
Venafi Platform 20.1: What’s New


The Venafi Platform was updated to version 20.1 on March 31, 2020. 

The 20.1 release includes improvements and upgrades to existing products supported by the platform: TLS, SSH Protect, Enterprise Mobility Protect, and Next-Gen Code Signing. A notable update is rolling upgrades for quarterly releases, which will allow customers to keep the Venafi Platform online as they perform an upgrade.  

While not part of the 20.1 release, Venafi recently received Common Criteria Certification for the 19.2 platform release. As in the past, Venafi will continue to certify every year. 

A few highlights from the Venafi 20.1 release are listed below. For the complete release notes, log in to http://docs.venafi.com.

Venafi will host a live webinar on April 28, 2020 to discuss several of the 20.1 updates. Registration is now open.

Trust Protection Platform Updates


1.    Rolling Upgrades for Quarterly Releases


What Problem Does it Solve?
For many customers, availability of the Venafi Trust Protection Platform is critical to their ongoing operations, especially customers leveraging the platform for DevOps or in enterprise application build pipelines. But having to take the Venafi Platform offline to perform a quarterly update has a negative impact and makes performing regular upgrades a challenge. 

How Does It Work?
Instead of taking everything down to perform an upgrade, with the help of load balancers, customers can take select Venafi servers offline during an upgrade while keeping the cluster online for critical processes, like requesting new TLS certificates over REST API. Also available is a new page that shows the progress of all upgrade tasks. Find this new page by clicking the "A" for Aperture at the top right of the screen, then click the "Upgrade Status" menu item in the left column.

What’s the Benefit?

High Availability – Customers can continuously leverage the Venafi Platform in their DevOps and enterprise build pipeline as upgrades are occurring. 



2.    Console Switcher


What Problem Does It Solve?
While Venafi is working to converge capabilities into a single UI, today Venafi users need to work with separate WebAdmin and Aperture consoles and need to re-authenticate whenever they switch between them. This takes time and can become annoying if users need to frequently move back and forth to access different capabilities.

How Does It Work?
There is a new dropdown in 20.1, available to users with a Master Admin role, that makes it easy to switch between Aperture and WebAdmin. Users can also switch modes without having to re-authenticate separately for each console.

What’s the Benefit?

Ease-of-Use – It is now faster and easier to move between consoles when needed. 


3.    REST API User Access Control


What Problem Does It Solve?
Prior to the 20.1 release, REST API users could execute any API method. Venafi administrators want to be able to limit user access to specific API methods and have visibility into the API methods that applications are using.

How Does It Work?
Venafi administrators can now use token authentication to the REST API to grant each caller scopes and restrictions limited to the subset of API methods it actually needs. Token authentication also provides greater visibility into which systems are integrating with the Venafi Platform.

What’s the Benefit?

Visibility and Automation – By allowing only enough API access to perform a required job, administrators get more control over API use and avoid needless exposure of all API methods to all API users.


4.    Common Criteria Certification and Section 508 Progress

In addition to the new capabilities available in 20.1, the Venafi Platform was also recently re-certified as Common Criteria Compliant (for the Venafi Platform 19.2 release) by the National Information Assurance Partnership (NIAP). Venafi has also made progress on Section 508 Compliance for the Venafi Platform. Section 508 is a United States federal law that mandates information technology used by the federal government be accessible to people with disabilities.

SSL/TLS


1.    Team Onboarding Automation


What Problem Does It Solve?
Many Venafi customers have hundreds or thousands of teams that could benefit from using the Venafi Platform. However, many have not fully onboarded them because of the steps needed to discover teams and their machine identity use cases, then create the folders, policies and permissions infrastructure needed for teams to make certificate and key requests.

How Does It Work?
In the 20.1 release, when Venafi administrators create a new local team for onboarding, the same actions they perform for onboarding every team member can be automated. Creating folders, setting permissions, and setting policy are all supported.

What’s the Benefit?

Automation – It is now faster and easier to onboard teams to the Venafi TLS and SSH products by automating steps that Venafi administrators have previously had to do manually. 

2.    HashiCorp Vault PKI Integration


What Problem Does It Solve?
Venafi Platform customers using HashiCorp Vault want to automate the creation of HashiCorp Vault intermediate CAs that chain up to enterprise trust anchors and centrally enforce certificate policy.

How Does it Work?
Using the REST API, the 20.1 release includes new HashiCorp Vault PKI integration for automating the enrollment and provisioning of subordinate CA certificates to Vault PKI paths as well as Vault PKI roles. This integration streamlines Vault deployments, automates subordinate CA certificate renewal and syncs authoritative Venafi policy with Vault PKI roles.

What’s the Benefit?

Automation – This new integration makes it easy to use a DevOps-friendly process to get an intermediate CA that chains up to corporate PKI root certificates and meets corporate policy.

3.    Adaptable CA Driver Enhancement


What Problem Does It Solve?
Customers and Venafi Technology partners using the Adaptable CA driver find it cumbersome to hard code the network address and profile options in their Adaptable CA script.

How Does it Work?
The Adaptable CA driver is enhanced in 20.1 with standard fields that can be used to specify a service address and profile string. Customers and partners can use these fields to configure their CA settings using a Venafi console or API.

What’s the Benefit?

Integration – It is now easier for customers and partners to work with the Adaptable CA driver.

4.    CAPI Trust Store Enhancement


What Problem Does It Solve?
Prior to the 20.1 release, the CAPI Trust Store driver could only write certificates to the Trusted Root CAPI store. Beginning with the 20.1 release, customers can choose the destination store: Trusted Root, Trusted People or Trusted Devices.

How Does it Work?
The CAPI Trust Store driver now includes an additional drop-down through which users can select the destination CAPI store. 

What’s the Benefit?

Integration – Customers can now select which is the destination CAPI store for the CAPI Trust Store certificates.

DevOps


1.    VCert Client SDK and CLI – Custom Field Support


What Problem Does It Solve?
Application developers want to be able to easily provide Custom Field data programmatically (e.g., a department identifier or cost center number) when requesting certificates using Venafi DevOps integrations.

How Does It Work?
The 20.1 release includes custom field support for VCert client SDK and CLI. Customers can have their DevOps software specify custom field metadata that is important but unique to their environment when requesting certificates. 

What’s the Benefit?

Automation – Easier and deeper integration of Venafi with DevOps practices and tools.

2.    VCert Client SDK and CLI – Certificate Installation Tracking


What Problem Does It Solve?
Application developers want to be able to provide certificate installation details programmatically (e.g., where certificates are installed and what enterprise applications are using them) when requesting certificates using Venafi DevOps integrations.

How Does it Work?
The 20.1 release includes certificate installation tracking support for VCert client SDK and CLI. Customers can have their DevOps software specify installation data that is important but unique to their environment when requesting certificates.

What’s the Benefit?

Reduce Outage Risk – Delivers visibility and intelligence into where certificates are installed, if they can be validated, and where they are used by applications.

SSH Protect


1.    NIST 800-53r4 Based Reporting


What Problem Does It Solve?
Many risk and security teams struggle when it comes to compliance reporting or preparing for an audit. Mapping controls to functional capabilities requires both deep technical and regulatory expertise.

How Does It Work?
Compliance regulations like SOX 404, HIPAA, GLBA or PCI often rely on the NIST 800-53r4 control framework as a baseline. By using the Aperture NIST Control filter, users can find and report on key sets by NIST Control Number.

What’s the Benefit?

Reduce Audit Failures – This new feature enables users to quickly pass their compliance and audit needs by applying NIST-based intelligence to the existing Venafi Platform key set inventory.

2.    CyberArk SCIM Integration


What Problem Does It Solve?
PAM tools help organizations provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring all aspects of privileged accounts and access including SSH keys. However, provisioning manually generated admin SSH keys in the CyberArk PAM platform may require time and effort, especially when dealing with rapidly changing IT infrastructures.

How Does it Work?
The Venafi CyberArk SCIM integration now enables automated onboarding of SSH private keys discovered by SSH Protect in user home directories from Venafi into the CyberArk Vault.

What’s the Benefit?

Ease-of-Use – CyberArk users can now centrally manage admin-owned private SSH keys, whether used by interactive or service accounts, from the CyberArk Vault.

3.    Token-Based API Authentication


What Problem Does It Solve?
APIs are necessary for integrating, automating and managing SSH keys through their lifecycle. However, just like interactive sessions, regular API sessions require authentication and re-authentication, which can be hard to configure at the remote connected services.

How Does it Work?
The new API token acts like an electronic key that lets an integration access the API. The Venafi Platform also determines which resources the API integration has access to.

What’s the Benefit?

Automation – The new token-based API integration simplifies configuration of scripting, leading to improved ROI from API-based automation efforts. It also reduces the impact on platform performance, since continuous re-authentication can substantially increase system load. Administrators can also use token-based API integration to limit the capabilities and permissions of each individual integration.
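The scope-restricted token flow described here, and under "REST API User Access Control" above, is worth seeing in code. The following is an added example, not Venafi's own code or SDK: it models the scope grammar that Trust Protection Platform token authentication uses (resources separated by ";", each optionally followed by ":" and a comma-separated action list, as in "certificate:manage,revoke;configuration"), builds the JSON body for the token-issuing call, and derives the narrowest scope an integration needs. The host name, client_id and account names are placeholders, and the rule that naming a resource implies read access is an assumption stated in the code.

```python
"""Least-privilege token authentication for the Venafi Platform REST API.

Added example, not Venafi's code. It models the TPP token-auth scope grammar,
builds the body for POST /vedauth/authorize/oauth, and derives the smallest
scope an integration needs. client_id, user and host names are placeholders.
"""
import json
from typing import Dict, Set

# Assumption in this example: listing a resource with no actions grants read
# only, and read is implied whenever any action on that resource is granted.
IMPLIED_ACTION = "read"
TOKEN_ENDPOINT = "/vedauth/authorize/oauth"   # TPP token-issuing endpoint


def parse_scope(scope: str) -> Dict[str, Set[str]]:
    """Turn a scope string into {resource: {actions}}, with read implied."""
    grants: Dict[str, Set[str]] = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue
        resource, _, action_list = part.partition(":")
        actions = {a.strip() for a in action_list.split(",") if a.strip()}
        actions.add(IMPLIED_ACTION)
        grants.setdefault(resource.strip(), set()).update(actions)
    return grants


def is_permitted(scope: str, resource: str, action: str) -> bool:
    """Would a token issued with `scope` be allowed `action` on `resource`?"""
    return action in parse_scope(scope).get(resource, set())


def minimal_scope(needed: Dict[str, Set[str]]) -> str:
    """Build the narrowest scope string covering exactly the actions needed.

    Read-only needs are expressed by naming the resource alone. Output is
    sorted so identical needs always yield the same string, which makes it
    easy to diff against the scope an integration was actually granted.
    """
    parts = []
    for resource in sorted(needed):
        actions = sorted(a for a in needed[resource] if a != IMPLIED_ACTION)
        parts.append(f"{resource}:{','.join(actions)}" if actions else resource)
    return ";".join(parts)


def build_token_request(client_id: str, username: str, password: str, scope: str) -> str:
    """JSON body for POST https://<tpp-host>/vedauth/authorize/oauth.

    client_id names an API integration registered in TPP; the scope requested
    is expected to be no wider than what that integration was configured for.
    """
    return json.dumps({"client_id": client_id, "username": username,
                       "password": password, "scope": scope})


def bearer_header(access_token: str) -> Dict[str, str]:
    """Header sent on subsequent /vedsdk calls instead of a username/password."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # A CI job that only enrolls and renews certificates: manage, nothing more.
    needs = {"certificate": {"manage"}}
    scope = minimal_scope(needs)                     # certificate:manage
    body = build_token_request("ci-pipeline", "svc-ci", "<password>", scope)
    print("POST", TOKEN_ENDPOINT, body)
    print("revoke permitted?", is_permitted(scope, "certificate", "revoke"))  # False
    print("read permitted?", is_permitted(scope, "certificate", "read"))      # True
```

The point of `minimal_scope` is the audit check it enables: compute the scope each integration should have from the API calls it makes, then compare it with the scope it was actually issued; any extra action is needless exposure.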

4.    Ed25519 Support for PuTTY Keys


What Problem Does It Solve?
SSH sessions and the critical information they transport are a standing target for adversaries, and growing computational power keeps eroding the margin offered by older, shorter keys. Policy and compliance mandates also set new guidelines on key sizes and may require the Ed25519 key algorithm.

How Does it Work?
Venafi SSH Protect 20.1 now supports Ed25519 keys for PuTTY clients.

What’s the Benefit?

Automation – Standardize the use of Ed25519 across all enterprise entities and protect critical sessions.

Enterprise Mobility Protect (EMP)

Certificate Lifecycle Management for Endpoints

1.    Support of Enrollment over Secure Transport (EST) protocol


What Problem Does It Solve?
EST is an IETF standard (see RFC 7030) that is being adopted, especially for IoT and network devices, because it is considered more functional and secure than SCEP.

How Does It Work?
The Venafi Platform can be configured to handle certificate requests on behalf of the CA from various devices such as routers, switches and Wi-Fi access points over the EST protocol. Venafi Administrators can group devices that need the same type of certificate based on network attributes like IP or hostname or certificate request attributes like Common Name or Organization.

What’s the Benefit?

Visibility and Intelligence – EST support applies organizational PKI policy to device enrollments and lets Venafi Administrators report on which devices have requested certificates, by details such as IP address or Common Name.

Next-Gen Code Signing (NGCS)


1.    New NGCS Admin API


What Problem Does It Solve?
Customers who rely on automated build scripts to automate code signing configuration, such as in DevOps or when accessing a proprietary code signing tool, need a robust API.

How Does It Work?
A new API enables customers to be able to automate code signing system configuration and provisioning especially in ephemeral environments.

What’s the Benefit?

Automation – Flexible automation for creating and changing code signing projects, environments and configuration.

2.    Support for Elliptic Curve Cryptography (ECC)


What Problem Does It Solve?
Customers want faster code signing algorithms without sacrificing security. Elliptic Curve Cryptography (ECC) provides that.

How Does it Work?
ECC provides cryptographic strength comparable to RSA with much smaller keys (a 256-bit ECC key is commonly treated as comparable to a 3072-bit RSA key), giving faster processing at lower computational cost. The smaller key size makes ECC attractive for all applications, and especially for high-performance applications, mobile devices, IoT and other small devices with limited storage and processing resources. The P-256, P-384 and P-521 curves (ECCP256, ECCP384 and ECCP521) are supported.

What’s the Benefit?

Performance – Compared with RSA at equivalent security, customers get the same level of security with a smaller key and lower computational cost.

3.    Enhanced Logging Data


What Problem Does It Solve?
Customers need detailed logging to provide information for audits and reporting related to code signing activities.

How Does it Work?
With enhanced logging, customers will have better visibility into code signing activities. They will be able to more easily trace back every code signing action including who signed, what was signed, who approved and what was approved.  Enhanced and enriched logging along with data correlation simplifies the effort to achieve better analytics, forensics and make more sense of code signing activities.

What’s the Benefit?

Visibility – This feature provides customers with enhanced visibility into code signing with more granular details about code signing activities.

4.    Support Code Signing in Ephemeral Environments


What Problem Does It Solve?
Customers need to be able to sign code in ephemeral containers (e.g. Docker) running headless Windows Server Core.

How Does it Work?
NGCS CSP/KSP now works for ephemeral environments running Windows Server Core. 

What’s the Benefit?

Increased Flexibility & Security – Build machines can now be ephemeral, or short-lived, shortening the window in which a compromised build machine can be abused.

5.    Support for DigiCert Extended Validation (EV) Code Signing Certificates


What Problem Does It Solve?
Prior to this release, customers using DigiCert as their CA could only use non-EV code signing certs with NGCS.

How Does it Work?
Customers need to send DigiCert an attestation letter confirming that the EV private key is protected by a hardware security module (HSM) before the EV certificate can be used with NGCS.

What’s the Benefit?

Security – Customers can now use DigiCert EV certificates with NGCS.

Ecosystem Partner Updates


While separate from the Venafi 20.1 release, several Venafi Ecosystem Partners have recently introduced products and updates that might complement your current use of the Venafi Platform and products.   

These include:   

  • Detect Encrypted Threats with Gigamon 
    • The inability to decrypt traffic at vital ingress and egress points poses great risk to an organization. Invalid or expired machine identities allow threats to go undetected. Organizations can leverage the Venafi Platform to manage the lifecycle of machine identities in use by Gigamon giving them the ability to detect threats that are hiding in encrypted traffic. 
  • Manage Machine Identities in Pivotal Cloud Foundry 
    • Available as both an Adaptable Application driver and a Go app built on VCert, protecting machine identities within Pivotal Cloud Foundry has never been easier. 
  • Extended HSM Support 
    • In addition to integrations with Hardware Security Modules from nCipher and Thales, Venafi now supports FutureX, Utimaco, and Atos, delivering your organization the highest level of key security. 