Deprecated Functionality From Venafi Platform


This article contains a current list of features that have been removed from shipping versions of Trust Protection Platform. 

Applies To:

All versions of Trust Protection Platform.  More details below.

See Also:

For a list of features that are scheduled for deprecation in upcoming releases, see

Venafi Platform 20.1

Splunk Log Channel Driver
In 19.3, we made significant enhancements to our Syslog driver which we believe, based on feedback from customers and Splunk themselves, provides an overall better integration path that the Splunk driver which is delivering event data in a manner that is not common for enterprise applications.  Thus the Splunk driver has been removed from the Venafi Platform. After upgrading to Trust Protection Platform version 20.1, existing Splunk driver objects appear as a question mark. (?). They'll no longer function, but you'll have the ability to delete them.

SSH connection method removed from the Citrix NetScaler driver
In Trust Protection Platform version 17.1, Venafi began transitioning from SSH CLI to REST API in connection with updates made at that time to the NetScaler driver and the introduction of Onboard Discovery. During subsequent releases, Venafi continued to support the SSH CLI in order to give customers time to migrate existing instances. With the release of Trust Protection Platform 20.1, the legacy SSH connection method has been removed from the Citrix NetScaler driver. The currently supported connection method for this driver is now HTTPS only. 

SSH connection method removed from the IBM DataPower driver
In Trust Protection Platform version 17.3, Venafi began transitioning from SSH CLI to REST API in connection with updates made at that time to the IBM DataPower driver and the introduction of Onboard Discovery. During subsequent releases, Venafi continued to support the SSH CLI in order to give customers time to migrate existing instances. With the release of Trust Protection Platform 20.1, the legacy SSH connection method has been removed from the IBM DataPower driver. The currently supported connection method for this driver is now HTTPS only. 

Web SDK API Key authentication
For the Web SDK, the API key deprecation schedule is: 20.1 Deprecated,  20.3 requires a special license, 20.4 end all support for API keys. Use OAuth token authentication instead.

Web SDK Authorization Methods involving API Keys
API key authentication is depreciated. The following methods are deprecated: POST vedsdk/Authorize, POST vedsdk/Authorize/Certificate, GET /vedsdk/Authorize/CheckValid, GET vedsdk/Authorize/Integrated.

Instead of an API key, you must use token authorization methods in the Auth SDK. Introduced in 19.2, token authorization provides longer session validity, support for load balancing Web SDK servers, and granular access controls via scopes and privileges.  

Special Certificate Placement Behavior for Network Discovery
Since 14.3 - when we find multiple generational versions of the same certificate on use in the network, the TLS product had special behavior in how certificates were stored.  The product would create multiple certificate objects and move the appropriate applications/installations to the two certificate objects to represent where they are installed.

Starting in 20.1 - we will no longer have this special behavior and the placement will be more in line with the behavior experienced with Server Agent Discovery Placement.  When there are multiple generations of the same certificate discovered - we will rely on daily validation to notify certificate owners that the old certificates are still in use.

Note: This deprecation is also being backported to 19.4.x via a patch.

Venafi Platform 19.4

Xolphine CA driver
In Trust Protection Platform 19.4, integration with the Xolphin CA has been transitioned from the built-in Venafi Xolphin CA driver to a solution that leverages Venafi's Adaptable Framework.

Venafi Platform 19.3

POST Credentials/RenameContainer Web SDK Method

POST Credentials/RenameContainer is deprecated. Instead, use Config/RenameObject because it has identical functionality and it is more commonly used. This change can help eliminate customer confusion and simplify support of the API.

Venafi Platform 19.2

Layer 7 Certificate Installation Driver
Venafi's technology partnership ended when Computer Associates acquired Layer 7 in 2013. There is insufficient market demand for this integration. Customers using Venafi to integrate with Layer 7 should work with CA Technologies or a third-party resource to implement an Adaptable integration with Layer 7 load balancers.

IIS 6 Certificate Installation Driver
Microsoft's extended support for Windows Server 2003 ended in July 2015. Since the CAPI driver is the recommended and compatible method for provisioning to all newer versions of Windows, the IIS 6 driver has been removed from Venafi Platform. 

