Trust Protection Platform components

The following is a list of components that are available for selection in Venafi Configuration Console. Any component that is not selected during installation can be enabled later in the configuration console.

Some components can't be added to your system. For example, if IIS is not installed, or if you don't have a valid license for a specific product, related components won't be available.


Answer file features key



ACME Service


TLS Protect, Client Protect

Provides certificate automation via an Automated Certificate Management Environment (ACME). An HTTPS server is set up and configured to automatically obtain a browser-trusted certificate without any human intervention. A certificate management agent runs on the web server.

IMPORTANT  Venafi's implementation of the ACME protocol was designed and tested for use with the certbot client. If you're using a client other than certbot, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by Venafi's integration with the certbot client.

Authentication Server



Provides authentication for REST access for web components.

Automatic Layout Manager



Enables Placement Job feature, allowing you to reconcile duplicates and organize certificates and devices in folders based on placement rules.

If this feature is installed during installation of Venafi Trust Protection Platform, it can be enabled or disabled either in the Venafi Configuration Console, or in Policy Tree on the Platforms tree.

If you have multiple servers in your cluster, you may want to enable this feature on some, but not all, of the servers in the cluster for performance reasons. That would enable one server to be running the placement jobs feature without impacting the performance of other servers in the cluster.

Bulk Provisioning Manager


TLS Protect

Provisions keys and certificates to one or more devices simultaneously.

CA Import


TLS Protect, Client Protect

Automatically imports certificates from supported Certificate Authorities.

Certificate Lifecycle and Monitoring


TLS Protect, Client Protect, CodeSign Protect

Provides certificate lifecycle management. Responsible for certificate-related tasks such as expiration notifications, issuance, renewal and revocation, and for provisioning of certificates to devices.

Certificate Revocation Monitoring


TLS Protect, Client Protect

Provides the ability for Trust Protection Platform to provide CRL Distribution Point monitoring. Monitors the revocation status of all certificates in inventory at least daily. Allows you to do an on-demand revocation check for an individual certificate in either Aperture or Policy Tree. Monitors OCSP and CDP endpoint validity. This component does not control your ability to revoke certificates; this component adds the ability to monitor for revocations and to monitor CDP and OCSP endpoints.

IMPORTANT  Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring.

When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access.

If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints.

CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree.

Client REST



Enables communication between agents and Trust Protection Platform.

Cloud Instance Monitoring


TLS Protect

The Cloud Instance Monitoring feature finds stale certificates by using cloud service provider APIs to identify certificates that were issued for instances that have since been terminated. It also automatically initiates retirement actions to keep the Trust Protection Platform certificate inventory as up-to-date as possible.

Enrollment over Secure Transport Service


TLS Protect, Client Protect

This service provides certificate enrollment capability for devices via the Enrollment over Secure Transport (EST) protocol.

For more information on EST, see Certificate enrollment via EST protocol.

Code Signing Key Server


CodeSign Protect

Provides functionality to set up a GPG key server to store GPG public keys and make them publicly available through a RESTful HTTP request.

For more information, see GPG public key server .

HSM Backend


CodeSign Protect

Provides virtual HSM capability within Trust Protection Platform for code signing. This allows Venafi CodeSign Protect clients to request signing operations using private code signing keys that are managed by Trust Protection Platform.

Key Lifecycle and Monitoring


CodeSign Protect, SSH Protect

Provides key lifecycle management. Responsible for tasks such creating new keys and monitoring key expiration. This component is required for GPG and .NET CodeSign Protect Environments, as well as for SSH Protect.

Network Device Enrollment


TLS Protect, Client Protect

Enables devices to use the SCEP protocol to request certificates from Trust Protection Platform.

You would want to enable this feature if you have SCEP-enabled devices or applications and you want those devices and applications to be able to get certificates directly from Trust Protection Platform. This feature is frequently used with mobile-device management solutions.

For more information on configuring Network Device Enrollment, see Certificate enrollment via SCEP protocol of the Venafi Trust Protection Platform Certificate Management Guide.

Network Discovery



Runs the Network Discovery surveys configured in your system’s Discovery objects. During a Network Discovery, the Discovery server scans designated IPv4 address ranges and ports to identify SSL certificates.

For more information on discovering network certificates, see Discovering certificates and keys.

Object Monitoring



Monitors SSH key and credential objects for expiration and generates expiration notifications.

For more information on logging and event notifications, see Notification and logging overview.

Onboard Discovery Manager


TLS Protect

Configuring onboard discovery jobs lets you automate the process of provisioning by adding devices to one or more specific policies. You then have control over the placement of discovered certificates without having to manually update jobs or reorganize certificates after they've been discovered.




Generates and distributes pre-defined and custom reports.

SSH Certificate Lifecycle and Monitoring


SSH Protect

Allow you to use SSH Protect to manage SSH Certificates.

SSH Key Detection and Remediation


SSH Protect

Secures and protect SSH keys and systems through discovery, reporting, policy enforcement, and remediation.

Time Stamp Service


CodeSign Protect

Provides an RFC 3161-compliant time stamping service for code signing. This service allows you to use either your own time stamping certificate or to specify a list of time stamping proxies. Once configured, you can then specify Trust Protection Platform as your time stamping server.



TLS Protect, Client Protect

Runs the network and onboard validation processes.

Network validation verifies a certificate or key is installed on the target system, then determines if the correct certificate is being used.

For more information on validating certificates and applications, see SSL/TLS network validation.

Web Console



Web-based management interface. Installs both Policy Tree and Aperture.

At least two Venafi servers needs to have Web Console enabled. If Web Console is configured on two different servers, you can disable this component.

Server requirements for Web Console are outlined in Web Server Roles (Venafi web services enabled).




Extend your custom environments by integrating them with Venafi solutions using the Venafi Web SDK code library.

For more information, see DevOps and Automation.