System requirements for Venafi components

Before installing and using any Venafi product, carefully review Venafi's supported operating system and hardware configurations.

Also, review any additional or special requirements specified in the documentation provided with each product.

NOTE  To view the system requirements for previous releases, visit: https://docs.venafi.com/.

Venafi Trust Protection Platform components

Hardware Requirements
Feature Requirement

Processor

4 processing cores

Memory

16 GB RAM

Disk Space (for the Trust Protection Platform application)

5 GB

The Trust Protection Platform application can be installed on a secondary partition.
Number of servers needed depending on size of installation
Feature Requirement

Number of Venafi servers

(Up to 50K active certificates and 1K SSH servers)

2 total (assuming all in-use features are enabled on both servers)

Number of Venafi servers

(Up to 250K or more active certificates and 5K SSH servers)

6 total

  • 2 dedicated Logging event processing servers
  • 2 web services servers
  • 2 back end processing servers

Number of Venafi servers

(Up to 1M or more active certificates and 20K SSH servers)

Implementations of this size are professionally designed by Venafi according to the customer's needs.

Server Agents doing SSH work

2 additional Venafi servers for every 20,000 SSH servers being managed

Server Agents doing certificate work

2 additional Venafi servers for every 40,000 servers being managed

Network latency to database

For best performance results, you should minimize the network latency between the database server and the Venafi Platform servers.

For comparison, in internal testing, we compared the time required to renew a certificate at various latency levels using a recent release of Venafi Platform and made the following general observations:

WAN Delay (in milliseconds) Time to renew 1 certificate
0 around 2 seconds
15 around 7 seconds
30 around 15 seconds
60 around 30 seconds
120 around 60 seconds

While these speeds are not guaranteed, they are illustrative of the significant impact latency can have on overall system performance.

Venafi Platform server configuration requirements for all server types
Feature Requirement

Operating Systems
  • Microsoft Windows Server 2022 (server with user interface) is supported (and required if you want to use TLS 1.3).

  • Microsoft Windows Server 2019 (server with user interface) is supported.

  • Microsoft Windows Server 2016 (server with user interface) is supported.

  • Microsoft Windows 2012 Server R2 (server with user interface) is supported for upgrades only. Do no use for new installations. Users on Windows 2012 Server should strongly consider upgrading to a newer version as Windows 2012 Server doesn’t support all Venafi features and all third-party integrations.

If you plan to use the following features, you cannot use Microsoft Windows Server 2012 R2; you must use Server 2016 or higher:

  • Venafi TLS Protect for Kubernetes

  • Entrust nShield API connections

Trust Protection Platform only supports English Language Installation Media from Microsoft. While it does support region setting configurations to ensure that date and times appear correctly, the Windows servers on which you install Trust Protection Platform must be derived from Windows English installation media.

Regarding job scheduling and timezones, there is a potential issue with timezone support on different Windows Server versions. Newer Windows Server versions may have updated timezones that older versions cannot parse correctly. This could lead to scheduling issues. It is recommended to have consistent OS versions across Trust Protection Platform servers.

Multiple servers connected using the same database are referred to as a cluster. To help you understand how your cluster is connected together, and to facilitate communication between servers in the cluster, Venafi Platform provides a feature called Message Bus, which uses an MQTT broker to maintain near-immediate connection between all servers in the cluster. Venafi Platform includes its own MQTT broker which allows the servers in the cluster to communicate in mesh mode. You can also use a separate external MQTT broker to allow your servers to communicate via the MQTT broker (hub-and-spoke mode). For details on how to use Message Bus, see Venafi Message Bus.

If you have three or more Venafi servers, some servers may not require the features in the following table, which lists additional server requirements and roles only for those Venafi servers that support inbound web services. For more information, see Enable web services on required servers.