Server Agent Windows 32-bit Support
Due to Microsoft's deprecation of 32-bit operating systems for its server line, Venafi no longer ships the 32-bit version of the Windows Installer and Venafi Update Packages. 

Venafi Platform 19.1

.NET Framework update
Installation of Microsoft .NET Framework version 4.7 will be required on Venafi Platform servers.

User Agent for Windows will require .NET Framework version 4.6.1
User Agent for Enterprise Mobility Protect will require installation of Microsoft .NET Framework version 4.6.1 on all Windows devices where it is installed.

Agent Support for Solaris
Starting in 19.1, the Server Agent will only support Solaris 10 and newer. Support for Solaris 8 and 9 will be deprecated. 

Network Discovery Placement Preview
The Network Discovery Placement Preview feature will be removed from Aperture. After its removal, Network discovery will work more like agent and TrustNet discovery. When discovered, items automatically appear in the Policy tree.

Custom Permissions and Containers for Placement Rules
Placement Rules have been migrated off of the Discovery Tree in WebAdmin.  While permissions for Placement Rules are now managed in Aperture, you can give users either permissions to all placement rules or no placement rules.  There is no longer support to give users permissions to some placement rules but not others.  Also, Placement Rules could previously be placed in sub folders within the Discovery Tree.  Now all Placement Rules are on a flat list.

Passing the WebSDK API key via URL query string
The Trust Protection Platform WebSDK has historically permitted the post-authentication API key to be passed to REST methods in two different ways, as a query string parameter (i.e. ?apikey=) or as an HTTP header (i.e. X-Venafi-Api-Key). Since its introduction in 14.1, the HTTP header approach has been recommended over the query string because the latter exposes the cleartext API key value in the IIS logs of the Venafi server.  Since this poses a security risk the option will no longer be supported.

Certain Validation Columns no longer Available in WebAdmin Policy View Export
Due to the refactor of Validation Storage, the following columns: SSL/TLS Validation Results and Chain Validation Results are no longer available to be included in the export of the Certificate Policy View.  In 19.2 there are plans to add dashboards to improve visibility into validation results.

Venafi Platform 18.4 

Cisco ACE Certificate Installation Driver
Cisco announced the end-of-life of this product in late 2013. Cisco’s official end-of-support is January 2019.

POST Config/RemoveAttributeValues
POST Config/RemoveAttributeValues will be removed as a supported method. If misused, this API call can be catastrophically destructive. Config/RemoveAttributeValues was removed from product documentation in 18.3 and will be completely removed in 18.4. Instead, please use a similar API call, such as POST Config/ClearAttribute.

Venafi Platform 18.3

Network Discovery Jobs in Web Admin
Network Discovery job configuration was removed from the Web Administration console. Beginning in 18.2, you will need to use Aperture for all Network Discovery jobs. Enhanced configuration options for Network Discovery have been available in Aperture since version 14.3.

Onboard Discovery will be moved from Web Admin to Aperture
Onboard discovery for F5, NetScaler, and DataPower will only be available in Aperture. These onboard discovery options are no longer available in the Web Administration Console.

Server Agent Support for SuSE/SLES 10
Long Term Service Pack Support for SuSE/SLES 10 SP4 ended on 31 July 2016.  In 18.1, support for SLES 12 was added so we dropped support for SusE/SLES 10 in 18.3

F5 Provisioning/Installation Support for F5 version 10.x
This has been considered a legacy platform for several years and the vendor has ended support in December 2016.  Discontinuing support will allow for removing complexity in coding, usability, testing and support.

GSK Provisioning & Certificate Installation Support for JKS and PKCS#12
IBM Dropped support for the JKS format when they released GSK 8.0 in 2010.  The GSK driver support for JKS and PKC#12 depends upon the software utilities hosted on the remote device which has proven problematic.  Venafi's JKS and PKCS#12 drivers are better suited to handle these use cases because they support central generation of the keystone and now support all of the use cases the GSK driver once uniquely supported.

GSK Storage Types
The JCEKS, JKS, and PKCS#12 Storage Types for GSK Application objects have been discontinued in 18.3. Only the Certificate Management Services (CMS) Storage Type is supported.

