Venafi Platform 20.2: What’s New

The Venafi Trust Protection Platform was updated to version 20.2 on June 30, 2020.

The 20.2 release includes multiple updates and enhancements, including many that offer increased intelligence and automation in Google Cloud and Microsoft Azure environments.   

This release also sees the introduction of several new and updated product names, including TLS Protect, CodeSign Protect and Endpoint Protect. These names, as well as SSH Protect, are intended to make it easier for customers using multiple Venafi products to identify where Venafi capabilities fit in protecting multiple machine identities. 

A few highlights from the 20.2 release are listed below. For the complete release notes, log in to http://docs.venafi.com.

Upcoming Webinar

Venafi will host a live webinar on July 22, 2020 to discuss several of the 20.2 updates. Registration is now open.

Trust Protection Platform Updates

1.    New and Updated Product Names

In the 20.2 release, we are introducing one new and several updated names for Venafi products. As you look to protect different types of machine identities, these product names should make it easier to identify which Venafi product can best help you.

Venafi Trust Protection Platform products are:

  • CodeSign Protect – For securing the code signing process
  • Endpoint Protect – For simplifying the distribution and management of endpoint and user certificates
  • SSH Protect – For securing SSH keys and the machines they connect
  • TLS Protect – For providing visibility, intelligence and automation for TLS certificates

2.    Console Unification Progress

What Problem Does It Solve?
Today Venafi users need to work with separate WebAdmin and Aperture consoles. At times this leads to confusion about where to find specific capabilities. Venafi is committed to unifying the consoles, a project that will span multiple quarterly releases.

How Does It Work?
There are two console changes in the 20.2 release that affect users who hold the Venafi Master Admin role. First, the top-level navigation in the Aperture and WebAdmin consoles is unified: you see the same options in either console and, as you select an option, you can access it immediately. This change targets the Master Admin role because that role is the one most likely to use both WebAdmin and Aperture.

The second console change in 20.2 is the addition of options in the console switcher. The console switcher was introduced in the 20.1 release so that users with a Master Admin role could easily navigate between WebAdmin and Aperture. In 20.2, the console switcher adds easy navigation to CodeSign Protect and to Venafi Platform details.

What’s the Benefit?

Ease-of-Use – It is now faster and easier to access capabilities and move between products and the Venafi Platform.

3.    Azure SQL Database Managed Instance Support

What Problem Does It Solve?
Before the 20.2 release, Venafi customers who wanted to host the Venafi Platform in Microsoft Azure did not have the option to use Azure SQL Database managed instance instead of SQL Server.

How Does It Work?
When installing the Venafi Platform in the Microsoft Azure cloud, using Azure SQL Database managed instance is now an available database option.

What’s the Benefit?

Flexibility – You now have more options when deploying the Venafi Platform in cloud environments.

4.    Team Onboarding Enhancements

What Problem Does It Solve?

Many Venafi customers have hundreds or thousands of teams that could benefit from using the Venafi Platform to protect machine identities. However, many have not fully onboarded them because of challenges in the onboarding process. Venafi has been making improvements to the onboarding experience in previous releases and will continue to do so in the future.

How Does it Work?
Team onboarding enhancements in the 20.2 release focus on making it easier for individual Venafi users to create or request to join a team, as well as for team owners to approve or deny requests.

By default, all users with the Master Admin role can create a team. In addition, all users or select groups/individuals can be granted this ability as well.

What’s the Benefit?

Increased Efficiency – End users can self-service requests to join a team instead of having to contact an administrator, and the team owner can more quickly and easily approve or deny these requests.

Additional Trust Protection Platform Capabilities – See the release notes at https://docs.venafi.com for more detail on these capabilities as well as other new Venafi Platform features, including:

  • Creating an API application from a JSON data structure that specifies settings, including the scopes and restrictions required by the application.
  • Added support for Windows Server 2019 for hosting the Venafi Platform and support for Microsoft SQL Server 2019 for hosting the Venafi Platform database.

TLS Protect Updates

1.    Google Cloud CA Service Integration

What Problem Does It Solve?
Maintaining a private PKI on-premises can be burdensome and may require special administrative expertise.

How Does It Work?
With the 20.2 release, Google Cloud customers with early access to the Google Cloud CA Service can get private trust certificates issued by a private CA they control, hosted in the Google Cloud. The new CA driver automates the enrollment and revocation of private trust certificates from their Google Cloud CA Service.

What’s the Benefit?

Increased Efficiency – Venafi customers using Google Cloud can save time and money setting up their private PKI infrastructure. 

2.    Google Cloud Load Balancer Certificate Lifecycle Automation

What Problem Does It Solve?
Load balancers are critical client-facing infrastructure that require certificates to secure communications. Without monitoring or automated renewal, the risk of outages is high.

How Does it Work?
Via a new application driver, you can now automate the provisioning and validation of certificates issued by any CA to the load balancers you are using in Google Cloud.

What’s the Benefit?

No Outages – Automating the lifecycle of certificates needed by Google Cloud load balancers will reduce or eliminate outages caused by those certificates.

3.    Increased Intelligence for Microsoft Azure Onboard Discovery

What Problem Does It Solve?
Before the 20.2 release, Microsoft Azure Onboard Discovery discovered certificates in Azure Key Vault but did not identify whether those certificates were being used by Azure WebApps.

How Does it Work?
In 20.2, the Microsoft Azure Onboard Discovery capability is extended. It can now discover certificates in Key Vaults that are used by WebApps and populate the relevant field on the Azure Key Vault objects in the Venafi Platform. It can also discover certificates used by WebApps that are not stored in a Key Vault but that have access to one, providing intelligence on certificates you might want to move into a Key Vault.

What’s the Benefit?

Intelligence – This additional information makes it easy to identify WebApps associated with Azure Key Vault and then take the appropriate action to protect their certificates.

4.    Entrust Security Manager CA and Managed PKI Service Integration

What Problem Does It Solve?
Many Venafi customers are also Entrust Security Manager and Entrust Managed PKI customers, and would like an out-of-the-box integration for their private CA.

How Does it Work?
The 20.2 release includes a new CA driver that connects the Venafi Platform with Entrust Security Manager and the Entrust Managed PKI service to automate enrollment and revocation of private trust certificates. The new driver connects using the Entrust CA Gateway. This integration is the result of a partnership between Entrust and Venafi.

What’s the Benefit?

Ease-of-Use – The new driver makes it easy to connect with and work with private trust certificates in Entrust Security Manager and Managed PKI service.

Additional TLS Protect Capabilities – See the release notes at https://docs.venafi.com for more detail on these capabilities as well as other new TLS Protect features, including:

  • Ability to perform network validation on hosts that are running TLS 1.3.
  • Enhancement to the NetScaler driver so that it can discover and provision certificates to a non-default location on the filesystem of the appliance.
  • Updated CAPI driver to support provisioning and Onboard Discovery of elliptic curve certificates (previously support was limited to RSA certificates).
  • Updated Apache driver to support provisioning of elliptic curve certificates (previously support was limited to RSA certificates). Support is limited to central and remote generation and to the SafeNet Luna HSM; nCipher HSMs are not supported.

SSH Protect

1.   Authorized Key Tags 

What Problem Does It Solve?
When security teams review the SSH keys in their organization, it can be difficult to determine which application is using a key or who is responsible for it. Doing so requires logging in to each device manually to read the comment at the end of the entries in the Authorized Keys files, which is time consuming.

How Does It Work?
SSH discovery scans now include comments from Authorized Keys files, and the Venafi web interface displays them in the scan results. Administrators can also filter SSH keys by Authorized Keys comment.

What’s the Benefit?

Increased Efficiency – Security teams no longer have to spend time manually logging in to servers to determine the application or owner of SSH keys. They can use the discovery scan to understand the keys, assign them to the right application or business owners, and move them under policy folders to monitor them for compliance.
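As an added illustration of the Authorized Keys comment field that the scan relies on (example code written for this page, not Venafi's implementation of discovery), the following Python script parses authorized_keys lines, including the options field that may precede the key type, derives the SHA256 fingerprint that `ssh-keygen -lf` prints, and lets a reviewer filter entries by comment or list the entries that carry no comment at all. The sample file is constructed: the key blobs have correct wire framing around placeholder bytes and are not real keys.

```python
"""Inventory of authorized_keys entries by their trailing comment.
Added example for this page, not Venafi code. Parses the OpenSSH
authorized_keys format: [options] key-type base64-blob [comment]."""
import base64
import hashlib

# Key types recognised by this parser (a subset of what OpenSSH accepts).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def _next_field(s, i):
    """Return (field, index_after) for the whitespace-delimited field at s[i].
    Double quotes are honoured so that command="rsync --server" is one field."""
    j, in_quote = i, False
    while j < len(s):
        c = s[j]
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        j += 1
    return s[i:j], j

def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def parse_line(line):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    field, i = _next_field(s, 0)
    options = ""
    if field not in KEY_TYPES:          # first field is the options list
        options = field
        field, i = _next_field(s, _skip_ws(s, i))
        if field not in KEY_TYPES:
            raise ValueError(f"unrecognised key type {field!r}")
    key_type = field
    blob_b64, i = _next_field(s, _skip_ws(s, i))
    comment = s[i:].strip()             # everything after the blob, verbatim
    blob = base64.b64decode(blob_b64, validate=True)
    # The wire blob opens with a length-prefixed string naming the key type;
    # it must agree with the declared type or the line is malformed.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"options": options, "type": key_type,
            "fingerprint": fingerprint, "comment": comment}

def parse_file(text):
    """Parse a whole authorized_keys file, keeping the 1-based line number."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry:
            entry["line"] = lineno
            entries.append(entry)
    return entries

def filter_by_comment(entries, needle):
    """Entries whose comment mentions needle (case-insensitive)."""
    needle = needle.lower()
    return [e for e in entries if needle in e["comment"].lower()]

def without_comment(entries):
    """Entries naming no owner or application: the ones a review must chase."""
    return [e for e in entries if not e["comment"]]

def constructed_blob(key_type, key_bytes):
    """Base64 blob with real wire framing around placeholder bytes (not a key)."""
    t = key_type.encode()
    wire = (len(t).to_bytes(4, "big") + t
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return base64.b64encode(wire).decode()

# Constructed sample file, not taken from any real host.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f'ssh-ed25519 {constructed_blob("ssh-ed25519", bytes(range(32)))} '
    "deploy@ci-runner (app: payments-api)",
    'from="10.0.0.0/8,192.168.1.1",command="rsync --server",no-pty ssh-rsa '
    f'{constructed_blob("ssh-rsa", bytes(range(64)))} backup@nas',
    f'ssh-ed25519 {constructed_blob("ssh-ed25519", bytes(range(32, 64)))}',
])

if __name__ == "__main__":
    entries = parse_file(SAMPLE_AUTHORIZED_KEYS)
    for e in entries:
        print(e["line"], e["type"], e["fingerprint"], repr(e["comment"]))
    print("unattributed:", [e["line"] for e in without_comment(entries)])
```

Entries returned by `without_comment` are the ones a key review cannot attribute from the file alone and that need an owner assigned before they go under policy. A comment is free text written by whoever installed the key, so treat it as a lead for attribution rather than proof of ownership; the fingerprint is what ties the entry to a key seen elsewhere.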

CodeSign Protect

1.    REST APIs & SDK

What Problem Does It Solve?
Modern software development methodologies such as DevOps require build automation, which in turn requires access to APIs. In addition, large enterprises may want to configure CodeSign Protect programmatically and/or integrate it with their own code signing tools and signatures.

How Does It Work?
Administrative and Client REST APIs as well as an SDK are now provided as part of CodeSign Protect.

What’s the Benefit?

Automation – Customers can now easily automate and scale their use of CodeSign Protect by using REST APIs and an SDK. In addition, they can now integrate CodeSign Protect into the signing tools of their choice.

2.    Pre-Approval Workflows

What Problem Does It Solve?
Modern software development methodologies such as DevOps depend on build automation. Waiting for a manual approval for a code signing operation can disrupt the DevOps workflow.

How Does it Work?
A REST API can be used to request pre-approval of a code signing operation. The request specifies parameters (such as user and time), and if those conditions are met, an approval is granted for the code signing operation to occur.

What’s the Benefit?

Automation – CodeSign Protect now provides another option for granting approval of a code signing operation that is more aligned with the needs of DevOps workflows.

3.    Signing Approval – Ticketing Approval API

What Problem Does It Solve?
Many large enterprises utilize a centralized ticketing system, such as ServiceNow. Even though the Venafi UI provides the ability to grant code signing approvals, some customers would like for this to be done through a third-party ticketing system.

How Does it Work?
A REST API can be used to list approval requests and to approve or deny a code signing operation.

What’s the Benefit?

Automation – Customers that want a single-pane-of-glass ticketing system can now handle code signing approval requests through a third-party tool.

4.    Key-based signing, such as GPG

What Problem Does It Solve?
Several applications and package formats, such as RPM, Debian and Docker, rely on GPG for code signing. Earlier releases of CodeSign Protect did not support GPG.

How Does it Work?
CodeSign Protect now implements GPG signing, enhancing the security of GPG-based tools such as gpg, rpm and the Debian signing tools.

What’s the Benefit?

Flexibility – Customers using gpg, or any signing tool that leverages gpg (such as rpm signing, Debian signing, Docker signing and Git signing), typically struggle with machine identity protection and key management: private key security, auditing, compliance, workflow approvals, scalability, centralization, certificate lifecycle and automation. With this release, customers can leverage CodeSign Protect to sign with all of the gpg tools and packages mentioned above while benefiting from the world-class security provided by CodeSign Protect.

5.    New Signing Algorithm – ECC ED25519

What Problem Does It Solve?
Customers need newer, more secure and faster signing algorithms, specifically the ECC ED25519 standard.

How Does it Work?
ED25519 is now available as a signing algorithm option in CodeSign Protect.

What’s the Benefit?

Security & Performance – ED25519 has several attractive features: 1) small key sizes, 2) small signatures, 3) a high security level, 4) fast key generation, 5) fast signing, 6) fast signature verification, 7) collision resilience, and 8) no coverage by any known patent, unlike many other EC curves.

6.    Signing .NET Assemblies 

What Problem Does It Solve?
A strong name signature is an identity mechanism in the .NET Framework for identifying assemblies. Signing an assembly gives it a unique identity, and strong naming is used to prevent assembly conflicts. Customers need to protect the private keys used to sign assemblies, as well as to provide auditing and workflow and, more generally, to take advantage of CodeSign Protect capabilities.

How Does it Work?
Signing a .NET assembly provides a unique identity.  

What’s the Benefit?

Security – Strong naming ensures the uniqueness of assemblies and eliminates conflicts. When an assembly is strong-named, it gains a unique identity based on its name and assembly version number, which helps prevent assembly conflicts. It ensures no one is able to produce a subsequent version of the assemblies. Venafi enables strong naming for assemblies while taking advantage of all CodeSign Protect benefits such as private key protection, auditing and approval workflows.

Ecosystem Partner Updates

While separate from the Venafi 20.2 release, several Venafi Ecosystem Partners have recently introduced products and updates that might complement your current use of the Venafi Platform and products.   

These include:   

  • Venafi and F5 BIG-IQ v7.1 Available 
    This F5 and Venafi integrated solution automates management of machine identities to increase security of machine communications. BIG-IQ—which delivers a centralized view into all BIG-IPs in one’s environment— orchestrates management of certificates and keys, reducing time spent ensuring security across connected devices and practically eliminating human error.  
  • Venafi Metrics for DataDog
    DataDog is used by Site Reliability Engineers to monitor the health of the services throughout an organization. This integration provides out-of-the-box metrics and dashboards within DataDog for Venafi Trust Protection Platform. (Github
  • Venafi Integrations with Chef Habitat, Chef Infra and ShuttleOps 
    Whether using Chef Infra, Chef Habitat, or ShuttleOps, there is now a frictionless way to achieve full end-to-end application automation solutions that meet the needs of Application Development, Operations, and Security teams. 