Venafi Platform server configuration and roles required for servers that support inbound web services
Feature Requirement

Web Server Roles (Venafi web services enabled)

Install the following required Microsoft Internet Information (IIS) web server roles:

  • Common HTTP Features\Static Content
  • Common HTTP Features\Default Document
  • Health and Diagnostics\HTTP Logging
  • Health and Diagnostics\Logging Tools
  • Health and Diagnostics\Request Monitor
  • Health and Diagnostics\Tracing
  • Security\Request Filtering
  • Performance\Static Content Compression

Windows Server Roles

(Web Server\Application Development\.NET Extensibility)

Microsoft Windows 2022 Server

  • ASP.NET 4.8

  • ISAPI Extensions

  • ISAPI Filters

  • .NET Extensibility 4.8

Microsoft Windows 2019 Server

  • ASP.NET 4.6
  • ISAPI Extensions
  • ISAPI Filters
  • .NET Extensibility 4.6

Microsoft Windows 2016

  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters
  • .NET Extensibility 4.5

Microsoft Windows 2012 Server R2

  • ASP
  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters
  • .NET Extensibility 4.5
Windows service dependencies

The following services should not be disabled:

  • CNG Key Isolation (for elliptic curve key operations)

IIS 7.5 Add-On

Microsoft URL Rewrite Module 2.1

.NET Framework (Venafi web services enabled)

.NET Framework 4.8 is required for all OS versions.

Download .NET Framework 4.8 from https://dotnet.microsoft.com/download/dotnet-framework/net48.
Port 80 Binding Requirements

If you are using SCEP (Simple Certificate Enrollment Protocol), you must allow port 80 binding. SCEP will not work without port 80 binding.

Additionally, the timestamping service requires port 80. If access to port 80 is blocked, the Time Stamp Service endpoints in CodeSign Protect will not be able to get timestamping data.

If you are not using SCEP, and you don't care about access to the Time Stamp Service Endpoints, you can disable access on Port 80.

TIP  You can save valuable time in assessing and installing system prerequisites by running the Prereq Check Script and the Base Configuration Utility available at https://download.venafi.com/. After signing in, expand PS Utilities and download the following:

  • Prereq Check ScriptClosedA PowerShell script that rapidly verifies whether or not all Venafi Platform prerequisites are installed already and reports which ones are not. You can even use the optional Install parameter to automatically install some missing items and remove the IIS default web site, something typically done manually following installation of the Venafi Platform.
  • Base Configuration UtilityClosedDownload and run this utility to set most of the common post-install checklist requirements automatically, including the creation of best-practice policy tree folders, workflows, notifications, and discovery placement rules.

Trust Protection Platform requires a database to store system configuration information, archive certificates and private keys, and secure sensitive data.

Common Requirements (On-Prem or Cloud-based databases)

For specifics about setting up a cloud instance using a supported cloud provider, see Cloud hosting using Amazon RDS, Azure SQL managed Instance, or Google Cloud SQL.

BEST PRACTICE  Venafi recommends having enough drive space available on the SQL server to restore an entire copy of the database if required for recovery or troubleshooting. During a critical problem resolution, if the need arises to restore an older copy of the database for comparison or data recovery, it is a best practice to ensure that it is possible to have the current and previous databases available simultaneously.

Common database requirements
Feature Description

Supported Platforms

The database should not be installed on the Trust Protection Platform server except in test environments.

SQL AlwaysON Availability Groups are supported for Disaster Recovery and High Availability.

Unless otherwise specified, all updates, patches, and service packs (SPs) for the Microsoft SQL Server versions (in English only) listed below are supported by Venafi Trust Protection Platform. If an SP is specified below, it represents the minimum SP required for the given SQL version.

If you use a cloud server for Trust Protection Platform, you should use it for both the database and the Venafi Platform servers. We do not recommend splitting between a cloud provider and on-prem.

Venafi typically releases major software updates every six months. Microsoft releases new SPs and patches for its SQL Server versions regularly. Releases rarely occur at the same time. Venafi recommends that you keep your SQL Server version updated with the latest SPs and patches from Microsoft.

Supported:

  • Microsoft SQL Server 2022
  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2017
  • Microsoft SQL Server 2016 SP2
  • Microsoft SQL Server 2014
  • Microsoft SQL Server 2012 SP2

For more information, see the SQL Server installation guide.

IMPORTANT  Currently Venafi Platform is only supported on English installations of Microsoft SQL Server.

Database maintenance plan

Minimum weekly rebuild of table indexes

The performance of index operations online is the major benefit of using MS SQL Enterprise edition rather than Standard edition. With Standard edition, you can only rebuild and reorganize indexes (a recommended weekly manual task) by taking your database server offline, resulting in an outage of Venafi Platform. Enterprise edition allows Venafi Platform to perform these maintenance tasks automatically and in the background with the service remaining active. For help choose the best edition for you, see Which edition of Microsoft SQL Server should I use?

 

If you want to host Venafi Platform in a cloud data center, you can pick between Amazon RDS, Azure SQL Managed Instance, or Google Cloud SQL. Support for these cloud providers is described in the following table.

IMPORTANT  If you use a cloud server for Trust Protection Platform, you should use it for both the database and the Venafi Platform servers. We do not recommend splitting between a cloud provider and on-prem.

NOTE  Azure SQL Single Database and Azure SQL Elastic pool products are not compatible with Venafi Platform. Additionally Azure SQL Managed Instance does NOT support Azure Active Directory authentication for Trust Protection Platform.

In the table below, values are given for specific levels, showing you the minimum system requirements based on the bigger of how many active certificates and SSH keys you have.

  • Level 1: Minimum requirements for up to 50k active certificates and 1k SSH servers
  • Level 2: Minimum requirements for up to 250k active certificates and 5k SSH servers
  • Level 3: Minimum requirements for up to 1M active certificates and 20k SSH servers

For example, if you have 40,000 active certificates and 3,000 SSH servers, you would need to meet the Level 2 requirements since the number of SSH servers exceeds the level 1 allowance.

Cloud data center comparison matrix
Feature Amazon RDS support Azure SQL Managed Instance support Google Cloud Database support

Use case
  • Production
  • Development
  • Test
  • Production
  • Development
  • Test
  • Production
  • Development
  • Test
Processor
  • Level 1: 4 processing cores
  • Level 2: 16 processing cores
  • Level 3: 32 processing cores
  • Level 1: 4 processing cores General Purpose
  • Level 2: 16 processing cores General Purpose
  • Level 3: 32 processing cores Business Critical
  • Level 1: 4 processing cores
  • Level 2: 16 processing cores
  • Level 3: 32 processing cores

DB engine version

When selecting the database version, pick the latest version supported by both Venafi Platform and Amazon RDS.

Azure manages the SQL version, and always uses the latest production version of SQL Enterprise Edition.

When selecting the database version, pick the latest version supported by both Venafi and Google Cloud Database.

Microsoft SQL Server edition

Info... | Help me decide
  • Level 1: Enterprise (recommended) and Standard (supported)
  • Level 2: Enterprise (recommended) and Standard (supported)
  • Level 3: Enterprise (required)

Based on package choice

 
  • Level 1: Enterprise (recommended) and Standard (supported)
  • Level 2: Enterprise (recommended) and Standard (supported)
  • Level 3: Enterprise (required)

DB Instance Class
  • Level 1: db.m4.xlarge
  • Level 2: db.m4.4xlarge
  • Level 3: db.m4.10xlarge

N/A

 High Memory
Memory
  • Level 1: 16 GB
  • Level 2: 32 GB
  • Level 3: 64 GB
 Based on package choice
  • Level 1: 16 GB
  • Level 2: 32 GB
  • Level 3: 64 GB

Database storage

NOTE  All values assume a 90-day log retention period. If your retention period is longer, you will need more storage.

  • Level 1: 50 GB
  • Level 2: 250 GB
  • Level 3: 1 TB
  • Level 1: 50 GB
  • Level 2: 250 GB
  • Level 3: 1 TB
  • Level 1: 50 GB
  • Level 2: 250 GB
  • Level 3: 1 TB

Multi -AZ deployment

AlwaysOn (supported)

Use failover as secondary (built on top of AlwaysOn)

 High Availability (supported)

Storage type

Provisioned iOps (SSD)

N/A

 SSD

Disk I/O per second - Provisioned iOPS
  • Level 1: 5,000 sustained baseline IOPS
  • Level 2: 10,000 sustained baseline IOPS
  • Level 3: 20,000 sustained baseline IOPS

N/A

 Based on machine type

Public accessibility

No

 No Yes (if configured)

Microsoft SQL Server Windows Authentication

Untested

Not supported Untested

Deletion protection

Enabled

 Enabled N/A
Additional Notes Using AWS RDS Multi-AZ (availability zone) with Venafi Platform requires special considerations, including a virtual private cloud with both public and private subnets. Contact Venafi Customer Support for more details. Azure Active Directory authentication is NOT supported.  

In the table below, values are given for specific levels, showing you the minimum system requirements based on the bigger of how many active certificates and SSH keys you have.

  • Level 1: Minimum requirements for up to 50k active certificates and 1k SSH servers
  • Level 2: Minimum requirements for up to 250k active certificates and 5k SSH servers
  • Level 3: Minimum requirements for up to 1M active certificates and 20k SSH servers

EXAMPLE  If you have 40,000 active certificates and 3,000 SSH servers, you would need to meet Level 2 requirements since the number of SSH servers exceeds the level 1 allowance.

Database requirements for on-premise MSSQL servers
Feature Level 1 Level 2 Level 3

Processor

4 processing cores

 16 processing cores 32 processing cores

Memory

16 GB

 32 GB 64 GB

Disk I/O per second (IOPS)

5,000 sustained baseline IOPS

 10,000 sustained baseline IOPS 20,000 sustained baseline IOPS

Database Storage

NOTE  All values assume a 90-day log retention period. If your retention period is longer, you will need more storage.

50 GB

 250 GB 1 TB

Microsoft SQL Server editions

More info... |  Help me decide
  • Enterprise (Recommended)
  • Standard (Compatible)
  • Enterprise (Recommended)
  • Standard (Compatible)
 Enterprise (Required)

Venafi Trust Protection Platform supports integrations with Hardware Security Modules (HSMs) to encrypt private keys, credentials, and other secrets stored in the database. You can also use the HSM integration for the central generation of private keys. If either of these use cases apply to you, use the following table to see what HSMs and versions are supported when installed on every Venafi server.

IMPORTANT  Venafi claims minimum supported HSM versions and expects the HSM vendors to be fully backwards compatible. If there are issues found, we will actively test against the newer version.

Supported HSM

Encrypt Secrets

Private Key Generation1

Code Signing Certificate Private Key Storage2

Minimum Client Version

Entrust nShield Connect HSM

Green check mark, indicates feature is supported

Green check mark, indicates feature is supported

Green check mark, indicates feature is supported

12.40.2

Thales SafeNet Luna SA (including Azure Dedicated HSM)

Green check mark, indicates feature is supported

Green check mark, indicates feature is supported
(requires CKE3)

Green check mark, indicates feature is supported

6.2.24

NOTE  Thales SafeNet Luna SA version 6.3 is known to have issues with Trust Protection Platform. We recommend not using version 6.3.

Vendor Self-Certified HSMs

NOTE  The HSM Partners on the list below have gone through the process of self-certification. This process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM is used to protect things like private keys and credential objects, and when Advanced Key Protect is enabled.

Self- certification means that the partner has done the testing and proven successful results and integration with Venafi. Successful self-certification results indicate that the integration will work as expected. The HSM vendor may need to be engaged if something is working unexpectedly.

HSM

Encrypt Secrets

Private Key Generation5

Code Signing Certificate Private Key Storage6

Firmware Version
Atos Trustway Proteccio Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 1.47
AWS CloudHSM Green check mark, indicates feature is supported   Green check mark, indicates feature is supported 2.4
Crypto4A QxEDGE Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 1
Entrust nShield as a Service Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 12.6
Fortanix Data Security Manager Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 4.19
FutureX Vectra Plus Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 4.13
Gradiant KeyConnect     Green check mark, indicates feature is supported 1
Securosys Primus HSM and Cloud HSM Service Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 2.8
Thales Data Protection on Demand Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 7.3
Utimaco CryptoServer Green check mark, indicates feature is supported Green check mark, indicates feature is supported Green check mark, indicates feature is supported 2.3

Port requirements

Depending on your environment, Trust Protection Platform can use the following ports:

Venafi Trust Protection Platform Port Requirements

Port

Description

Default Port Assignments

80

While Venafi Platform provides several methods of ensuring encryption of traffic, Port 80 binding is ONLY required if you are using SCEP or the Time Stamp Service endpoints, as these features require http access to the internet to function correctly.

If you are not using SCEP, and you don't care if the Time Stamp Service endpoints in CodeSign Protect can get time stamping data, you can disable Port 80 binding in IIS.

All other Venafi web services will continue to function if access to port 80 is blocked.

443

Hyper Text Transfer Protocol Secure (HTTPS) should be enabled if Policy Tree is secured with a certificate.

50443

This port is used by Trust Protection Platform to handle certificate requests via Enrollment Over Secure Transport (EST) protocol. Allow this port only on servers which will handle such requests.
8883 This is the IANA-assigned port for encrypted (TLS) MQTT connections between servers in the cluster using the Message Bus feature. By default, Message Bus uses this encrypted port. If you opt for unencrypted communication, the IANA-assigned port is 1883.

Operational Port Assignments

135

Trust Protection Platform communicates with the Microsoft Certificate Services and the server hosting Internet Information Services over DCOM.

The default DCOM port is 135 (dynamic port range 49152-65535). Trust Protection Platform contacts the IIS application on port 135; however, the application returns its response on a different port. This can pose a problem in a firewall environment. For information on configuring DCOM with firewalls, see the following Microsoft Technical Document: http://support.microsoft.com/kb/154596.

21

Port 21 can be used for sending reports via the FTP protocol. Reports can also be sent using the SMB protocol (port 445).

22

Trust Protection Platform uses the Secure Shell protocol (SSH) to communicate with servers and appliances. The default SSH port is 22.

SCP and SFTP run as subsystems of SSH on port 22.

Trust Protection Platform supports Open SSH and Tectia SSH versions 4 and 5.3.x.

25, 587

Trust Protection Platform uses the Simple Message Transfer Protocol (SMTP) to communicate with a configured email server to send email notifications. The default SMTP port is 25.

161

Trust Protection Platform uses the Simple Network Management Protocol (SNMP) channel to send selected events to an SNMP management system via an SNMP trap.

445

Port 445 can be used for sending reports via the SMB protocol. Reports can also be sent using the FTP protocol (port 21).

514

The Venafi Log server can send log messages to a syslog server. By default, the Syslog channel uses UDP port 514, but an administrator may configure an alternate port in the Syslog channel configuration. The Log server can also use TLS for sending Syslog messages, if configured.

For more information, see About syslog channels.

Default Database Ports

1433

For more information on running the Trust Protection Platform database on a Microsoft SQL system, see Setting up your Microsoft SQL database server.

Network access requirements

Platform requirements

There are a number of systems that require network access to be enabled for Trust Protection Platform to run.

  • All Venafi servers need access to the database server
  • If using an HSM to (1) encrypt private keys, credentials, and other secrets stored in the Venafi database, or (2) for the central generation or storage of private keys, all Venafi servers need access to the HSM.
  • If using an identity provider, like Active Directory or LDAP, all Venafi servers need network access to the identity infrastructure.
  • Each Venafi server that has the Event Processing component enabled must have access to the configured logging channels. For example, email server, syslog, SMTP, etc.
  • For each Venafi server that has a web service enabled (e.g. UI consoles, Web SDK, Agent service, etc.), all clients that are connecting to the service must have network access to the Venafi server, either directly or through a proxy.

Feature-specific requirements

Most features in Trust Protection Platform can be configured to only use a subset of servers to use that feature. For example, when integrating with a certificate authority, the Venafi server(s) integrated with that certificate authority need network access to connect to that certificate authority, but other servers in your cluster would not need that access.

There are three ways you can control what Venafi servers need access:

Most product features have a Network Access component for the feature. We recommend you review what features you plan to use, as well as which Venafi server(s) will be responsible for these features, and configure network access accordingly.

 

The Venafi Configuration Console is built upon the Microsoft Management Console (MMC) Framework. Some of the nodes, such as the Venafi Event Viewer and the Code Signing are snap-ins that are available to be installed on other Windows servers and workstations, even if they are not setup to be Venafi servers.  If you plan leverage this functionality, it can only be installed on Windows systems that meet the following requirements:

  • .NET 4.7.2
  • Windows 8.1 or later or Windows MS SQL 2016 SP2 or later

  • Windows

    • .NET 4.8
    • Windows 8.1 or later
    • Windows Server 2012 R2 or later

  • Linux versions tested by Venafi

    • Debian 8 and later
    • Ubuntu 16.04 and later
    • CentOS 7 and later
    • Red Hat Enterprise Linux (RHEL) 7 and later
    • May be compatible with other Linux distributions

  • macOS

    • PKCS#11 and GPG: Yosemite 10.10 and later
    • Keychain integration: Catalina 10.15 and later

Server Agent

Unless otherwise specified, all updates, patches, editions, and service packs (SPs) for a listed operating system version are supported. The 64-bit architecture is supported across most platforms (see below). IPv6 is supported on all operating systems.

NOTE  Venafi typically releases major software updates twice a year. Operating system vendors release new SPs and patches regularly. Releases rarely occur at the same time.

Supported Operating Systems

  • Microsoft Windows 7, Microsoft Windows 10, Microsoft Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 (64-bit only), and Windows Server 2022.

    NOTE  While Microsoft Windows Server 2008R2 and Microsoft Windows 7 are technically supported in this release, they are not recommended due to excessive memory consumption.

    Before installing the Server Agent, verify that target systems use one of the supported x86-64 operating systems as noted above.

    • Windows 7, 2008 R2, 2012, and 2012 R2 require the update for Universal C Runtime.

      You can download the update at https://support.microsoft.com/en-us/kb/2999226.

    • The Server Agent requires .NET 4.0 or later on all Windows versions.

  • AIX 7.1 (PPC) and AIX 7.2 (PPC)
  • Solaris 10 (SPARC), and Solaris 11 (SPARC)
  • Red Hat Enterprise Linux (RHEL) 6, RHEL 7, and RHEL 8 (64-bit only)
  • Community Enterprise Operating System (CentOS) 6, CentOS 7, and CentOS 8 (64-bit only)
  • SUSE Linux Enterprise Server versions 11 and 12 (64-bit only)

Compatible Keystores

For information about compatible keystores for certificate installation, see Server Agent-supported keystores.

Disk Space Requirements

200 MB free disk space (150 MB for agent and 50 MB to store results waiting to be returned to the Trust Protection Platform server).

Venafi Certificate Authority Drivers

Certificate Authority integrations are a required component of the TLS Protect and CodeSign Protect products for any level of automation beyond discovery and expiration monitoring. Verify that your current Certificate Authorities are on the list of supported integrations below. If not, they may be supported by a third party through our Adaptable Framework.

The following internal CA drivers are supported on the past four versions of Trust Protection Platform:

  • Adaptable CA

    Includes a reference sample of DigiCert PKI Platform (Magnum).

  • Microsoft Standalone CA
  • Microsoft Enterprise CA (ADCS)
  • OpenSSL
  • OpenTrust Enterprise PKI
  • RedHat Certificate System
  • RSA Certificate Manager
  • DigiCert PKI Platform

TIP  For a complete list of supported version numbers, see Supported Vendors, Products, and Versions.

