."
000C000C
Admin UI - Renew Now
"Certificate renewal for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C000D
Admin UI - Restart Certificate
"Certificate restart for $Event.Component$ was requested by $Event.Text1$."
000C000E
Admin UI - Retry Application
"Application retry for $Event.Component$ was requested by $Event.Text1$. Certificate: $Event.Text2$."
000C000F
Admin UI - Object Renamed
"Object $Event.Text2$ was renamed to $Event.Component$ by user $Event.Text1$."
000C0010
Admin UI - Root Certificate Uploaded
"Root certificate $Event.Component$ was uploaded by user $Event.Text1$. Serial number: $Event.Text2$. Certificate vault ID: $Event.Value1$."
000C0011
Admin UI - [Deprecated] Permissions Added
"Permissions for $Event.Text2$ were added for object $Event.Component$ by user $Event.Text1$ (Permissions set to $TranslateRights[Config, $Event.Value1$]$)."
000C0012
Admin UI - [Deprecated] Permissions Updated
"Permissions for $Event.Text2$ were updated for $Event.Component$ by user $Event.Text1$ (Permissions set to $TranslateRights[Config, $Event.Value1$]$)."
000C0013
Admin UI - Permissions Removed
"Permissions for $Event.Text2$ were removed for $Event.Component$ by user $Event.Text1$."
000C0014
Admin UI - Application Association Added
"Association between application $Event.Component$ and certificate $Event.Text2$ was added by user $Event.Text1$."
000C0015
Admin UI - Application Association Removed
"Association between application $Event.Component$ and certificate $Event.Text2$ was removed by user $Event.Text1$."
000C0016
Admin UI - Application Association Enabled
"Association between application $Event.Component$ and certificate $Event.Text2$ was enabled by user $Event.Text1$."
000C0017
Admin UI - Application Association Disabled
"Association between application $Event.Component$ and certificate $Event.Text2$ was disabled by user $Event.Text1$."
000C0018
Admin UI - Certificate Pushed
"Certificate $Event.Text2$ has been queued for a push operation to application $Event.Component$ by user $Event.Text1$."
000C0019
Admin UI - Certificate Extracted
"Certificate $Event.Text2$ has been extracted from application $Event.Component$ by user $Event.Text1$."
000C001A
Admin UI - Retry Certificate
"Certificate retry for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C001B
Admin UI - Login Failure
"User $Event.Text1$ was not able to log in on $Event.Component$. IP Address: $Event.Data$."
000C001C
Admin UI - Configuration Cleared
"User $Event.Text1$ cleared attribute $Event.Text2$ on object $Event.Component$."
000C001D
Admin UI - Configuration Changed
"User $Event.Text1$ changed attribute $Event.Text2$ on object $Event.Component$ (Details: $Event.Data$)."
000C001E
Admin UI - Policy Configuration Cleared
"User $Event.Text1$ cleared policy attribute $Event.Text2$ on object $Event.Component$."
000C001F
Admin UI - Policy Configuration Changed
"User $Event.Text1$ changed policy attribute $Event.Text2$ on object $Event.Component$ (Details: $Event.Data$)."
000C0020
Admin UI - Change Password Successful
"User $Event.Component$ successfully changed the password for user $Event.Text1$ at $Event.Text2$."
000C0021
Admin UI - Reset Password Successful
"Administrator $Event.Component$ successfully reset the password for user $Event.Text1$ at $Event.Text2$."
000C0022
Admin UI - Change Password Unsuccessful
"User $Event.Component$ unsuccessfully tried to change the password for user $Event.Text1$ at $Event.Text2$."
000C0023
Admin UI - Reset Password Unsuccessful
"Administrator $Event.Component$ unsuccessfully tried to reset the password for user $Event.Text1$ at $Event.Text2$."
000C0024
Admin UI - Encountered Invalid Web Data
"Invalid web data: $Event.Component$ occurred in WebApp. User: $Event.Text1$. Error Details: $Event.Data$"
000C0025
Admin UI - Configuration Change Failed
"User $Event.Text1$ failed to change attribute $Event.Text2$ on object $Event.Component$ (Config Result: $Event.Data$)."
000C0026
Admin UI - Policy Change Failed
"User $Event.Text1$ failed to change policy attribute $Event.Text2$ on object $Event.Component$ (Config Result: $Event.Data$)."
000C0027
Admin UI - Key Rotated
"User $Event.Text1$ rotated the key for object $Event.Component$."
000C0028
Admin UI - Key Uploaded
"User $Event.Text1$ uploaded the key for object $Event.Component$."
000C0029
Admin UI - Reset Certificate
"Certificate reset for $Event.Component$ was requested by $Event.Text1$."
000C002A
Admin UI - Policy Inheritance Changed
"User $Event.Text1$ changed the inheritance of the attribute $Event.Text2$ for object $Event.Component$ from $Event.Value1$ to $Event.Value2$ (0 = suggested, 1 = locked)."
000C002B
Admin UI - SSH Dashboard Calculation Failure
"$Event.Component:String$ failed to calculate SSH Dashboard, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002C
Admin UI - SSH Dashboard Thread Exception
"$Event.Component:String$ encountered exception in SSH Dashboard update thread, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002D
Admin UI - Certificate Dashboard Calculation Failed
"$Event.Component:String$ failed to calculate Certificate Dashboard, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002E
Admin UI - Certificate Dashboard Expirations Calculation Failed
"$Event.Component:String$ failed to calculate Dashboard Certificate Expirations, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002F
Admin UI - Dashboard Generic Expirations Calculation Failed
"$Event.Component:String$ failed to calculate generic Dashboard Expirations, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C0030
Admin UI - Revoke Certificate
"Certificate revocation for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C0031
Admin UI - Challenge Accepted
"Support Tab challenge/response code $Event.Text2$ accepted for user $Event.Text1$."
000C0032
Admin UI - Client Certificate
"Client certificate was used to sign in. Subject: $Event.Text1$. Serial: $Event.Text2$."
000C0033
Admin UI - Validate Now
"Certificate validation for $Event.Component$ was requested by $Identity[$Event.Text1$]$."
000C0034
Admin UI - User Data Error
"Unable to retrieve the $Event.Text1$ for the current user."
000C0035
Admin UI - Plugin Initialization Error
"Unable to $Event.Text1$ the $Event.Text2$ plugin."
000C0036
Admin UI - Reset Application
"Application reset for $Event.Component$ was requested by $Event.Text1$."
000C0037
Admin UI - Validation Request on Application
"Certificate validation for $Event.Component$ on $Event.Text2$ was requested by $Identity[$Event.Text1$]$."
000C0038
Admin UI - Validation Request Failure on Application
"Failed requesting certificate validation on $Event.Text2$ for certificate of $Event.Component$ requested by $Identity[$Event.Text1$]$."
000C0039
Admin UI - Validation Request Error on Application
"Error in requesting certificate validation on $Event.Text1$ for certificate of $Event.Component$. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$."
000C003A
Admin UI - Object Creation Failed
"$Event.Text1$ creation failed. Error: $Event.Text2$."
000C003B
Admin UI - Mismatched Certificate Uploaded
"User $Event.Text1$ uploaded certificate $Event.Component$ with a mismatched public and private key."
000C003C
Admin UI - Mismatched Certificate Updated
"Certificate $Event.Component$ with a mismatched public and private key was updated by user $Event.Text1$."
000C003D
Admin UI - Certificate Imported
"Certificate $Event.Component$ was imported by user $Event.Text1$."
000C003E
Admin UI - Potential CSRF
"A POST request with missing or invalid security tokens was received. Restart your browser and try again. If you receive this error message repeatedly, contact your network security team to investigate a potential CSRF attack."
000C003F
Admin UI - Certificate Expiration Cache Collision
"User: $Event.Component$ experienced a collision in the Certificate Expiration Data cache $Event.Text1$ on object $Event.Text2$."
000C0040
Admin UI - Permissions Added
"Permissions for $Event.Text2$ were added for object $Event.Component$ by user $Event.Text1$ (Permissions set to $Event.Data$)."
000C0041
Admin UI - Permissions Updated
"Permissions for $Event.Text2$ were updated for $Event.Component$ by user $Event.Text1$ (Permissions set to $Event.Data$)."
000C0042
Admin UI - Reset Revocation Status
"Reset Revocation Status for $Event.Component$ was requested by $Event.Text1$."
000C0043
Admin UI - Unable to Delete Object
"Unable to delete this object by user $Event.Text1$ because it has child objects. Please delete it manually."
000C0044
Admin UI - Object Deletion Failure
"Failed in deleting this object by user $Event.Text1$: $Event.Text2$. Please delete it manually."
000C0045
Admin UI - Pass-through Auth Enabled
"Pass-through authentication has been successfully set up and enabled on $Event.Text1$ $CN[$Event.Component$]$."
000C0046
Admin UI - Pass-through Auth Missing Registry Setting
"Pass-through authentication was enabled on $Event.Text1$ $CN[$Event.Component$]$ but the registry was not updated."
000C0047
Admin UI - Pass-through Auth Missing Global Setting
"The registry for pass-through authentication was updated on $Event.Text1$ $CN[$Event.Component$]$ but was not enabled globally in the Web Administration console."
000C0048
Admin UI - Missing Referral Headers
"A request with missing REFERER and ORIGIN headers was blocked."
000C0049
Admin UI - Invalid Referral Headers
"A request with invalid REFERER/ORIGIN headers was blocked."
000C004A
Admin UI - Failed to Add To Processing Queue
"Failed to add $Event.Text2$ to processing queue. $Event.Component$ by user $Event.Text1$."
5001
Definitions for the Venafi Agent Keystore events
5001001F
AgentKeystore - Cert Decrypt failure
"The agent module $Event.Component:String$, unable to open encrypted PKCS12 keystore found at: $Event.Text1$, no passwords."
50010020
AgentKeystore - Cert Decrypt failed
"The agent module $Event.Component:String$, unable to open encrypted PKCS12 keystore at: $Event.Text1$, no password."
5001810A
AgentKeystore - Placement Configuration Error
"The Venafi Agent running on $Event.Text1$ has encountered an error: Discovery results certificate placement error for the $Event.Text2$ work object. No results can be saved."
5001810C
AgentKeystore - Discovery Configuration Error
"The Venafi Agent running on $Event.Text1$ has encountered an error: No default certificate placement location is set for the $Event.Text2$ work object."
5001810D
AgentKeystore - Discovered Keystore
"The Venafi Agent running on $Event.Text1$ discovered $Event.Text2$."
5001810E
AgentKeystore - Certificate Operation Status
"Agent file operation, $Event.Data:String$, for $Event.Text1$ file, $Event.Text2$, succeeded."
5001810F
AgentKeystore - Certificate Installation Status
"Agent certificate installation for $Event.Text1$ file $Event.Text2$ status: $Event.Data:String$"
50018110
AgentKeystore - Certificate Validation Status
"Agent file validation for $Event.Text1$ keystore/certificate, $Event.Text2$, result: $Event.Data:String$."
50018113
AgentKeystore - Discovery Placement Failed
"$Event.Text1$ was not placed in storage. Reason: $Event.Text2$"
50018114
AgentKeystore - PEM Private Key Installation Failure
"Agent Failed to install private key for $Event.Text1$ file $Event.Text2$. Additional error data: $Event.Data:String$"
50018115
AgentKeystore - Undiscovered Keystore
"The Venafi Agent running on $Event.Text1$ did not discover $Event.Text2$."
50018116
AgentKeystore - Dynamic Provisioning Certificate Creation Error
"The certificate, $Event.Text1$, cannot be issued or installed because of the following error: $Event.Text2$. Verify settings on the related work and CA template objects, and then try again."
50018117
AgentKeystore - Dynamic Provisioning Certificate Name Error
"The certificate, $Event.Text1$, cannot be created because its name is already in use. Review Work settings of $Event.Text2$, and then try again."
50018118
AgentKeystore - Certificate Operation Error
"Agent file operation, $Event.Data:String$, for $Event.Text1$ file, Error: $Event.Text2$."
50018119
AgentKeystore - Perform Layout Failed
"Failed to perform layout on $Event.Text1$. Error: $Event.Text2$"
5001811A
AgentKeystore - Perform Layout Exception
"An unexpected exception occurred while trying to perform layout on $Event.Text1$. Error: $Event.Text2$. Additional Information: $Event.Data:String$"
5002
Definitions for the Venafi Agent SSH events
50020001
AgentSSH - Key Decrypt failure
"The agent module $Event.Component:String$, unable to open encrypted key found at $Event.Text1$, no passwords."
50020002
AgentSSH - Key Decrypt failed
"The agent module $Event.Component:String$, unable to open key type, $Event.Text1$, found at $Event.Text2$, no password."
50020003
AgentSSH - Discovered Key Count
"The agent module $Event.Component:String$, discovered key count: $Event.Value1$."
50020004
AgentSSH - Discovered Service Count
"The agent module $Event.Component:String$, discovered service count: $Event.Value1$."
50020005
AgentSSH - Discovered Key
"The agent module $Event.Component:String$, discovered key at: $Event.Text1$."
50020006
AgentSSH - Discovered Service
"The agent module $Event.Component:String$, discovered service at: $Event.Text1$."
50020007
AgentSSH - Shrink Custom DB
"The agent module $Event.Component:String$, failed to shrink the database: $Event.Text1$ reason: $Event.Text2$."
50020008
AgentSSH - Found config file remote path
"SSH config file remote path: $Event.Component$."
50028001
AgentSSH - Out of Memory
"The agent module handler $Event.Component:String$ encountered an out of memory condition processing the delivery from the agent at $Event.Text1$."
50028002
AgentSSH - Not Supported
"The agent module handler $Event.Component:String$ could not process the scan type $Event.Value1$ from the agent at $Event.Text1$."
50028003
AgentSSH - GUID not found
"Failed to find GUID for $Event.Component$."
50028004
AgentSSH - Create Config Failed
"Failed to create config for $Event.Component$."
50028005
AgentSSH - Create Secret Store Failed
"Failed to create secret store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028006
AgentSSH - Create Key Store Failed
"Failed to create key store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028007
AgentSSH - Create Discovery Store Failed
"Failed to create discovery store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028009
AgentSSH - Config Read Error
"Failed to read the $Event.Text2$ attribute on the object $Event.Text1$."
50028080
AgentSSH - Cryptographic Failure
"The agent module handler $Event.Component:String$ encountered an error processing an asymmetric key with the message $Event.Text1:String$ for the hash $Event.Text2:String$ at payload index $Event.Value1$ from the agent at $Event.Text1$."
50028100
AgentSSH - Key Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the key scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028101
AgentSSH - Key Inventory
"The agent module $Event.Component:String$, $Event.Text1$ key found at: $Event.Text2$ id: $Event.Value1$ type:$Event.Value2$."
50028102
AgentSSH - Key Scan Inventory Stored
"The agent module $Event.Component:String$, stored key, id: $Event.Value1$ type:$Event.Value2$."
50028103
AgentSSH - Key Scan Inventory Updated
"The agent module $Event.Component:String$, updated key, id: $Event.Value1$ type:$Event.Value2$."
50028104
AgentSSH - Key Ignored
"The discovery service module is excluding the Key for Agent SSH Discovery $Event.Component$ found on $Event.Text2$ from storage based on the Exclusion $Event.Text1$, Location: Format - Size - $Event.Data$."
50028200
AgentSSH - Service Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the service scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028300
AgentSSH - User Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the user scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028400
AgentSSH - Association Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the user association scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
4023
Definitions for events generated by the Amazon application driver
40230001
Amazon App - No Certificate To Process
"No certificate of $Event.Text1$ is associated with the application to process."
40230002
Amazon App - Certificate Name Error
"Unable to compose a certificate name due to an invalid '$Event.Text1$' of the certificate."
40230003
Amazon App - No Common Name
"The certificate does not have a common name."
40230004
Amazon App - No Private Key
"The private key is not found. If the certificate is issued by Amazon Web Services (AWS), change your settings and try again."
40230005
Amazon App - Invalid Private Key Format
"The private key is in an invalid format."
40230006
Amazon App - Certificate Body Parsing Failure
"Failed to parse the certificate body from $Event.Text1$."
40230007
Amazon App - Chain Build Failure
"Failed to build the certificate chain with $Event.Text1$."
40230008
Amazon App - Chain Body Parsing Failure
"Failed to parse the certificate chain body."
40230009
Amazon App - Authorization Header Failure
"Failed to compose an authorization header for '$Event.Text1$'."
4023000A
Amazon App - No Response Object Received
"No response object was received from the CA for '$Event.Text1$'."
4023000B
Amazon App - Response Object Parsing Failure
"Failed to parse the response object for '$Event.Text1$'."
4023000C
Amazon App - Certificate Deletion Success
"Successfully deleted a certificate ($Event.Text1$) from Amazon Web Services (AWS)."
4023000D
Amazon App - Certificate Deletion Failure
"Failed to delete the certificate ($Event.Text1$). Error:$Event.Data$"
4023000E
Amazon App - Certificate Meta Data Config Write Failure
"Failed to write one or more of $Event.Text1$ into Config."
4023000F
Amazon App - Certificate Upload Success
"Successfully uploaded the certificate of $Event.Text1$ ($Event.Text2$) to Amazon Web Services (AWS)."
40230010
Amazon App - Certificate Name Discrepancy
"Amazo
Applies To:
All versions of TPP with Aperture once the System Status was moved to it (v15+)
Summary:
The System Status Dashboard in Aperture may not always accurately reflect the status of the installation options or the running status of services.
A classic example: the Logging service is disabled on one TPP server in a TPP cluster, yet the System Status shows an error saying that the service is not running.
Per the documentation here:
https://docs.venafi.com/Docs/current/TopNav/Content/Dashboard/c-dashboard-systemstatus-widget.php?Highlight=system%20status%20dashboard
Simply stopping the service produces this error, but once the service is disabled it should be "removed" from the dashboard.
A check in the VCC will even show the service stopped and disabled.
Cause:
These discrepancies occur when the status of components is modified using tools other than the VCC.
For instance, stopping the Logging service outside the VCC can leave the System Status showing a running service for a short time (until the next system check runs; the default interval is every 5 minutes).
Another example: disabling a service in services.msc prevents it from ever starting, and the VCC will even "see" that it is disabled. However, because the VCC did not make the change, the "switch" in our system was not logged and the change is not registered. This produces the situation described in the Summary section.
Resolution:
Unmake the changes, and then remake any desired changes using the VCC utility rather than some other method. This will always keep the System Status Dashboard current and accurate.
.
Documented Event ID/Error Codes in Venafi Trust Protection Platform 18.1 Products
Error codes and Event IDs are categorized in groups. Each group has a unique four-character hexadecimal prefix, and every event ID is that prefix followed by a four-character event number within the group. All the prefixes are listed below with the name of the associated group. Clicking on a group prefix takes you directly to the associated section of the complete listing of event IDs.
Group ID  Group Description
0001      Logging
0002      Venafi Configuration
0003      Venafi SecretStore
0004      Venafi Credentials
0005      Venafi Permissions
0006      Vagent
0007      Venafi Discovery
0008      Identity
0009      Venafi Certificate Manager
000A      Venafi Workflow
000B      Venafi Certificate Core
000C      Admin UI
000D      Venafi Certificate Authority
000E      Venafi Platform
000F      Venafi SSH Workflow
0011      Venafi Encryption
0013      Venafi Monitoring
0014      Venafi Validation Service
0015      Venafi Credential Monitoring
0016      Log Client
0017      Venafi Reporter
0018      Venafi Monitor
001A      Network Device Enrollment
001B      Aperture
001C      Certificate Revocation
001D      SSHManager Service Module
001E      Venafi CA Import
0020      SSHManager ClientRest Module
0023      User Portal
0024      Certificate Reports
0025      Client Rest Service
0026      Venafi TrustNet Integration
0027      Venafi Onboard Discovery
0029      WebSDK REST API
0031      Venafi Cloud Instance Monitoring
0032      ACME Service
1004      Venafi Software Encryption
1005      Venafi Hardware Encryption
1008      Identity AD
1009      Identity Local
100A      Identity LDAP
2001      LogMsSql
2003      LogSplunk
2100      LogAdaptable
3002      Microsoft CA
3003      Symantec MPKI
3004      Redhat CA
3007      Entrust.Net
3008      UniCERT
3009      Thawte
300A      RSA
300B      GeoTrust CA
300C      DigiCert CA
300D      OpenSSL CA
300E      GlobalSign MSSL CA
300F      GeoTrust Enterprise CA
3011      OpenTrust PKI CA
3013      Self-signed CA
3014      Trustwave CA
3015      QuoVadis CA
3016      HydrantId CA
3017      Comodo CCM CA
3019      GeoTrust TrueFlex CA
3021      Xolphin
3022      Amazon CA
3091      Adaptable
4001      Apache
4002      Global Security Kit
4003      IIS6
4005      X509 Certificate
4006      Venafi SSH
4007      Venafi HTTP
4008      Venafi SQL
4009      Pkcs12
400A      Application
400B      IIS5
400C      Cisco ACE
400D      Cisco CSS
400E      Java Keystore
4010      iPlanet
4014      NetScaler
4015      VAM nShield
4017      DataPower
4018      Tealeaf PCA
4019      PEM
401A      F5LTMAdvanced
401B      Basic
401C      Imperva MX
401D      A10AXTM
401E      Layer 7 SSG
401F      Juniper SAS
4020      ConnectDirect
4021      BlueCoat
4022      PaloAlto
4023      Amazon App
4024      Azure Key Vault
4100      Common
4666      Riverbed SteelHead
4668      Adaptable App
4FFF      CAPI
5001      AgentKeystore
5002      AgentSsh
6001      Migration
7001      AWS EC2 Cloud Instance Monitoring Driver
8001      CyberArk
FFFE      Venafi Tools
FFFF      Tracing
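As an added example (not Venafi's code), the following Python decodes event IDs using the group-prefix layout described above and runs a small watchlist of the Admin UI and ACME events listed on this page over constructed log lines. The one-line log layout, the watchlist selection and the login-failure threshold are assumptions, not part of the product.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the group-prefix table on this page (prefix -> group name).
GROUPS = {
    "000C": "Admin UI",
    "0032": "ACME Service",
    "401D": "A10AXTM",
    "4668": "Adaptable App",
    "5002": "AgentSsh",
}

# Events from the page's listing that a SOC would normally want surfaced.
WATCHLIST = {
    "000C001B": "Admin UI - Login Failure",
    "000C0021": "Admin UI - Reset Password Successful",
    "000C003E": "Admin UI - Potential CSRF",
    "000C0040": "Admin UI - Permissions Added",
    "000C0041": "Admin UI - Permissions Updated",
    "0032000B": "ACME - Domain Whitelisting Violated",
}

EVENT_ID_RE = re.compile(r"^[0-9A-F]{8}$")
IPV4_RE = re.compile(r"IP Address: (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass(frozen=True)
class EventId:
    raw: str         # normalised 8-hex-digit ID, e.g. "000C001B"
    group: str       # 4-hex-digit group prefix, e.g. "000C"
    number: int      # event number within the group, e.g. 27
    group_name: str  # looked up in GROUPS, or "unknown group"


def parse_event_id(value: str) -> EventId:
    """Split an event ID into its group prefix and per-group event number."""
    raw = value.strip().upper()
    if not EVENT_ID_RE.match(raw):
        raise ValueError(f"not an 8-hex-digit TPP event ID: {value!r}")
    group = raw[:4]
    return EventId(raw, group, int(raw[4:], 16), GROUPS.get(group, "unknown group"))


def scan_log(lines, failure_threshold=3):
    """Return (watchlist hits, source IPs at or above the login-failure threshold).

    Assumed (constructed) line layout: "<timestamp> <event id> <rendered log text>".
    Lines whose second field is not a valid event ID are skipped.
    """
    hits = []
    failures_by_ip = Counter()
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue
        try:
            ev = parse_event_id(fields[1])
        except ValueError:
            continue
        if ev.raw in WATCHLIST:
            hits.append((ev.raw, WATCHLIST[ev.raw]))
        # 000C001B carries the client address in its log text; count per source.
        if ev.raw == "000C001B":
            m = IPV4_RE.search(line)
            if m:
                failures_by_ip[m.group(1)] += 1
    noisy = sorted(ip for ip, n in failures_by_ip.items() if n >= failure_threshold)
    return hits, noisy


# Constructed sample lines; the message bodies follow the templates on this page.
SAMPLE_LOG = [
    "2019-10-01T08:00:01Z 000C0002 User alice logged in from IP Address 10.0.0.5.",
    "2019-10-01T08:00:05Z 000C001B User bob was not able to log in on tpp01. IP Address: 203.0.113.9.",
    "2019-10-01T08:00:06Z 000C001B User bob was not able to log in on tpp01. IP Address: 203.0.113.9.",
    "2019-10-01T08:00:07Z 000C001B User bob was not able to log in on tpp01. IP Address: 203.0.113.9.",
    "2019-10-01T08:01:00Z 000C003E A POST request with missing or invalid security tokens was received.",
    "2019-10-01T08:02:00Z 401D0008 Successfully uploaded chain file: chain.pem.",
    "2019-10-01T08:03:00Z 0032000B Requested identifier, evil.example, does not comply with Domain Whitelisting policy.",
]

if __name__ == "__main__":
    found, sources = scan_log(SAMPLE_LOG)
    for event_id, name in found:
        print(event_id, parse_event_id(event_id).group_name, "-", name)
    print("sources at login-failure threshold:", sources)
```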
EventID   Description
          Readable Log Text
401D      Definitions for events generated by the A10 AX Traffic Manager application driver
401D0001  A10 AX TM - Chain File Name Already Exists
          "The chain file being provisioned with name: $Event.Text1$, already exists on device: $Event.Text2$."
401D0002  A10 AX TM - Chain File Failed To Upload
          "The chain file: $Event.Text1$, failed to upload with error: $Event.Text2$."
401D0003  A10 AX TM - Private Key Is Null Or Empty
          "The private key is null or empty."
401D0004  A10 AX TM - Private Key Already Exists
          "The private key: $Event.Text1$ already exists on device $Event.Text2$."
401D0005  A10 AX TM - Private Key Failed To Upload
          "The private key failed to upload with error: $Event.Text1$."
401D0006  A10 AX TM - Certificate Is Null Or Empty
          "The certificate is null or empty."
401D0007  A10 AX TM - Certificate Already Exists
          "The certificate: $Event.Text1$, already exists on device: $Event.Text2$."
401D0008  A10 AX TM - Successfully Uploaded Chain File
          "Successfully uploaded chain file: $Event.Text1$."
401D0009  A10 AX TM - Successfully Uploaded Private Key
          "Successfully uploaded private key: $Event.Text1$."
401D000A  A10 AX TM - Failed to Upload Certificate
          "Failed to upload certificate: $Event.Text1$, on device: $Event.Text2$."
401D000B  A10 AX TM - Successfully Uploaded Certificate
          "Successfully uploaded certificate: $Event.Text1$."
401D000C  A10 AX TM - Failed To Update SSL Client Template
          "Failed to update SSL client template: $Event.Text1$ with error: $Event.Text2$."
401D000D  A10 AX TM - Successfully Updated SSL Client Template
          "Successfully updated SSL client template: $Event.Text1$."
401D000E  A10 AX TM - Failed To Update SSL Server Template
          "Failed to update SSL server template: $Event.Text1$. with error: $Event.Text2$."
401D000F  A10 AX TM - Successfully Updated SSL Server Template
          "Successfully updated SSL server template: $Event.Text1$."
401D0010  A10 AX TM - Failed To Create Client SSL Template
          "Failed to create SSL client template: $Event.Text1$ with error: $Event.Text2$."
401D0011  A10 AX TM - Successfully Created Client SSL Template
          "Successfully created SSL client template: $Event.Text1$."
401D0012  A10 AX TM - Failed to Create Server SSL Template
          "Failed to create SSL server template: $Event.Text1$ with error: $Event.Text2$."
401D0013  A10 AX TM - Successfully Create Server SSL Template
          "Successfully created SSL server template: $Event.Text1$."
401D0014  A10 AX TM - Failed To Associate Certificate And Key To Template
          "Failed to associate certificate or key, certificate or key: $Event.Text1$ was not found."
401D0015  A10 AX TM - Successfully Extracted Certificate
          "Successfully extracted $Event.Text1$ certificate on $Event.Component$."
401D0016  A10 AX TM - Failed to Extract Certificate
          "Failed to extract $Event.Text1$ certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
401D0017  A10 AX TM - Successfully Extracted Key
          "Successfully extracted $Event.Text1$ private key on $Event.Component$."
401D0018  A10 AX TM - Failed to Extract Key
          "Failed to extract $Event.Text1$ private key on $Event.Component$. Error: $Event.Text2$ Additional error data $Event.Data$."
401D0019  A10 AX TM - Validation Error
          "Failed to validate $Event.Text1$ certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
401D001A  A10 AX TM - Network Validation not possible
          "Network validation not possible for Server SSL Templates on $Event.Component$"
401D001B  A10 AX TM - Empty SSL Listen Host
          "Failed to validate $Event.Text1$ certificate on $Event.Component$ as SSL Listen Host is empty."
401D001C  A10 AX TM - Web Services Connection Error
          "Connection to $Event.Text1$ failed on $Event.Component$ with error: $Event.Text2$."
401D001D  A10 AX TM - Failed to Extract Certificate and Key
          "Failed to extract certificate and key from device: $Event.Text1$."
401D001E  A10 AX TM - Failed to Connect to Device
          "Failed to connect to $Event.Component$."
401D001F  A10 AX TM - SSH Connection Error
          "Failed to establish an SSH connection with Host on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
401D0020  A10 AX TM - Inject Command Failed
          "$Event.Component$ failed while processing a inject command at stage $Event.Value1$. Command: $Event.Text1$. Return Code: $Event.Value2$."
401D0021  A10 AX TM - Inject Command Success
          "The inject command $Event.Text1$ has been run on $Event.Component$ at Stage $Event.Value1$."
401D0022  A10 AX TM - Inject Command Error
          "An error occurred while running the inject command $Event.Text1$ on $Event.Component$. Error: $Event.Text2$ Additional error data $Event.Data:String$."
401D0023  A10 AX TM - SSH Disconnect Error
          "Error disconnecting from $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data:String$."
401D0024  A10 AX TM - Certificate Name Is Null Or Empty
          "The certificate is null or empty."
401D0025  A10 AX TM - Certificate or Key Does Not Exist on the Box
          "Certificate or Key does not exist on the application. Additional Information: $Event.Text1$."
0032      Definitions for events generated by ACME Server
00320001  ACME - Registration Success
          "ACME account successfully created. Public Key Fingerprint: $Event.Text1$. Contact: $Event.Text2$."
00320002  ACME - Duplicate Registration
          "Registration failed because the account is already registered with $Event.Text2$."
00320003  ACME - Registration Without Email
          "Registration failed because no email address was provided."
00320004  ACME - Registration No Identity
          "Registration failed because no identity could be found that is associated with the provided email address $Event.Text2$."
00320005  ACME - Subfolder Not Found
          "The specified folder, $Event.Text2$, does not exist and Trust Protection Platform is not configured to allow the automatic creation of folders."
00320006  ACME - Failed Creating Subfolder
          "Failed to create the certificates subfolder $Event.Text2$. Check the subfolder name and try again."
00320007  ACME - Processing Timed Out
          "Processing of certificate $Event.Text1$ timed out. Consider configuring engine $Event.Text2$ to check for work more often."
00320008  ACME - Processing Error
          "Processing of certificate $Event.Text1$ failed with error: $Event.Text2."
00320009  ACME - Processing Success
          "Processing of certificate $Event.Text1$ was successful."
0032000A  ACME - Subfolder Contains Uppercase
          "The name of the subfolder, $Event.Text2$, cannot contain uppercase letters."
0032000B  ACME - Domain Whitelisting Violated
          "Requested identifier, $Event.Text2$, does not comply with Domain Whitelisting policy."
0032000C  ACME - Validation Error
          "Error occurred while validating $Event.Text1$. Error: $Event.Text2$."
0032000D  ACME - Account Not Found
          "No account could be found that is associated with the requested public key fingerprint $Event.Text1$."
0032000E  ACME - Authorization Not Found
          "No authorization record could be found that is associated with account $Event.Text1$ and identifier $Event.Text2$."
0032000F  ACME - Validation Success
          "Identifier validation was successful. Public Key Fingerprint: $Event.Text1$. Identifier: $Event.Text2$."
00320010  ACME - Validation Failed
          "Identifier validation failed. Public Key Fingerprint: $Event.Text1$. Identifier: $Event.Text2$. Reason: $Event.Data$"
00320011  ACME - No CA Template
          "The certificate folder $Event.Text2$ does not have a CA Template assigned to it."
00320012  ACME - Key Strength Noncompliance
          "The requested key size, $Event.Value1$, does not comply with Key Strength policy."
7001      Definitions for events generated by the AWS EC2 Cloud Instance Monitoring service
70010001  AWS EC2 Instance Monitoring - Missing Credentials
          "The AWS EC2 Cloud Instance Monitor $Event.Component$ is missing credentials required for communicating with AWS services."
70010002  AWS EC2 Instance Monitoring - Error
          "The AWS EC2 Cloud Instance Monitor $Event.Component$ encountered an error communicating with AWS services. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$"
70010003  AWS EC2 Instance Monitoring - Connection Error
          "The AWS EC2 Cloud Instance Monitor $Event.Component$ encountered an error communicating with AWS services, for the $Event.Text1$ region. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$"
3091      Definitions for events generated by the Adaptable certificate authority driver
30910001  Adaptable - CA Communication error
          "Failed to communicate with the CA $Event.Component$ for $Event.Text1$. Error: $Event.Text2$. Additional error data: $Event.Data$"
30910002  Adaptable - Certificate Revocation Failed
          "Failed to revoke a certificate from the CA $Event.Component$. Certificate Serial Number: $Event.Text1$. Error: $Event.Text2$. Additional error data: $Event.Data$"
30910003  Adaptable - CSR Post Successful
          "Successfully posted certificate signing request (CSR) to CA $Event.Component$ for $Event.Text1$. Transaction ID: $Event.Text2$. Enrollment mode: $Event.Data:String$"
30910004  Adaptable - Certificate Retrieval Successful
          "Successfully retrieved certificate from the CA $Event.Component$ for $Event.Text1$."
30910005  Adaptable - Certificate Revocation Successful
          "Successfully revoked certificate from CA $Event.Component$. Certificate Serial Number: $Event.Text1$ Revocation Reason: $Event.Text2$"
30910006  Adaptable - CSR Post Failure
          "Failed to post CSR to $Event.Component$ for $Event.Text1$. Error: $Event.Text2$"
30910007  Adaptable - Certificate Retrieval Failure
          "Failed to retrieve certificate from $Event.Component$ for $Event.Text1$. Error: $Event.Text2$"
30910008  Adaptable - Attribute Save Failure
          "Failed to save $Event.Text2$ value of '$Event.Text1$' to the database."
30910009  Adaptable - Prepare For Certificate Request Successful
          "Prepare For Certificate Request stage passed successfully."
3091000A  Adaptable - Prepare For Certificate Request Failed
          "Prepare For Certificate Request stage failed for $Event.Component$. Error: $Event.Text2$."
3091000B  Adaptable - Missing Transaction ID for the Certificate to be Revoked
          "Warning: Missing Transaction ID for the Certificate to be Revoked."
3091000C  Adaptable - Certificate Process Completion Successful
          "Complete stage passed successfully."
3091000D  Adaptable - Certificate Process Completion Failed
          "Complete stage failed for $Event.Component$. Error: $Event.Text2$."
3091000E  Adaptable - Approve Request Successful
          "Approve Request stage passed successfully."
3091000F  Adaptable - Approve Request Failed
          "Approve Request stage failed for $Event.Component$. Error: $Event.Text2$."
4668      Definitions for events generated by the Adaptable application driver
46680001  Adaptable App - Prepare Keystore Success
          "Keystore was successfully prepared for $Event.Component$."
46680002  Adaptable App - Prepare Keystore Failed
          "Failed to prepare keystore on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680003  Adaptable App - Start Processing Success
          "Processing was successfully started for $Event.Component$."
46680004  Adaptable App - Start Processing Failed
          "Failed to start processing on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680005  Adaptable App - Create Private Key Success
          "Private Key was successfully created for $Event.Text1$ on $Event.Component$."
46680006  Adaptable App - Failed to Create Private Key
          "Failed to create private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680007  Adaptable App - Generate CSR Success
          "CSR was successfully generated for $Event.Text1$ on $Event.Component$."
46680008  Adaptable App - Failed to Generate CSR
          "Failed to generate CSR on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680009  Adaptable App - Install Certificate Chain Success
          "Successfully installed Certificate Chain on $Event.Component$."
4668000A  Adaptable App - Certificate Chain Installation Failed
          "Failed to install certificate chain on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000B  Adaptable App - Install Private Key Success
          "Successfully installed Private Key named $Event.Text1$ on $Event.Component$."
4668000C  Adaptable App - Private Key Installation Failed
          "Failed to install private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000D  Adaptable App - Install Certificate Success
          "Successfully installed Certificate named $Event.Text1$ on $Event.Component$."
4668000E  Adaptable App - Certificate Installation Failed
          "Failed to install certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
4668000F  Adaptable App - Update Binding Success
          "Bindings successfully updated on $Event.Component$."
46680010  Adaptable App - Binding Update Failed
          "Failed to update bindings on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680011  Adaptable App - Activate Certificate Success
          "Successfully activated certificate on $Event.Component$."
46680012  Adaptable App - Activate Certificate Failed
          "Failed to activate certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680013  Adaptable App - Extract Certificate Success
          "Successfully extracted certificate on $Event.Component$."
46680014  Adaptable App - Extract Certificate Failed
          "Failed to extract certificate on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680015  Adaptable App - Extract Private Key Success
          "Successfully extracted private key on $Event.Component$."
46680016  Adaptable App - Extract Private Key Failed
          "Failed to extract private key on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680017  Adaptable App - Validate Installation Failure
          "Failed to validate the installation on $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
46680018  Adaptable App - Remove Certificate Success
          "Successfully removed obsolete certificate named $Event.Text1$ from $Event.Component$."
46680019  Adaptable App - Remove Certificate Failed
          "Failed to remove obsolete certificate named $Event.Text1$ from $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$."
4668001A  Adaptable App - Generational Certificate Names Retrieved
          "Successfully retrieved current certificate name as $Event.Text1$ and parent certificate name as $Event.Text2$."
4668001B  Adaptable App - Generational Object Creation Error
          "While creating a generational object, an error occured with a result of $Event.Text1$. Error: $Event.Text2$."
4668001C  Adaptable App - Generational Data Update Failure
          "Failed to update a generational object with data ($Event.Text1$). Error: $Event.Text2$."
4668001D  Adaptable App - Generational Data Update Success
          "Successfully updated a generational object with data ($Event.Text1$)."
4668001E  Adaptable App - Stage Skipped
          "$Event.Text1$ stage has been skipped on $Event.Component$."
4668001F  Adaptable App - Private Key Already Installed
          "Private Key named $Event.Text1$ is already installed on $Event.Component$."
46680020  Adaptable App - Certificate Already Installed
          "Certificate named $Event.Text1$ is already installed on $Event.Component$."
46680021  Adaptable App - Chain Certificate(s) Already Installed
          "Chain Certificate(s) already installed on $Event.Component$."
000C      Definitions for events generated by the Administration Consoles
000C0001  Admin UI - Logout Successful
          "User $Event.Component$ logged out. Prefixed name: $Event.Text1$. Prefixed universal ID: $Event.Text2$."
000C0002  Admin UI - Login Successful
          "User $Event.Component$ logged in from IP Address $Event.Data$. Prefixed name: $Event.Text1$. Prefixed universal ID: $Event.Text2$."
000C0003  Admin UI - [Deprecated] Login Failure
          "User $Event.Text1$ ($Event.Component$) was not able to log in."
000C0004  Admin UI - Object Created
          "$Event.Text2$ $Event.Component$ was created by user $Event.Text1$."
000C0005  Admin UI - Object Updated
          "$Event.Text2$ $Event.Component$ was updated by user $Event.Text1$."
000C0006  Admin UI - Object Deleted
          "$Event.Text2$ $Event.Component$ was deleted by user $Event.Text1$."
000C0007  Admin UI - CSR Uploaded
          "User $Event.Text1$ uploaded a CSR for certificate $Event.Component$. CSR vault ID: $Event.Value1$."
000C0008  Admin UI - Certificate Uploaded
          "Certificate $Event.Component$ was uploaded by user $Event.Text1$. Serial number $Event.Text2$. Certificate vault ID: $Event.Value1$."
000C0009  Admin UI - Private Key Uploaded
          "User $Event.Text1$ uploaded a private key for certificate $Event.Component$. Private key vault ID: $Event.Value1$."
000C000A  Admin UI - Certificate Downloaded
          "Certificate $Event.Component$ was downloaded by user $Event.Text1$. Serial number: $Event.Text2$. Private Keys Included: $Event.Value1$ Chain Included: $Event.Value2$"
000C000B  Admin UI - Configuration Saved
          "$Event.Component$ setting ($Event.Text2$) was saved by user $Event.Text1$."
000C000C  Admin UI - Renew Now
          "Certificate renewal for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C000D  Admin UI - Restart Certificate
          "Certificate restart for $Event.Component$ was requested by $Event.Text1$."
000C000E  Admin UI - Retry Application
          "Application retry for $Event.Component$ was requested by $Event.Text1$. Certificate: $Event.Text2$."
000C000F  Admin UI - Object Renamed
          "Object $Event.Text2$ was renamed to $Event.Component$ by user $Event.Text1$."
000C0010  Admin UI - Root Certificate Uploaded
          "Root certificate $Event.Component$ was uploaded by user $Event.Text1$. Serial number: $Event.Text2$. Certificate vault ID: $Event.Value1$."
000C0011  Admin UI - [Deprecated] Permissions Added
          "Permissions for $Event.Text2$ were added for object $Event.Component$ by user $Event.Text1$ (Permissions set to $TranslateRights[Config, $Event.Value1$]$)."
000C0012  Admin UI - [Deprecated] Permissions Updated
          "Permissions for $Event.Text2$ were updated for $Event.Component$ by user $Event.Text1$ (Permissions set to $TranslateRights[Config, $Event.Value1$]$)."
000C0013  Admin UI - Permissions Removed
          "Permissions for $Event.Text2$ were removed for $Event.Component$ by user $Event.Text1$."
000C0014  Admin UI - Application Association Added
          "Association between application $Event.Component$ and certificate $Event.Text2$ was added by user $Event.Text1$."
000C0015  Admin UI - Application Association Removed
          "Association between application $Event.Component$ and certificate $Event.Text2$ was removed by user $Event.Text1$."
000C0016  Admin UI - Application Association Enabled
          "Association between application $Event.Component$ and certificate $Event.Text2$ was enabled by user $Event.Text1$."
000C0017  Admin UI - Application Association Disabled
          "Association between application $Event.Component$ and certificate $Event.Text2$ was disabled by user $Event.Text1$."
000C0018  Admin UI - Certificate Pushed
          "Certificate $Event.Text2$ has been queued for a push operation to application $Event.Component$ by user $Event.Text1$."
000C0019  Admin UI - Certificate Extracted
          "Certificate $Event.Text2$ has been extracted from application $Event.Component$ by user $Event.Text1$."
000C001A  Admin UI - Retry Certificate
          "Certificate retry for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C001B  Admin UI - Login Failure
          "User $Event.Text1$ was not able to log in on $Event.Component$. IP Address: $Event.Data$."
000C001C  Admin UI - Configuration Cleared
          "User $Event.Text1$ cleared attribute $Event.Text2$ on object $Event.Component$."
000C001D  Admin UI - Configuration Changed
          "User $Event.Text1$ changed attribute $Event.Text2$ on object $Event.Component$ (Details: $Event.Data$)."
000C001E  Admin UI - Policy Configuration Cleared
          "User $Event.Text1$ cleared policy attribute $Event.Text2$ on object $Event.Component$."
000C001F  Admin UI - Policy Configuration Changed
          "User $Event.Text1$ changed policy attribute $Event.Text2$ on object $Event.Component$ (Details: $Event.Data$)."
000C0020  Admin UI - Change Password Successful
          "User $Event.Component$ successfully changed the password for user $Event.Text1$ at $Event.Text2$."
000C0021  Admin UI - Reset Password Successful
          "Administrator $Event.Component$ successfully reset the password for user $Event.Text1$ at $Event.Text2$."
000C0022  Admin UI - Change Password Unsuccessful
          "User $Event.Component$ unsuccessfully tried to change the password for user $Event.Text1$ at $Event.Text2$."
000C0023  Admin UI - Reset Password Unsuccessful
          "Administrator $Event.Component$ unsuccessfully tried to reset the password for user $Event.Text1$ at $Event.Text2$."
000C0024  Admin UI - Encountered Invalid Web Data
          "Invalid web data: $Event.Component$ occurred in WebApp. User: $Event.Text1$. Error Details: $Event.Data$"
000C0025  Admin UI - Configuration Change Failed
          "User $Event.Text1$ failed to change attribute $Event.Text2$ on object $Event.Component$ (Config Result: $Event.Data$)."
000C0026  Admin UI - Policy Change Failed
          "User $Event.Text1$ failed to change policy attribute $Event.Text2$ on object $Event.Component$ (Config Result: $Event.Data$)."
000C0027  Admin UI - Key Rotated
          "User $Event.Text1$ rotated the key for object $Event.Component$."
000C0028  Admin UI - Key Uploaded
          "User $Event.Text1$ uploaded the key for object $Event.Component$."
000C0029  Admin UI - Reset Certificate
          "Certificate reset for $Event.Component$ was requested by $Event.Text1$."
000C002A  Admin UI - Policy Inheritance Changed
          "User $Event.Text1$ changed the inheritance of the attribute $Event.Text2$ for object $Event.Component$ from $Event.Value1$ to $Event.Value2$ (0 = suggested, 1 = locked)."
000C002B  Admin UI - SSH Dashboard Calculation Failure
          "$Event.Component:String$ failed to calculate SSH Dashboard, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002C  Admin UI - SSH Dashboard Thread Exception
          "$Event.Component:String$ encountered exception in SSH Dashboard update thread., System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002D  Admin UI - Certificate Dashboard Calculation Failed
          "$Event.Component:String$ failed to calculate Certificate Dashboard, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002E  Admin UI - Certificate Dashboard Expirations Calculation Failed
          "$Event.Component:String$ failed to calculate Dashboard Certificate Expirations, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C002F  Admin UI - Dashboard Generic Expirations Calculation Failed
          "$Event.Component:String$ failed to calculate generic Dashboard Expirations, System Error: $Event.Text2:String$. Additional Error Data: $Event.Data:String$."
000C0030  Admin UI - Revoke Certificate
          "Certificate revocation for $Event.Component$ was requested by $Event.Text1$. $Event.Data$"
000C0031  Admin UI - Challenge Accepted
          "Support Tab challenge/response code $Event.Text2$ accepted for user $Event.Text1$."
000C0032  Admin UI - Client Certificate
          "Client certificate was used to sign in. Subject: $Event.Text1$. Serial: $Event.Text2$."
000C0033  Admin UI - Validate Now
          "Certificate validation for $Event.Component$ was requested by $Identity[$Event.Text1$]$."
000C0034  Admin UI - User Data Error
          "Unable to retrieve the $Event.Text1$ for the current user."
000C0035  Admin UI - Plugin Initialization Error
          "Unable to $Event.Text1$ the $Event.Text2$ plugin."
000C0036  Admin UI - Reset Application
          "Application reset for $Event.Component$ was requested by $Event.Text1$."
000C0037  Admin UI - Validation Request on Application
          "Certificate validation for $Event.Component$ on $Event.Text2$ was requested by $Identity[$Event.Text1$]$."
000C0038  Admin UI - Validation Request Failure on Application
          "Failed requesting certificate validation on $Event.Text2$ for certificate of $Event.Component$ requested by $Identity[$Event.Text1$]$."
000C0039  Admin UI - Validation Request Error on Application
          "Error in requesting certificate validation on $Event.Text1$ for certificate of $Event.Component$. Error: $Event.Text2$. Additional Error Data: $Event.Data:String$."
000C003A  Admin UI - Object Creation Failed
          "$Event.Text1$ creation failed. Error: $Event.Text2$."
000C003B  Admin UI - Mismatched Certificate Uploaded
          "User $Event.Text1$ uploaded certificate $Event.Component$ with a mismatched public and private key."
000C003C  Admin UI - Mismatched Certificate Updated
          "Certificate $Event.Component$ with a mismatched public and private key was updated by user $Event.Text1$."
000C003D  Admin UI - Certificate Imported
          "Certificate $Event.Component$ was imported by user $Event.Text1$."
000C003E  Admin UI - Potential CSRF
          "A POST request with missing or invalid security tokens was received. Restart your browser and try again. If you receive this error message repeatedly, contact your network security team to investigate a potential CSRF attack."
000C003F  Admin UI - Certificate Expiration Cache Collision
          "User: $Event.Component$ experienced a collision in the Certificate Expiration Data cache $Event.Text1$ on object $Event.Text2$."
000C0040  Admin UI - Permissions Added
          "Permissions for $Event.Text2$ were added for object $Event.Component$ by user $Event.Text1$ (Permissions set to $Event.Data$)."
000C0041  Admin UI - Permissions Updated
          "Permissions for $Event.Text2$ were updated for $Event.Component$ by user $Event.Text1$ (Permissions set to $Event.Data$)."
000C0042  Admin UI - Reset Revocation Status
          "Reset Revocation Status for $Event.Component$ was requested by $Event.Text1$."
000C0043  Admin UI - Unable to Delete Object
          "Unable to delete this object by user $Event.Text1$ because it has child objects. Please delete it manually."
000C0044  Admin UI - Object Deletion Failure
          "Failed in deleting this object by user $Event.Text1$: $Event.Text2$. Please delete it manually."
000C0045  Admin UI - Pass-through Auth Enabled
          "Pass-through authentication has been successfully set up and enabled on $Event.Text1$ $CN[$Event.Component$]$."
000C0046  Admin UI - Pass-through Auth Missing Registry Setting
          "Pass-through authentication was enabled on $Event.Text1$ $CN[$Event.Component$]$ but the registry was not updated."
000C0047  Admin UI - Pass-through Auth Missing Global Setting
          "The registry for pass-through authentication was updated on $Event.Text1$ $CN[$Event.Component$]$ but was not enabled globally in the Web Administration console."
5001      Definitions for the Venafi Agent Keystore events
5001001F  AgentKeystore - Cert Decrypt failure
          "The agent module $Event.Component:String$, unable to open encrypted PKCS12 keystore found at: $Event.Text1$, no passwords."
50010020  AgentKeystore - Cert Decrypt failed
          "The agent module $Event.Component:String$, unable to open encrypted PKCS12 keystore at: $Event.Text1$, no password."
5001810A  AgentKeystore - Placement Configuration Error
          "The Venafi Agent running on $Event.Text1$ has encountered an error: Discovery results certificate placement error for the $Event.Text2$ work object. No results can be saved."
5001810C  AgentKeystore - Discovery Configuration Error
          "The Venafi Agent running on $Event.Text1$ has encountered an error: No default certificate placement location is set for the $Event.Text2$ work object."
5001810D  AgentKeystore - Discovered Keystore
          "The Venafi Agent running on $Event.Text1$ discovered $Event.Text2$."
5001810E  AgentKeystore - Certificate Operation Status
          "Agent file operation, $Event.Data:String$, for $Event.Text1$ file, $Event.Text2$, succeeded."
5001810F  AgentKeystore - Certificate Installation Status
          "Agent certificate installation for $Event.Text1$ file $Event.Text2$ status: $Event.Data:String$"
50018113  AgentKeystore - Discovery Placement failed
          "$Event.Text1$ was not placed in storage. Reason: $Event.Text2$"
50018114  AgentKeystore - PEM Private Key Installation Failure
          "Agent Failed to install private key for $Event.Text1$ file $Event.Text2$. Additional error data: $Event.Data:String$"
50018115  AgentKeystore - Undiscovered Keystore
          "The Venafi Agent running on $Event.Text1$ did not discover $Event.Text2$."
5002      Definitions for the Venafi Agent SSH events
50020001  AgentSSH - Key Decrypt failure
          "The agent module $Event.Component:String$, unable to open encrypted key found at $Event.Text1$, no passwords."
50020002  AgentSSH - Key Decrypt failed
          "The agent module $Event.Component:String$, unable to open key type, $Event.Text1$, found at $Event.Text2$, no password."
50020003  AgentSSH - Discovered Key Count
          "The agent module $Event.Component:String$, discovered key count: $Event.Value1$."
50020004  AgentSSH - Discovered Service Count
          "The agent module $Event.Component:String$, discovered service count: $Event.Value1$."
50020005  AgentSSH - Discovered Key
          "The agent module $Event.Component:String$, discovered ley at: $Event.Text1$."
50020006  AgentSSH - Discovered Service
          "The agent module $Event.Component:String$, discovered service at: $Event.Text1$."
50020007  AgentSSH - Shrink Custom DB
          "The agent module $Event.Component:String$, failed to shrink the data base: $Event.Text1$ reason:$Event.Text2$."
50020008  AgentSSH - Found config file remote path
          "SSH config file remote path: $Event.Component$."
50028001  AgentSSH - Out of Memory
          "The agent module handler $Event.Component:String$ encountered an out of memory condition processing the delivery from the agent at $Event.Text1$."
50028002  AgentSSH - Not Supported
          "The agent module handler $Event.Component:String$ could not process the scan type $Event.Value1$ from the agent at $Event.Text1$."
50028003  AgentSSH - GUID not found
          "Failed to find GUID for $Event.Component$."
50028004  AgentSSH - Create Config Failed
          "Failed to create config for $Event.Component$."
50028005  AgentSSH - Create Secret Store Failed
          "Failed to create secret store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028006  AgentSSH - Create Key Store Failed
          "Failed to create key store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028007  AgentSSH - Create Discovery Store Failed
          "Failed to create discovery store for $Event.Component$. Error: $Event.Text2$. Additional error data $Event.Data$"
50028009  AgentSSH - Config Read Error
          "Failed to read the $Event.Text2$ attribute on the object $Event.Text1$."
50028080  AgentSSH - Cryptographic Failure
          "The agent module handler $Event.Component:String$ encountered an error processing an asymmetric key with the message $Event.Text1:String$ for the hash $Event.Text2:String$ at payload index $Event.Value1$ from the agent at $Event.Text1$."
50028100  AgentSSH - Key Scan Delivery Failure
          "The agent module handler $Event.Component:String$ encountered an error processing the key scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028101  AgentSSH - Key Inventory
          "The agent module $Event.Component:String$, $Event.Text1$ key found at: $Event.Text2$ id: $Event.Value1$ type:$Event.Value2$."
50028102  AgentSSH - Key Scan Inventory Stored
          "The agent module $Event.Component:String$, stored key, id: $Event.Value1$ type:$Event.Value2$."
50028103  AgentSSH - Key Scan Inventory Updated
          "The agent module $Event.Component:String$, updated key, id: $Event.Value1$ type:$Event.Value2$."
50028104  AgentSSH - Key Ignored
          "The discovery service module is excluding the Key for Agent SSH Discovery $Event.Component$ found on $Event.Text2$ from storage based on the Exclusion $Event.Text1$, Location: Format - Size - $Event.Data$."
50028200
AgentSSH - Service Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the service scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028300
AgentSSH - User Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the user scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
50028400
AgentSSH - Association Scan Delivery Failure
"The agent module handler $Event.Component:String$ encountered an error processing the user association scan payload from the agent at $Event.Text1$ with the message $Event.Text2$ and the storage result $Event.Value1$."
4023
Definitions for events generated by the Amazon application driver
40230001
Amazon App - No Certificate To Process
"No certificate of $Event.Text1$ is associated with the application to process."
40230002
Amazon App - Certificate Name Error
"Unable to compose a certificate name due to a invalid '$Event.Text1$' of the certificate."
40230003
Amazon App - No Common Name
"The certificate does not have a common name."
40230004
Amazon App - No Private Key
"The private key is not found. If the certificate is issued by Amazon Web Services (AWS), change your settings and try again."
40230005
Amazon App - Invalid Private Key Format
"The private key is in an invalid format."
40230006
Amazon App - Certificate Body Parsing Failure
"Failed to parse the certificate body from $Event.Text1$."
40230007
Amazon App - Chain Build Failure
"Failed to build the certificate chain with $Event.Text1$."
40230008
Amazon App - Chain Body Parsing Failure
"Failed to parse the certificate chain body."
40230009
Amazon App - Authorization Header Failure
"Failed to compose an authorization header for '$Event.Text1$'."
4023000A
Amazon App - No Response Object Received
"No response object was received from the CA for '$Event.Text1$'."
4023000B
Amazon App - Response Object Parsing Failure
"Failed to parse the response object for '$Event.Text1$'."
4023000C
Amazon App - Certificate Deletion Success
"Successfully deleted a certificate ($Event.Text1$) from Amazon Web Services (AWS)."
4023000D
Amazon App - Certificate Deletion Failure
"Failed to delete the certificate ($Event.Text1$). Error:$Event.Data$"
4023000E
Amazon App - Certificate Meta Data Config Write Failure
"Failed to write one or more of $Event.Text1$ into Config."
4023000F
Amazon App - Certificate Upload Success
"Successfully uploaded the certificate of $Event.Text1$ ($Event.Text2$) to Amazon Web Services (AWS)."
40230010
Amazon App - Certificate Name Discrepancy
"Amazon Web Services (AWS) returned a different certificate name($Event.Text2$) than the one requested($Event.Text1$)."
40230011
Amazon App - Unexpected Response Received
"An unexpected response was received for $Event.Text1$ request. Manually verify whether the request was completed on Amazon Web Services (AWS)."
40230012
Amazon App - Duplicated Certificate Name on AWS
"A certificate with the same name($Event.Text1$) already exists in Amazon Web Services (AWS). If you want Trust Protection Platform to manage the certificate, remove the existing certificate from Amazon Web Services (AWS) and try again."
40230013
Amazon App - Certificate Upload Failure
"Failed to upload a certificate ($Event.Text1$) to Amazon Web Services (AWS). Error:$Event.Data$"
40230014
Amazon App - Missing Attribute
"The value for '$Event.Text1$' is missing."
40230015
Amazon App - Grandparent Certificate Clean-up Failure
"Failed to clean up the grandparent certificate ($Event.Text1$) from Amazon Web Services (AWS). You must remove it manually."
40230016
Amazon App - Generational Object Creation Error
"While creating a generational object, an error occured with a result of $Event.Text1$. Error: $Event.Text2$."
40230017
Amazon App - Generational Data Update Failure
"Failed to update a generational object with data ($Event.Text1$). Error: $Event.Text2$."
40230018
Amazon App - Generational Data Update Success
"Successfully updated a generational object with data ($Event.Text1$)."
40230019
Amazon App - Generational Certificate Names Retrieved
"Successfully retrieved current certificate name as $Event.Text1$ and parent certificate name as $Event.Text2$."
4023001A
Amazon App - Credential Retrieval Failure
"Failed to retrieve the credential at $Event.Text1$. Error:$Event.Text2$"
4023001B
Amazon App - No Value Retrieved for Credential
"No value was retrieved for $Event.Text1$."
4023001C
Amazon App - Certificate Binding with ELB Failure
"Failed to bind a certificate ($Event.Text1$) to the Elastic Load Balancer ($Event.Text2$:$Event.Value1$). Error:$Event.Data$"
4023001D
Amazon App - Config Clear Failure
"Failed to clear the value of $Event.Text1$ in Config."
4023001E
Amazon App - Generational Object Clean-up Failure
"Failed to clean up a generational object which resulted in $Event.Text1$."
4023001F
Amazon App - Config Write Failure
"Failed to write the value of $Event.Text2$ for $Event.Text1$ to Config."
40230020
Amazon App - Certificate Binding with ELB Success
"Successfully bound the certificate of $Event.Text1$ with the Elastic Load Balancer ($Event.Text2$:$Event.Value1$)."
40230021
Amazon App - Certificate Exists in AWS
"The certificate of $Event.Text1$ ($Event.Text2$) already exists in Amazon Web Services (AWS)."
40230022
Amazon App - Certificate Extraction Success
"Successfully extracted the certificate of $Event.Text1$ from Amazon Web Services (AWS)."
40230023
Amazon App - Key Extraction Not Supported
"Key extraction is not supported on $Event.Component$."
40230024
Amazon App - Certificate Name Not Provided
"Certificate name is required for $Event.Text1$."
40230025
Amazon App - Application Set-up Failure
"Failed to check the application setup. Status: $Event.Text1$."
40230026
Amazon App - Certificate Extraction Failure
"Failed to extract the certificate of $Event.Text1$ from Amazon Web Services (AWS). Error:$Event.Data$"
40230027
Amazon App - Certificate Extraction Error
"Error while extracting the certificate: $Event.Text2$. Additional data $Event.Data:String$."
40230028
Amazon App - Certificate Validation Error
"Error while validating the certificate: $Event.Text2$. Additional data $Event.Data:String$."
40230029
Amazon App - Missing Element in AWS Response
"'$Event.Text1$' is missing from the Amazon Web Services (AWS) response, which is required in order to process further."
4023002A
Amazon App - Certificate Binding with CF Success
"Successfully bound the certificate of $Event.Text1$ with the CloudFront Distribution of $Event.Text2$."
4023002B
Amazon App - Certificate Binding with CF Failure
"Failed to bind a certificate ($Event.Text1$) to the CloudFront Distribution of $Event.Text2$. Error:$Event.Data$"
4023002C
Amazon App - Get CF Distribution Config Failure
"Failed to get the configuration of CloudFront Distribution ($Event.Text1$) from Amazon Web Services (AWS). Error:$Event.Data$"
4023002D
Amazon App - Put CF Distribution Config Failure
"Failed to update the configuration of CloudFront Distribution ($Event.Text2$) with the certificate ($Event.Text1$) to Amazon Web Services (AWS). Error:$Event.Data$"
4023002E
Amazon App - CF Distribution Config Edit Failure
"Failed to edit the certificate information in the CloudFront Distribution Configuration ($Event.Data$)"
4023002F
Amazon App - Certificate Binding with CF Error
"Error while binding the certificate with the CloudFront Distribution. Additional data $Event.Data:String$."
40230030
Amazon App - Certificate Binding with CF Confirmation Failure
"Failed to confirm the binding of the certificate ($Event.Text1$) with the CloudFront Distribution ($Event.Text2$). Error:$Event.Data$"
40230031
Amazon App - Missing Attribute of Certificate
"The value for '$Event.Text1$' is missing from the certificate object ($Event.Text2$)."
40230032
Amazon App - Get Certificate from AWS Failure
"Failed to get the certificate ($Event.Text1$) from Amazon Web Services (AWS). Error:$Event.Data$"
3022
Definitions for events generated by the Amazon AWS Certificate Manager driver
30220001
Amazon CA - Credential Retrieval Failure
"Failed in retrieving the credential at $Event.Text1$. Error:$Event.Text2$"
30220002
Amazon CA - No Value Retrieved for Credential
"No value was retrieved for $Event.Text1$."
30220003
Amazon CA - CA Connection Validation Failure
"Failed in validating the connection between TPP and the CA. Error:$Event.Data$"
30220004
Amazon CA - CA Connection Validation Error
"Error in validating the connection between TPP and the CA. Error:$Event.Text2$"
30220005
Amazon CA - Domain Name Parsing Failure
"Failed in parsing the domain name from the CSR."
30220006
Amazon CA - Validation Domain Name Failure
"Failed in determining the validation domain for '$Event.Text1$'."
30220007
Amazon CA - Authorization Header Failure
"Failed in composing an authorization header."
30220008
Amazon CA - No Response Object Received
"No response object was received from the CA for '$Event.Text1$'."
30220009
Amazon CA - Response Object Parsing Failure
"Failed in parsing the response object for '$Event.Text1$'."
3022000A
Amazon CA - No Certificate ARN Received
"No Certificate ARN was returned from the CA."
3022000B
Amazon CA - Config Write Failure
"Failed in writing '$Event.Text1$' ($Event.Text2$) into Config."
3022000C
Amazon CA - Certificate Request Success
"Successfully requested the certificate from the CA ($Event.Text1$)."
3022000D
Amazon CA - Certificate Request Failure
"Failed in requesting a certificate for $Event.Text1$. Error:$Event.Data$"
3022000E
Amazon CA - Certificate Request Error
"Error in requesting a certificate. Error:$Event.Text2$"
3022000F
Amazon CA - No Certificate Retrieved
"No Certificate was retrieved from the CA for '$Event.Text1$'."
30220010
Amazon CA - Certificate Retrieval Success
"Successfully retrieved the certificate from the CA for '$Event.Text1$'."
30220011
Amazon CA - Certificate Retrieval Failure
"Failed in retrieving a certificate for $Event.Text1$. Error:$Event.Data$"
30220012
Amazon CA - Certificate Retrieval Error
"Error in retrieving a certificate. Error:$Event.Text2$"
30220013
Amazon CA - Config Clear Failure
"Failed in clearing the value of '$Event.Text1$' in Config."
30220014
Amazon CA - Missing Attribute
"The value of '$Event.Text1$' is missing."
30220015
Amazon CA - Config Remove Failure
"Failed in removing '$Even
Summary
Beginning with TPP 17.1, a troubleshooting tool called VSC (short for Venafi Support Center) is included with the TPP installation. It is found in the ..\Venafi\Support directory and captures more complete exception information for troubleshooting problem situations. It is also available as a stand-alone package (.msi) for getting new versions or for installing on older versions of TPP.
Solution
When a TPP product throws an exception (showing a stack trace), the trace is often not detailed enough to be useful, or some exceptions have been silently suppressed. In that case, you can use the VSC tool to capture all the exceptions that have happened in a process and send that information to Venafi Support for analysis. Steps to gather this information:
1. Launch a command prompt as administrator, navigate to the ..\Venafi\Support directory and launch VSC.exe; or, in a Windows Explorer window, navigate to the ..\Venafi\Support directory, right-click VSC.exe and select "Run as administrator". NOTE: Administrator privilege is required to see the processes and attach to them for capturing the exceptions; otherwise the "Applications and Processes" option will not appear.
2. In the Applications and Processes tab of the main window, find the process you want to monitor for exceptions. This will likely be one of these: Aperture, VEDAdmin, VPlatform, or LogServer. For this example, we will choose VPlatform. After clicking on the VPlatform line in the display to select and highlight it, click the Monitor (eyeglasses) icon in the command bar at the top of the screen. A new tab will open with details about the VPlatform process.
3. Click the Monitor tab in the main window where the process details for VPlatform are shown. A window showing exception details (empty at this point) appears.
4. Now perform the actions that cause the error. Return to the VSC window; the refresh button in the command bar should now be enabled. Click it to display the accumulated exception information.
5. Click the export button in the command bar; a file save dialog appears. Select a location and file name to save the information to, and then send Venafi Support the resulting .xlsx file. This file contains information about your running instance of the process, including loaded DLLs, as well as all the captured exception stack trace data.
It is possible to monitor more than one process at once: select the desired process names in the Applications and Processes tab and follow the same steps as above. Exporting the captured exceptions exports only one process's information at a time.
Applies to
Any version of Venafi
Symptom
During installation, on the Database configuration page, when you attempt to click "Next" you may be prompted with the following error:
"Could not validate the database as user XXXXXXX error: Logon failure: the user has not been granted the requested logon type at this computer"
Cause
This is caused when the account specified for the database connection does not have the right to run as a service on the local computer. Even if the Windows Service account is being used for the services, the account used to connect to the remote SQL box also needs the Log on locally right.
NOTE: Even if the user has been added to the Local Admin group, this is generally not enough.
Resolution
There are a couple of ways to do this, but I've found the easiest way to fix this is to modify an existing service to use this account. Since at this stage of the installation the Venafi services are created but stopped, one of these would be pretty good to use.
1. Run the Services MSC.
2. Select the Venafi Trust Protection Platform service and choose Properties. NOTE: If you don't use this service, pick one that is set to use the Local System Account; this is the best way to prevent problems in step 5 later.
3. Select the Log On tab. The service will likely be configured to use the Local System Account. That is what we want to remain, but for now change it to "This account" and enter the user that failed in the error message. Then click OK.
4. You should receive a prompt that the account has been granted the right to run as a service.
5. IMPORTANT, don't skip this: switch the service back by going into the properties for the service, Log On tab, and changing it back to Local System Account, then click OK.
This should not change anything at all in the product or system, other than granting the appropriate rights to the service account you are attempting to use to connect to the database.
Knowledgebase articles for developers: https://support.venafi.com/hc/en-us/sections/203604667-Venafi-API
Community forum for developers: https://support.venafi.com/hc/en-us/community/topics/200489827-Forums-API-Developer-Forum
Applies to:
Any version of TPP since this is a Windows and .NET function.
Summary:
At times engineering will request a .NET trace to capture verbose logging from our processes and see the network behavior between Venafi and other "devices" or destinations. This includes things like your CA for a CSR request, a Load Balancer you're trying to provision, or a Unix server you're trying to run onboard discovery against. Most of the time when communicating with other devices we're making REST API calls, and for these this .NET trace is perfect.
This procedure is built from the following Microsoft documentation:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/how-to-configure-network-tracing
Additionally, we'll help you read your own trace if you choose, to advance your own troubleshooting efforts.
More Information:
Capturing the Trace
There are two possible uses for this:
Creating a "Default" or stand-alone generic file (attached) to watch traffic and code "in general".
Creating a "Specialized" trace for troubleshooting within our product (used rarely)
Normally, the first application is what's used.
IMPORTANT NOTE: Be sure to perform this on the server that will actually be performing the task! If you have multiple TPP servers, you may want to disable that specific role on the others temporarily so that only THIS server can perform the task while you capture the problem. Otherwise, you would have to load this on each of your servers and restart all the services.
The Default Trace
Download the attached "VPlatform.exe.config".
Place it into the [Program Files]\Venafi\Platform folder.
Restart the VPlatform service when you are ready to re-create the error.
Reproduce the issue. This creates a file called "network.log" in [Program Files]\Venafi\Platform with the socket trace data.
Remove or rename the "VPlatform.exe.config" file, and restart the service again to stop logging. First, this keeps the log shorter and easier to read. Second, you don't want to fill the drive with useless logs!
The Specialized Trace
This is very similar to the process above, except you are modifying a file already present.
Download the Config_Add-in_Code.xml attached.
Copy the contents into the Web.config file located in the [Program Files]\Venafi\Web\Admin folder. Be sure to place this between the initial tags (if you're not sure how, ask Support for help).
Restart the VPlatform service when you are ready to re-create the error.
Reproduce the issue. This creates a file called "network.log" in [Program Files]\Venafi\Web\Admin with the socket trace data.
Remove the added contents from Web.config and restart the service again to stop logging.
Next Steps
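As an added illustration for both procedures above (this is not Venafi's attached VPlatform.exe.config or Config_Add-in_Code.xml, which are not reproduced here), the following is the System.Net tracing configuration from the Microsoft article linked above. For the Default trace it is the shape of a stand-alone VPlatform.exe.config; for the Specialized trace only the system.diagnostics element is pasted into the existing Web.config. The file name network.log matches the article; maxdatasize="1024" and the other attribute values are the Microsoft sample values and are assumptions here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example based on Microsoft's "How to: Configure Network Tracing";
       not Venafi's attached file. Attribute values are assumptions taken from
       the Microsoft sample. -->
  <system.diagnostics>
    <sources>
      <!-- System.Net covers HttpWebRequest/WebClient, i.e. the REST calls
           made to a CA, load balancer or other device. -->
      <source name="System.Net" tracemode="includehex" maxdatasize="1024">
        <listeners>
          <add name="System.Net" />
        </listeners>
      </source>
      <!-- System.Net.Sockets shows the raw socket connect/send/receive
           activity underneath those calls. -->
      <source name="System.Net.Sockets">
        <listeners>
          <add name="System.Net" />
        </listeners>
      </source>
    </sources>
    <switches>
      <!-- Verbose is what a support trace needs; lower it to Information
           when you only want connection-level events. -->
      <add name="System.Net" value="Verbose" />
      <add name="System.Net.Sockets" value="Verbose" />
    </switches>
    <sharedListeners>
      <!-- Relative path: the file is created next to the executable, which is
           why the article finds it in the Platform or Web\Admin folder. -->
      <add name="System.Net"
           type="System.Diagnostics.TextWriterTraceListener"
           initializeData="network.log" />
    </sharedListeners>
    <!-- autoflush so the last lines before a service stop or crash are not
         left in the write buffer. -->
    <trace autoflush="true" />
  </system.diagnostics>
</configuration>
```

Because tracemode="includehex" records request and response bodies, network.log will contain whatever the process sent to the CA or device, including credentials and keys in transit, so treat the file as sensitive when sharing it. The service account must also have write permission to that folder, or no log is produced.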
Be sure to include the standard Venafi logging (Default SQL Channel) that goes with this and possibly the IP addresses of the TPP server and the target server(s) when this is submitted to Support.
Applies To:
All versions of Venafi Encryption Director and Venafi Trust Protection Platform
About:
When renewing and revoking certificates using the VeriSign / Symantec MPKI driver, you may encounter error messages that are pass-throughs of VeriSign / Symantec MPKI errors. The following information will help you identify the cause of the error message so that you can resolve the issue.
More Information:
eECAS_WEAK_SIGNATURE_ALGORITHM = 0x482d: SHA1 validity check error. Returned when SHA1 SSL requests are submitted with a validity beyond 12/31/2016.
eECAS_DOMAIN_GTLD_NEED_REAUTH = 0x482e: gTLD re-authentication. Returned when re-authentication for domains with a newly approved gTLD cannot be completed 30 days after the gTLD approval.
eECAS_NON_FQDN_COMMON_NAME = 0x4824: Per CA/B Forum baseline requirements, non-FQDN certs cannot be valid beyond 11/1/2015. Examples: hostname, foo.cba (.cba is a pending gTLD).
eECAS_CANNOT_ENROLL_OVER_5Y_CERT = 0x4825: Currently the maximum cert validity is 4 years.
eECAS_FRAUD_CHECK_OU_FAILED = 0x4826: OU misleading. See comments earlier.
eECAS_ORG_NEED_REAUTH = 0x4827: Org re-auth past due. An EV org has to go through re-authentication every 13 months; an OV org has to go through re-authentication every 39 months.
eECAS_DOMAIN_NEED_REAUTH = 0x482a: Domain re-auth past due. An EV domain has to go through re-authentication every 13 months; an OV domain has to go through re-authentication every 39 months.
eECAS_MISSING_DEFAULT_ORG_ADDRESS = 0x482b: No org address was set as default; this should not happen.
eECAS_KEYTYPE_SIGNALGORITHM_MISMATCH = 0x482c: The signature algorithm does not match the intended key type in the CSR (e.g. the CSR has an ECC key, but the signature algorithm is sha1WithRSAEncryption).
eCGI_ECC_KEY_LEN_NOT_SUPPORTED = 0x600E: Only ECC keys with the named curve NIST P-256 (aka secp256r1 or prime256v1) are supported; other ECC key sizes will get this error.
eCGI_DSA_PRIME_SUBPRIME_SIZE_NOT_SUPPORTED = 0x6013: Only DSA keys with (2048, 256) as the bit lengths of the prime parameter pair (p, q) are supported; other DSA key sizes will get this error.
eCGI_WEAK_PUBLIC_KEY = 0x600d: RSA key size < 2048.
Other errors that may occur in VICE2:
0x3a10: Invalid X509 certificate format. An unsupported certificate format was submitted.
0x4002: Internal QM Error. Internal database connection error.
0x3300: Certificate not ready for renewal. Normally Symantec will only allow you to renew a certificate if the cert is 90 days or less from its expiry date.
0x3301: Bad transaction id or parent cert not renewable. The user tried to renew a certificate that is not yet ready for renewal, or the transaction id is wrong.
0x3069: Challenge phrase mismatch. The challenge phrase submitted does not match the original one.
0x3111: Unsupported Product. The user submitted a wrong product, or the requested cipher is not supported.
0x30e8: CN or org does not match the original one. The submitted CSR contains a common name or org that does not match the original one.
0x1005: Duplicate certificate. A certificate with the same common name already exists.
0x0194: Incorrect Signature Algorithm. The requested signature algorithm is not supported for the key type, e.g. ECDSA is submitted for an RSA key.
0x6000: Parameter missing or incorrect. This is a general error code for missing or incorrect parameters; the reason will be in the response message, e.g. "CSR is missing.", "Unsupported serverType" (when no supported serverType could be found), "invalid transaction id".
0x3063: Certificate not allowed. Trying to issue a certificate that is not configured for the account.
0x23df: No MDS Data Returned. Internal connection lost or server not responding; this should be rare.
0x3004: Invalid Account. The user's MPKI account associated with the certificate is not valid or not yet active.
0x4101: Internal Error. Internal server error; the user should try again later. (Also check that State is spelled out.)
0x3101: Missing admin role. Your account does not have the admin role required to access the webservice API.
0x3085: Account does not have webservice feature. Your account does not have the webservice role required to access the webservice API.
0x9511: Corrupted CSR. The submitted CSR was malformed.
0xa001: Public key format does not match. The public key format does not match the original cert at certificate renewal or replacement, e.g. if you try to renew or replace an RSA cert with a DSA or ECC key based CSR.
0x0143: Certificate End Date Error. You are trying to replace a certificate with a validity end date exceeding the original cert, or the certificate end date is not valid.
0x3105: Organization name not matched. This literally means that you have entered an organization name that is not on the approved list of organizations in the CA (which is ultimately configured by Symantec/Digicert).
Case Severities & Initial Response Goals
Severity 1 (Urgent) = Complete loss of functionality of the Licensed Software and all related services, resulting in a catastrophic business impact in which a service, system, or critical application is down, severely impacting production or profitability of Licensee.
INITIAL RESPONSE: Maximum of 2 hours
Severity 2 (High) = Detrimental business impact in which service, production, operations, or development deadlines are severely and negatively impacted, or where there will be a severe and negative impact on production or profitability of the Licensee.
INITIAL RESPONSE: Maximum of 4 hours
Severity 3 (Normal) = Inconvenient situation in which the Licensed Software is usable, but does not provide a function in the most convenient or expeditious manner, and the user suffers little or no significant impact.
INITIAL RESPONSE: Maximum of 8 hours
Severity 4 (Low) = Situation in which the use is affected in some way that is reasonably correctable by a documentation change or by a future, regular release from Venafi.
INITIAL RESPONSE: Maximum of next business day
Venafi Trust Protection Platform version 19.2 introduces some significant enhancements across the product line.
IMPORTANT! Before upgrading to version 19.2, carefully review the topic Important Considerations Before Upgrading to Venafi Platform 19.2.
Venafi Next-Gen Code Signing New Product
Venafi Next-Gen Code Signing secures enterprise code signing processes by providing centralized key storage and policy enforcement while also reducing the burden on development teams.
Delivers enterprise-wide visibility of code signing activities
Enforces and automates code signing policies and certificate usage
Secures code signing private keys
Integrates with popular CAs, HSMs and software development tool chains
By combining visibility and intelligence with workflow automation and controls, Next-Gen Code Signing protects against unauthorized use of code signing certificates while providing an audit trail of all code signing activities.
Benefits include the following:
Eliminates risks from unsecured private keys and private key sprawl
Ensures code signing security with policy enforcement and reporting
Improves efficiency through distributed signing and automation of requests and approvals
Eliminates code signing delays
New interfaces are included to administer Venafi Next-Gen Code Signing:
Venafi Code Signing node in Venafi Configuration Console Code Signing Administrators use this node in Venafi Configuration Console to set global code signing defaults and restrictions. The Venafi Code Signing node can be run remotely as an MMC Snap-in.
New Role-Based Service UI Code Signing Project Owners, Administrators, and Key User Approvers use this interface in Aperture to request new projects, approve new projects, and approve use of code signing keys.
In addition, we are introducing a Cryptographic Service Provider (CSP) that can be installed on Windows workstations from which code will be signed. The Venafi CSP communicates over REST with the Trust Protection Platform server for authentication and code signing requests. In this release, Venafi Code Signing supports RSA-based signing for both SHA1 and SHA256 hashes.
Venafi Code Signing is a separately licensed product. If you're upgrading from a previous version of Trust Protection Platform, see Enabling Venafi Code Signing after upgrading.
Venafi MMC Snap-in Collection A new Snap-in collection is introduced that allows the new Venafi Code Signing and Venafi Event Viewer MMC snap-ins to be installed and run remotely. This is made possible by a new API Host Windows Service. This service is a WCF self-hosted web service used to run the Code Signing Admin and Event Viewer MMC snap-ins on the Trust Protection Platform server. See Venafi Windows services.
Venafi Platform
Amazon Web Services RDS MSSQL Support For customers hosting TPP in AWS, the RDS cloud database product is now supported for hosting Venafi Trust Protection Platform. See Supported Databases in System Requirements. Note: Support for SQL 2012 and SQL 2014 will be deprecated in TPP 19.4. SQL 2016 SP1 will be the minimum version.
Administrators Node The Administrators node adds the ability to assign additional Master Admin and Code Signing Administrator users from the Venafi Configuration Console. Assigning Code Signing Administrators requires a Venafi Next-Gen Code Signing license. See Administrators.
Identity Connector Configuration The Identity tree selector in WinAdmin has been moved to the Venafi Configuration Console (VCC). Active Directory and LDAP Identity connection wizards and configurations are now launched from the Connectors node in VCC. See Creating an Active Directory connection. See Creating an LDAP connection.
Rotate Active Directory and LDAP Service Credentials through CLI Using the TppConfiguration.exe utility, you can programmatically change the service password with the -identitypwd switch.
Venafi Event Viewer The Venafi Event Viewer node provides advanced logging/event viewing capabilities. This node can be run remotely as an MMC Snap-in. See Venafi Event Viewer.
Improved Management of Master Admin and WebSDK roles Within the Aperture Identities menu, Master Admins now have better visibility and management of Master Admin and WebSDK roles through new filtering and bulk actions.
Attention Required This node provides an overview of potential Trust Protection Platform configuration issues that should be addressed. See Attention Required.
SMTP Connector Configuration SMTP server defaults used for reporting and logging can be configured from the Connectors node in Venafi Configuration Console. Information related to this feature is under development. Until it is ready, you can see configuration information in Configure SMTP settings. This topic discusses SMTP in the context of the Venafi Code Signing product, but the configuration is the same even if you don't have Code Signing enabled.
Online Migration framework The new framework allows data migration while Trust Protection Platform services are running.
Update in how license usage and other telemetry are sent to Venafi We are always looking for ways to build better products for you, and to help you more effectively if you run into an issue. To that end, we collect telemetry to ensure your Venafi products are secure, perform as expected, and ultimately help you be more successful. This telemetry includes both technical and interaction data and is not personally identifiable information. When you entrust us with this information, it remains yours. We do not sell or otherwise provide your data to third parties for advertising or promotional purposes. Your privacy, your trust, and your success are paramount to us. For more information, please see the Venafi Privacy Policy.
Certificate Driver Integrations
Onboard Discovery support for Amazon Web Services and Azure Key Vault Certificates in AWS and Azure accounts can now be rapidly discovered along with all configuration necessary to validate and take control of their renewal lifecycle. See Creating a new Onboard Discovery job.
Support for Amazon Web Services cross-account access: Trust Protection Platform can now use the AWS AssumeRole feature to access multiple AWS accounts using a single credential. This configuration lets you authenticate to a single AWS account and execute different types of work (provisioning, Onboard Discovery, and Cloud Instance Monitoring) across any other AWS accounts in which you've added the same cross-account role. Because that one credential can now reach every account that trusts the role, scope the role's trust policy in each target account to the identity Trust Protection Platform authenticates with. See Authenticating to multiple AWS accounts using a single Amazon Credential.
Binding certificates to an Azure Key Vault application You can now configure Trust Protection Platform to bind your certificates to web applications automatically during provisioning so that you don't have to create the binding using other methods. See Creating an Azure Key Vault object in Trust Protection Platform.
Added support for provisioning ECC certificates using JKS driver This release adds support for provisioning centrally and remotely generated (non-HSM) elliptic curve certificates (ECC) to Java key stores.
Server Certificate
Outage Risks are highlighted in New Validation widgets on All Certificates Dashboard There are three new widgets available on the All Certificates dashboard, showing counts for protocol, end entity validation, and chain validation with colors to represent potential risks that require attention. You can click either the bubble or the legend to be taken to a filtered list of certificates that match that condition. See Chain Validation widget. See End Entity Validation widget. See Secure Protocols vs Insecure Protocols widget.
Improved Revocation Checking: In previous versions of Trust Protection Platform, revocation checking performed poorly, and many customers were instructed to disable it. In 19.2, revocation checking has been completely refactored, and the module is now recommended for environments of all sizes. Revocation checking examines every certificate in inventory on a schedule to see whether it has been listed on a Certificate Revocation List (CRL). If no CRL is available for a certificate, it checks via OCSP instead. Notifications about revocations are sent to certificate owners so they can take appropriate action. See About Revocation Checking.
CRL and CDP checking: Ensuring that your certificate validation statuses match the status of the certificate on the CA is important. If a CRL expires or is unavailable, it can cause outages on every system that relies on that CRL Distribution Point (CDP) for verification. Trust Protection Platform checks the CDPs on a scheduled basis to verify that the endpoint is reachable; if a CDP goes down, you need to take immediate action to prevent outages. The Trust Protection Platform Certificate Revocation List (CRL) Verification Service also verifies that CRLs are valid and available for revocation checking. If a CRL is within a configurable period before its nextUpdate time, the service notifies one or more administrators so they can ensure it is reissued. See Validating Certificate Revocation Lists.
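The nextUpdate check that the CRL Verification Service performs, as an added example (editor-supplied Python, not Venafi's code). It uses a minimal DER reader rather than a library so it runs with the standard library alone; the sample CRL is constructed inline with a dummy signature, so it exercises the parser but is not a CRL any verifier would accept, and the two-day warning threshold is an assumed value:

```python
import datetime as dt

UTC = dt.timezone.utc


def _der(tag, content):
    """Minimal DER TLV encoder (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    pos = 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        yield tag, value


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:   # UTCTime, YYMMDDHHMMSSZ (RFC 5280 two-digit year rule)
        return dt.datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=UTC)
    if tag == 0x18:   # GeneralizedTime, YYYYMMDDHHMMSSZ
        return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
    raise ValueError(f"expected Time, got tag 0x{tag:02x}")


def crl_validity_window(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280 5.1).
    nextUpdate is OPTIONAL in the ASN.1, but RFC 5280 requires issuers to include it."""
    _, cert_list, _ = _tlv(der, 0)
    _, tbs = next(_children(cert_list))            # tbsCertList
    fields = list(_children(tbs))
    i = 1 if fields[0][0] == 0x02 else 0           # optional version INTEGER
    # fields[i] = signature AlgorithmIdentifier, fields[i+1] = issuer Name
    this_update = _parse_time(*fields[i + 2])
    next_update = None
    if len(fields) > i + 3 and fields[i + 3][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i + 3])
    return this_update, next_update


def crl_status(der, now, warn_before=dt.timedelta(days=2)):
    """Classify a CRL the way a verification service would: 'expired' once
    nextUpdate has passed, 'expiring' when it falls within warn_before, else 'ok'.
    A CRL without nextUpdate cannot be monitored and is flagged for review."""
    this_update, next_update = crl_validity_window(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:
        return "missing-nextupdate"
    if now >= next_update:
        return "expired"
    if next_update - now <= warn_before:
        return "expiring"
    return "ok"


def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL skeleton (dummy signature bits): enough structure
    for the parser above, not something any relying party would accept."""
    def utc_time(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30,
                 _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"Example Issuing CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + utc_time(this_update) + utc_time(next_update) + _der(0x30, b""))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + b"\x00" * 32))
```

Feed crl_status the bytes fetched from each CDP and the current time; anything other than "ok" is what the service's notification would carry. Verifying the CRL signature against the issuer is deliberately out of scope here and must be done before the CRL is trusted for revocation decisions.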
New Validation Filter section Enhancements in 19.2 allow you to filter on protocol, end entity validation, and chain validation from the Certificate Inventory list. See SSL/TLS network validation.
TLS Endpoints Column in Aperture A new TLS Endpoints column in the Certificate inventory in Aperture has a drop-down that allows you to see all the TLS endpoints for a specific certificate, right from the inventory. This sub-table shows IP Address, port, enabled protocols, results of SSL/TLS validation and results of Chain validation for that endpoint. See Editing columns in the Certificate Inventory list.
Improved Filtering for Jobs List: In addition to filtering on the job type, you can now filter on the job status and on when the job last ran.
SSH
New Reports for SSH: The SSH keyset details page now lets you create a report of authorized keys and private keys; the data can then be exported to other BA tools for analysis. There is also a new Authorized Users custom report available in the Reports menu in Aperture. See Analyzing the SSH Authorized Users report.
Highlight environment crossing in SSH keysets: When you create or edit a device, you can now specify the environment that device is in (for example, development, testing, or production). If a keyset has an authorized key in one environment and a private key in a different environment, Aperture displays a security warning on the keyset and it appears as a risk in the SSH key inventory, because whoever controls the private key in one environment can log in to the other. See Keyset details and SSH policy settings details.
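The environment-crossing rule above, as detection logic over a constructed keyset inventory. This is an added example written for this page, not Venafi's implementation: the KeyInstance records, hostnames and fingerprints are made up, and it assumes every copy of a key pair, private or authorized, can be tied to one keyset by fingerprint. It goes one step beyond the text by also listing authorized keys whose private key is not in the inventory at all, which the crossing rule cannot classify:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyInstance:
    fingerprint: str  # identifies the keyset; every copy of one key pair shares it
    kind: str         # "private" or "authorized"
    device: str
    environment: str  # the environment tag set on the device


# Constructed sample inventory; hostnames and fingerprints are made up.
INVENTORY = [
    KeyInstance("SHA256:aaa", "private", "build01.dev.example", "development"),
    KeyInstance("SHA256:aaa", "authorized", "web01.prod.example", "production"),
    KeyInstance("SHA256:bbb", "private", "jump01.prod.example", "production"),
    KeyInstance("SHA256:bbb", "authorized", "db01.prod.example", "production"),
    KeyInstance("SHA256:ccc", "authorized", "app01.test.example", "testing"),
]


def find_environment_crossings(inventory):
    """Return {fingerprint: [(private_device, private_env, authorized_device,
    authorized_env), ...]} for every keyset whose private key sits in a
    different environment from one of its authorized keys."""
    keysets = defaultdict(lambda: {"private": [], "authorized": []})
    for k in inventory:
        if k.kind not in ("private", "authorized"):
            raise ValueError(f"unknown key kind {k.kind!r}")
        keysets[k.fingerprint][k.kind].append(k)

    findings = {}
    for fp, sides in keysets.items():
        # Every (private, authorized) pairing is a login path; flag the ones
        # that cross an environment boundary.
        pairs = [
            (p.device, p.environment, a.device, a.environment)
            for p in sides["private"]
            for a in sides["authorized"]
            if p.environment != a.environment
        ]
        if pairs:
            findings[fp] = sorted(pairs)
    return findings


def find_orphaned_authorized_keys(inventory):
    """Authorized keys with no private key anywhere in the inventory. The
    crossing rule cannot judge these, so they are listed for manual review."""
    with_private = {k.fingerprint for k in inventory if k.kind == "private"}
    return sorted({k.fingerprint for k in inventory
                   if k.kind == "authorized" and k.fingerprint not in with_private})
```

Run over a real export, the findings dictionary is the list of keysets that should carry the warning, and the orphan list is the set of authorized_keys entries nobody in the inventory can account for.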
Enterprise Mobility Protect
Support for DigiCert CertCentral CA for user certificates You can now request and retrieve certificates for email protection or client authentication from DigiCert CertCentral CA. For more information, see Enterprise Mobility Protect: Supported platforms and requirements.
Support for Symantec MPKI via Adaptable CA for user certificates: You're able to request and retrieve certificates for email protection or client authentication from Symantec MPKI CA via the Adaptable CA script. For more information, see Using the sample Symantec Managed PKI Service PowerShell script.
Tag imported certificates based on their origin Certificate Import functionality is now enhanced with an option to "tag" certificates by their origin. Once certificates are tagged, the Administrator can see statistics like trends and total numbers on the User and Client Device Certificates dashboard. For more information, see Configuring a certificate import using Adaptable CA and Configuring a certificate import from a Microsoft CA.
TrustNet
Improved phishing certificate detection notifications: Enterprise security operations teams can now receive notifications for potential phishing domains. Notifications are delivered directly to team members' inboxes for quicker resolution of security incidents. For more information, see TrustNet dashboard graphs.
New TrustNet-specific certificate tags that leverage the placement rules engine: Automated placement of certificates into the proper folders allows administrators to organize and sort the large numbers of relevant certificates found using TrustNet's outside-in approach to global discovery. Because TrustNet can place certificates in the proper folders based on certificate attributes, this feature helps drive follow-up remediation actions. For more information, see Creating TrustNet placement rules.
Identify and filter all phishing certificates: Enterprise security operations teams can now filter and view all phishing certificates in one place in Aperture. The Administrator can also automate placement of certificates into specific folders based on the Phishing_Certificate_All tag. This allows administrators to organize and sort the large numbers of phishing-related certificates in order to perform bulk certificate actions. For more information, see Creating TrustNet placement rules.
API Integrations
Token Authentication for WebSDK (REST API): 19.2 introduces a new mechanism (POST Authorize/OAuth) to obtain long-lived API tokens for making REST API calls. These tokens have a longer validity (90 days by default) and can be used across all WebSDK-enabled Venafi servers for better high availability of WebSDK services. To support token authentication, a new Authentication IIS service must be added in the Venafi Configuration Console after upgrade. To manage authentication to the Authentication server, a new Remote Access tree is available. This view manages token and grant validity, as well as enabling the different authentication methods (Password, Windows Integrated, and Certificate). Because a token is valid for months by default, restrict each token's scope to the privileges its integration actually needs. See Setting up for Token Authentication. See 19.2 Important Considerations before enabling the Authentication Server in Venafi.
Credentials and Metadata interfaces added to Swagger specification You can now use Swagger to test development that reads and modifies Trust Protection Platform Credentials and Metadata (Custom Fields). See Trying out the Web SDK in Swagger.
GET and HEAD Certificates API self-signed certificate search filter A new attribute filter allows GET and HEAD Certificates API calls to include or exclude self-signed certificates from the response. See Certificates attribute filters.
GET and HEAD Certificates API wildcard search filter A new attribute filter allows GET and HEAD Certificates API calls to include or exclude certificates based on whether the certificate CN or DNS SANs are wildcards. See Certificates attribute filters.
GET Certificates/{guid}/PreviousVersions API provides certificate version information The new GET Certificates/{guid}/PreviousVersions API call returns details about previous versions of a certificate. See GET Certificates/{guid}/PreviousVersions.
GET and POST Certificates/Retrieve/{vaultid} APIs retrieve a certificate and other information The new GET and POST Certificates/Retrieve/{vaultid} API calls download a certificate based on the Vault ID optionally including private key and chain certificates. See GET Certificates/Retrieve/{vaultid} and POST Certificates/Retrieve/{vaultid}.
GET Log/{guid} to view log events for a specific object: Previously available but undocumented, this method is now documented so callers can see the log events for any object on which they have View and Read permissions. See GET Log/{guid}.
Server Agent
Windows Server 2019 support: The Venafi Server Agent is now supported on Windows Server 2019, in addition to the many existing supported platforms. See Venafi Server Agent requirements, listed under Server Agent and Enterprise Mobility Protect User Agent in System requirements for Venafi components.
iPlanet NSS database discovery support The Server Agent now supports the Network Security Services (NSS) database format used for Oracle iPlanet Web Server.
New Randomized delay helps minimize impact on server resources: This new command-line option is designed to minimize the impact the Server Agent can have when many systems running the agent must be restarted simultaneously. Applying a randomized check-in delay to those agents helps you avoid overloading the servers during the reboot. See Server Agent command line reference.
Introduction to SSH
The Secure Shell (SSH) network protocol provides a cryptographically secure connection between two hosts, enabling data communication, remote administration, and remote command execution. SSH is widely used as a replacement for less secure network protocols that were designed several decades ago, before many of today's security challenges existed. It provides confidentiality of the data exchanged and guarantees the integrity of the communication.
Devices using older protocols such as Telnet and FTP communicate in clear text. Beyond encryption, the SSH protocol also provides authentication and authorization when establishing a connection, and it can be used to tunnel TCP/IP sessions.
Using SSH, organizations can protect themselves against attacks such as IP and DNS spoofing and IP source routing, and securely control workloads running in cloud computing environments. SSH is used extensively in enterprise data centers and in the cloud. By far the largest percentage of SSH sessions is established automatically between systems.
How SSH works:
SSH establishes a secure tunnel between two entities, typically a client and a server. Several authentication methods can be chosen, such as public-key, host-based, or password. Before a client can authenticate, the secure session itself has to be set up.
First the client contacts the server, and the two decide which SSH protocol version they will use. In SSH-1, the server sends the client its public host key and server key. The client uses these to encrypt a session key of its own choosing, which it sends to the server. The server decrypts the session key and uses it to establish the encrypted session. (SSH-1 is obsolete and should not be enabled; it is described here only for contrast.)
In SSH-2 the client and server instead derive the same session key using Diffie-Hellman, so neither side alone determines the key, and because each side generates fresh values for every session, a recorded session cannot be replayed. The procedure is as follows. Using the same agreed prime modulus and generator, the client and server each generate a random private value. Each then computes its own public value from its private value, the shared prime, and the generator, and the client and server exchange these public values. Each side combines the other party's public value with its own private value to compute a shared secret. As a result, both sides hold the same shared secret without it ever crossing the network. The shared secret, together with a hash of the exchange, is used to derive the session keys that protect the encrypted session.
User authentication can be by public-key, host-based, or password. The most commonly implemented method, and the one described here, is public-key authentication. The client sends the server the user's public key. The server checks the authorized keys file for the presence of that public key and for any restrictions attached to it. The classic (SSH-1) exchange then works as a challenge-response: the server generates a random number, encrypts it with the user's public key, and returns it to the client; the client decrypts it with its private key, hashes the number, and sends the hash back; the server hashes the same number and compares, and if the hashes match, authentication succeeds. In SSH-2 the client instead signs a message that includes the session identifier with its private key, and the server verifies that signature against the authorized key; binding the signature to the session prevents a captured authentication from being replayed on another connection.
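The SSH-2 key exchange described above, run end to end in Python as an added example (editor-supplied demonstration code, not Venafi's or OpenSSH's). It assumes the 1024-bit Oakley group 2 prime from RFC 2409, the group SSH names diffie-hellman-group1-sha1, chosen only because it is short enough to embed; real deployments should use larger groups or curve25519. It simplifies the exchange hash H to cover just the public values and K, whereas real SSH also hashes the version strings, KEXINIT payloads and the host key. It goes slightly beyond the text by showing the RFC 4253 derivation of the per-direction session keys from K:

```python
import hashlib
import secrets

# Oakley group 2 (RFC 2409) 1024-bit MODP prime, used by SSH as
# diffie-hellman-group1-sha1. Embedded for brevity; too small for new deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def mpint(n: int) -> bytes:
    """SSH 'mpint' encoding (RFC 4251): big-endian two's complement with a
    4-byte length prefix; a leading 0x00 is added when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return len(raw).to_bytes(4, "big") + raw


def dh_keypair():
    """Each side picks a fresh random private exponent and publishes g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> int:
    """Combine our private exponent with the peer's public value. Degenerate
    peer values (0, 1, p-1) would force a trivial K, so they are rejected."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def derive_keys(k: int, h: bytes, session_id: bytes) -> dict:
    """RFC 4253 section 7.2: each key is HASH(K || H || letter || session_id),
    with a different letter per direction and purpose."""
    def d(letter: bytes) -> bytes:
        return hashlib.sha1(mpint(k) + h + letter + session_id).digest()
    return {
        "iv_c2s": d(b"A"), "iv_s2c": d(b"B"),
        "enc_c2s": d(b"C"), "enc_s2c": d(b"D"),
        "mac_c2s": d(b"E"), "mac_s2c": d(b"F"),
    }


def ssh2_key_exchange():
    """Run both sides of the exchange in-process and return what each side
    derived. Only e and f cross the wire; K itself is never transmitted."""
    x, e = dh_keypair()                 # client: private x, public e = g^x
    y, f = dh_keypair()                 # server: private y, public f = g^y
    k_client = dh_shared_secret(x, f)   # client computes f^x
    k_server = dh_shared_secret(y, e)   # server computes e^y
    # Simplified exchange hash; on the first exchange H is also the session id.
    h = hashlib.sha1(mpint(e) + mpint(f) + mpint(k_server)).digest()
    return {
        "client_keys": derive_keys(k_client, h, h),
        "server_keys": derive_keys(k_server, h, h),
        "secrets_match": k_client == k_server,
    }
```

Because x and y are discarded after the exchange, an observer who recorded e and f cannot reconstruct K later, which is the forward secrecy that the SSH-1 design (client picks the key, encrypts it to a long-lived server key) lacks.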
Summary:
What is an SSL/TLS X.509 Certificate?
An SSL Certificate is a digital computer file that has two specific functions:
Authentication and Verification: The SSL certificate binds a public key to the verified identity of a host or site. When you click the padlock or check the trust mark, the certificate chain shows which Certificate Authority issued the certificate and vouches for that identity.
Data Encryption: The SSL certificate enables an encrypted connection, which means that sensitive information exchanged with the web site cannot be intercepted and read by anyone other than the intended recipient.
An SSL Certificate is most reliable when issued by a trusted Certificate Authority (CA). The CA has to follow very strict rules and policies about who may or may not receive an SSL Certificate. So, when you have a valid SSL Certificate from a trusted CA, there is a higher degree of trust.
More Information:
How do I check a site for a valid secure connection?
A web site without SSL security shows HTTP at the beginning of the address in the browser's address bar. This stands for Hypertext Transfer Protocol, the conventional way to transmit information over the Internet. A web site secured with an SSL certificate shows HTTPS instead, for Hypertext Transfer Protocol Secure.
You will also see a padlock symbol in the browser, typically in the address bar.
You may also notice a trust mark displayed on the web site. This displays details of the certificate, with the company information as verified and authenticated by the CA. Note that a trust mark is only an image on the page; the browser's own certificate check is what tells you the connection is genuine.
By clicking the closed padlock in the browser window, or certain SSL trust marks, you can see the authenticated organization name. At the time this article was written, browsers prominently displayed the organization name and turned the address bar green when an Extended Validation (EV) SSL certificate was detected; current browsers have dropped the green bar and special EV treatment, so do not rely on it as an indicator. If the certificate does not match the site or has expired, the browser displays an error message or warning.
What does the SSL connection process look like for a web page?
A browser requests a secure page.
The web server sends its public key with its certificate.
The browser checks that the certificate chains to a trusted root Certificate Authority, is still within its validity period (and, in many browsers, has not been revoked), and matches the name of the site contacted.
The browser then generates a random symmetric encryption key, encrypts it with the server's public key, and sends it to the server. (This describes the RSA key exchange of older TLS versions. TLS 1.3, and modern TLS 1.2 cipher suites, instead agree the symmetric key with ephemeral Diffie-Hellman, and the server's private key only signs the handshake, so a later compromise of that key cannot decrypt recorded traffic.)
The web server decrypts the symmetric key using its private key; from then on both sides use the symmetric key to encrypt the requested URL and other HTTP data.
The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
Applies to:
16.1 to 18.2
NOTE: 18.3 and above moved this setting to Aperture:
https://support.venafi.com/hc/en-us/articles/360015721211-Info-What-s-New-in-Venafi-Trust-Protection-Platform-18-3
https://docs.venafi.com/Docs/18.3/TopNav/Content/Policies/r-certificate-policy-configuring-Aperture-tpp.php
Summary:
16.1 introduced the ability to disallow SAN types by policy
Options are:
Disallow SAN: DNS
Disallow SAN: Email
Disallow SAN: IPAddress
Disallow SAN: OtherName UPN
Disallow SAN: URI
**To enable the following functionality you will need to contact Support to request that the Support tab be unlocked; this is done via a challenge/response code.**
To enable this functionality, go to the policy level you want to apply it to, open the Support tab, select the Policy Attributes tab, and add an attribute.
Select X509 Certificate, then select the SAN type you want to disallow and enter "1" in the Value box.
More Information:
If a certificate is renewed in violation of the policy settings for allowable SAN types, it goes into an error state with an appropriate message, for example:
Certificate will not be processed because there is a subject alternative name (IP address) in use. This folder prohibits subject alternative name (IP address).
If an exception is needed for such a certificate, unlock the Disallow SAN: IPAddress policy setting so that it is only a suggested value, then on the immediate policy of the certificate that needs the exception override it with Disallow SAN: IPAddress = 0, and retry the certificate. Scope the override to the narrowest policy possible so the restriction stays in force everywhere else.
Applies to: 18.x
Additional Information:
This is not best practice for rotating DPAPI keys; it is typically used for troubleshooting only. It causes the Venafi Configuration Console (VCC) to re-run its first-time wizard, so have the DPAPI key you intend to import at hand before you start.
Steps:
Open Registry Editor (regedit).
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Venafi\Platforms.
Right-click in the value pane of that key.
Select New > String Value.
Name the value Start Wizard (make sure to include the space).
Press Enter.
Right-click the new value and select Modify.
Set the value data to FirstTime (no space).
Click OK.
Open VCC.
VCC should run as if it is being started for the first time.
In the VCC wizard, you will be able to import the key when prompted.
Done.
Applies to:
Certificate Discovery Scans (not including SSH discovery)
SSL/TLS
Discovery work is broken into blocks that are picked up by the discovery engines. If discovery zoning is employed, engines pick up the work they are able to process in their assigned discovery zone. If no discovery zones are defined, the engines pick up work at random.
If the IP address is part of the engine's own subnet, an ARP request is made first to determine whether the host actually exists on the network. If the ARP request fails, no TCP handshake is attempted. If it succeeds, TPP attempts a TCP handshake.
If the IP address is not part of the engine's subnet, the engine does not perform an ARP request and simply begins the TCP handshake.
After each successful test of an open TCP connection, the connection is reset and re-established before a full (two-way) SSL/TLS handshake is attempted on the listening port.
During the handshake the client and server negotiate the cipher suite and SSL/TLS protocol version; a single protocol version is agreed between TPP (the client) and the endpoint (the server).
The certificate is retrieved only over the first successfully negotiated protocol, regardless of any other versions the endpoint supports.
Note that the server's certificate is sent in its Certificate message, in the same flight as the Server Hello and before the session key is established. This holds for SSL 3.0 through TLS 1.2; TLS 1.3 encrypts the certificate, so a scanner must complete the key exchange to read it.
SSL/TLS Negotiation:
Note this differs from the validation behaviour, where separate connections are made for each of the five SSL/TLS protocol versions (SSL 2.0, SSL 3.0, TLS 1.0, 1.1 and 1.2) to ascertain what the endpoint supports.
Q. Why could a wire trace show a higher number of connections between a TPP engine and a single IP address and port, e.g. 10 between the TPP host and target server 10.10.10.1:443 but 20 to 10.10.10.2:443?
A. Because even though discovery only needs to negotiate one protocol successfully, it may require multiple attempts.
Some legacy servers cannot complete the SSL handshake when the client offers protocol options they don't understand, so discovery retries with a different set. That is why discovery has several protocol sets to try: if the client offers TLS 1.2 cipher suites to a server that only understands SSL 3.0 and TLS 1.0, the server might reject the connection even though the client included SSL 3.0 cipher suites too.
Protocol settings in Platforms determine which outgoing SSL/TLS protocol versions are supported for web services endpoints (such as the SOAP or REST APIs offered by CAs) and for Discovery.
Where a protocol (e.g. TLS 1.2 outgoing from TPP) is not supported by the engine's OS, but is the ONLY protocol enabled on the target, the expected behaviour is that the handshake fails and no certificate is retrieved.
Note also that, in terms of on-the-wire analysis of data communications during network discovery, TPP makes use of .NET libraries, so some of the low-level connection behaviours are governed solely by Microsoft's implementation decisions.
If the discovery engine is AD-joined it will periodically generate standard AD/Windows protocol traffic (such as LDAP and Kerberos), for example when verifying its AD provider every 15 minutes.
However, this doesn't imply that a standalone TPP server with only discovery enabled will not make similar calls.
As a member of the same TPP context, it shares dependencies (such as an AD provider), and since it runs the same .NET code it can make the same calls, e.g. the AD provider performing heartbeat checks.
That said, the discovery scans themselves do not depend on AD being available, should you decide to block AD traffic for discovery-only engines.
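A model of the discovery and validation behaviours described in this article, as an added example (editor-supplied Python, not TPP's code). The Endpoint class is a constructed stand-in for a scanned host, the DISCOVERY_PROTOCOL_SETS ordering is assumed rather than Venafi's actual list, and the ARP probe is reduced to the subnet-membership test that decides whether one is sent. It reproduces the Q&A: a legacy server that drops ClientHellos offering versions it does not understand costs discovery an extra connection, while validation always spends one connection per version:

```python
import ipaddress

# The five protocol versions the article names, oldest first.
PROTOCOLS = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]

# Assumed ordering of the "protocol sets" discovery tries in turn; Venafi's
# real lists are not published on this page, so these are illustrative only.
DISCOVERY_PROTOCOL_SETS = [
    ["TLS 1.2", "TLS 1.1", "TLS 1.0"],
    ["TLS 1.0", "SSL 3.0"],
    ["SSL 3.0", "SSL 2.0"],
]


class Endpoint:
    """Constructed stand-in for a scanned host. 'supported' is the set of versions
    it speaks; a non-tolerant server (the legacy case from the Q&A) drops any
    ClientHello that offers a version it does not understand."""

    def __init__(self, supported, tolerates_unknown=True):
        self.supported = set(supported)
        self.tolerates_unknown = tolerates_unknown
        self.connections = 0  # what a wire trace to this host:port would count

    def handshake(self, offered):
        self.connections += 1
        if not self.tolerates_unknown and any(v not in self.supported for v in offered):
            return None
        common = [v for v in offered if v in self.supported]
        return max(common, key=PROTOCOLS.index) if common else None


def needs_arp_probe(engine_ip, prefix_len, target_ip):
    """The engine only ARPs for targets on its own subnet; off-subnet targets
    go straight to the TCP handshake via the default gateway."""
    local_net = ipaddress.ip_network(f"{engine_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(target_ip) in local_net


def discover(endpoint, engine_protocols=frozenset(PROTOCOLS)):
    """Discovery: offer each protocol set in turn, restricted to what the engine's
    Platforms settings allow, and stop at the first success.
    Returns (negotiated_version, connections_used)."""
    before = endpoint.connections
    for protocol_set in DISCOVERY_PROTOCOL_SETS:
        offered = [v for v in protocol_set if v in engine_protocols]
        if not offered:
            continue
        negotiated = endpoint.handshake(offered)
        if negotiated:
            return negotiated, endpoint.connections - before
    return None, endpoint.connections - before


def validate(endpoint):
    """Validation: one connection per version to learn everything the endpoint
    supports, not just the first version that happens to work."""
    return [v for v in PROTOCOLS if endpoint.handshake([v])]
```

The (None, n) result from discover is the case in the article where the engine's allowed outgoing versions and the target's only enabled version never intersect: connections are spent, but no certificate comes back.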
Symptom:
When running Director Updater, no packages are listed.
Cause:
There are a number of possible causes for this issue:
Make sure that you are running the correct version of Director Updater for the version of Venafi Encryption Director you are using.
Director 6.0.1 -- Updater 1.7.0
Director 5.3.1 - 5.3.4 -- Updater 1.6.0
Director 5.3.0 -- Updater 1.5.0
Make sure that the update package is in the ...\Venafi\Packages folder.
Make sure that the update packages do not have a read-only flag on them.
Make sure that you have the correct patch for the version of Venafi Encryption Director that you are using.
The file name Discovery Field Test Patch 5.03.04.22734.vupkg indicates that this package is for version 5.3.4
If Director Updater is running on Windows Server 2008R2, you may need to run it by:
Clicking on Start -> All Programs -> Venafi
Right-click on Director Updater and click Run as administrator
Resolution:
Once the cause has been resolved, click the refresh button in Director Updater to display the package(s).
Venafi Trust Protection Platform version 19.3 introduces some significant enhancements across all product lines.
IMPORTANT! Before upgrading to version 19.3, carefully review Important Considerations Before Upgrading to Venafi Platform 19.3.
Venafi Next-Gen Code Signing
Reports Dashboard & Statistics: A brand new view to gain visibility into your code signing operations and projects. For example, the dashboard shows the total number of signing operations versus recent signing operations, how signing operations are trending, and how many different users are submitting code signing requests.
Performance Enhancements: Improved performance for code signing operations. In some instances you may see gains of up to 90x. In our own build environment, average sign times went down from 9 seconds to 0.112 seconds.
Request in Progress Message Customization: Code signing administrators can customize the message returned to a key user when the signing request isn't yet fulfilled.
Request Instance Identification: Allows Code Signing Administrators to determine which attributes of a signing request are used to match previous signing requests that are not yet fulfilled.
Updates to the Cryptographic Security Provider (CSP) Utility: Added the ability to check current grant validity and request a new grant. Also added the ability to set Venafi Server URL values during installation from the command line.
Venafi Platform
New message formats for Syslog Notification Channel: The Syslog channel driver now includes two new message formats, Common Event Format (CEF) and JSON, and can now support encrypted (TLS) connections to remote syslog servers. The legacy BSD format is still available. 37674343, 36321277, 37010374
Support for MS SQL Server 2017: You can now use MS SQL Server 2017 for your database. Note: in 19.4 we plan to deprecate support for SQL Server 2012 and SQL Server 2014. Please begin to plan your upgrade to SQL Server 2016 or higher.
Azure Active Directory Domain Services and AWS Managed Microsoft AD Compatibility: Both cloud Active Directory providers are considered compatible with the Venafi Platform Active Directory Identity Provider. 37841362
Change Owner of Custom Reports: In previous versions, if the creator of a custom report was removed from the system, the custom report would break. A master admin can now view the owner of custom reports and reassign a custom report to a new owner.
Adaptable Debug Option for Customer Support: A small enhancement to all Adaptable drivers aimed at helping Customer Support more effectively assist customers who need help troubleshooting homegrown Adaptable scripts.
TLS Server Certificate
Big improvements to Scanafi Certificate Network Discovery Utility: Version 2.1 of Scanafi is included. It adds support for TLS 1.3, lets you specify a list of custom ports, fully supports SNI, and updates the mechanism for configuring Scanafi. Note that this version of Scanafi no longer supports scanning the SSL 2.0 protocol, and the Vulnerability Scan is removed from Scanafi's default behavior. 36533713, 36331555, 37144174, 37010083
Zip download of PEM certificate data: You can now download your PEM certificate, private key, and chain certificates as separate files inside a zip archive. 36768793, 36270625
Additional filter for certificate inventory: The certificate inventory in Aperture now includes an additional filter, allowing you to filter based on CA Template. 36270601
Display approvers of a pending workflow: Certificate owners can now see which approvers are assigned to a pending approval, so they know who in their organization to contact if a certificate hasn't been approved.
CyberArk Integration Enhancements: You can now configure Trust Protection Platform to authenticate to your SCIM server when setting up the CyberArk connector in the Venafi Configuration Console (VCC). You can also now create the CyberArk username/password and CyberArk password credential types from within Aperture.
Command Injection for Workflow: In previous versions, you could not have more than 1,000 characters in your command line injection. Due to improvements in how Workflow configurations are stored in the database, there is no longer a storage limit on the number of characters for command injection purposes.
Enhance Validation to not block provisioning on load balancers: Previously, when there were many applications on a device (common with load balancers), both onboard and network validation could delay certificate provisioning (installation). Validation no longer blocks provisioning in this case.
Save Renewal Details button text clarified: When changing renewal details for a certificate, the action button was previously titled Submit. It has been renamed Save Renewal Details to clarify what happens when a user clicks the button (that is, the renewal is not submitted for processing). 37083121
Improved performance for importing certificates into WebAdmin
SSH
Support ED25519 (OpenSSH): The SSH product adds support for ED25519 (OpenSSH) keys in addition to RSA, DSA, and the ECDSA curves P-256, P-384, and P-521. This applies to both the Agent and Agentless management options.
Encrypted Private Key management: You can now take actions on encrypted private keys, including adding or changing the key's passphrase and deleting the key from the inventory.
Apply policy to SSH keysets: Trust Protection Platform now allows you to apply policy settings and permissions to keysets independent of the devices on which those keysets are stored. You can move a keyset into a policy folder, where those permissions override the permissions set on the device. You can also remove a keyset from all folders, reverting to device-level permissions.
Bulk Move of SSH keysets: You can easily move multiple keysets into a folder using the Bulk Move button on the keyset inventory, allowing you to apply a subset of SSH policy values to the keysets.
Certificate Driver and DevOps Integrations
Updated Symantec Driver: You can enroll private SSL certificates (which allow non-fully-qualified hostnames) without syncing the CA template and without ensuring that all of the domains in the certificate are in the list of domains vetted by the CA. 36819535
Provision ECC to JKS backed by HSM: You can now use an HSM when provisioning elliptic curve cryptography (ECC) keys to a Java keystore (JKS). (Requires the Venafi Advanced Key Protect product.)
Venafi Lambda functions enforce enterprise security policy for AWS Private CA: Before sending an enrollment request to a private Amazon CA, the Venafi Lambda function enforces Trust Protection Platform policy settings. Lambda can retrieve certificate policy settings from Trust Protection Platform or Venafi Cloud. See https://github.com/Venafi/aws-private-ca-policy-venafi.
Venafi Salt generates certificates via vCert: Venafi Salt now uses vCert to generate certificates in accordance with policy settings. See https://github.com/Venafi/salt.
Server Agent
IIS Binding discovery and provisioning: Server Agent can now discover and set IIS bindings. This feature introduces a dependency on .NET, which exists even on systems without IIS. 37709905
Spectre-mitigated agents for Windows and Linux: Security improvements.
Backup file permissions/ownership: During certificate provisioning, Server Agent now sets the owner and permissions of the backup file under Unix/Linux when it sets the owner and permissions on the key store, for easier recovery if needed. 36491536
Support ED25519 (OpenSSH): Support for the new SSH product capabilities via Server Agent.
Enterprise Mobility Protect
Support for Microsoft Intune: Customers using Microsoft Intune to manage endpoints (such as workstations and mobile devices) can now use Venafi Trust Protection Platform to manage all issued certificates in a single place. Microsoft Intune can configure endpoints to request certificates from Trust Protection Platform for purposes such as VPN, Wi-Fi, and email. Endpoints request certificates via the Simple Certificate Enrollment Protocol (SCEP), and for each request Trust Protection Platform performs additional validation of the request with Microsoft Intune.
Report for certificates with identical attributes: A new report to easily find mis-issued certificates with identical attributes is now available. Having more than one user or device certificate for the same purpose can create a vulnerability when left unmanaged. User and device certificates with identical certificate attributes (CN, SAN Email, SAN UPN, etc.) can now be identified with this report. Administrators can configure which certificates are included for comparison and apply comparison logic to match the customer's needs. The report can be scheduled or run manually and delivered in CSV or PDF format.
Simple Certificate Enrollment Protocol (SCEP) improvements: Trust Protection Platform can now use the AES encryption algorithm to secure the payload when communicating with endpoints via SCEP. In addition, the HTTP POST method is now supported when receiving certificate requests. For compatibility, HTTP GET and the Triple DES encryption algorithm are still supported; prefer AES and POST where your endpoints allow it, since Triple DES is deprecated.
Web SDK
Custom Fields on a Certificates/Request
If a policy requires Custom Fields, a Certificates/Request must include the Custom Field value. See Certificates/Request. 36746239
Discovery/Import JSON input file
Instead of command line flags for Discovery/Import, you use a JSON input file and the Scanafi provider or standalone mode.
Protocol filter
To find certificates that use the SSL2, SSL3, TLS, TLS11, and TLS12 communication protocols, you can use GET and HEAD Certificates with the SslTlsProtocol filter.
TLS and Chain Validation filters
To filter certificates by TLS and chain validation results, you can use GET and HEAD Certificates with the TlsValidationFailure and ChainValidationFailure filters.
Swagger Log and Workflow modules
The Log and Workflow Swagger modules allow you to try the Web SDK Log and Workflow interfaces in your test environment.
Move keysets to a policy folder
SSH/MoveKeysetsToPolicy can assign keysets to a policy folder. After the move, SSH policy settings, which are independent of device policy, apply to the keysets. See SSH/MoveKeysetsToPolicy.htm.
Change a private key passphrase
To change a keyset passphrase, you can use SSH/ChangePrivateKeyPassphrase.
Applies to:
Upgrading to Venafi Trust Protection Platform 19.2.1
Summary:
Venafi Trust Protection Platform 19.2.1 introduces new functionality and several changes to existing functionality. Click here for a complete list of new features.
IMPORTANT! Before upgrading, read through this article carefully. Depending upon the version from which you're upgrading, several enhancements made over the past two years to Trust Protection Platform require that you take important steps, either before or immediately after upgrading.
CRITICAL! You MUST re-run the sample-grants.sql script after upgrading the database using the 19.2.1 upgrade script. This impacts multiple features and functionality.
Pay special attention to the list of features that have been deprecated, and to the list of features scheduled for deprecation.
For detailed upgrade steps, refer to the Readme.rtf document that is packaged with Venafi Trust Protection Platform 19.2.1 installation files.
Visit Venafi Product Life Cycle for more information about ship dates and when support for each version ends.
Delete any instances (engines) of Trust Protection Platform from the Platform tree in WebAdmin for any decommissioned Trust Protection Platform servers
A new migration framework has been implemented that can perform data migrations while services are running. Before you upgrade, delete any TPP server objects from the Platform tree in WebAdmin that have been decommissioned (but weren't removed from the Platforms tree).
Keep in mind that in large or under-resourced environments you might see slower performance for anywhere from a few minutes to a few hours while migrations continue; how long depends on the size and resources of the environment. To see whether your migrations are done, you can run this query: select * from config_contains where attribute = 'Pending Migration Task'
If no results are returned, then all migrations are complete (assuming you have turned your Venafi services back on after you upgraded to 19.2).
Deprecation of Microsoft SQL 2008 R2
Before upgrading to Trust Protection Platform 17.4 or later, verify that the Microsoft SQL Server hosting the Trust Protection Platform database is running Microsoft SQL Server 2016 SP1 with the latest patches applied.
If your Venafi database has been upgraded from older versions of Microsoft SQL, also make sure that the database compatibility level is updated. The minimum level required is 110, which is the level for SQL Server 2012 or higher. See also: ALTER DATABASE (Transact-SQL) Compatibility Level. Important note for DB version: starting in 19.4, the minimum SQL version compatible with TPP will be Microsoft SQL 2016 SP1.
For more information, see Error: "This Upgrade Is Not Allowed Due To An Incompatible Version Of SQL Server"
New Venafi Privacy Policy and changes to Telemetry collection
Starting in 19.2, the Venafi Platform now collects required telemetry data. This telemetry includes both technical and interaction data and is not personally identifiable information. For more information, please see the Venafi Privacy Policy.
POST Log REST API endpoint was updated to only support logging for custom events
In versions of TPP before 19.2, any event, including those used by Venafi product code, could be logged using the REST API. If you have a REST API integration using the POST Log endpoint, review it to ensure it is only submitting Event IDs that are within the decimal range 16777216 - 43646975.
Reconfigure custom endpoints for CDP monitoring following upgrades
Because the CRL Distribution Point (CDP) Monitoring feature was completely rewritten for scalability, performance and usability, you'll need to reconfigure any custom endpoints for CDP Monitoring following the upgrade to 19.2.
Enabling New Authentication Services allows any TPP user access to WebSDK
In order to take advantage of the new Token Authentication to WebSDK, you must enable the new Authentication Service. However, enabling the Authentication Service allows any user who can authenticate to the Venafi Platform to get a token of any scope, even if they do not have the WebSDK role added to their account.
In a future version of the platform, we plan to add entitlement controls over scopes so administrators can control which users can use which grouping of API endpoints.
New SSH policy violation feature requires post-install configuration
A new attribute in 19.2 has been added to device settings for detecting SSH policy access violations across environments. To start seeing policy violations, you must configure your environment either at the SSH Policy level or on each SSH Device.
Improved Authorized Users report data enhancements could mean a larger database
Because a new table has been added to the database in 19.2, reports are calculated in the background, so you may not see all data immediately after upgrade. If there are a lot of SSH keys in the inventory, the report could potentially contain hundreds of millions of rows. Therefore, disk space should be considered for the potential increase in the size of the database.
Passing the WebSDK API key via URL query string
The Trust Protection Platform WebSDK has historically permitted the post-authentication API key to be passed to REST methods in two different ways: as a query string parameter (i.e. ?apikey=) or as an HTTP header (i.e. X-Venafi-Api-Key). Since its introduction in 14.1, the HTTP header approach has been recommended over the query string because the latter exposes the cleartext API key value in the IIS logs of the Venafi server. Since this poses a security risk, the query string option will no longer be supported as of 19.1.
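The two WebSDK review items above (custom-only Event IDs for POST Log, and the API key belonging in the X-Venafi-Api-Key header rather than the query string) can be checked mechanically before an upgrade. The following is an added example written for this article, not Venafi code: it validates Event IDs against the range quoted above, builds header-based authentication, and scans IIS log lines for requests that still pass apikey in the query string. The IIS log lines, the POST Log payloads (only the ID field is inspected; the rest of the body shape is assumed) and the /vedsdk/ paths are constructed samples; the column positions follow the default IIS W3C field order, so check the #Fields line of your own logs.

```python
"""Pre-upgrade audit helpers for WebSDK integrations (added example, not Venafi code)."""
from urllib.parse import parse_qs

# Decimal range that POST Log still accepts in 19.2 (quoted in the note above).
CUSTOM_EVENT_MIN = 16777216
CUSTOM_EVENT_MAX = 43646975


def is_custom_event_id(event_id: int) -> bool:
    """True when the Event ID is in the custom range POST Log accepts."""
    return CUSTOM_EVENT_MIN <= int(event_id) <= CUSTOM_EVENT_MAX


def build_websdk_headers(api_key: str) -> dict:
    """Header-based key placement, the form recommended since 14.1.
    The key never goes into the URL, so it never reaches the IIS logs."""
    return {"X-Venafi-Api-Key": api_key, "Content-Type": "application/json"}


def audit_post_log_payloads(payloads) -> list:
    """Return the Event IDs that the 19.2 POST Log endpoint would reject.
    `payloads` is an iterable of dicts shaped like POST Log bodies (assumed
    shape: an 'ID' field plus free-text fields such as 'Text1')."""
    return [p["ID"] for p in payloads if not is_custom_event_id(p["ID"])]


def find_query_string_api_keys(iis_log_lines) -> list:
    """Flag IIS W3C log entries whose cs-uri-query carries an apikey parameter.
    Returns (client_ip, uri_stem) pairs so the report itself does not
    re-expose the key value. Column indexes assume the default W3C field
    order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
    cs-username c-ip ...  Adjust if your #Fields line differs."""
    hits = []
    for line in iis_log_lines:
        if line.startswith("#") or not line.strip():
            continue  # directives and blank lines
        cols = line.split()
        if len(cols) < 9:
            continue  # not a data row in the assumed layout
        uri_stem, query, client_ip = cols[4], cols[5], cols[8]
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        if any(name.lower() == "apikey" for name in params):
            hits.append((client_ip, uri_stem))
    return hits


# Constructed sample data (not real log data or real keys).
SAMPLE_PAYLOADS = [
    {"ID": 16777217, "Text1": "custom event, accepted"},
    {"ID": 1, "Text1": "product event id, rejected in 19.2"},
    {"ID": 43646976, "Text1": "one past the custom range, rejected"},
]

SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-06-01 10:00:00 10.0.0.5 GET /vedsdk/certificates/ apikey=SAMPLE-KEY-REDACTED 443 - 10.0.0.21 python-requests/2.21 - 200 0 0 31
2019-06-01 10:00:01 10.0.0.5 POST /vedsdk/log/ - 443 - 10.0.0.22 python-requests/2.21 - 200 0 0 12
2019-06-01 10:00:02 10.0.0.5 GET /vedsdk/certificates/ limit=10&APIKEY=SAMPLE-KEY-REDACTED 443 - 10.0.0.23 curl/7.64 - 200 0 0 9
"""

if __name__ == "__main__":
    print("rejected event IDs:", audit_post_log_payloads(SAMPLE_PAYLOADS))
    print("clients sending apikey in URL:", find_query_string_api_keys(SAMPLE_IIS_LOG.splitlines()))
```

Run the log scan against the IIS logs of each Venafi server before upgrading; every (client_ip, uri_stem) pair it reports is an integration that will break when the query string option stops being honored, and the key it has been sending should be treated as exposed in those logs.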
Missing issuers and chains following the upgrade
When upgrading to 19.2, you'll see root certificates automatically added to the Roots tree. You won't be able to delete roots that are the only valid issuer of a certificate in the Roots tree or Policy tree.
Certificate Revocation Monitor Service Module is disabled by default for revocation monitoring and CDP endpoint monitoring
When you upgrade, the Certificate Revocation Monitor service module is installed but not enabled. Certificate revocation monitoring and CDP endpoint monitoring will not work unless this service module is enabled on at least one engine. You can do this in Venafi Configuration Console (VCC):
In VCC:
Open the Product node and look for Certificate Revocation Monitor in the Component list.
In the Actions panel, click Enable.
If you are using an Answer XML file for automated deployments or to upgrade from 18.x to 19.1 or later, you need to update your Answer XML file to include enabling Certificate Revocation Monitor.
Trust Protection Platform 19.1 and later requires .NET Framework 4.7.2
Before upgrading to Trust Protection Platform 19.1 or later, make sure the .NET Framework is updated to 4.7.2. You can download the offline .NET 4.7.2 installer for Windows Server 2012 R2 and Windows Server 2016 here.
Venafi User Agent for Windows (AJ) version 19.1 and later requires .NET Framework 4.6.1 or higher
If you are using the Enterprise Mobility Protect User Agent for Windows (sometimes referred to as AJ), you should ensure that workstations have .NET Framework 4.6.1 or later installed before deploying the 19.1 or later version of the User Agent. This change is required to take advantage of important security enhancements in the more recent .NET Framework. This does not prevent you from upgrading servers to 19.1 or later.
Aperture Certificate Request Wizard no longer supports User Provided CSRs when Management Type is set to Provisioning
This applies to customers who have management type locked to Provisioning but also use user provided CSRs. As part of our efforts to improve automatic certificate installation (provisioning) we have made many significant changes that make the process easier. This has necessitated changes to the certificate flow so that users get a different experience when management type is set to Enrollment vs Provisioning. If you have management type locked to Provisioning your end users will no longer be able to upload User Provided CSRs (which can't be provisioned anyway) in 19.1 or later. If your users need to be able to enroll certificates with user provided CSRs you will want to either remove the policy lock for Provisioning Management Type or change the policy value to Enrollment.
Custom SSH email notifications might need to be modified on upgrade to 19.1 or later in order to function
Custom SSH email notification rules might need to be updated manually or their macros will not work when Trust Protection Platform is upgraded to 19.1 or later.
If you have copied and modified the SSH Email template channel called Email to Key Owner - SSH you will need to modify the macro of your custom email channel(s).
There are 3 locations on the plaintext version of the message where you need to replace $Event.Value1$ with $Event.Text1$
There are 3 additional locations on the HTML message version where you need to replace $Event.Value1$ with $Event.Text1$
If you are only using the read-only templates for SSH email notifications, then no action is needed.
To update the custom SSH email notifications:
Launch the Windows Administration Console (WinAdmin).
Navigate to the Logging Tree.
Expand the Channels Container.
Locate your custom SSH channel that was copied from Email to Key Owner - SSH.
Update the necessary macro strings in the Plaintext Message and HTML message tabs, replacing $Event.Value1$with $Event.Text1$ (6 locations total unless there were further modifications).
Auto Layout Manager Service Module is disabled by default for placement jobs
When you upgrade, the Auto Layout Manager service module is installed but not enabled. Device and Certificate Placement jobs won't function unless Auto Layout Manager is enabled on at least one engine in the cluster. You can do this in WebAdmin or in Venafi Configuration Console (VCC):
In WebAdmin:
After installation, launch WebAdmin and navigate to the Platform tree.
Expand the engines on which you want to enable AutoLayout Manager and click Auto Layout Manager.
Uncheck the Disable this Module option and click Save.
In VCC:
Open the Product node and look for Automatic Layout Manager in the Component list.
In the Actions panel, click Enable.
If you are using an Answer XML file for automated deployments or to upgrade from 18.x to 19.1 or later, you need to update your Answer XML file to include enabling Automatic Layout Manager.
Permissions changed for placement rules for non-master admins
Any permissions for placement rules given to non-master admins prior to upgrading to version 19.1 or later must be given again following the upgrade.
Permissions for placement rules are now managed only in Aperture (in Configuration > Placement Rules).
Database administrators may need to re-index the database after upgrading to 19.1 or later
If you're upgrading from 18.4 to 19.1 or later, there are several upgrade stages in the SQL script that delete attributes that are no longer needed by Venafi Platform. Deletion of rows can cause fragmentation of database indexes. If you already have a regularly scheduled index defragmentation plan in place, then no action is needed. However, if you do not regularly defragment Venafi Platform indexes and are noticing a performance decrease after upgrading to 19.1 or later, it is recommended that you work with your DBA to defragment your Venafi Platform database.
Enrollment of certificates with domain components is not allowed by default
Version 19.1 or later offers full-feature support for certificates with domain components. When you upgrade to 19.1 or later, policy for allowing domain components on certificates is disabled by default. Therefore, if your users are uploading user-provided CSRs with domain component attributes, you must update your policy settings to allow domain components for those folders in Aperture (only).
Last SSL/TLS validation results removed upon upgrade
Version 19.1 or later introduces new dedicated validation tables in the database for SSL/TLS validation results. Existing validation results are not migrated to the new validation tables. For certificates that have validation enabled, Trust Protection Platform will re-populate SSL/TLS validation results after the next daily validation.
SSL/TLS validation results can no longer be read with POST Config/Read via REST API
If you are using the Config WebSDK to read validation results, you will need to update to the new WebSDK calls in 19.1 or later to continue to read validation data. The new REST API endpoint is:
GET Certificates/{guid}/ValidationResults
All Adaptable scripts will be blocked from working until they are re-saved in the web UI
To increase the security of the Venafi Platform, the system now securely stores the last known good hash of all the Adaptable PowerShell scripts. This prevents unauthorized edits of the adaptable scripts by Windows Server Administrators from being automatically executed by the Venafi Platform. Therefore, on upgrade, all adaptable scripts will stop processing.
NOTE If you are upgrading from version 18.4, this change only applies to Adaptable Workflow. This is because all other Adaptable solutions were updated in 18.4.
After upgrading to version 19.2, but before restarting the Venafi Platform Windows services, do the following:
Confirm that the correct (and the exact same) version of the script is on all Venafi servers in the cluster.
Using either WebAdmin or Aperture (depending on the feature), re-open the screen where you specify the Adaptable PowerShell script, and then re-save the page.
Start the Venafi Platform Windows services.
New updates to Adaptable solutions need to be manually replicated on all servers in the cluster and will also require administrator acknowledgement whenever the associated PowerShell script changes.
For more information, see: Protecting against unapproved changes to Adaptable scripts.
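The first post-upgrade step above is to confirm that every server in the cluster holds the exact same version of each Adaptable script before you re-save it in the UI. The following is an added example for this article, not Venafi code: it hashes each server's copy of a script, reports any server whose copy differs from the majority, and mirrors the platform's own rule that only the acknowledged version may run. The hash algorithm the platform uses is not stated above, so SHA-256 is an assumption here; the script bodies and server names are constructed samples standing in for files read from each engine.

```python
"""Cluster-wide consistency check for Adaptable PowerShell scripts (added example, not Venafi code)."""
import hashlib


def script_digest(content: bytes) -> str:
    """Hex digest of a script body. SHA-256 is assumed for illustration; the
    platform's actual algorithm is not documented above."""
    return hashlib.sha256(content).hexdigest()


def find_divergent_servers(scripts_by_server: dict) -> dict:
    """Compare one Adaptable script as found on every server in the cluster.
    Returns {} when all copies are byte-identical (safe to re-save in the UI);
    otherwise a map of server -> digest for every copy that disagrees with the
    majority, i.e. the copies to replace before re-saving. Note that a CRLF vs
    LF difference alone is enough to make two copies diverge."""
    digests = {server: script_digest(body) for server, body in scripts_by_server.items()}
    if not digests:
        return {}
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    majority = max(counts, key=counts.get)  # the most common copy is treated as intended
    return {server: d for server, d in digests.items() if d != majority}


def is_approved(content: bytes, approved_digest: str) -> bool:
    """Mirror of the platform's rule: a script runs only while its hash equals
    the last-known-good hash stored when an administrator saved it."""
    return script_digest(content) == approved_digest


# Constructed sample script bodies (not a real Adaptable script).
GOOD_SCRIPT = (
    b"param($Context)\r\n"
    b"# constructed sample Adaptable script body\r\n"
    b"return @{ Result = 'ok' }\r\n"
)
EDITED_SCRIPT = GOOD_SCRIPT + b"# edited locally on one server after the last save\r\n"

SAMPLE_CLUSTER = {
    "tpp-engine-01": GOOD_SCRIPT,
    "tpp-engine-02": GOOD_SCRIPT,
    "tpp-engine-03": EDITED_SCRIPT,
}

if __name__ == "__main__":
    divergent = find_divergent_servers(SAMPLE_CLUSTER)
    if divergent:
        print("fix these copies before re-saving:", sorted(divergent))
    else:
        print("all copies identical; re-save the script in WebAdmin/Aperture")
```

In practice you would populate the dictionary by reading the script file from each engine (for example over a file share or a remoting session) and run the check once per Adaptable script; any server listed in the result has a copy that would fail the platform's hash check once the majority version is re-saved.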
Special 19.2 upgrade steps for Server Agent for Windows using Agent Upgrade work
NOTE These instructions also apply if you are upgrading to server agent 19.1 or later directly from a version of server agent 18.1 or older
NOTE If you upgrade your Venafi Server Agents by re-deploying the MSI then you can skip this section.
Microsoft Visual C++ 2013 Redistributable end-of-mainstream support occurred on April 9, 2019. Venafi Server Agent for Windows versions 18.3 and newer already include the Microsoft Visual C++ 2017 runtime, but versions 18.2 and older do not.
To upgrade your Server Agents running on Windows from version 18.1 or older to version 18.2 or later, you must do one of the following:
Upgrade your Venafi Platform Server to version 18.2, 18.3, or 18.4 first. Then upgrade your Venafi Server Agents (on Windows) using Agent Upgrade work in Aperture. Once the agents are upgraded to 18.2, 18.3, or 18.4 and have reported back to the Venafi Platform server as upgraded, you can upgrade your Venafi Platform servers to version 19.1 or later and proceed to upgrade the Server Agents (on Windows) to 19.1 or later (with the Server Agent version being less than or equal to the Trust Protection Platform server version) using Agent Upgrade work.
NOTE The Agent Upgrade Configuration feature upgrades Server Agents to match the current version of your Trust Protection Platform server. If your Trust Protection Platform server is already at version 19.1 or later, then you must use the following method to upgrade your Windows-based Server Agents.
After upgrading your Venafi Trust Protection Platform server to version 19.1 or later, use the Server Agent for Windows installation file to upgrade the agents to 19.1 or later. The agent installation file can be deployed manually or by using automated tools such as SCM, Puppet, etc.
References:
https://docs.microsoft.com/en-us/visualstudio/productinfo/vs-servicing-vs
https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20Studio%202013
Server Agent clears internal event log store (Events.sq3) when you upgrade to 19.1 or later
During the upgrade to Server Agent 19.1 or later, the agent's internal events log is cleared. This applies to Server Agent on all operating systems. The logs will begin to accumulate again after a successful upgrade to 19.1 or later. This does not affect events that are written to SysLog or Windows Events.
Potential longer upgrade time if upgrading from 18.3 or earlier
Due to the re-write of the work queue framework, existing queued actions against certificates and keys must be migrated to the new framework. If there is a significant amount of pending actions in the system at the time of upgrade, you might experience longer than normal upgrade times. For example, if you have 20,000 queued actions when you upgrade, the upgrade time will take approximately five minutes longer to make the migration.
If you are upgrading from version 18.2 or earlier, significant changes made in Trust Protection Platform affect how the database stores vaults and references to objects. These changes require a migration of how data is stored in the database. Depending on the size of your database, and the configuration of AlwaysOn, you can expect the SQL migration scripts to take from 10 to 25 minutes longer than usual for larger deployments.
Unix/Linux Server Agent now setting file permissions on installed certificate keystores
Previous versions of the Venafi Platform and Server Agent did not honor permission configuration of certificate keystores when installed by the Server Agent.
Starting with version 18.4, these permission configurations for certificate installation for Unix/Linux agents will be honored. Therefore, you should verify that the permissions that you have in place are correct.
Your users can now request additional SAN types in Aperture
In previous versions of Venafi Platform, Aperture only supported DNS SANs to be requested on a certificate. Beginning with 18.3, in addition to DNS SANs, Aperture now supports IP, URI, UPN, and email SAN types. If you don't want your users to be able to request these types of SANs, or if you are concerned that they might be confused by the new options, visit your Certificate Policy settings in Aperture to disable the use of specific SAN types.
SSH Self-Service Keys feature replaces External Key feature
Beginning with version 18.3, the new Self-Service Keys feature has replaced the External Keys feature. Therefore, after upgrading, you can no longer create external keys. Instead, create self-service keys. This is typically done when you're resolving orphaned keys or when you have a user with a device that is not in the Trust Protection Platform inventory. After upgrading, you'll have the option of migrating each external key to a self-service key (from the Keyset Details page in Aperture).
User Portal now shows the current version of certificates
Beginning in version 18.3, your users can now request and download certificates, including previous versions, directly from the portal. In addition, the user experience has been improved through significant visual enhancements.
NOTE Because of these enhancements, some of the product terminology has been updated; so if you have customized the terminology or styles in your implementation of the User Portal, you should revisit and update your customization to match these changes. For more information, visit https://support.venafi.com/hc/en-us/articles/228093008.
Amazon integrations updated to leverage new credential type
Prior to the 18.3 release, password credentials were used to configure different Amazon integrations, such as Certificate Authority, Provisioning Driver, and AWS EC2 Instance Monitoring. During the upgrade from 18.2 or earlier, these integrations are migrated automatically so that they leverage the new Amazon credential type. However, if you have any WebSDK integrations that automate creating or editing these types of objects in Trust Protection Platform, you'll need to update your WebSDK integration. This is because these integrations now require the use of the Amazon Credential type in order to support ADFS SAML authentication into Amazon Web Services.
Permissions updated for running Server Agent on Linux/Unix
The permissions that the Server Agent installs with have been updated. Specifically, user and group permissions have been updated so that they are set to 0 (where in some places they were previously set to 5). Therefore, if you had non-root users interacting with the Server Agent prior to upgrading from 18.2 or earlier, you might need to revisit their sudo permissions after the latest version of the Server Agent is installed.
System must provide iconv functionality for Server Agents running on Linux
In previous versions, Server Agent implemented its own iconv functionality. Beginning with Venafi Platform version 18.3, Server Agent requires that your system libc provides the iconv functionality. You should make sure that iconv is available before upgrading either Trust Protection Platform or Server Agent. Current versions of glibc (The GNU C Library) provide the required functionality. The required files should be installed as part of the glibc package.
Workflow approval logs
Beginning with release 18.2, permissions were added and are now required in order to see the approval and rejection logs in WebAdmin. On upgrade, only Master Admins will have permission to see the log. If there are approvers or other users that should see these special log views, you will need to give those users and groups view/read permissions.
Workflow approver update interval has been modified
In versions 18.1 or earlier of the Venafi Platform, if the approvers for a workflow changed for an existing workflow ticket, the ticket would be deleted and recreated so that the updated approver could act on the workflow ticket. In order to improve the scalability and stability of the platform when there are many outstanding workflow tickets requiring approval, the interval for updating existing tickets has changed from 1 minute to 4 hours. Therefore, if the approver changes, it will take Venafi Platform approximately 4 hours to respond to updates regarding who the approvers are for existing workflow tickets.
Referrer and origin checking
To enhance the security of the web consoles, both Aperture and WebAdmin have been enhanced to check that the Referer or the Origin HTTP header is not null. In addition, if either header has a non-null value, its fully qualified domain name must match the fully qualified domain name of the Venafi Platform server hosting the web console. Some corporate proxies are configured to remove or modify the Referer and/or Origin header. Some users may install browser plugins/extensions that also remove or modify the Referer/Origin. After upgrade, users or organizations in these situations will experience issues with the web UI consoles.
If you are getting a 403 Forbidden error in either Aperture or WebAdmin, then your organization or specific user likely has a browser plugin or corporate proxy that is stripping out both referrer and origin information from HTTP headers. For information on how to troubleshoot this issue, visit:
https://docs.venafi.com/Docs/18.2/TopNav/Content/Aperture/tr-aperture-tpp.php
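The rule described above (reject when both headers are absent; when either is present, its host must equal the console server's FQDN) is small enough to reproduce, which helps when triaging a 403 by replaying the headers a user's browser actually sent. The following is an added example for this article, not the Venafi implementation: it evaluates a request's Referer and Origin headers against a server FQDN and returns the 403/200 outcome together with the reason. The server name and the sample requests are constructed.

```python
"""Referer/Origin check for the web consoles (added example, not the Venafi implementation)."""
from urllib.parse import urlsplit

SERVER_FQDN = "tpp.example.com"  # constructed; the FQDN of the server hosting the console


def _host_of(header_value):
    """Lowercase hostname from a Referer or Origin value, or None when the value
    carries no host (missing header, or the literal 'null' origin a browser
    sends for opaque origins)."""
    if not header_value:
        return None
    return urlsplit(header_value).hostname  # already lowercased by urlsplit


def check_referrer_origin(headers: dict, server_fqdn: str = SERVER_FQDN):
    """Return (allowed, reason). Header names are matched case-insensitively.
    Rule: at least one of Referer/Origin must be present, and every present
    value must name the console server's FQDN."""
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    origin = lowered.get("origin")
    if not referer and not origin:
        return False, "both Referer and Origin are missing (stripped by a proxy or browser extension?)"
    expected = server_fqdn.lower()
    for name, value in (("Origin", origin), ("Referer", referer)):
        if value:
            host = _host_of(value)
            if host != expected:
                return False, f"{name} host {host!r} does not match {expected!r}"
    return True, "ok"


def status_code(headers: dict, server_fqdn: str = SERVER_FQDN) -> int:
    """HTTP status the console would answer with under the rule above."""
    return 200 if check_referrer_origin(headers, server_fqdn)[0] else 403


def triage(requests: list, server_fqdn: str = SERVER_FQDN) -> list:
    """Evaluate a list of (label, headers) pairs, returning (label, status, reason)."""
    out = []
    for label, headers in requests:
        allowed, reason = check_referrer_origin(headers, server_fqdn)
        out.append((label, 200 if allowed else 403, reason))
    return out


# Constructed sample requests as a browser might send them.
SAMPLE_REQUESTS = [
    ("normal browser", {"Referer": "https://tpp.example.com/aperture/", "Origin": "https://tpp.example.com"}),
    ("referer only, mixed case host", {"Referer": "https://TPP.Example.com/vedadmin/"}),
    ("proxy stripped both headers", {"User-Agent": "Mozilla/5.0"}),
    ("opaque origin", {"Origin": "null"}),
    ("other site", {"Origin": "https://other.example.org"}),
]

if __name__ == "__main__":
    for label, status, reason in triage(SAMPLE_REQUESTS):
        print(f"{status} {label}: {reason}")
```

When a user reports a 403, capture the request headers from the browser's developer tools and feed them through triage(): the reason string distinguishes the "stripped by proxy or extension" case, which is fixed on the client side, from a genuine FQDN mismatch, which points at the hostname users are reaching the console through.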
WebSDK integrations for Disabled and In Error
In order to optimize performance for certain certificate queries, Disabled and In Error were promoted from being attributes within the config_contains tables to permanent columns within the config_objects table. Even though all parts of the product, including WebSDK, were updated to ensure that this was a safe change, it is highly recommended that customers spend more time testing their WebSDK integrations in lower environments before upgrading to production in 18.2.
Master admins permissions changed
Beginning with version 18.2, Master Admins can no longer have their permissions accidentally or intentionally removed at certain locations in the Policy tree. This change occurred because of the number of customers unintentionally making changes to the permissions of Master Admin accounts that resulted in a call to a Venafi Support Engineering in order to reverse the problem. Adding extra permissions to Master Admins causes considerable slowdowns for Aperture, WebAdmin, and Custom Reports created by that user. By completely removing the ability to change Master Admins permissions in subsets of the tree, all Master Admins will see an increased performance benefit. It is important to note that when managing permissions, it is still possible to add Master Admins to the permissions control for a specific object and its children, but those permissions assignments will be ignored.
AWS certificate installation/provisioning driver changes it default provisioning behavior
Beginning with version 18.2, the default behavior of the Amazon Web Services certificate installation and provisioning driver changed in the way that it provisions non-Amazon issued certificates. By default, certificates are now provisioned to the Amazon Certificate Manager (ACM) store instead of the IAM store. However, you can still provision certificates to the IAM store if you modify the Provision To setting.
Generally, Venafi does not change default behavior because it can create issues; however, in order to align Venafi Platform functionality with Amazon's own recommendations, an exception was made:
ACM is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. Certificates provided by ACM are free and automatically renew. You can use ACM to manage server certificates from the console or programmatically. For more information about using ACM, see the AWS Certificate Manager User Guide.
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
Supported/compatible browsers changed
In order to bring greater parity between the web browsers supported by Venafi and the web browsers used by Venafi customers, we have updated support for Google's Chrome browser from compatible to supported.
In addition, we have changed support of Mozilla Firefox from supported to compatible, and beginning with Venafi Platform version 18.2, we have updated the already compatible Firefox ESR version to Firefox ESR 60 and ESR 68.
Server Agent: Remote Mount Point Scanning
In previous versions of the Server Agent, NFS and CIFS mount points on Windows and *NIX operating systems were always scanned, even when not configured to do so. Beginning with Trust Protection Platform 18.2, Server Agent properly honors the agent certificate discovery work configuration as to whether to scan NFS and CIFS mount points or not. In addition, specific detection has been added for file systems mounted via NTFS junction points and their scanning is controlled via the same expanded option. If you use Server Agent to do certificate discovery, you should review your work definition with regards to the configuration of the scanned systems.
NOTE The *NIX portion of this fix was introduced in the 18.1 version of the Server Agent. The Windows portion of the fix was introduced in the 18.2 version of the Server Agent.
18.2 User Agent for macOS and Windows requires Venafi Platform 18.2 or later
While our general rule is that the Venafi Platform must be the same version or newer than the User Agent, we are specifically calling it out this release because of the overhaul done in this specific version. With the introduction of macOS and non-domain-joined Windows support, new APIs were introduced that require a Venafi Platform 18.2 or higher server for successful communication. Older versions of User Agent will still function with a Venafi Platform 18.2 server.
Deprecation of Windows Server 2008 R2
With the release of Trust Protection Platform 17.4, support for Windows Server 2008 R2 was removed. Trust Protection Platform 18.1 and 18.2 take advantage of new functionality available in Windows Server 2012 and 2016. Therefore, you can no longer install Trust Protection Platform on Windows Server 2008 R2. You must upgrade or replace your Windows systems with Windows 2012 R2 or Windows 2016 servers before attempting to upgrade to Trust Protection Platform 18.1 or 18.2.
Venafi Advanced Key Protect required for HSM Remote Key Generation
If you have been provisioning certificates with keys remotely generated in a Gemalto SafeNet HSM and want to continue doing so, you must enable Advanced Key Protect after upgrading to Trust Protection Platform 18.1 or later.
Upgrade process - Windows Services
Beginning with version 18.1 Venafi Platform includes a new and enhanced install and upgrade process. Following an upgrade, the new installer does not start Venafi Windows Services automatically. Instead, use the new Venafi Configuration Console on the Product node to start and stop services.
https://support.venafi.com/hc/en-us/articles/115001662292
Upgrade process - Windows Authentication to SQL Server
In previous versions of Trust Protection Platform, when using Windows Authentication for communicating with the Venafi MSSQL Server, the Windows user who performed the Trust Protection Platform upgrade was also required to have appropriate permissions for database access. However, starting with Trust Protection Platform 18.1, this is no longer true. This is because the newly enhanced installation and upgrade process allows database communication to be proxied through the database credentials specified at installation.
Server Agent: RPM files are now signed
Starting with Server Agent 18.1, Server Agent RPM files are now signed with an RPM V4 signature. In order to properly validate the RPM files before installation or upgrade, import the Venafi RPM signing key before installation/upgrade. Validation of RPM V4 signatures might fail on versions of RHEL that are earlier than 6.0. In addition, if you customize the RPM, the signature will no longer be valid.
Oracle Access Manager/SSO Authentication Refactor
The Oracle Access Manager integration, used where Trust Protection Platform is configured to authenticate via custom header attributes, was refactored in 17.4 and renamed Pass-through Authentication. If you are integrating with Oracle Access Manager, Siteminder, or any other Single-Sign-On solution that integrates via custom HTTP headers, you will need to update your configuration before the integration will work on 17.4.
For more information, see Pass-Through Authentication For SSO Updated In 17.4.
DigiCert CA platform support
The DigiCert integration driver was updated in 17.3 to support CertCentral. It no longer supports the legacy Enterprise platform. If you are currently using the Enterprise platform, please coordinate with DigiCert to migrate to the new CertCentral platform before upgrading to 18.2 or later.
DataPower integration support
The DataPower integration driver was updated in 17.3 to support the new REST interface available on newer versions of DataPower. If you are using older versions that support the legacy SSH Command Line Interface (CLI), consider upgrading so that you can take advantage of new functionality in the integration. Legacy versions using SSH CLI are expected to continue to work but are no longer actively tested.
Deprecated functionality:
Click here for the latest KB listing deprecated functionality in the current and past versions of Trust Protection Platform: https://support.venafi.com/hc/en-us/articles/115001578651
Functionality scheduled for deprecation in future releases:
Click here for the latest KB article on features scheduled for deprecation in future releases of Trust Protection Platform:
Applies to:
Upgrading to Venafi Trust Protection Platform 19.3.
Summary:
Venafi Trust Protection Platform 19.3 introduces new functionality and several changes to existing functionality. Click here for a complete list of new features.
IMPORTANT! Before upgrading, read through this article carefully. Depending upon the version from which you're upgrading, several enhancements made over the past two years to Trust Protection Platform require that you take important steps, either before or immediately after upgrading.
CRITICAL! You MUST re-run the sample-grants.sql script after upgrading the database using the 19.3 upgrade script. This impacts multiple features and functionality.
Pay special attention to the list of features that have been deprecated, and to the list of features scheduled for deprecation.
For detailed upgrade steps, refer to the Readme.rtf document that is packaged with Venafi Trust Protection Platform 19.3 installation files.
Visit Venafi Product Life Cycle for more information about ship dates and when support for each version ends.
API/DevOps Integrations: Custom Fields for Certificates/Request The POST Certificates/Request method was updated to allow callers to specify Custom Field values at the same time as they request a certificate. Upgrade issue: required Custom Fields are now enforced on this request.
SSH: Keyset-based Policies Ability to assign keysets to a specific policy and enforce policy values based on the keyset policy. (Database change.)
Venafi Server Agent on Windows Beginning with version 19.3, Venafi Server Agent is dependent on .NET 4.0 or later for proper operation on Microsoft Windows operating systems. Please ensure .NET 4.0 or later is installed on the system PRIOR to upgrading your Venafi Server Agents on Windows OS devices, or the agent will cease to function.
Venafi Server Agent operations with CAPI keystores Beginning with version 19.3, the Venafi Server Agent will obey IIS server bindings settings when provisioning CAPI certificates. These settings were ignored in prior versions. In case the IIS settings on such CAPI application objects were configured with incorrect data prior to the upgrade, that data will be used when performing new installation from these application objects unless corrected.
Venafi Server Agent on Unix/Linux backup file ownership/permissions When installing certificates to keystores on Unix/Linux and the option to set file ownership and permissions is set, the backup keystore file will be created with the same owner and permissions set to the newly installed keystore. Prior versions always kept the backup file owner as the user under which the server agent was running.
Changes in Workflow In 19.3 we changed how workflow configuration objects are stored. Before the rule was stored in a way that limited command injection to 1000 characters. Now there is no theoretical limit (However, we tested in house with 10,000 characters). Because of these changes to how workflow objects are saved:
If you have a custom workflow VSE (Venafi Software Extension) from our Professional Services team, you will want to have your workflow driver migrated to an Adaptable Workflow script BEFORE upgrading to 19.3
If you are using REST API to create workflow objects (not common), then you will need to update your scripts upon upgrading to 19.3 to store the workflow rule attribute in a secret store vault instead of a config attribute.
Delete any instances (engines) of Trust Protection Platform from the Platform tree in WebAdmin for any decommissioned Trust Protection Platform servers A new migration framework has been implemented that can perform data migrations while services are running. Before you upgrade, delete any TPP server objects from the Platform tree in WebAdmin that have been decommissioned (but weren't removed from the Platform tree).
Keep in mind that in large or under-resourced environments you might see slower performance, from a few minutes to a few hours, while migrations continue; the duration depends on the size and resources of the environment. To see whether your migrations are done, execute this query: select * from config_contains where attribute = 'Pending Migration Task'
If no results are returned, then all migrations are complete (assuming you have turned your services back on after you upgraded to 19.2).
New Venafi Privacy Policy and changes to Telemetry collection Starting in 19.2, the Venafi Platform now collects required telemetry data. This telemetry includes both technical and interaction data and is not personally identifiable information. For more information, please see the Venafi Privacy Policy.
POST Log REST API endpoint was updated to only support logging for custom events In previous versions of TPP before 19.2, any event, including those that are used by Venafi Product code, could be logged using the REST API. If you have a REST API integration using the POST Log endpoint, review it to ensure it is only submitting Event IDs that are within the decimal range of 16777216 - 43646975.
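A pre-flight check for the review described above, as an added example that is not part of the article or Venafi's code: it partitions a batch of constructed POST Log payloads into those inside the custom event range and those the 19.2 endpoint would reject. The payload field name "ID" is assumed for illustration.

```python
"""Audit POST Log payloads against the custom event ID range (added example, not Venafi code)."""

CUSTOM_EVENT_ID_MIN = 16777216   # 0x01000000, lowest custom event ID per the article
CUSTOM_EVENT_ID_MAX = 43646975   # 0x0299FFFF, highest custom event ID per the article


def is_custom_event_id(event_id):
    """Return True when event_id is an integer inside the custom range, inclusive."""
    return isinstance(event_id, int) and CUSTOM_EVENT_ID_MIN <= event_id <= CUSTOM_EVENT_ID_MAX


def audit_log_payloads(payloads):
    """Split payloads into (accepted, rejected).

    Each rejected entry is a (payload, reason) pair so the integration owner can
    see which product-owned or malformed IDs must be replaced before upgrading.
    The "ID" field name is an assumption for this example.
    """
    accepted, rejected = [], []
    for payload in payloads:
        event_id = payload.get("ID")
        if event_id is None:
            rejected.append((payload, "missing event ID"))
        elif not is_custom_event_id(event_id):
            rejected.append((payload, "event ID %r is outside the custom range" % (event_id,)))
        else:
            accepted.append(payload)
    return accepted, rejected


# Constructed sample batch: two custom events and two IDs outside the range.
SAMPLE_PAYLOADS = [
    {"ID": 16777216, "Text1": "custom app: deploy started"},
    {"ID": 43646975, "Text1": "custom app: deploy finished"},
    {"ID": 65536, "Text1": "reuses an ID below the custom range"},
    {"ID": 43646976, "Text1": "one past the top of the custom range"},
]

if __name__ == "__main__":
    ok, bad = audit_log_payloads(SAMPLE_PAYLOADS)
    print("accepted:", len(ok))
    for payload, reason in bad:
        print("rejected:", payload.get("ID"), "-", reason)
```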
Reconfigure custom endpoints for CDP monitoring following upgrades Because the CRL Distribution Point (CDP) Monitoring feature was completely rewritten for scalability, performance and usability, you'll need to reconfigure any custom endpoints for CDP Monitoring following the upgrade to 19.2.
Enabling New Authentication Services allows any TPP user access to WebSDK In order to take advantage of the new Token Authentication to WebSDK, you must enable the new Authentication Service. However, enabling the Authentication Service allows any user who can authenticate to the Venafi Platform to get a token of any scope, even if they do not have the WebSDK role added to their account.
In a future version of the platform, we plan to add entitlement controls over scopes so administrators can control which users can use which grouping of API endpoints.
New SSH policy violation feature requires post-install configuration A new attribute in 19.2 has been added to device settings for detecting SSH policy access violations across environments. To start seeing policy violations, you must configure your environment either on the SSH Policy level or on each SSH Device.
Improved Authorized Users report data enhancements could mean a larger database Because a new table has been added to the database in 19.2, reports are calculated in the background, so you may not see all data immediately after upgrade. If there are a lot of SSH keys in the inventory, the report could potentially contain hundreds of millions of rows. Therefore, disk space should be considered for the potential increase in the size of the database.
Passing the WebSDK API key via URL query string The Trust Protection Platform WebSDK has historically permitted the post-authentication API key to be passed to REST methods in two different ways: as a query string parameter (i.e. ?apikey=) or as an HTTP header (i.e. X-Venafi-Api-Key). Since its introduction in 14.1, the HTTP header approach has been recommended over the query string because the latter exposes the cleartext API key value in the IIS logs of the Venafi server. Since this poses a security risk, the option will no longer be supported as of 19.1.
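A helper for reviewing an integration's requests before the 19.1 upgrade, as an added example that is not part of the article or Venafi's code: it reports requests that still carry ?apikey= in the URL and rewrites them so the key travels only in the X-Venafi-Api-Key header. Requests are plain dicts, the URL paths and key value are placeholders, and nothing is sent over the network.

```python
"""Move a WebSDK API key from the query string to the header (added example, not Venafi code)."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

API_KEY_HEADER = "X-Venafi-Api-Key"   # header form named in the article
API_KEY_QUERY_PARAM = "apikey"        # query-string form unsupported as of 19.1


def find_api_key_in_query(url):
    """Return the apikey query value if the URL carries one (name matched case-insensitively), else None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() == API_KEY_QUERY_PARAM:
            return value
    return None


def move_api_key_to_header(request):
    """Return a copy of the request with the API key only in the header.

    Any apikey query parameter is dropped from the URL and copied to
    X-Venafi-Api-Key unless that header is already set, in which case the
    existing header value is kept.
    """
    parts = urlsplit(request["url"])
    kept, key_from_query = [], None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == API_KEY_QUERY_PARAM:
            key_from_query = value
        else:
            kept.append((name, value))
    headers = dict(request.get("headers", {}))
    if key_from_query is not None and API_KEY_HEADER not in headers:
        headers[API_KEY_HEADER] = key_from_query
    return {"url": urlunsplit(parts._replace(query=urlencode(kept))), "headers": headers}


def audit_requests(requests_):
    """List URLs (query string removed, so the key is never echoed) that still use the query-string form."""
    findings = []
    for req in requests_:
        if find_api_key_in_query(req["url"]) is not None:
            findings.append(req["url"].split("?", 1)[0] + " (apikey in query string)")
    return findings


# Constructed sample request with a placeholder key; the /vedsdk/ path is an assumption.
SAMPLE_REQUEST = {
    "url": "https://tpp.example.com/vedsdk/certificates/?limit=10&apikey=PLACEHOLDER-KEY",
    "headers": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for finding in audit_requests([SAMPLE_REQUEST]):
        print("needs update:", finding)
    print("rewritten:", move_api_key_to_header(SAMPLE_REQUEST))
```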
Missing issuers and chains following the upgrade When upgrading to 19.2, you'll see root certificates automatically added to the Roots tree. You won't be able to delete roots that are the only valid issuer of a certificate in the Roots tree or Policy tree.
Certificate Revocation Monitor Service Module is disabled by default for revocation monitoring and CDP endpoint monitoring When you upgrade, the Certificate Revocation Monitor service module is installed but not enabled. Certificate revocation monitoring and CDP endpoint monitoring will not work unless this service module is enabled on at least one engine. You can do this in Venafi Configuration Console (VCC):
In VCC:
Open the Product node and look for Certificate Revocation Monitor in the Component list.
In the Actions panel, click Enable.
If you are using an Answer XML file for automated deployments or to upgrade from 18.x to 19.1 or later, you need to update your Answer XML file to include enabling Certificate Revocation Monitor.
Trust Protection Platform 19.1 and later requires .NET Framework 4.7.2
Before upgrading to Trust Protection Platform 19.1 or later, make sure the .NET Framework is updated to 4.7.2. You can download the offline .NET 4.7.2 installer for Windows Server 2012 R2 and Windows Server 2016 here.
Venafi User Agent for Windows (AJ) version 19.1 and later requires .NET Framework 4.6.1 or higher
If you are using the Enterprise Mobility Protect User Agent for Windows (sometimes referred to as AJ), you should ensure that workstations have .NET Framework 4.6.1 or later installed before deploying the 19.1 or later version of the User Agent. This change is required to take advantage of important security enhancements of the more updated .NET framework. This does not prevent you from upgrading servers to 19.1 or later.
Aperture Certificate Request Wizard no longer supports User Provided CSRs when Management Type is set to Provisioning
This applies to customers who have management type locked to Provisioning but also use user provided CSRs. As part of our efforts to improve automatic certificate installation (provisioning) we have made many significant changes that make the process easier. This has necessitated changes to the certificate flow so that users get a different experience when management type is set to Enrollment vs Provisioning. If you have management type locked to Provisioning your end users will no longer be able to upload User Provided CSRs (which can't be provisioned anyway) in 19.1 or later. If your users need to be able to enroll certificates with user provided CSRs you will want to either remove the policy lock for Provisioning Management Type or change the policy value to Enrollment.
Custom SSH email notifications might need to be modified on upgrade to 19.1 or later in order to function
Custom SSH email notification rules might need to be updated manually or their macros will not work when Trust Protection Platform is upgraded to 19.1 or later.
If you have copied and modified the SSH Email template channel called Email to Key Owner - SSH you will need to modify the macro of your custom email channel(s).
There are 3 locations on the plaintext version of the message where you need to replace $Event.Value1$ with $Event.Text1$
There are 3 additional locations on the HTML message version where you need to replace $Event.Value1$ with $Event.Text1$
If you are only using the read-only templates for SSH email notifications, then no action is needed.
To update the custom SSH email notifications:
Launch the Windows Administration Console (WinAdmin).
Navigate to the Logging Tree.
Expand the Channels Container.
Locate your custom SSH channel that was copied from Email to Key Owner - SSH.
Update the necessary macro strings in the Plaintext Message and HTML message tabs, replacing $Event.Value1$ with $Event.Text1$ (6 locations total unless there were further modifications).
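The macro update from the steps above, as an added example that is not part of the article or Venafi's code: it rewrites $Event.Value1$ to $Event.Text1$ in both message bodies of a copied channel and flags the channel for manual review when a body does not contain exactly the three occurrences the article expects. The template bodies below are constructed stand-ins, not Venafi's template text.

```python
"""Migrate custom SSH email channel macros for 19.1 (added example, not Venafi code)."""

OLD_MACRO = "$Event.Value1$"
NEW_MACRO = "$Event.Text1$"
EXPECTED_PER_MESSAGE = 3   # occurrences per message body in an unmodified copy, per the article


def migrate_macro(text):
    """Return (updated_text, replacements_made) for one message body."""
    count = text.count(OLD_MACRO)
    return text.replace(OLD_MACRO, NEW_MACRO), count


def migrate_channel(plaintext, html):
    """Migrate both message bodies of one channel.

    The returned 'review' flag is set when either body held a number of
    occurrences other than three, which means the copy was modified further
    than a plain duplicate and should be checked by hand after migration.
    """
    new_plain, n_plain = migrate_macro(plaintext)
    new_html, n_html = migrate_macro(html)
    return {
        "plaintext": new_plain,
        "html": new_html,
        "plaintext_replacements": n_plain,
        "html_replacements": n_html,
        "review": n_plain != EXPECTED_PER_MESSAGE or n_html != EXPECTED_PER_MESSAGE,
    }


# Constructed sample bodies for a channel copied from "Email to Key Owner - SSH".
SAMPLE_PLAINTEXT = (
    "Key owner notice for $Event.Value1$\n"
    "Keyset: $Event.Value1$\n"
    "Please review $Event.Value1$ before the deadline.\n"
)
SAMPLE_HTML = (
    "<p>Key owner notice for $Event.Value1$</p>"
    "<p>Keyset: $Event.Value1$</p>"
    "<p>Please review $Event.Value1$ before the deadline.</p>"
)

if __name__ == "__main__":
    result = migrate_channel(SAMPLE_PLAINTEXT, SAMPLE_HTML)
    print("plaintext replacements:", result["plaintext_replacements"])
    print("html replacements:", result["html_replacements"])
    print("manual review needed:", result["review"])
```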
Auto Layout Manager Service Module is disabled by default for placement jobs When you upgrade, the Auto Layout Manager service module is installed but not enabled. Device and Certificate Placement jobs won't function unless Auto Layout Manager is enabled on at least one engine in the cluster. You can do this in WebAdmin or in Venafi Configuration Console (VCC):
In WebAdmin:
After installation, launch WebAdmin and navigate to the Platform tree.
Expand the engines on which you want to enable AutoLayout Manager and click Auto Layout Manager.
Uncheck the Disable this Module option and click Save.
In VCC:
Open the Product node and look for Automatic Layout Manager in the Component list.
In the Actions panel, click Enable.
If you are using an Answer XML file for automated deployments or to upgrade from 18.x to 19.1 or later, you need to update your Answer XML file to include enabling Automatic Layout Manager.
Permissions changed for placement rules for non-master admins Any permissions for placement rules given to non-master admins prior to upgrading to version 19.1 or later must be given again following the upgrade.
Permissions for placement rules are now managed only in Aperture (in Configuration > Placement Rules).
Database administrators may need to re-index the database after upgrading to 19.1 or later If you're upgrading from 18.4 to 19.1 or later, there are several upgrade stages in the SQL script that delete attributes that are no longer needed by Venafi Platform. Deletion of rows can cause fragmentation of database indexes. If you already have a regularly scheduled index defragmentation plan in place, then no action is needed. However, if you do not regularly defragment Venafi Platform indexes and are noticing a performance decrease after upgrading to 19.1 or later, it is recommended that you work with your DBA to defragment your Venafi Platform database.
Enrollment of certificates with domain components is not allowed by default Version 19.1 or later offers full-feature support for certificates with domain components. When you upgrade to 19.1 or later, policy for allowing domain components on certificates is disabled by default. Therefore, if your users are uploading user-provided CSRs with domain component attributes, you must update your policy settings to allow domain components for those folders in Aperture (only).
Last SSL/TLS validation results removed upon upgrade Version 19.1 or later introduces new dedicated validation tables in the database for SSL/TLS validation results. Existing validation results are not migrated to the new validation tables. For certificates that have validation enabled, Trust Protection Platform will re-populate SSL/TLS validation results after the next daily validation.
SSL/TLS validation results can no longer be read with POST Config/Read via REST API If you are using the Config WebSDK to read validation results, you will need to update to the new WebSDK call in 19.1 to continue to read validation data. The new REST API endpoint is:
GET Certificates/{guid}/ValidationResults
All Adaptable scripts will be blocked from working until they are re-saved in the web UI To increase the security of the Venafi Platform, the system now securely stores the last known good hash of all the Adaptable PowerShell scripts. This prevents unauthorized edits of the adaptable scripts by Windows Server Administrators from being automatically executed by the Venafi Platform. Therefore, on upgrade, all adaptable scripts will stop processing.
NOTE: If you are upgrading from version 18.4, this change only applies to Adaptable Workflow. This is because all other Adaptable solutions were updated in 18.4.
After upgrading to version 19.2, but before restarting the Venafi Platform Windows services, do the following:
Confirm that the correct (and the exact same) version of the script is on all Venafi servers in the cluster.
Using either WebAdmin or Aperture (depending on the feature), re-open the screen where you specify the Adaptable PowerShell script, and then re-save the page.
Start the Venafi Platform Windows services.
New updates to Adaptable solutions need to be manually replicated on all servers in the cluster and will also require administrator acknowledgement whenever the associated PowerShell script changes.
For more information, see: Protecting against unapproved changes to Adaptable scripts.
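A model of the control described above, as an added example that is not part of the article or Venafi's code: a store of approved script hashes that refuses to run a script whose current hash differs from the last acknowledged one, plus a check that every server in the cluster holds the identical script. SHA-256, the in-memory store and the sample script text are assumptions for illustration; Venafi's actual algorithm and storage are not stated on the page.

```python
"""Approved-hash gate for Adaptable scripts (added example, not Venafi code)."""
import hashlib


def script_hash(script_text):
    """SHA-256 of the script's UTF-8 bytes; any edit, including line endings, changes it."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest()


class ScriptApprovalStore:
    """In-memory stand-in for the secured store of last-known-good script hashes."""

    def __init__(self):
        self._approved = {}   # script name -> approved hex digest

    def approve(self, name, script_text):
        """Record the hash an administrator acknowledged by re-saving the page."""
        self._approved[name] = script_hash(script_text)

    def may_execute(self, name, script_text):
        """True only when the on-disk script matches the approved hash.

        With nothing approved yet (the state right after upgrade), every
        script is blocked, which is the behaviour the article describes.
        """
        return self._approved.get(name) == script_hash(script_text)


def cluster_consistency(scripts_by_server):
    """Given {server: script_text}, return the servers whose copy differs from the majority.

    An empty list means every server holds the identical script, which is the
    precondition the article asks you to confirm before re-saving.
    """
    digests = {server: script_hash(text) for server, text in scripts_by_server.items()}
    if not digests:
        return []
    all_digests = list(digests.values())
    reference = max(set(all_digests), key=all_digests.count)
    return sorted(server for server, digest in digests.items() if digest != reference)


# Constructed sample: the approved script and a copy edited outside the product on one node.
ORIGINAL_SCRIPT = 'param($Tpp)\nWrite-Output "approved"\n'
EDITED_SCRIPT = 'param($Tpp)\nWrite-Output "unapproved change"\n'

if __name__ == "__main__":
    store = ScriptApprovalStore()
    print("before re-save:", store.may_execute("workflow", ORIGINAL_SCRIPT))
    store.approve("workflow", ORIGINAL_SCRIPT)
    print("after re-save:", store.may_execute("workflow", ORIGINAL_SCRIPT))
    print("edited copy:", store.may_execute("workflow", EDITED_SCRIPT))
    print("inconsistent servers:", cluster_consistency(
        {"tpp1": ORIGINAL_SCRIPT, "tpp2": ORIGINAL_SCRIPT, "tpp3": EDITED_SCRIPT}))
```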
Special 19.1 or newer upgrade steps for Server Agent for Windows using Agent Upgrade work
NOTE: These instructions also apply if you are upgrading to server agent 19.1 or later directly from a version of server agent 18.1 or older
NOTE: If you upgrade your Venafi Server Agents by re-deploying the MSI then you can skip this section.
Microsoft Visual C++ 2013 Redistributable end-of-mainstream support occurred on April 9, 2019. Venafi Server Agent for Windows versions 18.3 and newer already include the Microsoft Visual C++ 2017 runtime in preparation for the upgrade, but versions 18.1 and older do not.
To upgrade your Server Agents running on Windows from version 18.1 or older to version 19.1 or newer you must do one of the following:
Upgrade your Venafi Platform Server to the desired version. Install the Venafi Server Agent upgrade package version 18.2, 18.3, or 18.4 on your Venafi Platform server before proceeding. Then upgrade your Venafi Server Agents (on Windows) using Agent Upgrade work in Aperture. Once the agents are upgraded to 18.2, 18.3, or 18.4 and have reported back to the Venafi Platform server as upgraded, you can upgrade the Venafi Server Agent upgrade package on your Venafi Platform servers to version 19.1 or later and proceed to upgrade the Server Agents (on Windows) to 19.1 or later using Agent Upgrade work. NOTE: The Agent Upgrade Configuration feature upgrades Server Agents to match the current version of the Venafi Server Agent upgrade package installed on your Trust Protection Platform server. If your Trust Protection Platform server already has the Venafi Server Agent upgrade package at version 19.1 or later, you must use the method below to upgrade your Windows-based Server Agents.
After upgrading both your Venafi Trust Protection Platform server and Venafi Server Agent upgrade package to version 19.1 or later, use the Server Agent for Windows installation file to upgrade any existing Venafi Server Agents on version 18.1 or older to version 19.1 or later. The agent installation file can be deployed manually or by using automated tools such as SCM, Puppet, etc.
References:
https://docs.microsoft.com/en-us/visualstudio/productinfo/vs-servicing-vs
https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20Studio%202013
Server Agent clears internal event log store (Events.sq3) when you upgrade to 19.1 or later During the upgrade to Server Agent 19.2 (or later; from a version 19.4 or older), the agent's internal events log is cleared. This applies to Server Agent on all operating systems. The logs will begin to accumulate again after a successful upgrade to 19.2. This does not affect events that are written to SysLog or Windows Events.
Potential longer upgrade time if upgrading from 18.3 or earlier Due to the re-write of the work queue framework, existing queued actions against certificates and keys must be migrated to the new framework. If there is a significant amount of pending actions in the system at the time of upgrade, you might experience longer than normal upgrade times. For example, if you have 20,000 queued actions when you upgrade, the upgrade time will take approximately five minutes longer to make the migration.
If you are upgrading from version 18.2 or earlier, significant changes made in Trust Protection Platform affect how the database stores vaults and references to objects. These changes require a migration of how data is stored in the database. Depending on the size of your database, and the configuration of AlwaysOn, you can expect the SQL migration scripts to take from 10 to 25 minutes longer than usual for larger deployments.
Unix/Linux Server Agent now setting file permissions on installed certificate keystores Previous versions of the Venafi Platform and Server Agent did not honor permission configuration of certificate keystores when installed by the Server Agent.
Starting with version 18.4, these permission configurations for certificate installation for Unix/Linux agents will be honored. Therefore, you should verify that the permissions that you have in place are correct.
Your users can now request additional SAN types in Aperture In previous versions of Venafi Platform, Aperture only supported DNS SANs to be requested on a certificate. Beginning with 18.3, in addition to DNS SANs, Aperture now supports IP, URI, UPN, and email SAN types. If you don't want your users to be able to request these types of SANs, or if you are concerned that they might be confused by the new options, visit your Certificate Policy settings in Aperture to disable the use of specific SAN types.
SSH Self-Service Keys feature replaces External Key feature Beginning with version 18.3, the new Self-Service Keys feature has replaced the External Keys feature. Therefore, after upgrading, you can no longer create external keys. Instead, create self-service keys. This is typically done when you're resolving orphaned keys or when you have a user with a device that is not in the Trust Protection Platform inventory. After upgrading, you'll have the option of migrating each external key to a self-service key (from the Keyset Details page in Aperture).
User Portal now shows the current version of certificates Beginning in version 18.3, your users can now request and download certificates, including previous versions, directly from the portal. In addition, the user experience has been improved through significant visual enhancements.
NOTE Because of these enhancements, some of the product terminology has been updated; so if you have customized the terminology or styles in your implementation of the User Portal, you should revisit and update your customization to match these changes. For more information, visit https://support.venafi.com/hc/en-us/articles/228093008.
Amazon integrations updated to leverage new credential type Prior to the 18.3 release, password credentials were used to configure different Amazon integrations, such as Certificate Authority, Provisioning Driver, and AWS EC2 Instance Monitoring. During the upgrade from 18.2 or earlier, these integrations are migrated automatically so that they leverage the new Amazon credential type. However, if you have any WebSDK integrations that automate creating or editing these types of objects in Trust Protection Platform, you'll need to update your WebSDK integration. This is because these integrations now require the use of the Amazon Credential type in order to support ADFS SAML authentication into Amazon Web Services.
Permissions updated for running Server Agent on Linux/Unix The permissions that the Server Agent installs with have been updated. Specifically, user and group permissions have been updated so that they are set to 0 (where in some places they were previously set to 5). Therefore, if you had non-root users interacting with the Server Agent before upgrading from 18.2 or earlier, then you might need to revisit their sudo permissions after the latest version of the Server Agent is installed.
System must provide iconv functionality for Server Agents running on Linux In previous versions, Server Agent implemented its own iconv functionality. Beginning with Venafi Platform version 18.3, Server Agent requires that your system libc provides the iconv functionality. You should make sure that iconv is available before upgrading either Trust Protection Platform or Server Agent. Current versions of glibc (The GNU C Library) provide the required functionality. The required files should be installed as part of the glibc package.
Workflow approval logs Beginning with release 18.2, permissions were added and are now required in order to see the approval and rejection logs in WebAdmin. On upgrade, only Master Admins will have permission to see the log. If there are approvers or other users that should see these special log views, you will need to give those users and groups view/read permissions.
Workflow approver update interval has been modified In versions 18.1 or earlier of the Venafi Platform, if the approvers for a workflow changed for an existing workflow ticket, the ticket would be deleted and recreated so that the updated approver could act on the workflow ticket. In order to improve the scalability and stability of the platform when there are many outstanding workflow tickets requiring approval, the interval for updating existing tickets has changed from 1 minute to 4 hours. Therefore, if the approver changes, it will take Venafi Platform approximately 4 hours to respond to updates regarding who the approvers are for existing workflow tickets.
Referrer and origin checking To enhance the security of the web consoles, both Aperture and WebAdmin have been enhanced to check that the referrer or the origin in the HTTP headers is not null. In addition to not being null, if either has a non-null value, then the fully qualified domain name must match the fully qualified domain name of the Venafi Platform server hosting the web console. Some corporate proxies are configured to remove or modify the referrer and/or origin from the HTTP header. Some users may install browser plugin/extensions that also remove/modify the referrer/origin. After upgrade, users or organizations in these situations will experience issues with the web UI consoles.
If you are getting a 403 Forbidden error in either Aperture or WebAdmin, then your organization or specific user likely has a browser plugin or corporate proxy that is stripping out both referrer and origin information from HTTP headers. For information on how to troubleshoot this issue, visit:
https://docs.venafi.com/Docs/18.2/TopNav/Content/Aperture/tr-aperture-tpp.php
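A model of the Referer/Origin check described above, as an added example that is not part of the article or Venafi's code: both headers absent is rejected, and any header that is present must carry a host equal to the console's fully qualified domain name. The exact rules the product applies may differ from this reading of the page; hostnames are compared case-insensitively with any port ignored, and the header sets below are constructed.

```python
"""Referer/Origin validation as described for Aperture and WebAdmin (added example, not Venafi code)."""
from urllib.parse import urlsplit


def _host_of(value):
    """Host name from a Referer/Origin value, or None when there is none (e.g. the literal 'null')."""
    if value is None or not value.strip():
        return None
    return urlsplit(value.strip()).hostname   # lower-cased, port removed


def check_referer_origin(headers, server_fqdn):
    """Return (allowed, reason) for one request.

    headers is a dict whose names are matched case-insensitively. A missing
    pair is the symptom of a proxy or browser extension stripping both headers,
    which the article says produces a 403 Forbidden in the web consoles.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    referer, origin = lower.get("referer"), lower.get("origin")
    if referer is None and origin is None:
        return False, "both Referer and Origin are missing (proxy or browser extension may strip them)"
    expected = server_fqdn.lower()
    for name, value in (("Referer", referer), ("Origin", origin)):
        if value is None:
            continue   # only one of the two is required to be present
        host = _host_of(value)
        if host is None:
            return False, "%s is present but carries no host" % name
        if host != expected:
            return False, "%s host %r does not match %r" % (name, host, expected)
    return True, "ok"


# Constructed sample headers; the FQDN is a placeholder.
SAMPLE_FQDN = "tpp.example.com"
GOOD_HEADERS = {"Origin": "https://tpp.example.com", "Referer": "https://tpp.example.com/aperture/"}
STRIPPED_HEADERS = {"User-Agent": "constructed-browser"}
PROXY_REWRITTEN_HEADERS = {"Referer": "https://proxy.example.net/"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("stripped", STRIPPED_HEADERS),
                        ("proxy", PROXY_REWRITTEN_HEADERS)):
        print(label, check_referer_origin(hdrs, SAMPLE_FQDN))
```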
WebSDK integrations for Disabled and In Error In order to optimize performance for certain certificate queries, Disabled and In Error were promoted from being attributes within the config_contains tables to permanent columns within the config_objects table. Even though all parts of the product, including WebSDK, were updated to ensure that this was a safe change, it is highly recommended that customers spend more time testing their WebSDK integrations in lower environments before upgrading to production in 18.2.
Master admins permissions changed Beginning with version 18.2, Master Admins can no longer have their permissions accidentally or intentionally removed at certain locations in the Policy tree. This change occurred because of the number of customers unintentionally making changes to the permissions of Master Admin accounts that resulted in a call to Venafi Support Engineering in order to reverse the problem. Adding extra permissions to Master Admins causes considerable slowdowns for Aperture, WebAdmin, and Custom Reports created by that user. By completely removing the ability to change Master Admin permissions in subsets of the tree, all Master Admins will see an increased performance benefit. It is important to note that when managing permissions, it is still possible to add Master Admins to the permissions control for a specific object and its children, but those permission assignments will be ignored.
AWS certificate installation/provisioning driver changes its default provisioning behavior Beginning with version 18.2, the default behavior of the Amazon Web Services certificate installation and provisioning driver changed in the way that it provisions non-Amazon issued certificates. By default, certificates are now provisioned to the Amazon Certificate Manager (ACM) store instead of the IAM store. However, you can still provision certificates to the IAM store if you modify the Provision To setting.
Generally, Venafi does not change default behavior because it can create issues; however, in order to align Venafi Platform functionality with Amazon's own recommendations, an exception was made:
ACM is the preferred tool to provision, manage, and deploy your server certificates. With ACM you can request a certificate or deploy an existing ACM or external certificate to AWS resources. Certificates provided by ACM are free and automatically renew. You can use ACM to manage server certificates from the console or programmatically. For more information about using ACM, see the AWS Certificate Manager User Guide.
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
Supported/compatible browsers changed In order to bring greater parity between the web browsers supported by Venafi and the web browsers used by Venafi customers, we have updated support for Google's Chrome browser from compatible to supported.
In addition, we have changed support of Mozilla Firefox from supported to compatible, and beginning with Venafi Platform version 18.2, we have updated the already compatible Firefox ESR version to Firefox ESR 60 and ESR 68.
Server Agent: Remote Mount Point Scanning In previous versions of the Server Agent, NFS and CIFS mount points on Windows and *NIX operating systems were always scanned, even when not configured to do so. Beginning with Trust Protection Platform 18.2, Server Agent properly honors the agent certificate discovery work configuration as to whether to scan NFS and CIFS mount points or not. In addition, specific detection has been added for file systems mounted via NTFS junction points and their scanning is controlled via the same expanded option. If you use Server Agent to do certificate discovery, you should review your work definition with regards to the configuration of the scanned systems.
NOTE: The *NIX portion of this fix was introduced in the 18.1 version of the Server Agent. The Windows portion of the fix was introduced in the 18.2 version of the Server Agent.
18.2 User Agent for macOS and Windows requires Venafi Platform 18.2 or later While our general rule is that the Venafi Platform must be the same version or newer than the User Agent, we are specifically calling it out this release because of the overhaul done in this specific version. With the introduction of macOS and non-domain joined windows support, new APIs were introduced that require a Venafi Platform 18.2 or higher server for successful communication. Older versions of User Agent will still function with a Venafi Platform 18.2 server.
Deprecation of Windows Server 2008 R2
With the release of Trust Protection Platform 17.4, support for Windows Server 2008 R2 was removed. Trust Protection Platform 18.1 and 18.2 take advantage of new functionality available in Windows Server 2012 and 2016. Therefore, you can no longer install Trust Protection Platform on Windows Server 2008 R2. You must upgrade or replace your Windows systems with Windows 2012 R2 or Windows 2016 servers before attempting to upgrade to Trust Protection Platform 18.1 or 18.2.
Deprecation of Microsoft SQL 2008 R2
Before upgrading to Trust Protection Platform 17.4 or later, verify that the Microsoft SQL Server hosting the Trust Protection Platform database is running Microsoft SQL Server 2012 SP2, 2014, or 2016 with the latest patches applied.
Important Note: Starting in 19.4, the minimum SQL version compatible with TPP will be Microsoft SQL 2016 SP1.
For more information, see Error: "This Upgrade Is Not Allowed Due To An Incompatible Version Of SQL Server"
Venafi Advanced Key Protect required for HSM Remote Key Generation
If you have been provisioning certificates with keys remotely generated in a Gemalto SafeNet HSM and want to continue doing so, you must enable Advanced Key Protect after upgrading to Trust Protection Platform 18.1 or later.
Upgrade process - Windows Services
Beginning with version 18.1, Venafi Platform includes a new and enhanced install and upgrade process. Following an upgrade, the new installer does not start Venafi Windows Services automatically. Instead, use the new Venafi Configuration Console on the Product node to start and stop services.
Upgrade process - Windows Authentication to SQL Server
In previous versions of Trust Protection Platform, when using Windows Authentication for communicating with the Venafi MSSQL Server, the Windows user who performed the Trust Protection Platform upgrade was also required to have appropriate permissions for database access. Starting with Trust Protection Platform 18.1, this is no longer true, because the newly enhanced installation and upgrade process allows database communication to be proxied through the database credentials specified at installation.
Server Agent: RPM files are now signed
Starting with Server Agent 18.1, Server Agent RPM files are signed with an RPM V4 signature. To properly validate the RPM files before installation or upgrade, import the Venafi RPM signing key first. Validation of RPM V4 signatures might fail on versions of RHEL earlier than 6.0. In addition, if you customize the RPM, the signature will no longer be valid.
Deprecated functionality:
Click here for the latest KB listing deprecated functionality in the current and past versions of Trust Protection Platform. https://support.venafi.com/hc/en-us/articles/115001578651
Functionality scheduled for deprecation in future releases:
Click here for the latest KB article on features scheduled for deprecation in future releases of Trust Protection Platform. https://support.venafi.com/hc/en-us/articles/115001662292
Summary
This article contains a current list of features that have been removed from shipping versions of Trust Protection Platform.
Applies To:
All versions of Trust Protection Platform. More details below.
See Also:
For a list of features that are scheduled for deprecation in upcoming releases, see https://support.venafi.com/hc/en-us/articles/115001662292.
Venafi Platform 19.3
POST Credentials/RenameContainer Web SDK Method
POST Credentials/RenameContainer is deprecated. Instead, use Config/RenameObject because it has identical functionality and it is more commonly used. This change can help eliminate customer confusion and simplify support of the API.
Venafi Platform 19.2
Layer 7 Certificate Installation Driver
Venafi's technology partnership ended when Computer Associates acquired Layer 7 in 2013. There is insufficient market demand for this integration. Customers using Venafi to integrate with Layer 7 should work with CA Technologies or a third-party resource to implement an Adaptable integration with Layer 7 load balancers.
IIS 6 Certificate Installation Driver
Microsoft's extended support for Windows Server 2003 ended in July 2015. Since the CAPI driver is the recommended and compatible method for provisioning to all newer versions of Windows, the IIS 6 driver has been removed from Venafi Platform.
Server Agent Windows 32-bit Support
Due to Microsoft's deprecation of 32-bit operating systems for its server line, Venafi no longer ships the 32-bit version of the Windows Installer and Venafi Update Packages.
Venafi Platform 19.1
.NET Framework update
Installation of Microsoft .NET Framework version 4.7 will be required on Venafi Platform servers.
User Agent for Windows will require .NET Framework version 4.6.1
User Agent for Enterprise Mobility Protect will require installation of Microsoft .NET Framework version 4.6.1 on all Windows devices where it is installed.
Agent Support for Solaris
Starting in 19.1, the Server Agent will only support Solaris 10 and newer. Support for Solaris 8 and 9 will be deprecated.
Network Discovery Placement Preview
The Network Discovery Placement Preview feature will be removed from Aperture. After its removal, Network Discovery will work more like Agent and TrustNet discovery: when discovered, items automatically appear in the Policy tree.
Custom Permissions and Containers for Placement Rules
Placement Rules have been migrated off of the Discovery Tree in WebAdmin. Permissions for Placement Rules are now managed in Aperture, where you can give users permissions to either all placement rules or none. There is no longer support for giving users permissions to some placement rules but not others. Also, Placement Rules could previously be placed in sub-folders within the Discovery Tree. Now all Placement Rules are in a flat list.
Passing the WebSDK API key via URL query string
The Trust Protection Platform WebSDK has historically permitted the post-authentication API key to be passed to REST methods in two different ways: as a query string parameter (i.e. ?apikey=) or as an HTTP header (i.e. X-Venafi-Api-Key). Since its introduction in 14.1, the HTTP header approach has been recommended over the query string because the latter exposes the cleartext API key value in the IIS logs of the Venafi server. Since this poses a security risk, the query string option will no longer be supported.
Certain Validation Columns no longer Available in WebAdmin Policy View Export
Due to the refactor of Validation Storage, the following columns are no longer available to be included in the export of the Certificate Policy View: SSL/TLS Validation Results and Chain Validation Results. In 19.2 there are plans to add dashboards to improve visibility into validation results.
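One way to find clients that still pass the key as ?apikey= before the option is dropped is to scan the IIS logs that the query-string item above says expose it. This is an added example and not Venafi code; the log lines below are constructed, and the column names follow the IIS W3C extended log format.

```python
"""Find WebSDK calls that still pass the API key in the query string (?apikey=).

Added example, not Venafi code. It reads IIS W3C extended log lines, where the
cleartext key ends up, and reports each client/endpoint pair so those callers
can be moved to the X-Venafi-Api-Key header. Key values are masked in the report.
"""
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log (IIS W3C extended format). The key values are made up.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2019-11-04 10:15:01 10.0.0.5 GET /vedsdk/certificates/ apikey=0f5c5b7c-1111-2222-3333-444455556666&limit=100 443 10.1.2.3 python-requests/2.22 200
2019-11-04 10:15:02 10.0.0.5 GET /vedsdk/certificates/ limit=100 443 10.1.2.9 curl/7.64.0 200
2019-11-04 10:15:03 10.0.0.5 POST /vedsdk/config/read APIKEY=0f5c5b7c-1111-2222-3333-444455556666 443 10.1.2.3 python-requests/2.22 200
2019-11-04 10:15:04 10.0.0.5 GET /vedsdk/identity/self - 443 10.1.2.9 curl/7.64.0 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # no header seen yet; the columns cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misattribute columns
        yield dict(zip(fields, values))


def mask(value):
    """Keep only a short prefix of the key so the report does not re-expose it."""
    return value[:4] + "..." if len(value) > 4 else "***"


def find_query_string_api_keys(text):
    """Return {(client_ip, user_agent): [(uri_stem, masked_key), ...]}.

    Any query parameter named apikey is matched regardless of case, because IIS
    records the query string exactly as the client sent it.
    """
    hits = defaultdict(list)
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes "-" when there was no query string
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "apikey":
                client = (rec.get("c-ip", "?"), rec.get("cs(User-Agent)", "?"))
                hits[client].append((rec.get("cs-uri-stem", "?"), mask(value)))
    return dict(hits)


if __name__ == "__main__":
    for (ip, ua), calls in find_query_string_api_keys(SAMPLE_IIS_LOG).items():
        print(f"{ip} ({ua}) still sends the API key in the query string:")
        for stem, masked in calls:
            print(f"  {stem} apikey={masked}")
```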
Venafi Platform 18.4
Cisco ACE Certificate Installation Driver
Cisco announced the end-of-life of this product in late 2013. Cisco's official end-of-support is January 2019.
POST Config/RemoveAttributeValues
POST Config/RemoveAttributeValues will be removed as a supported method. If misused, this API call can be catastrophically destructive. Config/RemoveAttributeValues was removed from product documentation in 18.3 and will be completely removed in 18.4. Instead, please use a similar API call, such as POST Config/ClearAttribute.
Venafi Platform 18.3
Network Discovery Jobs in Web Admin
Network Discovery job configuration was removed from the Web Administration console. Beginning in 18.2, you will need to use Aperture for all Network Discovery jobs. Enhanced configuration options for Network Discovery have been available in Aperture since version 14.3.
Onboard Discovery will be moved from Web Admin to Aperture
Onboard discovery for F5, NetScaler, and DataPower will only be available in Aperture. These onboard discovery options are no longer available in the Web Administration Console.
Server Agent Support for SuSE/SLES 10
Long Term Service Pack Support for SuSE/SLES 10 SP4 ended on 31 July 2016. In 18.1, support for SLES 12 was added, so we dropped support for SuSE/SLES 10 in 18.3.
F5 Provisioning/Installation Support for F5 version 10.x
This has been considered a legacy platform for several years, and the vendor ended support in December 2016. Discontinuing support will allow for removing complexity in coding, usability, testing and support.
GSK Provisioning & Certificate Installation Support for JKS and PKCS#12
IBM dropped support for the JKS format when they released GSK 8.0 in 2010. The GSK driver support for JKS and PKCS#12 depends upon the software utilities hosted on the remote device, which has proven problematic. Venafi's JKS and PKCS#12 drivers are better suited to handle these use cases because they support central generation of the keystore and now support all of the use cases the GSK driver once uniquely supported.
GSK Storage Types
The JCEKS, JKS, and PKCS#12 Storage Types for GSK Application objects have been discontinued in 18.3. Only the Certificate Management Services (CMS) Storage Type is supported.
Venafi Platform 18.2
Server Agent Support for RedHat Enterprise Linux 4.x
In order to improve Venafi build processes, support for RHEL 4.x was dropped, because RHEL 4.x cannot support the improvements made to Venafi build processes. RHEL 4 was released in 2005 and the last kernel update was in 2011.
Master Admin Permissions Revocation
Trust Protection Platform no longer allows master administrators to have permissions revoked anywhere within the product tree. Any additional permissions assigned or removed are ignored.
Automatic configuration of Microsoft Outlook 2007
In 18.1, Enterprise Mobility Protect User Agent was able to automatically configure Microsoft Outlook 2007 with the latest user certificate. Microsoft officially announced the end of extended support of Office 2007. Therefore, when you upgrade to Trust Protection Platform 18.2, Enterprise Mobility Protect User Agent no longer supports automated configuration of Outlook 2007.
Venafi Platform 18.1
Server Agent No Longer Supports Apache Driver
The Apache driver is not supported with Server Agent provisioning mode after 18.1. Instead, you can use Agentless certificate installation.
User Portal No Longer Supports Local Key Generation in Internet Explorer
Modern browsers have either deprecated or plan to deprecate support for key and CSR generation within the browser. The current method for Internet Explorer requires ActiveX controls and the lowering of IE security settings to run. Because of this, the User Portal will only support service-generated private keys and CSRs for requesting certificates.
Symmetric Key Manager Product
The Symmetric Key Manager component has been removed from the available components list of the installer. Symmetric key management has not been a focus of our short- or long-term roadmap for several years.
Comodo Certificate Authority Driver - Web Host Reseller (legacy)
According to Comodo, all customers have been (or are in the process of being) migrated to the newer Comodo Certificate Manager (CCM) platform. Therefore, the legacy CA driver has been removed.
Entrust Security Manager Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.
Symantec Local Hosting Kit (LHK) Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.
Keynectis Sequoia Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.
SSH TrustMap
SSH TrustMap has been removed. You can get the textual information provided by TrustMap in other areas of the product user interface. We are evaluating requirements and exploring other models that will provide a graphical view of SSH trust relationships in a future version of the product.
Log View Read Only Credentials
In previous versions of Trust Protection Platform, there were separate credentials that could be entered specifically for viewing logs in WebAdmin and WinAdmin. This feature was not used widely by customers, and it was dropped during a refactor that allows each Trust Protection Platform server to have its own database connection configuration (some Trust Protection Platform servers can now use Windows Authentication while others use SQL Authentication).
TrustNet Dashboard Widget "New Locations" Slice
In 18.1, TrustNet features in TPP have been updated. During the update, the "New Locations" Slice was removed from the TrustNet Dashboard widget.
TrustNet Dashboard Widget "Duplicate Name" Slice and Inventory Filter
In 18.1, TrustNet features in Trust Protection Platform have been updated. During the update, the "Duplicate Name" Slice was removed from the TrustNet Dashboard widget. Also, the Duplicate Name filter was removed from the TrustNet filter on the Certificate Inventory page.
Venafi Platform 17.4
Microsoft SQL Server 2008 R2
Venafi Trust Protection Platform no longer works with Microsoft SQL Server 2008 R2. Please upgrade to a recently patched version of Microsoft SQL 2012 R2, 2014, or 2016 prior to installing Trust Protection Platform 17.4 or higher.
See Also: Error: "This Upgrade Is Not Allowed Due To An Incompatible Version Of SQL Server"
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008 R2 is no longer a supported version to run Venafi Trust Protection Platform 17.4 or higher. Before upgrading your Trust Protection Platform environment, you should have new Windows servers available on which to install Trust Protection Platform so that you can replace existing servers running older versions of Venafi software. Currently supported versions of Windows Server are: Microsoft Windows 2016 Server (server with user interface) and Microsoft Windows 2012 Server R2 (server with user interface).
Venafi Server Agent no longer supports Windows Server 2003
In order for the Venafi Server Agent to update its runtime libraries, support for Windows Server 2003 had to be dropped. The 17.4 version of the Server Agent will not run on Windows Server 2003. Please upgrade your Windows Server 2003 systems to newer versions of the Microsoft Server operating system in order to continue to have the Venafi Agent installed on those systems.
Venafi Platform 17.3
Transition IBM DataPower Driver interface from SSH to REST
This driver has been transitioned from the SSH CLI to the REST API. DataPower versions prior to 7.2 will no longer be supported; however, they should still be compatible. Versions being targeted for support are XI52 7.2 and IDG 7.5.
Transition DigiCert CA Driver from Enterprise to CertCentral API
The DigiCert CA driver has been migrated from the legacy Enterprise API to the current CertCentral API. You will need to have your account migrated. DigiCert has stated that they are available to help customers with the migration.
Venafi Platform 17.2
Supported Firefox version Update
Supported web browsers have been updated to Internet Explorer 11 and Mozilla FireFox ESR 52. The latest version of Google Chrome is still categorized as a compatible browser.
Devices removed from Aperture Folder tree
Devices have been removed from the Aperture Folder tree so that only Folders are visible. This was done to enhance performance and usability. Devices are still accessible to SSH customers in the Aperture Inventory menu (Inventory > Devices top navigation menu).
Agent Discovery of Root Certificates
In order to increase performance of Server Agent Certificate Discovery, Trust Protection Platform no longer stores data about where root and intermediate certificates were found. In previous versions, partial information on where the Root certificate was discovered was available from the Support tab.
IBM GSK Driver Support for GSK version 6.0
The GSK Certificate Installation Driver no longer supports version 6.0. Version 6.0 reached end-of-life in September 2013.
Java Key Store (JKS) Driver Support for Java version 1.4 or 1.5
The Java Key Store (JKS) Certificate Installation Driver no longer supports Java versions 1.4 or 1.5. These versions reached their end-of-life in October 2008 and October 2009, respectively.
Venafi Platform 17.1
Brocade Application Driver
The Brocade Application Driver used for certificate installations is no longer available.
Verizon SureServer Certificate Authority Driver
The Verizon SureServer Certificate Authority Driver used for certificate enrollments is no longer available.
Oracle DB support
Oracle is no longer supported. For more information refer to: https://support.venafi.com/hc/en-us/articles/227567188
Canned CA Trust Report
The canned CA Trust Report found in the Web Administration Console has been removed.
Web Admin Licensing Status Dashboard
This functionality has been migrated to Aperture and is now visible on the new System Status dashboard.
Venafi Support Tool
The Venafi Support Tool is removed. It has been replaced by a new utility called the Venafi Support Center.
Venafi Platform 16.4
VED Client UI Portal
The undocumented and unsupported UI Portal component has been removed. This change should not affect any customers.
z/OS CA driver
The z/OS CA driver has been removed from Trust Protection Platform. This integration is outdated and the Adaptable CA driver provides a better alternative.
Venafi Platform 16.3
SSH non-recursive discovery
SSH Key Discovery no longer supports performing non-recursive scans. The ability to scan "just this folder" and exclude all sub-folders is no longer available.
Aperture certificate status Revocation Approval Required
The Certificate Status of Revocation Approval Required has been replaced with Pending My Approval.
Venafi Server Agent has deprecated support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC)
Venafi Trust Protection Platform no longer includes an agent installer for HP-UX PA-RISC. This does not affect our support for HP-UX on Itanium Processors (HP-UX IA). Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005. We have deprecated support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.
For more information about the deprecation of PA-RISC, visit: https://support.venafi.com/hc/en-us/articles/218241207
Aperture License dashboard widget and filter
The License dashboard widget and certificate list License filter have been removed from the Aperture console. If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration Console.
Info:
Aperture shows information about a certificate as a banner across the top of the certificate page. Among other alerts, this banner contains an Unapproved Issuer section.
This indicates that the certificate under management has been issued by an unapproved CA. This article describes how to configure Approved CAs.
More Info:
The Approved CAs are configured in WebAdmin. The setting can be found under Settings > Certificate tab on the root of the Policy tree. There you select which root or intermediate certificates should be listed as "Approved" issuers; the selection is made from the available roots in the Roots Tree. If your intermediate or root certificates are not in the selection, you can add them by going to the Roots Tree and clicking "Add".
Applies To:
Venafi Trust Protection Platform (TPP)
TrustNet
Venafi Cloud
VCert
Definition of a Support Case
A Support Case is defined as assistance with one issue, problem, or question relating to the use or installation of a Venafi product, regardless of the number of communications required.
Our Support Queue is monitored by our teams 24/7. Please submit tickets for help. A phone call will be picked up by the team, or you can leave a voicemail that will generate a ticket for us. If they can't answer, they will call back or check for your ticket.
The best way to get help is to open a support case. If you feel you are not getting the help you need, please say so. You can comment on the case, open a new case, or request a phone call.
How to open or view a Support Case
A Support Case can be opened via the following methods:
online at: support.venafi.com
email to [email protected]
Venafi Customer Support phone numbers for urgent issues only (see our Severity Levels document) - ask for Customer Support or press option '2':
1-801-676-6900
1-877-266-5159 Toll-Free
0134 440 4040 from inside the U.K.
(02) 8007 4179 from inside Australia
If it is Urgent and you can't get help, please call the Senior Director of Support at:
801-676-6926 This number calls the desk and cell phone.
For some helpful hints on your support cases, see our Getting the Most out of your Support Cases doc.
FYI - in December 2015 a change was made to the Venafi support portal. Now, to submit a new case or to see your cases:
Step 1: Log In
Step 2: Click on your name in the upper right corner
Step 3: Click on "My Activities"
Authorized Contacts
Venafi Enterprise Maintenance allows 4 authorized contacts to open support cases.
Support Hours & Initial Response Commitments
Venafi Support is available 24X7X365. After submitting a new Support Case, you will receive a response within the following guidelines:
Severity 1 (Urgent) = Complete loss of functionality of the Licensed Software and all related services, resulting in a catastrophic business impact in which a service, system, or critical application is down, severely impacting production or profitability of Licensee.
INITIAL RESPONSE: Maximum of 2 hours
Severity 2 (High) = Detrimental business impact in which service, production, operations, or development deadlines are severely and negatively impacted, or where there will be a severe and negative impact on production or profitability of the Licensee.
INITIAL RESPONSE: Maximum of 4 hours
Severity 3 (Normal) = Inconvenient situation in which the Licensed Software is usable, but does not provide a function in the most convenient or expeditious manner, and the user suffers little or no significant impact.
INITIAL RESPONSE: Maximum of 8 hours
Severity 4 (Low) = Situation in which the use is affected in some way that is reasonably correctable by a documentation change or by a future, regular release from Venafi.
INITIAL RESPONSE: Maximum of next business day
Issue Swarming (Issue Escalation)
1. If you feel the urgency, attention, or skill is lacking for your issue's needs, simply state it in your case and ask for additional help.
2. In the circumstance a difficult issue arises and we are not sure how to fix it, we use a swarming tactic.
Your support tech will engage with the rest of the Support team (Swarm)
Next as needed the Support team will Engage with Engineering
Next as needed the Support and Engineering teams will engage with QA and PM
3. If a third-party vendor issue may be contributing to the Venafi issue, we are happy to engage in a call with them and the customer in order to shortcut to a resolution. Oftentimes the customer may be required to initiate the communication with the third party to help us all work together.
We are committed to getting issues resolved and have the Venafi organization behind us to swarm a complex issue where needed to get to a resolution.
APPLIES TO: All Versions
SUMMARY:
This article covers the steps required to bulk export certificates from Sectigo, followed by the instructions necessary to import those certificates into the Venafi Trust Protection Platform database.
NOTE: For the purposes of the instructions in this article, it is assumed that you have the necessary credentials to access Sectigo Certificate Manager ("SCM").
OVERVIEW
The bulk import process follows these high-level steps. Details for each step are documented below.
Download certificates report from the Sectigo Certificate Manager
Import certificates into Venafi Trust Protection Platform
DOWNLOAD CERTIFICATE REPORT FROM SECTIGO CERTIFICATE MANAGER
From a browser, access the Sectigo Certificate Manager using your provided URL.
From the SCM Dashboard screen, select Reports from the tabs area.
https://support.venafi.com/hc/en-us/articles/360031200711-Importing-Certificates-from-Sectigo
From the Reports screen, select SSL Certificates from the .
In the SSL cert report details, select the filters and date ranges for which a report will be generated. Importing expired and revoked certificates into TPP is not supported; if these certificates are included in the report, they will not affect the import process for issued certificates. Click Generate Report to download.
The provided report will be a CSV file containing details of all the certificates that meet the criteria selected. This report should be uploaded to the TPP server that will process the CSV.
IMPORT CERTIFICATES INTO VENAFI TRUST PROTECTION PLATFORM
With the feature release of the Adaptable CA driver in version 19.1, the Trust Protection Platform is able to integrate with a multitude of Certificate Authorities and perform various functions utilizing API/SDK endpoints and custom PowerShell scripts. For instructions on importing certificates to TPP, please use the following link:
Affected versions:
Entrust.NET Driver
Symptom:
Post CSR failed with error: Web Service Error - (ID:######) Unable to validate the certificate signing request (CSR). Please contact Entrust Certificate Services for support. (Error ID: GEN010)
Cause:
This error is typically seen by customers when a CN (Common Name) and/or SAN (Subject Alternative Name) domain is not recognized by Entrust. This is typically caused by a typo in the domain name in the SAN, or by Entrust not having that domain currently configured in their system.
This generic error message is relayed directly from Entrust and is not a Venafi error message. It is possible that another required field in the CSR is incorrect; Venafi attempts to give more specific error messages for other fields, or passes on the error from Entrust when it is specific.
Fix:
Make sure that the domain is set up properly in the Entrust portal and that the CN and all SANs domain names are correctly spelled before submitting the CSR for signing.
This can also be accomplished by using Domain white-listing in the policy for these certificates. To find out more about domain white-listing please look here:
https://docs.venafi.com/Docs/18.4/TopNav/Content/Policies/r-policy-object-cert-settings.php?Highlight=domain%20white%20listing
Also check that all other fields have been correctly configured.
Scanafi 2.1 is live and available for download
What is Scanafi?
Scanafi is a lightweight utility that enables you to scan hosts on your internal network for SSL/TLS certificates and potential vulnerabilities.
Scanafi performs network discoveries for certificates on port 443 (default) or a set of well-known ports via SSL/TLS and STARTTLS handshakes. It is available as a single executable file for Windows, Linux, and MacOS operating systems.
What's New in this version?
Ability to scan TLS 1.3 protocol: Scanafi 2.1 can now scan a server if the server has TLS 1.3 implemented.
Multi-port support: You can now specify a list of ports (multi-ports) in the Scanafi config file that you want Scanafi to scan for certificates.
SNI support: Server Name Indication (SNI) allows the server to safely host multiple TLS certificates for multiple sites, all under a single IP address. It adds the hostname of the server (website) to the TLS handshake as an extension in the CLIENT HELLO message. Scanafi can now scan TLS certificates on multiple sites hosted by a single SNI-configured server.
Setting parameters: Scanafi 2.1 is now configured using a JSON configuration file instead of command-line arguments. The JSON configuration file includes credentials to connect to TPP and Condor servers for certificate data upload. Multiple inputs can be specified in the configuration file, allowing you to scan multiple subnets in a single setting.
Additionally as part of Scanafi 2.1.0.1 we have removed the support for SSL v2 scanning.
Where can I download Scanafi?
To download Scanafi 2.1, visit our Download Portal.
Where is the documentation?
Documentation is available here.
Applies To:
Venafi Trust Protection Platform 18.2 and prior versions
Info:
Venafi Trust Protection Platform (TPP) has the ability to work as a SCEP server. This feature is referred to as Network Device Enrollment (NDE). This article describes the steps to set up and configure TPP and SSCEP, a command-line SCEP client, to work together.
First, Configure TPP for SCEP:
Configure NDE on TPP side in WebAdmin:
1. Create a Password object to use for SCEP requests
2. Go to the Platform Tree to configure NDE settings
3. Select the Engine or root of the Platform tree and go to "Network Device Enrollment" > Settings
4. Configure settings:
Enable "SCEP Reply Delay"
Default Challenge Password = Password for requests to use
Default Certificate Container = Where to create cert objects
Default Certificate Authority = What CA Template to use
RA Certificate = Certificate used for Registration Authority (cert that was issued by the CA we are going to use)
5. Save settings and restart IIS
Then, Validate it's working:
There are two tools for validating SCEP. The recommended tool is VisualScep, found here along with a PDF showing you how to use it:
Visual SCEP Tool
-------------------------------------------
A 3rd party command line tool is called SSCEP, found here
SSCEP Tool (3rd party)
After unpacking this tool on a system that has access to the TPP SCEP server, you can run the following requests to test it, substituting your TPP server in the commands where appropriate:
Generate a request providing a Common Name and the Challenge Password when prompted by openssl:
openssl.exe req -config scep.cnf -new -key priv.key -out test.csr
Retrieve the CA and RA certificates from your SCEP/NDES:
sscep.exe getca -u http://venafiserver.local/vedscep/ -c ca.crt
Enroll a new certificate and make sure to specify the correct RA (-c flag) (there may be more than one returned, so validate which is appropriate)
sscep.exe enroll -u http://venafiserver.local/vedscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0
If things work, the certificate is stored in test.crt
Troubleshooting
What to look at when things aren't working?
Check the Engine object logs in Platform tree for "Network Device Enrollment" errors or Default SQL Channel logs
Check to see if the Certificate object got created
- Did creating and retrieving the cert take too long?
- Was there an issue during cert enrollment?
- Are you able to create a cert in the console in that folder with that CA without SCEP?
Check that the RA Cert is correct
Check that CA Template has root/intermediate certs configured
Check SCEP server url and that it is http (not https)
Double check that the challenge password in the CSR is correct: openssl req -in test.csr -noout -text
Check that the vedscep URL (http://venafiserver.local/vedscep/) works with a browser. It should return "Bad Request...."
Another possible resource can be found here:
NDES/SCEP Windows Test Tool
Applies To
All versions of TPP, at least up to 19.2
Symptom
When the binding for port 80 is removed in IIS some components of Venafi stop functioning.
Affected components include:
Agent check-in (fails to start at all. When running in interactive mode, you literally see no activity)
WebSDK (Receive 500 error during authentication and you don't get an API key)
SCEP/NDES
Cause
Despite the fact that the clients in these components are not sending any traffic over port 80 to the Venafi TPP server, the web.config for the API of these components requires port 80 to be open. There is, however, a modification that can be made to the web.config files for the affected components which will allow the binding to be removed.
NOTE: Removal of this binding MAY stop other unrelated processes. For instance, SCEP clients often only support HTTP. Additionally, if a CRL is actually STORED on the TPP server, then a CRL check may fail, since CRL's are only published for LDAP and HTTP.
Resolution
There are two resolutions. The recommended one is to leave port 80 bound, or to add it back in. The other is to follow these steps so that the missing binding is ignored:
Edit the following Web.config files:
<TPPInstallPath>\Venafi\Web\Client\Web.config
<TPPInstallPath>\Venafi\Web\WebSDK\Web.config
<TPPInstallPath>\Venafi\Web\VScep\Web.config
Add the following clause right after <system.serviceModel> in each file:
<bindings>
  <webHttpBinding>
    <binding>
      <security mode="Transport" />
    </binding>
  </webHttpBinding>
</bindings>
Restart IIS (e.g. IISReset).
Summary:
Venafi Security Administrator (VSA18) Product Training
VSA18 is a two-day, instructor-led certification course that combs through the Venafi Trust Protection Platform (TPP) product. There is also an option to add a third day of training, an add-on that covers the Agent and SSH.
VSA18 covers the following for TPP product:
Install
Configuration
Maintaining the platform
Product components
How to support end-users
Product security best practices
More Information:
The VSA18 two-day course is intended to cover the topics specific to the Certificate product. The optional third day is used to cover the Venafi Agent and/or SSH product.
Course intended for:
PKI Administrators
Enterprise Security Officers
IT professionals who are responsible for supporting the Venafi platform
After completing the class students will be able to:
Install the Venafi platform and configure core services.
Integrate with LDAP or Active Directory
Use the different Consoles
Configure custom notification rules and SMTP templates
Build initial certificate inventory
Enroll and Provision certificates
Configure, Install and run Venafi Agent (if 3rd day is included)
Discover and Remediate SSH Keys (if 3rd day is included)
VSA18 Certification Requirements:
Take approved VSA18 course
Pass the proctored VSA18 exam with 80%
Class Format:
Detailed product discussion
Examples and screenshots from the product
Robust, hands-on lab environment hosted in the Amazon EC2 Cloud
Scheduled topics:
Day 1
Intro to the Venafi Trust Protection Platform (TPP)
Requirements, Database Setup, and Installation
Additional Venafi Servers
Post-Install Configurations
Policy tree and policy settings
Logging and Notifications
Building a Certificate Inventory
Workflows
Day 2
Monitoring
Enrollment
Provisioning
Permissions
Upgrading Venafi TPP
Reporting
Additional Features
Day 3 (Agent/SSH product)
Agent Overview
Agent Preparation for Deployment
Agent Deployment
Agent Certificate Work
SSH Product Overview
Agentless SSH
Configuring SSH Work
SSH Policy
SSH Remediation
Summary:
Venafi Security Administrator (VSA19) Product Training
VSA19 is a two-day, instructor-led certification course that combs through the Venafi Trust Protection Platform (TPP) product. There is also an option to add a third day of training, an add-on that covers the Agent and SSH.
VSA19 covers the following for TPP product:
Install
Configuration
Maintaining the platform
Product components
How to support end-users
Product security best practices
More Information:
The VSA19 two-day course is intended to cover the topics specific to the Certificate product. The optional third day is used to cover the Venafi Agent and/or SSH product.
Course intended for:
PKI Administrators
Enterprise Security Officers
IT professionals who are responsible for supporting the Venafi platform
After completing the class students will be able to:
Install the Venafi platform and configure core services.
Integrate with LDAP or Active Directory
Use the different Consoles
Configure custom notification rules and SMTP templates
Build initial certificate inventory
Enroll and Provision certificates
Configure, Install and run Venafi Agent (if 3rd day is included)
Discover and Remediate SSH Keys (if 3rd day is included)
VSA19 Certification Requirements:
Take approved VSA19 course
Pass the proctored VSA19 exam with 80%
Class Format:
Detailed product discussion
Examples and screenshots from the product
Robust, hands-on lab environment hosted in the Amazon EC2 Cloud
Scheduled topics:
Day 1
Intro to the Venafi Trust Protection Platform (TPP)
Requirements, Database Setup, and Installation
Additional Venafi Servers
Post-Install Configurations
Policy tree and policy settings
Logging and Notifications
Building a Certificate Inventory
Workflows
Day 2
Monitoring
Enrollment
Provisioning
Permissions
Upgrading Venafi TPP
Reporting
Additional Features
Day 3 (Agent/SSH product)
Agent Overview
Agent Preparation for Deployment
Agent Deployment
Agent Certificate Work
SSH Product Overview
Agentless SSH
Configuring SSH Work
SSH Policy
SSH Remediation
Summary:
Occasionally we provide online training to large groups of people to help train end users on some basic day-to-day functions. This is a four-hour, online, instructor-led course with discussion and labs. There is also a short test afterwards to verify that the information was absorbed.
Venafi Security Professional 18 (VSP18) covers the following:
Introduction to Aperture & Enrolling a Certificate
Policy & Workflow
Lost & Found, Installation, Validation, & More
Reporting
More Info:
This class typically holds around 50 people. We hold this class as needed. If you would like to get involved in one you can look for the VSP18 Open Enrollment class on our site (if there is one scheduled).
https://training.venafi.com
Applies to:
Venafi Trust Protection Platform 16.2 and newer
Symptom:
When performing the log expiration command, a simple delete statement is run against the log table. This can be inefficient if you already have a high number of events logged.
Resolution:
Splitting the delete job into several small batches keeps the transaction log file from growing out of control.
The SQL query below creates a loop that deletes 1000 events per iteration. This can be changed to suit your requirements.
The @DeleteLogOlderThan variable defined on row 6 of the example script must be set to your desired date. In the attached example, @DeleteLogOlderThan is 'Dec 4, 2011 12:00AM', which means events created before this date and time (GMT) will be deleted.
WARNING: To perform this operation, you must have direct access to the Venafi Trust Protection Platform database and read/write permissions on it. This will permanently delete events from the database.
Script for Microsoft SQL:
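Because the attached script is not reproduced on this page, the following is an added example of the batching pattern described above, written for Microsoft SQL Server; it is not Venafi's script, and the [dbo].[PLACEHOLDER_LogTable] and [PLACEHOLDER_EventTime] names are placeholders you must replace with the actual log table and its event-time column.

```sql
-- Added example of batched log expiration for Microsoft SQL Server.
-- NOT the script attached to the original article. Table and column names
-- below are placeholders (assumptions); replace them with the real TPP log
-- table and its event-time column before running.
SET NOCOUNT ON;

-- Events created before this date/time (GMT) are deleted; same value the article uses.
DECLARE @DeleteLogOlderThan DATETIME = 'Dec 4, 2011 12:00AM';
-- Rows removed per iteration; 1000 keeps each transaction, and its log growth, small.
DECLARE @BatchSize INT = 1000;

DECLARE @RowsDeleted  INT = 1;
DECLARE @TotalDeleted INT = 0;

-- Dry run first: know how many rows are in scope before deleting anything.
-- The event-time column should be indexed, or every batch scans the whole table.
SELECT COUNT(*) AS EventsInScope
FROM [dbo].[PLACEHOLDER_LogTable]
WHERE [PLACEHOLDER_EventTime] < @DeleteLogOlderThan;

WHILE @RowsDeleted > 0
BEGIN
    -- One short transaction per batch, so committed log space can be reused
    -- (SIMPLE recovery) or backed up (FULL recovery) instead of piling up in
    -- a single huge open transaction, which is what makes the log file balloon.
    BEGIN TRANSACTION;

    DELETE TOP (@BatchSize)
    FROM [dbo].[PLACEHOLDER_LogTable]
    WHERE [PLACEHOLDER_EventTime] < @DeleteLogOlderThan;

    -- @@ROWCOUNT must be read immediately after the DELETE.
    SET @RowsDeleted = @@ROWCOUNT;

    COMMIT TRANSACTION;

    SET @TotalDeleted = @TotalDeleted + @RowsDeleted;

    -- Brief pause so the purge does not starve TPP's own log writes and so
    -- scheduled log backups get a chance to run between batches.
    WAITFOR DELAY '00:00:00.200';
END

PRINT CONCAT('Deleted ', @TotalDeleted, ' events older than ',
             CONVERT(VARCHAR(19), @DeleteLogOlderThan, 120), ' (GMT)');
```

Run the SELECT on its own first and compare the count with the total printed at the end; a mismatch means other sessions were writing events in the same range while the purge ran.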
Info:
Venafi Trust Protection Platform can integrate with Active Directory (AD) to allow users to utilize existing domain accounts for login and notification purposes. This article covers ports used by the AD Identity Provider.
More Info:
Port          Use
88            Kerberos
135           TCP for RPC, EPM (Replication)
389           TCP, UDP for LDAP (Directory, Replication, User and Computer Authentication, Group Policy, Trusts)
445           TCP, UDP for SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc (Replication, User and Computer Authentication, Group Policy, Trusts)
636           TCP, UDP for LDAP SSL (Directory, Replication, User and Computer Authentication, Group Policy, Trusts)
3268          LDAP GC (Directory, Replication, User and Computer Authentication, Group Policy, Trusts)
3269          LDAP GC SSL (Directory, Replication, User and Computer Authentication, Group Policy, Trusts)
49152-65536   TCP Dynamic for RPC
The Microsoft libraries used here rely on dynamic ports. Below are links from Microsoft on configuring a firewall for domains and trusts.
- Active Directory and Active Directory Domain Services Port Requirements
- How to configure a firewall for domains and trusts
Background:
Since version 17.1, Venafi has collected analytics and other telemetry from the Venafi Trust Protection Platform.
Q: What has changed in how and what Venafi collects over the versions of TPP?
A: The following table summarizes the high-level changes:
Version    What Changed
TPP 17.1   Added the option at installation/upgrade to email Venafi the License Report and the Usage Statistics Report
TPP 17.3   Emailing of the License Report was no longer optional
           Venafi enabled the optional collection of user behavior within the web user interface (e.g. what pages were visited and what screen elements were clicked on)
           Venafi enabled the optional collection of TPP version, environment type, organization name, and the TPP roles/permissions of users who logged in
TPP 18.1   The Usage Statistics Report was updated to include the company name and environment type
           The Usage Statistics Report was updated to include additional details on usage of Advanced Key Protect
TPP 19.2   Venafi telemetry collection was no longer optional
           The Usage Statistics Report is sent to Venafi via TLS instead of SMTP (email)
           Venafi published a data privacy policy for TPP at: https://docs.venafi.com/Docs/current/TopNav/Content/r-privacy-policy.php
Note: An issue was identified where telemetry collection would cause performance issues in WebAdmin on systems that did not have internet access. This issue has been fixed in 19.2, and the fix is being included in all future patches for previous releases.
Q: What are the advantages of automatically sending the usage data and Licensing report to Venafi?
A: Collecting aggregate statistics helps us to improve software, prioritize work based on features that customers are actively using, and troubleshoot issues. We do not expose any sensitive information received from you. In addition, you will be freed from manual tasks such as license usage upload.
Uploading the data increases the chances of Venafi Customer Support predicting issues before they have significant impact and proactively reaching out, and it helps avoid deprecation of features that are actively used.
Q: How does my providing this new Usage Report and web analytics tracking data to Venafi benefit me?
A: The data that you share with Venafi will directly influence the evolution of the platform in ways that will better serve your organizational needs and will result in benefits such as:
New Venafi patch alerts for your specific version of Venafi Trust Protection Platform
Venafi is able to proactively fix critical bugs and performance problems that are affecting customers without them needing to be reported through customer support (coming soon)
Real-time security notifications that allow you to reduce security risk
Interactive help and training guidance to help you improve use of the Venafi Platform (coming soon)
New and enhanced features based on behavioral data of users
Accelerated ROI with recommended Venafi Platform features and use cases
Increased Venafi Platform knowledge with contextual, guided training alerts
Increased ability to meaningfully influence development of the Venafi Platform based on aggregated, real life usage analytics
Q: What is the exact data that is being collected and sent?
A: Usage data can be broken down into the following categories:
License Report (the actual license report generated in the WebAdmin Reports Tree)
Usage Report (the actual usage report generated in the WebAdmin reports Tree. The full list of information that is being sent is available here. You'll be required to sign in first.)
User telemetry on how the Web Interfaces are used (ex: what features are most used, what features are users having the most difficult time being successful with, etc)
Metadata about the TPP Deployment (how old is the installation, what version it is on, the Company Name the deployment is registered to, the type of deployment)
Metadata about the TPP user (what roles do they have, what is their Aperture menu structure, what browser is used)
You can always review the data that is being sent in the two reports by downloading the report from the Web Administration console.
Q: How secure is the data upload?
A: Starting in 19.2, the usage report is automatically sent over TLS 1.2 to venafi.com.
In older versions of TPP, the data was sent as an email attachment to [email protected]. If you have concerns about the reports being emailed, we recommend upgrading to TPP 19.2 or higher.
Q: Is Internet access from the Trust Protection Platform host to the Venafi site required?
A: No, the telemetry is gathered from the web browser of the users leveraging WebAdmin and Aperture (similar to how Google Analytics runs, if you are familiar with that product) and is sent encrypted over TLS 1.2 to venafi.com from the desktops and laptops of users.
In older versions of TPP, the data was sent via email using the email settings in the reporting module of TPP, but these emails are no longer necessary.
Q: What specific telemetry is gathered about users' behavior in WebAdmin and Aperture?
A: The telemetry feature collects the URL of the page visited and information about where on a page a user clicks. The telemetry feature does not collect any user-entered text or information within form fields in your application. The names of fields, buttons, and other elements within the page are captured along with the application data, which makes for easier tracking, but no user-supplied information is included.
Q: What configuration do I need to enable data upload?
A: As of 19.2, no configuration is necessary.
Q: Does Venafi have a Data Privacy Policy?
A: Yes, it is available here. Authentication is required.
Sample Usage Report
More details on the usage report are available.
Applies To:
19.1 and forward
Summary:
When attempting to connect to the WebSDK site (e.g. https://localhost/vedsdk) you may encounter an error on the Swagger page that reads:
Failed to load API definitions
Errors: Fetch error
Not Found /vedsdk/docs/swagger.yaml
Cause:
This is caused by a new method of presenting the VEDSDK docs in 19.1 where there is also an option to test and experiment with code from within the web page.
This page uses CORS to include content from another location, not just the default location.
If a proxy server or other device does not support CORS, this page will fail to load.
Resolution:
Connecting directly to the TPP site (bypassing proxy servers) generally works because most browsers support CORS natively. For example, test this from the TPP server itself using localhost to see whether the problem still persists.
Optimally, correcting the proxy servers to support CORS is the ideal fix. To determine how to correct the proxy server, please contact the proxy vendor.
Summary:
This article shows how to enable or disable debug logging on your Venafi Trust Protection Platform server. These steps need to be run on each server that the Venafi Trust Protection Platform software is installed on.
NOTE: Enabling debug logging increases the amount of data written to the log table in the database. Venafi recommends enabling debug logging only as needed to troubleshoot an issue, then resetting it to its original state.
More Information:
Trust Protection Platform 14.x and newer:
To enable debug logging:
Open WebAdmin
Go to the Platform Tree
Click on your Server object that you want to enable debugging on
Check the Log Debug box
See also: How to: Export Events
To disable debug logging:
Open WebAdmin
Go to the Platform Tree
Click on your Server object that you want to disable debugging on
Uncheck the Log Debug box
Give the change 5 minutes to take effect
Director versions 6.1.1 to Director 11:
To enable debug logging:
Open WinAdmin
Go to the Platform Tree
Click on your Server object that you want to enable debugging on
Check the Log Debug box
Restart Services
To disable debug logging:
Open WinAdmin
Go to the Platform Tree
Click on your Server object that you want to disable debugging on
Uncheck the Log Debug box
Give the change 5 minutes to take effect
Director versions 6.1.0 and older:
To enable debug logging:
Create a DWORD value named LogDebug in the registry under HKLM/Software/Venafi/Platform
Set the value to 1
Restart the Venafi Encryption Director and Venafi Log Server services.
To disable debug logging:
Set the value of the LogDebug entry to 0
Restart the Venafi Encryption Director and Venafi Log Server services.
Related Articles:
How to: View Events
How to: Filter Events
This KB article has moved and is available here: https://support.venafi.com/hc/en-us/articles/115004062728
About
This article covers how to obtain and extract a network capture and how to look for some basic settings for at-a-glance troubleshooting. More in-depth testing is covered in another article, found here:
- Reference url to the furthering handshake troubleshooting
Venafi Filters
ip.addr==IP address - Will find IP's listed in either Source or Destination column
ip.src==Source IP - Requests coming from this IP address will be displayed
ip.dst==Destination IP - Requests going to this IP address will be displayed
tcp.port==443 - Filter traffic to one port
Operators to use with Venafi
&& - And (Port==443 and (&&) IP address==192.168.1.1)
|| - OR (Port==443 and (&&) Ip address==192.168.1.1 or (||) IP address==192.168.1.2)
== - Equals (Port==443)
There are many more operators; these are the ones usually used when troubleshooting Venafi.
Examples (in these examples I use some IPs to show you the syntax; make sure you put your own in):
tcp.port==443 && ip.addr==192.168.0.1
ip.src==192.168.132.151 && ip.dst==192.168.132.1
In the examples above you can filter the output to a conversation between two servers, or get all of the traffic on a port for a specific IP address. The filters can be continued beyond this point for further
Areas to look for useful data
Client Hello:
-Secure Socket Layer
-Record Layer
-Version
--Handshake Protocol
--Cipher Suites
--Extensions: Server Name
--Server Name Indication Extensions
---Server Name
Server Hello:
-Secure Socket Layer
-Record Layer
-Version
--Handshake Protocol: Server Hello
--Cipher Suites
--Handshake Protocol: Certificate
---Certificate (Common name here)
Troubleshooting a Protocol related handshake failure can be done by comparing the list of Ciphers in the Cipher suite.
Look in the Client Hello cipher suite
Look in the Server Hello cipher suite
If there is not a common cipher between the two lists, a handshake error will occur
If it fails it will end the connection shortly after
Because of this it will be a shorter range of packets to look through. Look below for instructions on how to "Follow TCP Stream"
Extracting certificates
Follow Server Hello (Wireshark Section (B.) to Certificate (Common name here))
Right click Certificate
Click "Export Selected Packet Bytes"
Save the file as "Certificate.der" or any filename with .der
You will have the certificate and the chain in the file
Opening the certificate and going to Details, all certificate details are available
Follow TCP Stream
Once you find a Client Hello right click a TCP packet
Select the Option for "Follow TCP Stream"
The filter will change to match the Stream identifier
Exporting the pcap capture file
After running the capture click the file menu option
Select Save As
Once the file is saved, it can be opened and viewed using the Wireshark interface
Symptom:
SCEP requests to Venafi are failing. The Default SQL Channel logs show the following:
Network Device Enrollment - Failed to parse CSR
Failed to extract the subject from the received CSR
Network Device Enrollment - Failed to unwrap inner PKCS7
Failed to properly decode the inner PKCS#7 envelope in the received SCEP data
Cause:
1. Typically this is caused by the payload sent to Venafi SCEP being encrypted to the wrong certificate, i.e. one other than the certificate configured in the RA Certificate settings in Venafi.
2. This may also be caused by the Key Usage being set to "Digital Signature" only.
Resolution:
Item 1 Resolution:
Ensure that the certificate settings on the system sending the SCEP request matches those configured in the RA settings within Venafi (see graphic below).
Item 2 Resolution:
Modify the Key Usage to "Digital Signature, Key Encipherment" and try again.
More info:
Example on how to configure Venafi SCEP:
https://support.venafi.com/hc/en-us/articles/215914547
How to determine what cert is being used in the request:
(NOTE: This will only work if the payload plus IIS log data is less than 4096 bytes, which is the maximum length for a single IIS log entry. Otherwise, the payload will be truncated.)
1. Extract the payload from the IIS logs.
2. Use the following PowerShell script to decode the URL-encoded payload and write it out as a PKCS#7 file:
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null   # provides [System.Web.HttpUtility]
$encode = 'MIAGCSq...AAAA'                              # URL-encoded base64 payload copied from the IIS log entry
$b64 = [System.Web.HttpUtility]::UrlDecode($encode)     # undo the URL encoding to get plain base64
$filename = 'C:\temp\filetolookat.p7b'
$bytes = [Convert]::FromBase64String($b64)              # base64 -> raw DER bytes of the PKCS#7 envelope
[IO.File]::WriteAllBytes($filename, $bytes)
3. View the file with the certutil command:
certutil.exe -dump $filename
Find the "Recipient Info" section:
Recipient Info[0]:
    CMSG_KEY_TRANS_RECIPIENT(1)
    CERT_ID_ISSUER_SERIAL_NUMBER(1)
    Serial Number: 187fdfgg2
    Issuer: CN=Venafi Root CA
Compare the Serial Number of the certificate used to encrypt the payload to what is configured in Venafi SCEP RA settings: