Protecting against unapproved changes to Adaptable CA scripts

Venafi's Adaptable drivers—such as Adaptable CA, Adaptable Application, Adaptable Bulk Provisioning, and Adaptable Log Channel—rely on PowerShell scripts stored in the \Venafi\Scripts\AdaptableDriverName directory on Trust Protection Platform servers. To ensure the integrity of these scripts, Trust Protection Platform supports signed scripts.

Because other people might have access to the server that is running Trust Protection Platform, they could modify your PowerShell scripts without your knowledge, either accidentally or intentionally. However, with signed scripts, any modifications made to the script will result in a failed signature validation, and the script will not be executed.

To protect against unapproved changes to your scripts, Trust Protection Platform monitors PowerShell script files that are being used by existing Adaptable objects. If a new script is used or a PowerShell script is modified on the file system, Trust Protection Platform displays a warning and you'll need to re-validate the script.

This security feature helps to prevent potentially harmful modifications to your scripts from being run.
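As an added example that is not part of Venafi's documentation, the following PowerShell check lets an administrator audit the Adaptable script directory directly: it verifies the Authenticode signature of every script and compares each file's SHA-256 hash against a baseline recorded on a previous run, so an unapproved change is found before Trust Protection Platform blocks the driver. The script root path and the baseline file location are assumptions.

```powershell
# Added example (not Venafi code). Verifies Authenticode signatures on Adaptable driver
# scripts and compares SHA-256 hashes with a baseline recorded by an earlier run.
# Assumptions: $ScriptRoot is the Venafi Scripts directory on this server; $BaselinePath
# is a JSON file written by a previous run with -UpdateBaseline.
param(
    [string]$ScriptRoot   = 'C:\Program Files\Venafi\Scripts',   # assumed install path
    [string]$BaselinePath = "$env:ProgramData\AdaptableScriptBaseline.json",
    [switch]$UpdateBaseline
)

$baseline = @{}
if (Test-Path $BaselinePath) {
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
}

$current  = @{}
$findings = @()
foreach ($file in Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $current[$file.FullName] = $hash

    # Any status other than Valid means the script would fail signature validation.
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Script = $file.FullName; Issue = "Signature: $($sig.Status)" }
    }
    # A hash that differs from the baseline is a change that has not yet been reviewed.
    if ($baseline.ContainsKey($file.FullName) -and $baseline[$file.FullName] -ne $hash) {
        $findings += [pscustomobject]@{ Script = $file.FullName; Issue = 'Content changed since baseline' }
    } elseif (-not $baseline.ContainsKey($file.FullName) -and $baseline.Count -gt 0) {
        $findings += [pscustomobject]@{ Script = $file.FullName; Issue = 'New script not in baseline' }
    }
}
# Scripts recorded in the baseline that are no longer on disk.
foreach ($known in $baseline.Keys) {
    if (-not $current.ContainsKey($known)) {
        $findings += [pscustomobject]@{ Script = $known; Issue = 'Script removed since baseline' }
    }
}

if ($UpdateBaseline) {
    # Record a new baseline only after the changes have been reviewed and approved.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) scripts)."
}
if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Host 'All Adaptable scripts are signed and unchanged since the baseline.'
```

Run it once with -UpdateBaseline after approving the scripts, then schedule it without the switch; a non-zero exit code flags scripts that need review before you re-validate the template.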

IMPORTANT  Because of this security feature, following an upgrade to Trust Protection Platform, you must take specific steps on all existing Adaptable objects in order for them to be re-enabled. Refer to the documentation for each Adaptable driver for details.

When you encounter an error stating that the associated Adaptable CA PowerShell script has been modified, you'll need to open the associated CA template, run validation again (in the Connection box), and then re-save the template settings. When you do, the driver is then re-enabled and you can continue using the script.

After you've verified and approved the changes made to the script, Trust Protection Platform can also be configured to automatically retry all failed issues caused by script changes. This feature is available for the Adaptable CA and Adaptable Application drivers.

To re-enable an Adaptable CA driver following a change to its associated PowerShell script

  1. Open and review the associated scripts to verify that they contain only approved changes.
  2. Open Policy Tree and navigate to the associated Adaptable CA template object.
  3. In the Connection box, click Validate.
  4. (Optional) Select When script is updated, fix related certificate errors if you want Trust Protection Platform to fix the failed enrollment of affected certificates automatically.

    DID YOU KNOW?  Enabling the When script is updated... feature instructs Trust Protection Platform to retry all failed issues automatically once you have verified and approved the changes made to the script. The way you approve scripts differs for each Adaptable driver.

    Example:

    Suppose one of your Adaptable CA scripts is modified. You see a warning repeated across ten certificate renewal requests. They are all using the same Adaptable CA template, which depends on the modified script file. The driver blocked processing when it detected script changes, so the renewal process failed. You open the script file to verify that the changes are safe and accurate. Then you open the associated Adaptable CA template, run another validation, set When script is updated... to Yes, and then save the template again. Because you enabled the option, all ten certificates are retried automatically and processing completes successfully. If you hadn't enabled this setting, you would need to go to each of the ten certificates and rerun certificate renewals manually.

    The time required for the automated fix to complete depends on the number of issues; Trust Protection Platform fixes them as quickly as it can.

  5. When you're finished, click Save.