The following external CA drivers are supported on the past four versions of Trust Protection Platform and all include an API interface and are cloud-based hosting platforms:

  • Amazon Certificate Manager (ACM)
  • Sectigo Certificate Manager (SCM)
  • DigiCert CertCentral
  • Entrust Certificate Services
  • GlobalSign MSSL
  • HydrantID
  • QuoVadis
  • Symantec Managed PKI for SSL
  • VikingCloud

TIP  For a complete list of supported version numbers, see Supported Vendors, Products, and Versions.

  • DigiCert

  • Entrust Certificate Service

  • Microsoft CA

  • Microsoft CA Pool

Provisioning (Certificate Installation) Drivers

Agentless Provisioning drivers support the automatic installation of TLS certificates to their host systems and are a feature of TLS Protect that require a Trust Force™ license for each endpoint you install to. Below is a list of natively supported integrations with certificate keystores, applications, cloud services, and enterprise appliances. If your application is not listed, it does not necessarily mean that automatic installation cannot be achieved. For example, provisioning to a Tomcat web server is possible using the Java Keystore driver. Other integrations are possible using the Adaptable Framework through third parties and the Venafi Marketplace. Review the list of what drivers you plan to use as part of your deployment.

The following provisioning drivers are supported on the past five versions of Trust Protection Platform, except where noted:

  • Adaptable Application

  • Apache/PEM (OpenSSL)
  • IBM Global Security Kit (GSK)
  • Java Keystore (JKS and JCEKS)
  • Microsoft CAPI
  • Microsoft IIS
  • Network Security Services (Oracle iPlanet)

  • PKCS#12

    See About CSR-supported formats for more information.

TIP  For a complete list of supported version numbers, see Supported Vendors, Products, and Versions.

NOTE  For a list of supported keystores to which you can provision using the Server Agent, see Server Agent-supported keystores.

The following appliance drivers are supported on Trust Protection Platform:

  • Amazon Web Services IAM/ELB/CloudFront
  • Apache
  • Azure Key Vault (Microsoft)
  • Blue Coat SSL Visibility Appliance
  • CAPI (IIS 7+)
  • Citrix NetScaler MPX (with HSM)
  • Citrix NetScaler VPX
  • F5 Big-IP F5 LTM Advanced
  • Google Cloud Load Balancer (external proxies only)
  • HashiCorp Vault PKI
  • IBM GSK
  • IBM Sterling Connect:Direct
  • IBM WebSphere DataPower
  • Imperva MX (doesn't support file validation)
  • iPlanet
  • JKS
  • Palo Alto Networks Next Generation Firewall
  • PEM
  • Riverbed SteelHead WAN Optimizer
  • Tealeaf PCA (Passive Capture Appliance)

TIP  For a complete list of supported version numbers, see Supported Vendors, Products, and Versions.

Supported browsers and supported vendors, products, and versions

Supported and compatible web browsers
Status Browser

Supported

Microsoft Edge (Chromium, latest version) and Google Chrome (latest version)

Compatible

Firefox 78 ESR

Minimum supported monitor resolution requirement: 1280 x 1024.

Click a column heading to sort by vendors, products, versions, or types of integrations.

Vendor Supported Products Supported Versions* Integration Types

Amazon

Amazon Certificate Manager (ACM)

 

Certificate Authority

Amazon

Amazon Web Services (AWS)

ACM, IAM, ALB, ELB, CloudFront

Cloud Service

Apache

HTTP Server 2.2 and 2.4 Application
Bouncy Castle Clients using BC bcpkix library 1.64 Certificate Enrollment via EST Protocol
Cisco IOS 15.7(3)M3 Certificate Enrollment via EST Protocol
Cisco libest (Client) 1.1.0 Certificate Enrollment via EST Protocol

Citrix

NetScaler VPX

13.1 build 42.47, 13.0 build 58.32

Network Appliance

Citrix

NetScaler MPX w/HSM

v13.0 build 58.32

 Network Appliance
CyberArk Enterprise Password Vault 10.5, 11, 12 Credential Provider

