Trust Protection Platform components
The following is a list of components that are available for selection in Venafi Configuration Console. Any component that is not selected during installation can be enabled later in the configuration console.
Some components can't be added to your system. For example, if IIS is not installed, or if you don't have a valid license for a specific product, related components won't be available.
Filtering the table
You can use the search box to filter the table contents, OR click one of the Product buttons to see its related components. (These features don't work together.)
Component |
Answer file key |
Products |
Description |
---|---|---|---|
Acme |
TLS Protect, Client Protect |
Provides certificate automation via an Automated Certificate Management Environment (ACME). An HTTPS server is set up and configured to automatically obtain a browser-trusted certificate without any human intervention. A certificate management agent runs on the web server. IMPORTANT Venafi's implementation of the ACME protocol was designed and tested for use with the following clients: certbot, win-acme, and acme.sh. If you're using a different client, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by Venafi's integration with the certbot and win-acme clients. |
|
Authentication Server |
AuthServer |
Platform |
Provides authentication for REST access for web components. |
AutoLayout |
Platform |
Enables Placement Job feature, allowing you to reconcile duplicates and organize certificates and devices in folders based on placement rules. If this feature is installed during installation of Venafi Trust Protection Platform, it can be enabled or disabled either in the Venafi Configuration Console, or in Policy Tree on the Platforms tree. If you have multiple servers in your cluster, you may want to enable this feature on some, but not all, of the servers in the cluster for performance reasons. That would enable one server to be running the placement jobs feature without impacting the performance of other servers in the cluster. |
|
BulkProvisioning |
TLS Protect |
Provisions keys and certificates to one or more devices simultaneously. |
|
CAImport |
TLS Protect, Client Protect |
Automatically imports certificates from supported Certificate Authorities. | |
Certificates |
TLS Protect, Client Protect, CodeSign Protect |
Provides certificate lifecycle management. Responsible for certificate-related tasks such as expiration notifications, issuance, renewal and revocation, and for provisioning of certificates to devices. |
|
Revocation |
TLS Protect, Client Protect |
Provides the ability for Trust Protection Platform to provide CRL Distribution Point monitoring. Monitors the revocation status of all certificates in inventory at least daily. Allows you to do an on-demand revocation check for an individual certificate in either Aperture or Policy Tree. Monitors OCSP and CDP endpoint validity. This component does not control your ability to revoke certificates; this component adds the ability to monitor for revocations and to monitor CDP and OCSP endpoints. IMPORTANT Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring. When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access. If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints. CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree. |
|
Client |
Platform |
Enables communication between agents and Trust Protection Platform. |
|
CloudMonitoring |
TLS Protect |
The Cloud Instance Monitoring feature finds stale certificates by using cloud service provider APIs to identify certificates that were issued for instances that have since been terminated. It also automatically initiates retirement actions to keep the Trust Protection Platform certificate inventory as up-to-date as possible. |
|
ClientDistribution |
CodeSign Protect |
Enables a web page that provides helpful scripting information and links for downloading CodeSign Protect clients. You can access the page by adding https://TPP-Server-Name/csc For more information, see Using the CodeSign Protect Client Downloads page. |
|
Code Signing Key Server |
KeyServer |
CodeSign Protect |
Provides functionality to set up a GPG key server to store GPG public keys and make them publicly available through a RESTful HTTP request. For more information, see GPG public key server . |
Enrollment over Secure Transport Service |
EstService |
TLS Protect, Client Protect |
This service provides certificate enrollment capability for devices via the Enrollment over Secure Transport (EST) protocol. For more information on EST, see Certificate enrollment via EST protocol. |
HsmBackend |
CodeSign Protect |
Provides virtual HSM capability within Trust Protection Platform for code signing. This allows Venafi CodeSign Protect clients to request signing operations using private code signing keys that are managed by Trust Protection Platform. |
|
Key Lifecycle and Monitoring |
KeyManager |
CodeSign Protect, SSH Protect |
Provides key lifecycle management. Responsible for tasks such creating new keys and monitoring key expiration. This component is required for GPG and .NET CodeSign Protect Environments, as well as for SSH Protect. |
Kubernetes Discovery Manager | JSSDiscovery | TLS Protect |
Provides a way to monitor TLS certificates used on clusters managed by Venafi TLS Protect for Kubernetes. With the Kubernetes discovery feature, administrators can create new discovery jobs which import certificates from all Kubernetes clusters registered to Venafi TLS Protect for Kubernetes. |
Scep |
TLS Protect, Client Protect |
Enables devices to use the SCEP protocol to request certificates from Trust Protection Platform. You would want to enable this feature if you have SCEP-enabled devices or applications and you want those devices and applications to be able to get certificates directly from Trust Protection Platform. This feature is frequently used with mobile-device management solutions. For more information on configuring Network Device Enrollment, see Certificate enrollment via SCEP protocol of the Venafi Trust Protection Platform Certificate Management Guide. |
|
Discovery |
Platform |
Runs the Network Discovery surveys configured in your system’s Discovery objects. During a Network Discovery, the Discovery server scans designated IPv4 address ranges and ports to identify SSL certificates. For more information on discovering network certificates, see Discovering certificates and keys. |
|
Monitoring |
Platform |
Monitors SSH key and credential objects for expiration and generates expiration notifications. For more information on logging and event notifications, see Notification and logging overview. |
|
OBDDiscovery |
TLS Protect |
Configuring onboard discovery jobs lets you automate the process of provisioning by adding devices to one or more specific policies. You then have control over the placement of discovered certificates without having to manually update jobs or reorganize certificates after they've been discovered. |
|
Reporting |
Platform |
Generates and distributes pre-defined and custom reports. |
|
SSHCertificates |
SSH Protect |
Allow you to use SSH Protect to manage SSH Certificates. |
|
SSH |
SSH Protect |
Secures and protect SSH keys and systems through discovery, reporting, policy enforcement, and remediation. |
|
TimeStampService |
CodeSign Protect |
Provides an RFC 3161-compliant time stamping service for code signing. This service allows you to use either your own time stamping certificate or to specify a list of time stamping proxies. Once configured, you can then specify Trust Protection Platform as your time stamping server. |
|
Validation |
TLS Protect, Client Protect |
Runs the network and onboard validation processes. Network validation verifies a certificate or key is installed on the target system, then determines if the correct certificate is being used. For more information on validating certificates and applications, see SSL/TLS network validation. |
|
Web Console |
WebConsole |
Platform |
Web-based management interface. Installs both Policy Tree and Aperture. At least two Venafi servers needs to have Web Console enabled. If Web Console is configured on two different servers, you can disable this component. Server requirements for Web Console are outlined in Web Server Roles (Venafi web services enabled). |
WebSDK |
Platform |
Extend your custom environments by integrating them with Venafi solutions using the Venafi Web SDK code library. For more information, see DevOps and Automation. |