About Cloud Instance Monitoring

One significant benefit of cloud-based applications is that they can be designed to automatically and dynamically scale processing capacity to match demand. With this elasticity comes a need to quickly acquire certificates and provision them to new virtual instances as they are brought online. It also means that certificates frequently become obsolete as virtual instances are terminated in response to waning demand.

Trust Protection Platform provides easy-to-use, RESTful API methods for DevOps applications to quickly obtain certificates for elastic instances; often that’s the only time that Trust Protection Platform is contacted regarding those certificates. Thus, the certificate inventory ends up being a mix of certificates that are actively being used and those that are no longer used. The problem is effectively the same for certificates provisioned to elastic instances by Venafi's Server Agent.

The Cloud Instance Monitoring feature addresses this problem by using the cloud service provider's APIs to identify certificates that were issued for instances that have since been terminated. It also automatically initiates retirement actions to keep the Trust Protection Platform certificate inventory as up-to-date as possible.

Retirement occurs in two phases. The first phase disables installations to indicate that those instances were no longer found in the cloud. Then, following a grace period, the second phase deletes the installations and disables and/or revokes the certificates that were associated with them.
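The following Python sketch models the two-phase retirement described above as a reconciliation pass over an inventory. It is an added illustration, not Trust Protection Platform code and not its API: `Installation`, `reconcile` and `GRACE_PERIOD` are hypothetical names, the 7-day grace period is an assumed value, and retiring a certificate only once no installation still references it is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE_PERIOD = timedelta(days=7)  # assumed value; the page does not state one


@dataclass
class Installation:
    instance_id: str                         # cloud provider's instance identifier
    cert_id: str                             # certificate provisioned to that instance
    disabled_at: Optional[datetime] = None   # set when phase 1 disables it


def reconcile(installations, live_instance_ids, now, grace=GRACE_PERIOD):
    """Run one monitoring pass.

    live_instance_ids is the set of instances the cloud provider's API
    currently reports. Returns (remaining installations, certificate ids
    that are now due to be disabled and/or revoked).
    """
    remaining, candidates = [], set()
    for inst in installations:
        if inst.instance_id in live_instance_ids:
            # Still reported by the provider. The page does not describe what
            # happens when an instance reappears, so it is left unchanged.
            remaining.append(inst)
        elif inst.disabled_at is None:
            inst.disabled_at = now           # phase 1: disable the installation
            remaining.append(inst)
        elif now - inst.disabled_at >= grace:
            candidates.add(inst.cert_id)     # phase 2: delete the installation
        else:
            remaining.append(inst)           # still inside the grace period
    # Assumption: a certificate shared by several instances is retired only
    # when no remaining installation references it.
    still_referenced = {inst.cert_id for inst in remaining}
    return remaining, sorted(candidates - still_referenced)


if __name__ == "__main__":
    # Constructed sample inventory: cert-2 is shared by two instances.
    t0 = datetime(2024, 1, 1)
    inv = [Installation("i-aaa", "cert-1"), Installation("i-bbb", "cert-2"),
           Installation("i-ccc", "cert-2")]
    inv, _ = reconcile(inv, {"i-aaa", "i-ccc"}, t0)
    inv, retire = reconcile(inv, {"i-aaa", "i-ccc"}, t0 + GRACE_PERIOD)
    print([i.instance_id for i in inv], retire)
```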
