About default algorithm configuration
Cryptographic algorithms define the security of keys and certificates used across your organization. Venafi Platform supports a comprehensive list of algorithms, but not all may align with your organization's security policies or compliance requirements. The Default Algorithm Configuration window in Venafi Configuration Console (VCC) allows you to specify which algorithms can be used and in what order of priority.
How default algorithm configuration works
Venafi Platform maintains two categories of algorithms:
- Available algorithms: These algorithms exist within the system but are not approved for use. These are the items on the left panel.
- Allowed algorithms: These algorithms are authorized globally for use and prioritized according to your organization's security policies. These are the items on the right panel.
By configuring allowed algorithms, administrators can enforce security standards, restrict outdated or vulnerable algorithms, and prioritize stronger cryptographic options.
Why priority matters
Usually, a requester selects the algorithm they want to use from among those allowed by the system or by policy. However, suppose a certificate was issued using RSA 1024 while the system administrators allowed it, and RSA 1024 is later removed from the allowed algorithms. When that certificate is renewed, it can't be renewed with RSA 1024 because that algorithm is no longer permitted, so the system uses the highest-priority allowed algorithm (the highest entry in the allowed list that is also allowed by policy) to renew the certificate.
It is important to keep your allowed algorithms ranked from highest priority to lowest priority so the system uses the desired fallback algorithm when a previously-used algorithm is no longer allowed.
You can configure priority using the steps described in Configuring allowed algorithms.
Further restriction of algorithms by policy
Sometimes, you will want to restrict individual containers to only allow a subset of the globally-allowed algorithms. In versions of Trust Protection Platform before 25.1, you could only enforce a single algorithm by policy, not allow a choice of algorithms. Now you can select multiple algorithms that are allowed by policy, as long as they are on the globally allowed list from VCC (as discussed above). You can even further restrict sub-folders to only use a subset of the algorithms allowed by a higher-level policy setting.
EXAMPLE Suppose you have a container (folder) for certificates issued for devices in Europe, and you have a sub-container (or sub-folder) for certificates issued for devices in Bulgaria.
Your system administrator may have chosen 15 algorithms that are allowed globally in VCC. You can limit the algorithms used for items in the Europe folder to just ten of those globally-allowed algorithms, and you can limit the algorithms allowed for items in the Bulgaria folder to just five of the ten algorithms permitted in Europe.
Venafi Platform provides enhanced flexibility to your policy owners to allow any or all the algorithms available to them, based on the global and parent policy settings.
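The following Python model is added here as an illustration of the two behaviors described above (priority-ordered fallback at renewal, and policies that can only narrow what the parent and the global list allow); it is not Venafi code and does not use the Venafi API. The algorithm names, the Europe/Bulgaria folders and their policy subsets are constructed sample values, and the "intersection with the parent's list" rule is an assumption used to model the documented restriction.

```python
"""Illustrative model (not Venafi product code) of the global allowed-algorithm
priority list and per-container policy restrictions."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Global allowed list as configured in VCC, ordered highest priority first
# (constructed sample values, before and after RSA 1024 is removed).
GLOBAL_BEFORE = ["ECC P-384", "ECC P-256", "RSA 4096", "RSA 3072", "RSA 2048", "RSA 1024"]
GLOBAL_AFTER = [alg for alg in GLOBAL_BEFORE if alg != "RSA 1024"]


@dataclass
class Folder:
    """A container (folder) whose policy may restrict what its parent allows."""
    name: str
    parent: Optional["Folder"] = None
    # Algorithms selected by policy; None means "inherit everything the parent allows".
    policy: Optional[Set[str]] = None

    def allowed(self, global_allowed: List[str]) -> List[str]:
        """Effective algorithms for this folder, kept in global priority order.

        Assumption: a policy can only narrow the parent's list, so the result is
        the intersection of the policy with what the parent (or the global list)
        allows. An algorithm dropped from the global list therefore disappears
        from every folder, even if a policy still names it.
        """
        if self.parent is not None:
            inherited = self.parent.allowed(global_allowed)
        else:
            inherited = list(global_allowed)
        if self.policy is None:
            return inherited
        return [alg for alg in inherited if alg in self.policy]


def renewal_algorithm(current: str, folder: Folder, global_allowed: List[str]) -> str:
    """Algorithm to use when renewing a certificate in `folder`.

    Keep the current algorithm if it is still permitted; otherwise fall back to
    the highest-priority algorithm that is allowed for this folder.
    """
    effective = folder.allowed(global_allowed)
    if not effective:
        raise ValueError(f"{folder.name}: no algorithm is allowed for this folder")
    if current in effective:
        return current
    return effective[0]


# Constructed hierarchy: Europe narrows the global list, Bulgaria narrows Europe.
EUROPE = Folder("Europe", policy={"ECC P-256", "RSA 3072", "RSA 2048", "RSA 1024"})
BULGARIA = Folder("Bulgaria", parent=EUROPE, policy={"RSA 2048", "RSA 1024"})


if __name__ == "__main__":
    print("Europe allows:  ", EUROPE.allowed(GLOBAL_BEFORE))
    print("Bulgaria allows:", BULGARIA.allowed(GLOBAL_BEFORE))
    # While RSA 1024 is globally allowed, the certificate keeps it on renewal.
    print("Renew (before): ", renewal_algorithm("RSA 1024", BULGARIA, GLOBAL_BEFORE))
    # After removal, renewal falls back to the highest-priority allowed algorithm.
    print("Renew (after):  ", renewal_algorithm("RSA 1024", BULGARIA, GLOBAL_AFTER))
    print("Renew in Europe:", renewal_algorithm("RSA 1024", EUROPE, GLOBAL_AFTER))
```

Note how the fallback depends entirely on the order of the global list: with the sample order above, a Europe certificate that used RSA 1024 renews with ECC P-256, but if the administrator had ranked RSA 2048 above ECC P-256 it would renew with RSA 2048 instead. That is why the allowed list should be kept ranked from the algorithm you most want used to the one you least want used.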
Using the SDK to manage algorithms
An authorized user of the Venafi API can use the Algorithm Selector APIs to perform a number of tasks, including setting the globally allowed algorithms (instead of using VCC) and setting the allowed algorithms for a container (folder). For more information, see the following OpenAPI endpoint documentation (and the related endpoints in the Algorithm Selector section): Get All Algorithms.