Venafi Platform 18.2

Server Agent Support for RedHat Enterprise Linux 4.x
In order to improve Venafi build processes, support for RHEL 4.x was dropped. This is because RHEL 4.x cannot support the improvements made to Venafi build processes. RHEL 4 was released in 2005 and the last kernel update was in 2011.

Master Admin Permissions Revocation
Trust Protection Platform no longer allows master administrators to have permissions revoked anywhere within the product tree. Any additional permissions assigned or removed are ignored.

Automatic configuration of Microsoft Outlook 2007
In 18.1, Enterprise Mobility Protect User Agent was able to automatically configure Microsoft Outlook 2007 with the latest user certificate. Microsoft officially announced the end of extended support of Office 2007. Therefore, when you upgrade to Trust Protection Platform 18.2, Enterprise Mobility Protect User Agent no longer supports automated configuration of Outlook 2007.

Venafi Platform 18.1

Server Agent No Longer Supports Apache Driver

The Apache driver is not supported with Server Agent provisioning mode after 18.1. Instead, you can use Agentless certificate installation.           

User Portal No Longer Supports Local Key Generation in Internet Explorer
Modern browsers have either deprecated or plan to deprecate support for key and CSR generation within the browser.  The current method for Internet Explorer requires ActiveX controls and the lowering of IE security settings to run.  Because of this, the User Portal will only support service generated private keys and CSRs for requesting certificates.

Symmetric Key Manager Product
The Symmetric Key Manager component has been removed from the available components list of the installer. Symmetric key management has not been a focus of our short- or long-term roadmap for several years.

Comodo Certificate Authority Driver - Web Host Reseller (legacy)
According to Comodo, all customers have been (or are) in the process of being migrated to the newer Comodo Certificate Manager (CCM) platform. Therefore, the legacy CA driver has been removed.

Entrust Security Manager Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.

Symantec Local Hosting Kit (LHK) Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.

Keynectis Sequoia Certificate Authority Driver
This native driver has been replaced by an Adaptable script developed by a third-party Venafi Technology Partner.

SSH TrustMap
SSH TrustMap has been removed. You can get the textual information provided by TrustMap in other areas of the product user interface. We are evaluating requirements and exploring other models that will provide a graphical view of SSH trust relationships in a future version of the product.  

Log View Read Only Credentials
In previous versions of Trust Protection Platform, there were separate credentials that could be entered specifically for viewing logs in WebAdmin and WinAdmin. This feature was not used widely by customers and during a refactor to allow for each Trust Protection Platform server to have it's own database connection configuration (some Trust Protection Platform servers can now have WinAuth while other others have SQL Auth), this feature was dropped.

TrustNet Dashboard Widget "New Locations" Slice
In 18.1 TrustNet features in TPP have been updated, during the update, the "New Locations" Slice has been removed from the trustnet Dashboard widget

TrustNet Dashboard Widget "Duplicate Name" Slice and Inventory Filter
In 18.1, TrustNet features in Trust Protection Platform has been updated. During the update, the "Duplicate Name" Slice has been removed from the TrustNet Dashboard widget. Also, the Duplicate Name filter has been removed from the TrustNet filter on the Certificate Inventory page.

Venafi Platform 17.4

Microsoft SQL Server 2008 R2
Venafi Trust Protection Platform no longer works with Microsoft SQL Server 2008 R2.  Please upgrade to a recently patched version of Microsoft SQL 2012 R2, 2014, or 2016 prior to installing Trust Protection Platform 17.4 or higher.

See Also: Error: "This Upgrade Is Not Allowed Due To An Incompatible Version Of SQL Server"

Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008 R2 is no longer a supported version to run Venafi Trust Protection Platform 17.4 or higher.  Before upgrading your Trust Protection Platform environment, you should have new Windows servers available on which to install Trust Protection Platform so that you can replace existing Servers running older versions of Venafi software. Currently supported versions of Windows Server are: Microsoft Windows 2016 Server (server with user interface) and Microsoft Windows 2012 Server R2 (server with user interface).

