Trust Protection Platform components

The following is a list of components that are available for selection in Venafi Configuration Console. Any component that is not selected during installation can be enabled later in the configuration console.

Some components can't be added to your system. For example, if IIS is not installed, or if you don't have a valid license for a specific product, related components won't be available.

Filtering the table

You can use the search box to filter the table contents, OR click one of the Product buttons to see its related components. (These features don't work together.)

Component

Answer file key

Products

Description

ACME Service

Acme

TLS Protect, Client Protect

Provides certificate automation via an Automated Certificate Management Environment (ACME). An HTTPS server is set up and configured to automatically obtain a browser-trusted certificate without any human intervention. A certificate management agent runs on the web server.

IMPORTANT  Venafi's implementation of the ACME protocol was designed and tested for use with the following clients: certbot, win-acme, and acme.sh. If you're using a different client, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by Venafi's integration with the certbot and win-acme clients.

Authentication Server

AuthServer

Platform

Provides authentication for REST access for web components.

Automatic Layout Manager

AutoLayout

Platform

Enables Placement Job feature, allowing you to reconcile duplicates and organize certificates and devices in folders based on placement rules.

If this feature is installed during installation of Venafi Trust Protection Platform, it can be enabled or disabled either in the Venafi Configuration Console, or in Policy Tree on the Platforms tree.

If you have multiple servers in your cluster, you may want to enable this feature on some, but not all, of the servers in the cluster for performance reasons. That would enable one server to be running the placement jobs feature without impacting the performance of other servers in the cluster.

Bulk Provisioning Manager

BulkProvisioning

TLS Protect

Provisions keys and certificates to one or more devices simultaneously.

CA Import

CAImport

TLS Protect, Client Protect

Automatically imports certificates from supported Certificate Authorities.

Certificate Lifecycle and Monitoring

Certificates

TLS Protect, Client Protect, CodeSign Protect

Provides certificate lifecycle management. Responsible for certificate-related tasks such as expiration notifications, issuance, renewal and revocation, and for provisioning of certificates to devices.

Certificate Revocation Monitoring

Revocation

TLS Protect, Client Protect

Provides the ability for Trust Protection Platform to provide CRL Distribution Point monitoring. Monitors the revocation status of all certificates in inventory at least daily. Allows you to do an on-demand revocation check for an individual certificate in either Aperture or Policy Tree. Monitors OCSP and CDP endpoint validity. This component does not control your ability to revoke certificates; this component adds the ability to monitor for revocations and to monitor CDP and OCSP endpoints.

IMPORTANT  Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring.

When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access.

If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints.

CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree.

Client REST

Client

Platform

Enables communication between agents and Trust Protection Platform.

Cloud Instance Monitoring

CloudMonitoring

TLS Protect

The Cloud Instance Monitoring feature finds stale certificates by using cloud service provider APIs to identify certificates that were issued for instances that have since been terminated. It also automatically initiates retirement actions to keep the Trust Protection Platform certificate inventory as up-to-date as possible.

Code Signing Client Distribution

ClientDistribution

CodeSign Protect

Enables a web page that provides helpful scripting information and links for downloading CodeSign Protect clients. You can access the page by adding /csc to your Trust Protection Platform URL, such as:

https://TPP-Server-Name/csc

For more information, see Using the CodeSign Protect Client Downloads page.

Code Signing Key Server

KeyServer

CodeSign Protect

Provides functionality to set up a GPG key server to store GPG public keys and make them publicly available through a RESTful HTTP request.

For more information, see GPG public key server .

Enrollment over Secure Transport Service

EstService

TLS Protect, Client Protect

This service provides certificate enrollment capability for devices via the Enrollment over Secure Transport (EST) protocol.

For more information on EST, see Certificate enrollment via EST protocol.

HSM Backend

HsmBackend

CodeSign Protect

Provides virtual HSM capability within Trust Protection Platform for code signing. This allows Venafi CodeSign Protect clients to request signing operations using private code signing keys that are managed by Trust Protection Platform.

Key Lifecycle and Monitoring

KeyManager

CodeSign Protect, SSH Protect

Provides key lifecycle management. Responsible for tasks such creating new keys and monitoring key expiration. This component is required for GPG and .NET CodeSign Protect Environments, as well as for SSH Protect.

Kubernetes Discovery Manager JSSDiscovery TLS Protect

Provides a way to monitor TLS certificates used on clusters managed by Venafi TLS Protect for Kubernetes.

With the Kubernetes discovery feature, administrators can create new discovery jobs which import certificates from all Kubernetes clusters registered to Venafi TLS Protect for Kubernetes.

Network Device Enrollment

Scep

TLS Protect, Client Protect

Enables devices to use the SCEP protocol to request certificates from Trust Protection Platform.

You would want to enable this feature if you have SCEP-enabled devices or applications and you want those devices and applications to be able to get certificates directly from Trust Protection Platform. This feature is frequently used with mobile-device management solutions.

For more information on configuring Network Device Enrollment, see Certificate enrollment via SCEP protocol of the Venafi Trust Protection Platform Certificate Management Guide.

Network Discovery

Discovery

Platform

Runs the Network Discovery surveys configured in your system’s Discovery objects. During a Network Discovery, the Discovery server scans designated IPv4 address ranges and ports to identify SSL certificates.

For more information on discovering network certificates, see Discovering certificates and keys.

Object Monitoring

Monitoring

Platform

Monitors SSH key and credential objects for expiration and generates expiration notifications.

For more information on logging and event notifications, see Notification and logging overview.

Onboard Discovery Manager

OBDDiscovery

TLS Protect

Configuring onboard discovery jobs lets you automate the process of provisioning by adding devices to one or more specific policies. You then have control over the placement of discovered certificates without having to manually update jobs or reorganize certificates after they've been discovered.

Reporting

Reporting

Platform

Generates and distributes pre-defined and custom reports.

SSH Certificate Lifecycle and Monitoring

SSHCertificates

SSH Protect

Allow you to use SSH Protect to manage SSH Certificates.

SSH Key Detection and Remediation

SSH

SSH Protect

Secures and protect SSH keys and systems through discovery, reporting, policy enforcement, and remediation.

Time Stamp Service

TimeStampService

CodeSign Protect

Provides an RFC 3161-compliant time stamping service for code signing. This service allows you to use either your own time stamping certificate or to specify a list of time stamping proxies. Once configured, you can then specify Trust Protection Platform as your time stamping server.

Validation

Validation

TLS Protect, Client Protect

Runs the network and onboard validation processes.

Network validation verifies a certificate or key is installed on the target system, then determines if the correct certificate is being used.

For more information on validating certificates and applications, see SSL/TLS network validation.

Web Console

WebConsole

Platform

Web-based management interface. Installs both Policy Tree and Aperture.

At least two Venafi servers needs to have Web Console enabled. If Web Console is configured on two different servers, you can disable this component.

Server requirements for Web Console are outlined in Web Server Roles (Venafi web services enabled).

Web SDK

WebSDK

Platform

Extend your custom environments by integrating them with Venafi solutions using the Venafi Web SDK code library.

For more information, see DevOps and Automation.