Venafi Platform 19.4: What’s New

The Venafi Platform has been updated to version 19.4.


The 19.4 release includes improvements and upgrades to existing products supported by the platform: TLS, SSH Protect, Enterprise Mobility Protect, and Next-Gen Code Signing. A notable update is dynamic Active Directory integration which should ease administration of the Venafi Platform for many customers. 

A few of the 19.4 release highlights are listed below. For a link to the full release notes in the Knowledge Base, go here. Venafi version 19.4 was made available to all customers on December 2, 2019.

SSL/TLS and Venafi Platform

1.    Dynamic Active Directory Integration

What Problem Does it Solve? 
In recent years, Active Directory implementations have changed from being mainly static to being increasingly dynamic, where Domain Controllers and Global Catalogs change frequently. The Venafi Platform now automatically identifies Active Directory servers to connect to rather than rely on an administrator specifying that information from a configuration console. 

How Does It Work? 
With the 19.4 release, Domain Controllers and Global Catalog servers are discovered and used dynamically on a per Venafi Platform server basis. Users no longer need to specify these in the Active Directory connector configuration.

What’s the Benefit? 
Easier administration of the Venafi Platform as Active Directory integration is now automatically responsive in dynamic Active Directory environments. This also eliminates unplanned downtime of Trust Protection Platform caused by frequent Active Directory updates. 
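The following is an added example, not Venafi's implementation, of what "discovering Domain Controllers dynamically" can look like in practice. It assumes the standard Active Directory convention of publishing controllers as DNS SRV records under `_ldap._tcp.dc._msdcs.<domain>` and Global Catalogs under `_gc._tcp.<forest>`, orders the answers by RFC 2782 priority and weight, and falls back to the next server when one does not respond. The SRV answers and the reachability check are constructed so the code runs offline; a real locator would query DNS and attempt an LDAP bind.

```python
"""Locate Domain Controllers and Global Catalogs from DNS SRV records.

Added example (not Venafi's code). Assumes the Windows DC-locator SRV naming
convention; the answers below are constructed, not captured from a real zone.
"""
import random
from collections import defaultdict

# Constructed SRV answers in zone-file form (the shape `dig SRV` prints).
# dc1/dc2 share priority 0; dc-dr is a lower-preference (priority 10) fallback.
CONSTRUCTED_SRV_ANSWERS = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 50 389 dc-dr.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc2.corp.example.
"""


def parse_srv_answers(text):
    """Parse zone-file SRV lines into {owner: [(priority, weight, port, target)]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue  # skip anything that is not a well-formed SRV answer
        owner = fields[0].rstrip(".").lower()
        priority, weight, port = int(fields[4]), int(fields[5]), int(fields[6])
        target = fields[7].rstrip(".").lower()
        records[owner].append((priority, weight, port, target))
    return dict(records)


def order_srv_records(records, rng=None):
    """Order per RFC 2782: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = pool[0]  # all weights zero: take them in answer order
            else:
                point = rng.randint(0, total)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if acc >= point:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def select_reachable(ordered, is_reachable):
    """Return the first (host, port) that answers, or None if none do."""
    for _, _, port, target in ordered:
        if is_reachable(target, port):
            return target, port
    return None


def locate_domain_controller(srv_text, domain, is_reachable, rng=None):
    """Pick a live DC for `domain` from the _ldap._tcp.dc._msdcs SRV set."""
    records = parse_srv_answers(srv_text)
    owner = f"_ldap._tcp.dc._msdcs.{domain}".lower()
    return select_reachable(order_srv_records(records.get(owner, []), rng), is_reachable)


def locate_global_catalog(srv_text, forest, is_reachable, rng=None):
    """Pick a live Global Catalog for `forest` from the _gc._tcp SRV set."""
    records = parse_srv_answers(srv_text)
    owner = f"_gc._tcp.{forest}".lower()
    return select_reachable(order_srv_records(records.get(owner, []), rng), is_reachable)


if __name__ == "__main__":
    # Constructed outage: both priority-0 controllers are down, so the
    # locator falls through to the priority-10 fallback without any config edit.
    down = {"dc1.corp.example", "dc2.corp.example"}
    print(locate_domain_controller(CONSTRUCTED_SRV_ANSWERS, "corp.example",
                                   lambda host, port: host not in down))
```

The point of the example is that no server list lives in configuration: when a controller is decommissioned or a new one is promoted, the SRV set changes and the next lookup follows it.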

2.    Onboarding Teams Using Local Groups

What Problem Does It Solve?
Many Venafi customers have hundreds or thousands of teams that could benefit from using the Venafi Platform to protect machine identities. However, many have not fully onboarded them because of coordination required with their Identity Management organization to have each team represented by a group in Active Directory or LDAP. 

How Does It Work? 
This new feature enables Venafi Platform administrators to create a local group that contains AD or LDAP users, eliminating the need for a request to the Identity Management team. 

What’s the Benefit? 
Streamlines the onboarding process and makes it faster and easier to add new teams to the Venafi Platform. 

3.    HSM One-to-Many

What Problem Does It Solve? 
Customers using nCipher HSM currently face an architectural challenge. nCipher requires that for systems using the same certificate, each have a copy of the files representing the HSM-protected private key (application key token). While you can manually distribute these files or create custom scripts, many customers would like to automate this process. 

How Does It Work? 
Venafi TPP uses one of the Apache servers connected to the HSM to generate the private key, then exports the files representing the private key and stores them in the Venafi database. For the remaining servers that need the same certificate, the platform provisions the same key files along with the certificate.

What’s the Benefit? 
This new feature allows the same certificate to be automatically installed on multiple Apache servers that are using an nCipher HSM to protect their private key.

4.    Updated Entrust Driver

What Problem Does This Solve? 
Entrust has recently moved from a SOAP-based API to a REST-based API. Some Venafi customers have received deprecation notices from Entrust about their continued use of the SOAP-based API. 

How Does It Work? 
Venafi TLS now uses only the REST-based API when interfacing with Entrust Certificate Services. The Entrust driver has also added support for enrolling code signing certificates using Venafi Next-Gen Code Signing. 

What’s the Benefit? 
Customers use the API supported by Entrust. 

5.    Delete Network Discovery Jobs by API

What Problem Does It Solve? 
There has never been a supported way to programmatically delete Network Discovery jobs. Existing WebSDK methods cannot remove job results data from the database. Over time, this orphaned data can lead to performance degradation and other operational problems with the platform.  For customers that are programmatically creating network discovery jobs, a supported method is required for deleting those jobs when no longer needed. 

How Does It Work? 
The 19.4 release includes a WebSDK method specifically for deleting Network Discovery jobs. 

What’s the Benefit? 
Customers can now properly and completely delete Network Discovery jobs. 

6.    Skip Emailing Reports with No Data

What Problem Does It Solve? 
For scheduled/recurring reports, sometimes the filters set for the report result in a report with no data. While some customers might want to see a report with no data for the positive confirmation (as opposed to the absence of a report), others would like to not receive reports with no data. 

How Does it Work? 
In 19.4, there is a new checkbox in Custom Report configuration. When checked, Venafi Trust Protection Platform will not send the report if there is no data in it. 

What’s the Benefit? 
Customers have more control over report sharing in their organization. 

7.    VCert SDK Ruby Native Language Binding

What Problem Does It Solve? 
Customers integrating the Venafi Trust Protection Platform into Ruby environments had to use the Venafi REST API which increased complexity, rather than using a software development kit (SDK). 

How Does it Work? 
Venafi VCert SDK native language bindings abstract and simplify the Venafi REST API for certificate enrollment. The VCert SDK supported Go, Python and Java and now also supports Ruby (download from RubyGems). 

What’s the Benefit? 
The Venafi Trust Protection Platform certificate capabilities can now be easily included within DevOps applications where Ruby is used without the need to code against the Venafi REST API. 

For a link to the full release notes in the Knowledge Base, go here

SSH Protect

1.    CyberArk Application Access Manager (AAM) Integration

What Problem Does It Solve? 
When discovering SSH hosts and their access keys, Venafi SSH Protect requires access to a privileged account which can be both time consuming to provision and impose new risks when duplicating credentials. 

How Does It Work? 
The integration with CyberArk Application Access Manager (AAM) allows Venafi SSH Protect to leverage host credentials stored in CyberArk Enterprise Password Vault (EPV) and discover SSH hosts without configuring target host credentials. 

What’s the Benefit? 
This integration shortens time to value for Venafi SSH Protect by removing the need to configure privileged credentials. (Credentials remain in CyberArk EPV.)

2.    Real Time Event Notification for sshd_config Changes

What Problem Does It Solve? 
Privileged changes to remote access setup (i.e., sshd_config) carry a high threat risk. Without notification, risk or security operations teams have no visibility into the full scope of activity behind these changes.

How Does it Work? 
The “sshd_config notification” warns security operations teams immediately when changes are detected by Venafi SSH agent or agentless scans. 

What’s the Benefit? 
This event can be fed to SIEM and alerting systems, giving security operations teams the opportunity to review and correlate the change event for potential malicious change config activity. 
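As an added example (not the Venafi agent's code), here is the core of an sshd_config change detector of the kind described above: it parses a stored baseline and the current file, reports every directive whose value changed, and packages the result as a JSON event suitable for a SIEM, rated "high" when a directive that governs who can log in (PermitRootLogin, PasswordAuthentication, AuthorizedKeysFile and similar) was touched. Both config snapshots below are constructed; the set of high-risk directives is this example's own choice, not a Venafi list.

```python
"""Detect and report sshd_config drift as SIEM-ready JSON events.

Added example, not Venafi's agent code. It assumes a baseline snapshot of
sshd_config captured at an earlier scan; both snapshots here are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed baseline captured at an earlier scan.
BASELINE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
"""

# Constructed current file: root login and password auth re-enabled,
# and a second AuthorizedKeysFile path appended.
CURRENT_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes   # changed
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/extra_keys
MaxAuthTries 3
"""

# Directives whose change controls who can authenticate; this example's own
# selection, used to raise severity to "high".
HIGH_RISK_DIRECTIVES = {
    "permitrootlogin", "passwordauthentication", "permitemptypasswords",
    "pubkeyauthentication", "authorizedkeysfile", "authorizedkeyscommand",
    "trustedusercakeys", "authorizedprincipalsfile",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}.

    sshd keywords are case-insensitive; comments and blank lines are ignored;
    both 'Key value' and 'Key=value' forms are accepted. Match blocks are
    flattened into the same dictionary (a simplification of this example).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        directives[key.lower()] = value.strip()
    return directives


def diff_sshd_config(baseline_text, current_text):
    """Return sorted (directive, old_value, new_value) tuples for every change;
    a value of None means the directive is absent on that side."""
    old, new = parse_sshd_config(baseline_text), parse_sshd_config(current_text)
    return [(key, old.get(key), new.get(key))
            for key in sorted(old.keys() | new.keys())
            if old.get(key) != new.get(key)]


def build_event(host, baseline_text, current_text):
    """Build a SIEM-style event dict for `host`; None when nothing changed."""
    changes = diff_sshd_config(baseline_text, current_text)
    if not changes:
        return None
    touched_high_risk = any(key in HIGH_RISK_DIRECTIVES for key, _, _ in changes)
    return {
        "event_type": "sshd_config_change",
        "host": host,
        "detected_at": datetime.now(timezone.utc).isoformat(),
        "severity": "high" if touched_high_risk else "medium",
        "sha256_before": hashlib.sha256(baseline_text.encode()).hexdigest(),
        "sha256_after": hashlib.sha256(current_text.encode()).hexdigest(),
        "changes": [{"directive": k, "old": o, "new": n} for k, o, n in changes],
    }


if __name__ == "__main__":
    event = build_event("build-host-01", BASELINE_SSHD_CONFIG, CURRENT_SSHD_CONFIG)
    print(json.dumps(event, indent=2))  # one JSON document per event for the SIEM
```

Emitting the per-directive diff rather than only "file hash changed" is what lets an analyst correlate the event with a change ticket or a privileged session without fetching the file from the host.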

3.    Ability to Deny Multiple Authentication Failures

What Problem Does It Solve? 
When Venafi SSH Protect is provisioned with incorrect host credentials, multiple authentication failure events will be generated. These events can result in unnecessary workloads for security operations teams. 

How Does it Work? 
Users can now limit the number of authentication attempts. 

What’s the Benefit? 
This option reduces security operations workloads or potential threat management actions caused by SSH scan related authentication failures. 

4.    Enforce Policies to “Keyset as an Object”

What Problem Does It Solve? 
To act quickly and accurately, SSH keysets may need remediation based on unique enterprise context (related client, host, account, group). This requires focused workflow whereby the entire keyset is treated as an object that can be tagged with specific remediation policies. 

How Does it Work? 
By attaching a policy to a “keyset as an object”, all related keysets will inherit the policies and in-depth remediation can be enforced. Also, individual users (like SecOps members) do not have limited rights to change remediation policies applied to “keysets as an object”. 

What’s the Benefit? 
This approach helps in streamlining policy remediation process using highly focused automation workflow. 

5.    Device Inventory Searching by Status and Policy Filters

What Problem Does It Solve? 
When millions of keys are loaded in the SSH Protect inventory, security operations users need to be able to quickly and easily filter individual devices or groups of devices.

How Does it Work? 
The SSH Protect user interface has been expanded with a new status filter and filter folders.

What’s the Benefit? 
The status filter and filter folder structure allow users to locate SSH hosts and their related keysets quickly and effectively.

6.    Enhanced Scalability via Improved SQL Performance

What Problem Does It Solve? 
In extremely large environments, the Venafi Trust Protection Platform and SSH Protect database can suffer performance degradation, resulting in slower automation jobs.

How Does it Work? 
SSH Protect has been upgraded with several SQL updates to increase the query performance. 

What’s the Benefit? 
The SQL performance improvement allows users to scale SSH Protect and support very large enterprise environments.

For a link to the full release notes in the Knowledge Base, go here

Enterprise Mobility Protect (EMP)

1.    For Microsoft Intune, Added Certificate Client Authentication and Performance Improvements.

Shifting from client secret (or password), Venafi Trust Protection Platform can now use certificates to authenticate its requests to Microsoft Intune. 

What Problem Does it Solve? 
For the Venafi Platform to request validation of an endpoint’s password through Microsoft Intune, it needs to first authenticate with Intune. Prior to this latest release, a client secret had to be used by the platform to perform its authentication with Intune. Using a client secret is less optimal than using a certificate: it is not as secure, and the validation process with Intune can be less efficient when provisioning user and client device certificates (S/MIME, VPN, NAC, etc.).

How Does it Work? 
The process for the Venafi Platform to perform validation when provisioning user and device certificates through Intune remains unchanged. To perform this, the platform needs to first authenticate with Intune – this release enables a certificate to be used instead of a client secret. 

What’s the Benefit? 
Using a certificate when the Venafi Platform authenticates with Intune enables asymmetric cryptography, strengthening the security over using a client secret. In addition, performance is optimized resulting in endpoints receiving certificate requests five times faster using SCEP protocol. 

For a link to the full release notes in the Knowledge Base, go here

Next-Gen Code Signing

1.    PKCS#11 Support

What Problem Does it Solve? 
Most enterprises build software on a variety of operating systems like Windows, Linux, and macOS using a variety of software packaging methods (e.g. .jar, .rpm, .gz), a variety of software development tools, and a variety of code signing utilities (e.g. pkcs11-tool, jarsigner, OpenSSL, osslsigncode, GPG, debsign, rpm, apksigner, etc.). Providing the same level of code signing process security across these complex, heterogeneous environments can be extremely difficult for PKI and InfoSec teams.

How Does it Work? 
Venafi Next-Gen Code Signing implements PKCS#11, enabling a variety of native code signing utilities to integrate directly with Venafi Next-Gen Code Signing. 

What is the Benefit? 
There are benefits to the people who are responsible for signing code, to the PKI team, to auditors, and to InfoSec. First, those signing code continue to use the same code signing tools that they have always used. This level of transparency does not require them to change their automated build scripts or know where the actual private code signing keys are stored or how to access them. For the PKI team, issuing code signing certificates in these complex, heterogeneous environments becomes as simple as supporting a single environment. For the InfoSec team, there is assurance that all private keys, no matter what development environment is used, are securely stored and that the process for accessing them is clearly defined and enforced. Auditors can view all code signing activities, key usage, and approvals from a single place even in complex, heterogeneous development environments.

2.    Importing Code Signing Keys & Certificates

What Problem Does It Solve? 
Just as software development environments are complex for an enterprise, code signing certificates may have been issued by a variety of Certificate Authorities, over a period of time, and stored in many different locations (such as a variety of HSMs, build servers, or developer computers). This causes private key sprawl and limits the visibility of code signing credentials for the InfoSec team, creating an insecure code signing environment. 

How Does it Work? 
Venafi Next-Gen Code Signing integrates with HSMs where existing private code signing keys are stored. In addition, existing p12/pfx key/certificates can be uploaded into Next-Gen Code Signing. 

What’s the Benefit? 
This capability helps on-board new Venafi Next-Gen Code Signing customers more quickly because they can now easily import and/or utilize existing code signing credentials. By bringing these credentials into the Venafi Trust Protection Platform, companies reduce private key sprawl, improve code signing security, and provide full centralized visibility to the InfoSec teams. 

3.    Restricting Environment Usage to Selective Groups

What Problem Does It Solve? 
PKI administrators can define code signing project templates (environments) that define aspects like which certificate authority to use and which certificates are available for use. In previous versions of NGCS, these environments were visible to all groups using NGCS and there was no way to restrict the usage to a selective group. 

How Does it Work? 
PKI administrators can now specify which group(s) are authorized to access specific NGCS environments. 

What’s the Benefit? 
This gives the code signing administrator additional control around who can use a particular public Certificate Authority. In addition, it increases security of the code signing process by restricting environment usage for specific projects only. 

For a link to the full release notes in the Knowledge Base, go here.
