Creating and using answer files

An answer file is an XML file that contains pre-determined configuration settings. You have an option to create an answer file at the end of the Venafi Platform Configuration wizard. Once you have an answer file, you can use it to specify configuration settings, making it much faster to deploy future Venafi Trust Protection Platform installations.

You can create an answer file without deploying the software by checking the appropriate option on the Configure Server tab of the Venafi Platform configuration wizard.

Below is a sample unencrypted answer file. You can use this sample file and modify it for your specific needs, as long as you are willing to use an unencrypted file. If you prefer to use an encrypted answer file, you need to generate it from the Venafi Platform configuration wizard. An unencrypted answer file is a plain text XML file that contains information like your master admin user name and password, your database connection credentials, your software encryption key, and all other configuration settings. You can read more information about creating and encrypting answer files via the configuration wizard.

Answer file sections and settings

Complete answer file example

The following is a complete answer file with all possible options enabled. You can use this as a starting point for your answer file, or you can generate one from the Venafi Configuration Console. Your final answer file will likely be shorter, as your are unlikely to enable every option on all Venafi servers.

Copy
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <TppConfiguration CreatedOn="12/31/2025 12:00:00" By="abe.lincoln" On="WIN-Venafi01">
        <Components>
            <Products>
                TLSProtectProduct
                ClientProtectProduct
                SSHProtectProduct
                CodeSignProtectProduct   
                PlatformProduct
            </Products>
            <Features>
                Acme
                BulkProvisioning
                CAImport
                Certificates
                Scep
                OBDDiscovery
                JSSDiscovery
                Revocation
                Validation
                EstService
                SSH
                SSHCertificates
                HsmBackend
                TimeStampService
                KeyManager
                KeyServer
                ClientDistribution
                AuthServer
                AutoLayout
                Client
                Discovery
                Monitoring
                Reporting
                WebConsole
                WebSDK
            </Features>
        </Components>
    <DBO>
        <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=DBO_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True;Integrated Security=True</DSN>
    </DBO>
    <Database>
        <DSN>Data Source=mssql.example.com,1433;Initial Catalog=VenafiDB; User ID=Operational_user@example.com;Password=ExamplePassword; TrustServerCertificate=True;MultiSubnetFailover=True; Integrated Security=True</DSN>
    </Database>
    <HardwareEncryption>
        <DllPath>c:\program files\myhsmvendor\pkcs11library.dll</DllPath>
        <Slot>0</Slot>
        <Pin>ExamplePassword</Pin>
        <Key>MyDemoKey</Key>
        <AccountType>CryptoOfficer</AccountType>
    </HardwareEncryption>
    <!-- Use the following SoftwareEncryption element to use a previously-generated software key on additional servers. If you want the system to generate a key, omit this element. -->    
    <SoftwareEncryption>
        <Key>-----BEGIN VED ENCRYPTED KEY-----
        <!-- Base64 Encrypted key text -->
        -----END VED ENCRYPTED KEY-----</Key>
        <Password>ExamplePassword</Password>
    </SoftwareEncryption>
    <AdminAccount>
        <Username>masterAdmin</Username>
        <Password>ExamplePassword</Password>
    </AdminAccount>
    <!-- This Message Bus element is for a mesh connection. Use either this one OR the hub and spoke connection, not both.  -->
    <MessageBus>
        <Port>8883</Port>
        <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
        <Tls>yes</Tls>
        <!-- Use 'no' for unencrypted -->
    </MessageBus>
    <!-- This Message Bus element is for hub and spoke connection to a central broker. Use either this one OR the mesh connection, not both. -->
    <MessageBus>
        <Port>8883</Port>
        <!-- 8883 is recommended for TLS encrypted. Port 1883 is recommended for unencrypted. -->
        <Tls>yes</Tls>
        <!-- Use 'no' for unencrypted -->
        <Server>name</Server> <!-- Central server -->
        <Instance>id</Instance> <!-- Central instance id -->
        <Username>name</Username> <!-- Central auth username; if auth required -->
        <Password>password</Password> <!-- Central auth password; if auth required -->
        <Certificate>PFX data</Certificate> <!-- Central auth certificate; in lieu of username/password -->
    </MessageBus>
    <Logging>
        <LogProcessor />
        <LogExpiration Days="90" />
    </Logging>
    <Environment>
        <CompanyName>Example Company, Inc.</CompanyName>
        <DeploymentType>PRODUCTION</DeploymentType>
    </Environment>
    <Server>
        <StartServices>yes</StartServices>
        <LogPath>C:\Program Files\Venafi\Logs\Tpp Configuration Log.txt</LogPath>
    </Server>
</TppConfiguration>