Dell

iDRAC 8 (using RACADM 8.3)**

2.41.40.40 firmware

IoT

DigiCert

DigiCert CertCentral

NA

Certificate Authority

Entrust

Entrust Certificate Services

NA

Certificate Authority

Entrust nShield

Entrust nShield Connect HSM

12.40.2 (client; minimum version)

Hardware Security Module

F5

Big-IP Local Traffic Manager (LTM) / Application Delivery Controller (ADC)

13.1.5.1 build 0.0.2,
14.1.5.5 build 0.0.2,
15.1.9.1 build 0.0.5,
16.1.3.5 build 0.0.5,
17.1.0.2 build 0.0.2

 Network Appliance

GlobalSign

GlobalSign MSSL

NA

Certificate Authority

Hewlet-Packard (HP)

iLO 4 (using HPQLOCFG 1.5)**

2.50 firmware

IoT

HydrantID

HydrantID

NA

Certificate Authority

IBM

Sterling Connect:Direct with Secure+

6.0x, 6.1x, 6.2x for Windows and 6.0x, 6.1x, 6.2x for UNIX

Application

IBM

WebSphere DataPower IDG

10.0.1, 10.5.0

Network Appliance
IBM

Global Security Kit (GSK)

7.0.3.15, 7.0.4.20 (gsk7cmd, gsk7capicmd & iKeyMan); 8.0.14.34 (gsk8capicmd)

 Keystore
Imperva MX 13.6 Appliance

Microsoft

Internet Information Services (IIS)

8.0, 8.5, 10.0.1607, and 10.0.1809

Application

Microsoft

Active Directory Certificate Services (ADCS)

Enterprise or Standalone CA running on Windows Server 2003-2012, 2016, 2019, and 2022

Certificate Authority

Microsoft

Azure

Key Vault, Web App

Cloud Service
Microsoft

Windows Certificate Store (CAPI)

Windows Server 2012, 2012 R2, 2016, and 2019

Keystore
Mozilla

Network Security Services (NSS)

For more information, visit https://en.wikipedia.org/wiki/Network_Security_Services.

 3.x Keystore

OpenSSL

OpenSSL CA

1.0.0, 3.0.0

Certificate Authority

OpenSSL

PEM

NA

Keystore

OpenTrust

Enterprise PKI

4.7.1

Certificate Authority

Oracle

Sun Java System Web Server / Oracle iPlanet Web Server

For more information, visit https://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server.

6.1, 7.0

Application
Oracle Java Keystore (JKS and JCEKS) 1.6, 1.7, 1.8

Keystore

Palo Alto Networks

Next Gen Firewall 9.1, 10.1, and 10.2 Appliance

QuoVadis

QuoVadis

NA

Certificate Authority

RedHat

Red Hat Certificate System

8.1

Certificate Authority

Riverbed

SteelHead WAN Optimizer

VCX555H 9.0.0b

Appliance

RSA Security

RSA Certificate Manager

6.8 and 6.9

Certificate Authority
RSA Security PKCS#12 NA Keystore

Sectigo

Sectigo Certificate Manager (CCM)

NA

Certificate Authority

Symantec

Symantec Managed PKI for SSL

NA

Certificate Authority

Symantec

DigiCert PKI Platform***

NA

Certificate Authority

Symantec

(Blue Coat)

SSL Visibility Appliance

3.11.3.1 (Remote API 2.9)

Network Appliance
Thales estclient 1.0.1 Certificate Enrollment via EST Protocol

Thales

SafeNet Luna SA

6.22 (client)

Hardware Security Module

VikingCloud

VikingCloud

NA

Certificate Authority

* Venafi Labs has tested these versions. Other versions might be compatible but are not supported by Venafi.

** For Dell iDRAC and HP iLO, refer to the Adaptable Application driver reference samples. See Adaptable Application .

*** DigiCert PKI Platform is provided as a supported reference sample for the Adaptable CA driver. See Adaptable CA.

Related Topics Link IconRelated Topics