Trust Protection Platform components

The following is a list of components that are available for selection in Venafi Configuration Console. Any component that is not selected during installation can be enabled later in the configuration console.

Some components can't be added to your system. For example, if IIS is not installed, or if you don't have a valid license for a specific product, related components won't be available.

Filtering the table

You can use the search box to filter the table contents, OR click one of the Product buttons to see its related components. (These features don't work together.)

Component	Answer file key	Products	Description
ACME Service	Acme	TLS Protect, Client Protect	Provides certificate automation via an Automated Certificate Management Environment (ACME). An HTTPS server is set up and configured to automatically obtain a browser-trusted certificate without any human intervention. A certificate management agent runs on the web server. IMPORTANT Venafi's implementation of the ACME protocol was designed and tested for use with the following clients: certbot, win-acme, and acme.sh. If you're using a different client, you might encounter limitations. For example, your alternate ACME client might use portions of the ACME protocol that aren't supported by Venafi's integration with the certbot and win-acme clients.
Authentication Server	AuthServer	Platform	Provides authentication for REST access for web components.
Automatic Layout Manager	AutoLayout	Platform	Enables Placement Job feature, allowing you to reconcile duplicates and organize certificates and devices in folders based on placement rules. If this feature is installed during installation of Venafi Trust Protection Platform, it can be enabled or disabled either in the Venafi Configuration Console, or in Policy Tree on the Platforms tree. If you have multiple servers in your cluster, you may want to enable this feature on some, but not all, of the servers in the cluster for performance reasons. That would enable one server to be running the placement jobs feature without impacting the performance of other servers in the cluster.
Bulk Provisioning Manager	BulkProvisioning	TLS Protect	Provisions keys and certificates to one or more devices simultaneously.
CA Import	CAImport	TLS Protect, Client Protect	Automatically imports certificates from supported Certificate Authorities.
Certificate Lifecycle and Monitoring	Certificates	TLS Protect, Client Protect, CodeSign Protect	Provides certificate lifecycle management. Responsible for certificate-related tasks such as expiration notifications, issuance, renewal and revocation, and for provisioning of certificates to devices.
Certificate Revocation Monitoring	Revocation	TLS Protect, Client Protect	Provides the ability for Trust Protection Platform to provide CRL Distribution Point monitoring. Monitors the revocation status of all certificates in inventory at least daily. Allows you to do an on-demand revocation check for an individual certificate in either Aperture or Policy Tree. Monitors OCSP and CDP endpoint validity. This component does not control your ability to revoke certificates; this component adds the ability to monitor for revocations and to monitor CDP and OCSP endpoints. IMPORTANT Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring. When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access. If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints. CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree.
Client REST	Client	Platform	Enables communication between agents and Trust Protection Platform.
Code Signing Client Distribution	ClientDistribution	CodeSign Protect	Enables a web page that provides helpful scripting information and links for downloading CodeSign Protect clients. You can access the page by adding `/csc` to your Trust Protection Platform URL, such as: https://TPP-Server-Name/csc For more information, see Using the CodeSign Protect Client Downloads page.
Code Signing Key Server	KeyServer	CodeSign Protect	Provides functionality to set up a JWK key server and a GPG key server to store public keys and make them publicly available through a RESTful HTTP request. For more information, see GPG public key server .
Enrollment over Secure Transport Service	EstService	TLS Protect, Client Protect	This service provides certificate enrollment capability for devices via the Enrollment over Secure Transport (EST) protocol. For more information on EST, see Certificate enrollment via EST protocol.
HSM Backend	HsmBackend	CodeSign Protect	Provides virtual HSM capability within Trust Protection Platform for code signing. This allows Venafi CodeSign Protect clients to request signing operations using private code signing keys that are managed by Trust Protection Platform.
Key Lifecycle and Monitoring	KeyManager	CodeSign Protect	Provides key lifecycle management. Responsible for tasks such creating new keys and monitoring key expiration. This component is required for GPG and .NET CodeSign Protect Environments, as well as for SSH Protect.
Kubernetes Discovery Manager	JSSDiscovery	TLS Protect	Provides a way to monitor TLS certificates used on clusters managed by Venafi TLS Protect for Kubernetes. With the Kubernetes discovery feature, administrators can create new discovery jobs which import certificates from all Kubernetes clusters registered to Venafi TLS Protect for Kubernetes.
Network Device Enrollment	Scep	TLS Protect, Client Protect	Enables devices to use the SCEP protocol to request certificates from Trust Protection Platform. You would want to enable this feature if you have SCEP-enabled devices or applications and you want those devices and applications to be able to get certificates directly from Trust Protection Platform. This feature is frequently used with mobile-device management solutions. For more information on configuring Network Device Enrollment, see Certificate enrollment via SCEP protocol of the Venafi Trust Protection Platform Certificate Management Guide.
Network Discovery	Discovery	Platform	Runs the Network Discovery surveys configured in your system’s Discovery objects. During a Network Discovery, the Discovery server scans designated IPv4 address ranges and ports to identify SSL certificates. For more information on discovering network certificates, see Discovering certificates and keys.
Object Monitoring	Monitoring	Platform	Monitors SSH key and credential objects for expiration and generates expiration notifications. For more information on logging and event notifications, see Notification and logging overview.
Onboard Discovery Manager	OBDDiscovery	TLS Protect	Configuring onboard discovery jobs lets you automate the process of provisioning by adding devices to one or more specific policies. You then have control over the placement of discovered certificates without having to manually update jobs or reorganize certificates after they've been discovered.
Reporting	Reporting	Platform	Generates and distributes pre-defined and custom reports.
SSH Certificate Lifecycle and Monitoring	SSHCertificates	SSH Protect	Allow you to use SSH Protect to manage SSH Certificates.
SSH Key Detection and Remediation	SSH	SSH Protect	Secures and protect SSH keys and systems through discovery, reporting, policy enforcement, and remediation.
Time Stamp Service	TimeStampService	CodeSign Protect	Provides an RFC 3161-compliant time stamping service for code signing. This service allows you to use either your own time stamping certificate or to specify a list of time stamping proxies. Once configured, you can then specify Trust Protection Platform as your time stamping server.
Validation	Validation	TLS Protect, Client Protect	Runs the network and onboard validation processes. Network validation verifies a certificate or key is installed on the target system, then determines if the correct certificate is being used. For more information on validating certificates and applications, see SSL/TLS network validation.
Web Console	WebConsole	Platform	Web-based management interface. Installs both Policy Tree and Aperture. At least two Venafi servers needs to have Web Console enabled. If Web Console is configured on two different servers, you can disable this component. Server requirements for Web Console are outlined in Web Server Roles (Venafi web services enabled).
Web SDK	WebSDK	Platform	Extend your custom environments by integrating them with Venafi solutions using the Venafi Web SDK code library. For more information, see DevOps and Automation.