Installing using the Venafi Configuration Console wizard

The Venafi Configuration Console wizard walks you through the installation of Venafi Trust Protection Platform on your server. Installation refers to both:

  • Installing and connecting to a clean database
  • Installing and connecting to an existing database

To install Venafi Trust Protection Platform using the Windows installer

  1. Log in to the Windows server where you want to install Trust Protection Platform.
  2. Locate and extract the Trust Protection Platform zip file(s) to a staging directory.

  3. From an elevated command prompt, change your directory to the extracted zip folder and enter the following command:

    VenafiTPPInstall-24.1.x.msi

  4. When the Welcome window appears, click Next.

  5. Read the terms stated in the License Agreement window. If you agree, select I accept the terms in the license agreement, and then click Next.

  6. In the Destination Location window, click Next to accept the default location or click Change to change the destination folder or drive letter.

    The default destination folder is:

    C:\Program Files\Venafi\

  7. In the Ready to Install the Venafi Trust Protection Platform window, click Install to start the installation.

    The installation may take a few minutes.

    NOTE  Because Venafi Platform 24.1 was developed on Visual Studio 2019, it includes updated Visual Studio runtime libraries. If you have other applications running on the Windows server that also rely on the same libraries (for example, VMware services), you may be prompted either to 1) close those applications during installation, upgrade, or uninstallation of Venafi Platform, or 2) restart Windows at the completion of the Venafi installation process. This is expected.

    If you prefer to avoid this step, you can upgrade your Visual Studio runtime libraries before you run the Venafi installer. The vc_redist.x64.exe libraries can be found here: https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads.

  8. Click Finish.

    The Windows installer completes the installation and then launches the Venafi Configuration Console wizard.

Configure Venafi Platform from the Venafi Configuration Console

  1. On the Venafi Configuration Console Welcome screen, determine which option applies:

    • Install a new Venafi Platform Server for the first time (connect to an empty database)
    • Add a Venafi Platform Server to an existing installation (connect to an existing database)

      If you select this option, you will need the extracted software key from the existing installation. For information, see Backing up the software encryption key.

    Depending on the option you choose in this step, the availability of options and the requirements for entering data will change in the following steps.

  2. (Optional) If you have run this wizard previously, and you have an answer file that you want to use to pre-populate fields, select the checkbox.

    For more information about working with answer files, see Creating and using answer files.

  3. Click Next.

    IMPORTANT  On the next screen, the tabs available in the left menu depend on what options you selected on the Welcome Screen. As you continue through these steps, each of the possible tabs will be listed. If the tab doesn't appear in the Wizard, you can skip that step below. The order of the sections will also vary, depending on what you selected.

  4. On the Before You Begin tab, read the instructions on this screen, then click Next.

  5. (Optional) If you are using an answer file, on the Answer File tab click the Browse button to locate the answer file. If the answer file is encrypted with a password, enter the password, then click Next.

  6. On the Component Selection tab, use the tree to select which components and features you want to enable for the installation.

    For a list of available components, see Trust Protection Platform components.

    IMPORTANT  The installation will not work properly unless you select at least one product (TLS Protect, Client Protect, CodeSign Protect, or SSH Protect). If you are trying to install a UI-only server (WebConsole) you need to select one top-level product, in addition to the UI components in the Common Components list. However, in that case, you can deselect the child components of the top-level product. For example, this is a valid configuration:

    Select the components you want to install, then click Next.

  7. On the Hardware Encryption tab, determine if you want to use hardware encryption.

    Venafi Trust Protection Platform can encrypt data using one or more keys stored in an HSM. For code signing, Venafi Trust Protection Platform can use private keys stored on an HSM to sign code. To enable hardware encryption, check the box, and fill out the requested information.

    TIP  If you are installing to an existing database and hardware encryption is enabled, you will need to enter the PIN to continue, even though no other information appears on the screen.

    NOTE  You must select either one or both encryption types (hardware and/or software encryption). To help you decide, see Database Encryption.

    IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys, you cannot access the database or stored secrets.

  8. On the Software Encryption tab, determine if you want to use software encryption.

    Venafi Platform can encrypt data using a software encryption key.

    If you are connecting to a new database, you can either provide a key, or have one generated for you.

    If you are connecting to an existing database, you must use the software key used to encrypt that database.

    If you are connecting to an existing database with software encryption enabled, before you can move to the next tab, the system will verify that the software key matches the existing database's software encryption key.

    TIP  If you are installing with an existing database and software encryption has not been configured for that database, the options on this screen will be disabled.

    NOTE  You must select either one or both encryption types (hardware and/or software encryption). To help you decide, see Database Encryption.

    IMPORTANT  The keys used to encrypt Trust Protection Platform are critical to the system's functionality. Without the encryption keys you cannot access the database or stored secrets. Consequently, if you use a software encryption key, it is highly recommended that you back up the key to a secure location. In the event of a system failure, you can restore the key so Trust Protection Platform can access your system data. For information, see Backing up the software encryption key.

  9. On the Database Settings tab, choose either the Settings tab or the Expert tab, and fill out the connection information for your database. If you enter different data into both tabs, the tab you are on when you click Next will determine which settings are applied.

    Before you configure a new database connection, you must have previously created the Trust Protection Platform database and configured both database service accounts. For more information, see Preparing the database server.

    For information about the types of database service accounts and permissions they need, see Setting up your Microsoft SQL database server.

    If you are connecting to an existing database, before you can move to the next tab, the system will verify that the database connection information is correct.

  10. On the Administrative Account tab, enter information for the local master admin account for Venafi Trust Protection Platform.

    You need to create a local master admin account for Trust Protection Platform. You will use this account to log in to Trust Protection Platform and to perform maintenance and upgrade tasks in the system. The local master admin account has all permissions to every object in Trust Protection Platform.

    Enter the user name and password. Password requirements are shown on the screen. The password will be validated locally to verify it meets complexity requirements.

    Verify the password, then click Next.

  11. On the Message Bus tab, select whether or not you want to use a TLS-encrypted connection for the Message Bus (the MQTT broker used to communicate between servers in the cluster). The default is to use TLS.

    We recommend using the IANA registered ports for MQTT: port 8883 for TLS, or port 1883 for unencrypted.

    If you plan to use an external MQTT broker, click Central MQTT broker, then provide the URL to the service, and authentication information.

    For more details on Message Bus and its configuration, see Working with Message Bus.

    If you don't know what to enter here, you can likely accept the default values.

    Continue to the next tab by clicking Next.

  12. On the Event Logging tab, determine if you want this server to process log events.

    At least two Venafi servers need to have event logging enabled. If event logging is configured on two different servers, you can leave this check box cleared.

    Venafi recommends you define a retention period to control growth of the database. Trust Protection Platform will periodically and automatically delete logs older than the specified number of days.

    Click Next.

  13. On the Environment tab, enter the required information.

    Enter your organization name, and select the deployment type for this server, then click Next.

    Your organization name and deployment type are used in Venafi reports, and may be used in the future in other ways to enhance your product experience.

  14. On the Customer Experience tab, review the information on how data is collected.

    NOTE  Participation in the Customer Experience Improvement Project is required for all customers, enabling Venafi to gather license utilization and product usage telemetry. This does not include any personally-identifiable data. Read more about our data collection policy in the Venafi Data Privacy Policy for Venafi Trust Protection Platform™.

    Click Next.

  15. On the Save Configuration tab, do the following:

    • Determine the location where the configuration progress and errors will be logged. If there is a problem with the configuration of the Venafi database, this file will show you where the error occurred, which will help Venafi Customer Support troubleshoot your issue more quickly and efficiently.
    • Specify whether Venafi Platform services should be started immediately upon completion of configuration.
    • We recommend you save your configuration as an answer file if this configuration is different than an answer file you have previously created. An answer file simplifies the process of upgrading Trust Protection Platform, reinstalling Trust Protection Platform, or installing more than one Trust Protection Platform server that connects to the same database.

      • If you create an answer file, it is recommended that you encrypt your answer file with a password. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings.
      • If you are just completing the wizard to create an answer file, select the appropriate option. The wizard will save the answer file and will close when you click the Finish button.
  16. Click Finish.

    Venafi Platform will configure the server using the settings you have configured. When the configuration is complete, click Close.
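After the services start, the Message Bus choice made in step 11 can be checked from another server in the cluster. The following PowerShell is an added example, not part of the Venafi documentation or product: it completes a TLS handshake against the listener and reports the negotiated protocol and certificate without sending any MQTT data. The function name and the host name in the usage comment are assumptions.

```powershell
# Added example: confirm the Message Bus listener negotiates TLS.
function Test-MessageBusTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 8883,          # IANA port for MQTT over TLS
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; Port = $Port; Listening = $false; TlsNegotiated = $false
        Protocol = $null; Subject = $null; NotAfter = $null; PolicyErrors = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            return [pscustomobject]$result      # timed out: nothing reachable
        }
        $result.Listening = $true

        # Let the handshake complete with any certificate, but record the
        # validation errors so an untrusted or mismatched cert is reported.
        $seen = @{ Errors = $null }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $certificate, $chain, $sslErrors)
            $seen.Errors = $sslErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsNegotiated = $true
            $result.Protocol      = $ssl.SslProtocol
            $result.Subject       = $cert.Subject
            $result.NotAfter      = $cert.NotAfter
            $result.PolicyErrors  = $seen.Errors
        } catch {
            # Port is open but the peer did not complete a TLS handshake.
        } finally { $ssl.Dispose() }
    } catch {
        # Connection refused or name resolution failed: Listening stays $false.
    } finally { $client.Close() }
    [pscustomobject]$result
}

# Usage (host name is a placeholder):
#   Test-MessageBusTls -HostName 'tpp01.example.internal'              # expect TlsNegotiated = True
#   Test-MessageBusTls -HostName 'tpp01.example.internal' -Port 1883   # expect Listening = False when TLS is selected
```

A `PolicyErrors` value other than `None` means the broker certificate is not trusted by, or does not match the name used from, the machine running the check.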

Once you have completed the configuration wizard, the Venafi Configuration Console window automatically opens. For more information, see Venafi Configuration Console in the Administration guide.
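Because an unencrypted answer file holds the master admin password, database credentials, and software encryption key, it is worth auditing any answer file saved in step 15. The following PowerShell is an added example, not Venafi's own tooling: it reports who can read the file and whether it parses as XML. The function name, the file path in the usage comment, and the allow-list of principals are assumptions, and the page does not say whether a password-encrypted answer file still parses as XML, so treat that flag as a heuristic.

```powershell
# Added example: audit the exposure of a saved answer file.
function Test-AnswerFileExposure {
    param([Parameter(Mandatory)][string]$Path)

    # Principals allowed to read a secrets-bearing file (assumption; adjust to policy).
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Heuristic: a file that loads as XML is treated as plain text.
    # XmlResolver is cleared so no external entity is ever fetched.
    $parsesAsXml = $true
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null
    try { $doc.Load($fullPath) } catch { $parsesAsXml = $false }

    # List every Allow entry that is not on the allow-list.
    $acl = Get-Acl -LiteralPath $fullPath
    $unexpected = @(
        $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $allowed -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object {
                '{0}: {1}{2}' -f $_.IdentityReference.Value, $_.FileSystemRights,
                    $(if ($_.IsInherited) { ' (inherited)' } else { '' })
            }
    )

    [pscustomobject]@{
        Path             = $fullPath
        Owner            = $acl.Owner
        ParsesAsXml      = $parsesAsXml
        UnexpectedAccess = $unexpected
        NeedsAttention   = $parsesAsXml -or ($unexpected.Count -gt 0)
    }
}

# Usage (path is a placeholder):
#   Test-AnswerFileExposure -Path 'D:\Staging\tpp-answers.xml' | Format-List
```

Inherited entries in `UnexpectedAccess` usually mean the file was saved into a staging directory with broad permissions; moving it or breaking inheritance on the file addresses those.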