What's New in Venafi Platform
Trust Protection Platform version 25.1 introduces some significant enhancements across all product lines. In the list below, features related to ideas posted and voted on in the Product Ideas Community are marked with a double caret: ^^ followed by the idea number.
IMPORTANT! Before upgrading to version 25.1, carefully review Important Considerations Before Upgrading.
Trust Protection Platform 25.1
- New support for more than 100 algorithms across all platform products - Trust Protection Platform now supports more than 100 algorithms for encryption, hashing, and signing. Learn more
- Default allowed algorithms can be set product-wide - With the number of algorithms now supported, we've introduced the ability to specify, in Venafi Configuration Console (VCC), which algorithms are allowed in your organization. Any algorithms disallowed in VCC will not appear in algorithm lists across the product. Learn more
- Policies can allow multiple algorithms - When you set the algorithm settings using a policy, you can now select multiple algorithms, based on those allowed in VCC. A sub-container can further restrict the available algorithms, based on the inherited policy settings. Learn more
- Support for post-quantum algorithms - Venafi Platform now supports many post-quantum (or quantum-resistant) algorithms, including composite algorithms that combine traditional and quantum-resistant encryption. Research in quantum-safe algorithms is evolving quickly. Venafi will continue to develop support for quantum-safe cryptography and will adapt as standards are established. Learn more
- New CLI utility: TPPPKIS.exe - To support the additional algorithms that this release can use, a new utility, TPPPKIS.exe, has been introduced. Learn more
TLS Protect
- Algorithm security strength options - Several new cryptographic algorithm parameter sets have been added for more data encryption options. Venafi Configuration Console (VCC) now includes a Strength column in the main settings area to show how strong each option is. Administrators can then easily remove any algorithms that do not meet their company's security policy requirements.
- Selecting specific certificate chains - As customers transition away from RSA and with the widespread adoption of cross-signing by public Certificate Authorities (CAs), certificates often have multiple valid chain paths. Now, administrators can configure their preferred certificate chain when requesting a certificate. By using a CA template, administrators can specify the desired chain.
- Editable AWS Regions list - Users can now edit the AWS Regions list directly. This enhancement allows administrators to tailor their AWS configurations to better meet their specific needs.
- Simplified policy structure and algorithm parameter sets - Administrators can now select multiple parameter sets per policy, ensuring end users have access to only acceptable strength parameter sets that meet company security standards.
CodeSign Protect
- Dozens of new algorithms available - Several dozen new encryption algorithms are now available to use in CodeSign Protect environment templates and projects, including post-quantum algorithms. See supported encryption algorithms.
- --hashalg option for sign and verify commands - The sign and verify commands now support a new --hashalg flag, allowing you to specify the hashing algorithm used during signing and verification. Previously, a single hardcoded algorithm was used for all operations. Supported values include standard algorithms as well as a new PURE option, which bypasses hashing. See the sign and verify descriptions in cspconfig, pkcs11config, gpgconfig, and tkdriverconfig.
- Additional options for client configuration health command - Several options have been added to the health command. The new options are --drivers, --grants, --updates, and --urls. Each option returns results specific to that category. See the health description in cspconfig, pkcs11config, gpgconfig, and tkdriverconfig.
SSH Protect
- SSH key management updates - Discovered keys will be validated against allowed algorithms and flagged if not compliant. See About the SSH keyset inventory list.
- Key validation - Discovered keys are validated against the Allowed Algorithms list, which is defined by its corresponding policy. See SSH policy settings details.
- SSH certificates - Template settings have been removed. Settings are now managed by the folder specified in the field Create Certificate Object in Folder. Customers should check the Algorithm and Allowed Algorithms specified in the folder. The same settings apply to keys issued under this folder. See Working with issuance templates.
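The two SSH Protect items above describe validating discovered keys against a policy's Allowed Algorithms list and flagging the non-compliant ones. The following is an added illustration of that check, written for this page and not Venafi's code: it parses OpenSSH public-key lines, recovers the key type and size from the wire-format blob (RSA modulus length, Ed25519 fixed size, ECDSA curve), and compares each key to a policy table. The policy format, the sample keys and the minimum sizes are all constructed assumptions; the product's own policy representation is not on this page.

```python
import base64
import struct

# Constructed sample policy (assumption): allowed key type -> minimum key size in bits.
# Anything not listed here is treated as a disallowed algorithm.
ALLOWED_ALGORITHMS = {
    "ssh-ed25519": 256,
    "ssh-rsa": 3072,
    "ecdsa-sha2-nistp256": 256,
}


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode an RFC 4251 'mpint'; the extra byte keeps a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' from blob at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key(line: str):
    """Return (key_type, bits, comment) for one OpenSSH public-key line.

    bits is None for key types whose size this example does not decode.
    """
    fields = line.split()
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the wire blob")
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)      # public exponent e (unused here)
        modulus, _ = _read_string(blob, off)  # modulus n as mpint
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    else:
        bits = None
    return key_type, bits, comment


def check_key(line: str, policy=ALLOWED_ALGORITHMS) -> dict:
    """Flag a single discovered key against the allowed-algorithm policy."""
    key_type, bits, comment = parse_public_key(line)
    result = {"comment": comment, "type": key_type, "bits": bits}
    if key_type not in policy:
        result.update(compliant=False, reason="algorithm not in allowed list")
    elif bits is not None and bits < policy[key_type]:
        result.update(compliant=False, reason=f"{bits}-bit key below minimum {policy[key_type]}")
    else:
        result.update(compliant=True, reason="ok")
    return result


def audit(lines, policy=ALLOWED_ALGORITHMS) -> list:
    """Validate every discovered key line and return one result per key."""
    return [check_key(line, policy) for line in lines]


def _make_line(key_type: str, blob: bytes, comment: str) -> str:
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample inventory (assumption): synthetic blobs, not real keys.
SAMPLE_KEYS = [
    _make_line("ssh-rsa", _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1), "legacy@host"),
    _make_line("ssh-rsa", _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 4095) | 1), "deploy@host"),
    _make_line("ssh-ed25519", _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32), "ops@host"),
    _make_line("ssh-dss", _ssh_string(b"ssh-dss"), "old@host"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_KEYS):
        flag = "OK  " if r["compliant"] else "FLAG"
        print(f"{flag} {r['type']:<22} {str(r['bits']):>5}  {r['comment']:<14} {r['reason']}")
```

The check is deliberately two-stage: first the algorithm must appear in the policy at all (so ssh-dss is flagged regardless of size), then the decoded size must meet the minimum, which is how a 2048-bit RSA key can be flagged while a 4096-bit one passes under the same policy.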
Drivers Integration
- Chain order in Azure Key Vault settings - A new Chain Order field allows users to select the order of the certificate chain, with options for "Root first" and "End-entity first." See Creating an Azure Key Vault application object.
- Azure onboard discovery - The Azure Subscription ID is now included in the attributes of all discovered certificates, not just those bound to web applications. This enhancement improves tracking and enables customers to map certificate owners more effectively. See Onboard Discovery prerequisites.
- AWS regions and discovery - Users can now specify AWS regions using a new control in the UI. Discovery jobs can be set up to use specific regions for discovery. See Creating a new Onboard Discovery job.
- Sectigo CA driver migration - The Sectigo CA driver has been migrated from SOAP to REST API due to the upcoming deprecation of the SOAP API. This update ensures continued functionality and includes changes to the authentication method and the use of the Admin API for listing and using all certificate products/types.
- API updates for CyberArk Privilege Cloud - Trust Protection Platform (TPP) now supports new authentication methods in CyberArk Privilege Cloud. It includes WebSDK enhancements, CyberArk Connector updates, and REST API adaptations.