Venafi Server Agent no longer supports Windows Server 2003
In order for the Venafi Server Agent to update it's runtime libraries, support for Windows Server 2003 had to be dropped. The 17.4 version of the Server Agent will not run on Windows Server 2003. Please upgrade your Windows Servers 2003 to newer versions of the Microsoft Server Operating System in order to continue to have the Venafi Agent installed on those systems.

Venafi Platform 17.3 

Transition IBM DataPower Driver interface from SSH to REST
This driver has been transitioned from SSH CLI to a REST API.  DataPower versions prior to 7.2 will no longer be supported; however, they should still be compatible.  Versions being targeted for support are XI52 7.2 and IDG 7.5.

Transition DigiCert CA Driver from Enterprise to CertCentral API
The DigiCert CA driver has been migrated from the legacy Enterprise API to the current CertCentral API. You will need to have your account migrated. DigiCert has stated that they are available to help customers with the migration.

Venafi Platform 17.2

Supported Firefox version Update
Supported web browsers have been updated to Internet Explorer 11 and Mozilla FireFox ESR 52. The latest version of Google Chrome is still categorized as a compatible browser.

Devices removed from Aperture Folder tree
Devices have been removed from the Aperture Folder tree so that only Folders are visible.  This was done to enhance performance and usability.  Devices are still accessible to SSH customers in the Aperture Inventory menu.

Inventory > Devices top navigation menu. Agent Discovery of Root Certificates
In order to increase performance of Server Agent Certificate Discovery, Trust Protection Platform no longer stores data where it was found for root and intermediate certificates.  In previous versions, partial information on where the Root certificate was discovered was available from the Support tab.

IBM GSK Driver Support for GSK version 6.0
The GSK Certificate Installation Driver no longer supports version 6.0.  Version 6.0 reached end-of-life in September 2013.

Java Key Store (JKS) Driver Support for Java version 1.4 or 1.5
The Java Key Store (JKS) Certificate Installation Driver no longer supports Java versions 1.4 or 1.5. These versions reached their end-of-life in October 2008 and October 2009, respectively.

Venafi Platform 17.1

Brocade Application Driver
The Brocade Application Driver used for certificate installations is no longer available.

Verizon SureServer Certificate Authority Driver
The Verizon SureServer Certificate Authority Driver used for certificate enrollments is no longer available.

Oracle DB support
Oracle is no longer supported. For more information refer to:

Canned CA Trust Report
The canned CA Trust Report found in the Web Administration Console has been removed.

Web Admin Licensing Status Dashboard
This functionality has been migrated to Aperture and is now visible on the new System Status dashboard.

Venafi Support Tool
The Venafi Support Tool is removed.  It has been replaced by a new utility called the Venafi Support Center.

Venafi Platform 16.4

VED Client UI Portal
The undocumented and unsupported UI Portal component has been removed.  This change should not affect any customers. 

z/OS CA driver
The z/OS CA driver has been removed from Trust Protection Platform. This integration is outdated and the Adaptable CA driver provides a better alternative.

Venafi Platform 16.3

SSH non-recursive discovery
SSH Key Discovery no longer supports performing non-recursive scans. The ability to scan "just this folder" and exclude all sub-folders is no longer available.

Aperture certificate status “Revocation Approval Required”
The Certificate Status of Revocation Approval Required has been replaced with Pending My Approval.

Venafi Server Agent has deprecated support for Hewlett Packard Unix Persistent Architecture Reduced Instruction Set Computer (HP-UX PA-RISC)
Venafi Trust Protection Platform no longer includes an agent installer for HP-UX PA-RISC.  This does not affect our support for HP-UX on Itanium Processors (HP-UX IA).  Hewlett Packard stopped supporting HP-UX PA-RISC in early 2005.  We have deprecated support for this specific operating system so that we can realign resources to support newer and more popular enterprise operating systems.

Fore more information about the deprecation of PA-RISC, visit:

Aperture License dashboard widget and filter
The License dashboard widget and certificate list License filter have been removed from the Aperture console.  If this filter was used in a saved Custom Report, the report will be updated to remove this filter. Licensing information can be retrieved using the in-product Licensing Report found in the Web Administration Console.