System requirements for Venafi components
Before installing and using any Venafi product, carefully review Venafi's supported operating system and hardware configurations.
Also, review any additional or special requirements specified in the documentation provided with each product.
NOTE To view the system requirements for previous releases, visit: https://docs.venafi.com/.
Venafi Trust Protection Platform components
Feature | Requirement |
---|---|
Processor | 4 processing cores |
Memory | 16 GB RAM |
Disk Space (for the Trust Protection Platform application) | 5 GB. The Trust Protection Platform application can be installed on a secondary partition. |
If you plan to use Venafi TLS Protect for Kubernetes, you cannot use Microsoft Windows Server 2012 R2; you must use Windows Server 2016 or higher.
Trust Protection Platform only supports English-language installation media from Microsoft. While it does support region settings so that dates and times appear correctly, the Windows servers on which you install Trust Protection Platform must be derived from Windows English installation media.
If you have three or more Venafi servers, some servers may not require the features in the following table, which lists additional server requirements and roles only for those Venafi servers that support inbound web services. For more information, see Enable web services on required servers.
Feature | Requirement |
---|---|
Windows Server Roles (Web Server\Application Development\.NET Extensibility) | Install the required Microsoft Internet Information Services (IIS) web server roles for your operating system: Microsoft Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2. |
Windows service dependencies | The following services should not be disabled: |
IIS 7.5 Add-On | Microsoft URL Rewrite Module 2.1 |
.NET Framework (Venafi web services enabled) | .NET Framework 4.7.2 or 4.8 is required for compatibility with Trust Protection Platform. Download .NET Framework 4.7.2 from https://support.microsoft.com/en-us/help/4054530 or 4.8 from https://dotnet.microsoft.com/download/dotnet-framework/net48. |
Port 80 Binding Requirements | If you are using SCEP (Simple Certificate Enrollment Protocol), you must allow port 80 binding; SCEP will not work without it. The timestamping service also requires port 80: if access to port 80 is blocked, the Time Stamp Service endpoints in CodeSign Protect cannot retrieve timestamping data. If you are not using SCEP and do not need the Time Stamp Service endpoints, you can disable access on port 80. |
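As an added check that is not Venafi's Prereq Check Script or any other Venafi code, the following PowerShell, run elevated on the server that will host the web services, tests the items in the table above: the IIS .NET Extensibility 4.x role (Windows feature name Web-Net-Ext45), the .NET Framework Release value in the registry (461808 is the 4.7.2 baseline, 528040 is 4.8), the URL Rewrite module (the registry key it reads is an assumption, so only presence is tested) and whether IIS has a port 80 binding. The function name and its NeedsPort80 parameter are my own.

```powershell
# Added example, not Venafi's Prereq Check Script. Run elevated on the Windows Server
# that will host Trust Protection Platform web services. Assumes the ServerManager
# and WebAdministration modules are present (both come with the IIS role).
function Test-TppWebServerPrereqs {
    param(
        # $true if this server will serve SCEP or CodeSign Protect timestamping,
        # the only features on this page that need a port 80 binding.
        [bool]$NeedsPort80 = $false
    )
    $results = [ordered]@{}

    # 1. IIS role: Web Server\Application Development\.NET Extensibility 4.x
    Import-Module ServerManager -ErrorAction Stop
    $role = Get-WindowsFeature -Name Web-Net-Ext45
    $results['IIS .NET Extensibility 4.x role installed'] = [bool]$role.Installed

    # 2. .NET Framework: the Release value identifies the installed 4.x build.
    #    461808 is the 4.7.2 baseline and 528040 the 4.8 baseline, so anything
    #    below 461808 fails the table's requirement.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    $results['.NET Framework 4.7.2 or later (Release >= 461808)'] = ($null -ne $release -and $release -ge 461808)

    # 3. URL Rewrite module. Assumption: its installer registers a Version value
    #    under this key. Only presence is tested; compare the version by hand.
    $rw = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    $rwVersion = (Get-ItemProperty -Path $rw -Name Version -ErrorAction SilentlyContinue).Version
    $results["URL Rewrite module registered (version value: $rwVersion)"] = ($null -ne $rwVersion)

    # 4. Port 80 binding in IIS.
    Import-Module WebAdministration -ErrorAction Stop
    $port80 = @(Get-WebBinding -Port 80)
    if ($NeedsPort80) {
        $results['Port 80 binding present (required for SCEP / Time Stamp Service)'] = ($port80.Count -gt 0)
    } else {
        # Not a hard requirement, but a listener nothing uses is needless exposure.
        $results['No port 80 binding (not needed on this server)'] = ($port80.Count -eq 0)
    }
    return $results
}

# Usage: print PASS/FAIL per check; pass -NeedsPort80:$true on SCEP or timestamping servers.
$checks = Test-TppWebServerPrereqs -NeedsPort80:$false
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $state, $name
}
```

The port 80 check is deliberately two-sided: on a SCEP or timestamping server a missing binding is a failure, while on every other web-services server the script treats an existing binding as the finding, since the table says it can be disabled there.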
TIP You can save valuable time in assessing and installing system prerequisites by running the Prereq Check Script and the Base Configuration Utility available at https://download.venafi.com/. After signing in, expand PS Utilities and download the following:
Trust Protection Platform requires a database to store system configuration information, archive certificates and private keys, and secure sensitive data.
Common Requirements (On-Prem or Cloud-based databases)
For specifics about setting up a cloud instance using a supported cloud provider, see Cloud hosting using Amazon RDS, Azure SQL managed Instance, or Google Cloud SQL.
BEST PRACTICE Venafi recommends having enough drive space available on the SQL server to restore an entire copy of the database if required for recovery or troubleshooting. During a critical problem resolution, if the need arises to restore an older copy of the database for comparison or data recovery, it is a best practice to ensure that it is possible to have the current and previous databases available simultaneously.
Feature | Description |
---|---|
Supported Platforms | The database should not be installed on the Trust Protection Platform server except in test environments. SQL AlwaysOn Availability Groups are supported for disaster recovery and high availability. Unless otherwise specified, all updates, patches, and service packs (SPs) for the Microsoft SQL Server versions (English only) listed below are supported by Venafi Trust Protection Platform; if an SP is specified, it is the minimum SP required for that SQL version. If you use a cloud server for Trust Protection Platform, use it for both the database and the Venafi Platform servers; we do not recommend splitting between a cloud provider and on-prem. Venafi releases software updates quarterly, and Microsoft releases new SPs and patches for SQL Server regularly; releases rarely occur at the same time. Venafi recommends keeping your SQL Server version updated with the latest SPs and patches from Microsoft. Supported: For more information, see the SQL Server installation guide. IMPORTANT Currently Venafi Platform is only supported on English installations of Microsoft SQL Server. |
Minimum weekly rebuild of table indexes | Online index operations are the major benefit of MS SQL Enterprise edition over Standard edition. With Standard edition, you can only rebuild and reorganize indexes (a recommended weekly manual task) by taking the database server offline, causing an outage of Venafi Platform. Enterprise edition lets Venafi Platform perform these maintenance tasks automatically in the background while the service remains active. For help choosing the best edition for you, see Which edition of Microsoft SQL Server should I use? |
If you want to host Venafi Platform in a cloud data center, you can pick between Amazon RDS, Azure SQL Managed Instance, or Google Cloud SQL. Support for these cloud providers is described in the following table.
IMPORTANT If you use a cloud server for Trust Protection Platform, you should use it for both the database and the Venafi Platform servers. We do not recommend splitting between a cloud provider and on-prem.
NOTE Azure SQL Single Database and Azure SQL Elastic pool products are not compatible with Venafi Platform. Additionally Azure SQL Managed Instance does NOT support Azure Active Directory authentication for Trust Protection Platform.
In the table below, values are given for specific levels, showing you the minimum system requirements based on the bigger of how many active certificates and SSH keys you have.
- Level 1: Minimum requirements for up to 50k active certificates and 1k SSH servers
- Level 2: Minimum requirements for up to 250k active certificates and 5k SSH servers
- Level 3: Minimum requirements for up to 1M active certificates and 20k SSH servers
For example, if you have 40,000 active certificates and 3,000 SSH servers, you would need to meet the Level 2 requirements since the number of SSH servers exceeds the level 1 allowance.
Feature | Amazon RDS support | Azure SQL Managed Instance support | Google Cloud Database support |
---|---|---|---|
Use case | | | |
Processor | | | |
DB engine version | When selecting the database version, pick the latest version supported by both Venafi Platform and Amazon RDS. | Azure manages the SQL version, and always uses the latest production version of SQL Enterprise Edition. | When selecting the database version, pick the latest version supported by both Venafi and Google Cloud Database. |
Microsoft SQL Server edition | | Based on package choice | |
DB Instance Class | | N/A | High Memory |
Memory | | Based on package choice | |
Database storage (NOTE All values assume a 90-day log retention period. If your retention period is longer, you will need more storage.) | | | |
Multi-AZ deployment | AlwaysOn (supported) | Use failover as secondary (built on top of AlwaysOn) | High Availability (supported) |
Storage type | Provisioned IOPS (SSD) | N/A | SSD |
Disk I/O per second - Provisioned IOPS | | N/A | Based on machine type |
Public accessibility | No | No | Yes (if configured) |
Microsoft SQL Server Windows Authentication | Untested | Not supported | Untested |
Deletion protection | Enabled | Enabled | N/A |
Additional Notes | Using AWS RDS Multi-AZ (availability zone) with Venafi Platform requires special considerations, including a virtual private cloud with both public and private subnets. Contact Venafi Customer Support for more details. | Azure Active Directory authentication is NOT supported. | |
In the table below, values are given for specific levels, showing you the minimum system requirements based on the bigger of how many active certificates and SSH keys you have.
- Level 1: Minimum requirements for up to 50k active certificates and 1k SSH servers
- Level 2: Minimum requirements for up to 250k active certificates and 5k SSH servers
- Level 3: Minimum requirements for up to 1M active certificates and 20k SSH servers
EXAMPLE If you have 40,000 active certificates and 3,000 SSH servers, you would need to meet Level 2 requirements since the number of SSH servers exceeds the level 1 allowance.
Feature | Level 1 | Level 2 | Level 3 |
---|---|---|---|
Processor | 4 processing cores | 16 processing cores | 32 processing cores |
Memory | 16 GB | 32 GB | 64 GB |
Disk I/O per second (IOPS) | 5,000 sustained baseline IOPS | 10,000 sustained baseline IOPS | 20,000 sustained baseline IOPS |
Database Storage (NOTE All values assume a 90-day log retention period. If your retention period is longer, you will need more storage.) | 50 GB | 250 GB | 1 TB |
Microsoft SQL Server editions | | | Enterprise (Required) |
Venafi Trust Protection Platform supports integrations with Hardware Security Modules (HSMs) to encrypt private keys, credentials, and other secrets stored in the database. You can also use the HSM integration for the central generation of private keys. If either of these use cases applies to you, use the following table to see which HSMs and versions are supported when installed on every Venafi server.
IMPORTANT Venafi claims minimum supported HSM versions and expects the HSM vendors to be fully backwards compatible. If there are issues found, we will actively test against the newer version.
Supported HSM | Encrypt Secrets | Private Key Generation¹ | Code Signing Certificate Private Key Storage² | Minimum Client Version |
---|---|---|---|---|
Entrust nShield Connect HSM | | | | 12.40.2 |
Thales SafeNet Luna SA | | | | 6.2.24 (NOTE Thales SafeNet Luna SA version 6.3 is known to have issues with Trust Protection Platform. We recommend not using version 6.3.) |
Vendor Self-Certified HSMs
NOTE The HSM Partners on the list below have gone through the process of self-certification. This process involves testing the specific PKCS#11 mechanisms that Trust Protection Platform uses when an HSM is used to protect things like private keys and credential objects, and when Advanced Key Protect is enabled.
Self-certification means that the partner has done the testing and proven successful results and integration with Venafi. Successful self-certification results indicate that the integration will work as expected. The HSM vendor may need to be engaged if something is working unexpectedly.
HSM | Encrypt Secrets | Private Key Generation⁵ | Code Signing Certificate Private Key Storage⁶ | Firmware Version |
---|---|---|---|---|
Atos Trustway Proteccio | | | | 1.47 |
AWS CloudHSM | | | | 2.4 |
Crypto4A QxEDGE | | | | 1 |
Entrust nShield nShield as a Service | | | | 12.6 |
Fortanix Data Security Manager | | | | 1 |
FutureX Vectra Plus | | | | 4.13 |
Securosys Primus HSM | | | | 1.7 |
Thales Data Protection on Demand | | | | 7.3 |
Utimaco CryptoServer | | | | 2.3 |
Port requirements
Depending on your environment, Trust Protection Platform can use the following ports:
Port | Description |
---|---|
Default Port Assignments | |
80 | While Venafi Platform provides several methods of ensuring encryption of traffic, port 80 binding is ONLY required if you are using SCEP or the Time Stamp Service endpoints, as these features require HTTP access to the internet to function correctly. If you are not using SCEP, and you don't care whether the Time Stamp Service endpoints in CodeSign Protect can get timestamping data, you can disable port 80 binding in IIS. All other Venafi web services will continue to function if access to port 80 is blocked. |
443 | Hypertext Transfer Protocol Secure (HTTPS) should be enabled if Policy Tree is secured with a certificate. |
50443 | This port is used by Trust Protection Platform to handle certificate requests via the Enrollment over Secure Transport (EST) protocol. Allow this port only on servers that will handle such requests. |
Operational Port Assignments | |
135 | Trust Protection Platform communicates with Microsoft Certificate Services and the server hosting Internet Information Services over DCOM. The default DCOM port is 135 (dynamic port range 49152-65535). Trust Protection Platform contacts the IIS application on port 135; however, the application returns its response on a different port. This can pose a problem in a firewall environment. For information on configuring DCOM with firewalls, see the following Microsoft Technical Document: http://support.microsoft.com/kb/154596. |
21 | Port 21 can be used for sending reports via the FTP protocol. Reports can also be sent using the SMB protocol (port 445). |
22 | Trust Protection Platform uses the Secure Shell protocol (SSH) to communicate with servers and appliances. The default SSH port is 22. SCP and SFTP run as subsystems of SSH on port 22. Trust Protection Platform supports OpenSSH and Tectia SSH versions 4 and 5.3.x. |
25 | Trust Protection Platform uses the Simple Mail Transfer Protocol (SMTP) to communicate with a configured email server to send email notifications. The default SMTP port is 25. |
161 | Trust Protection Platform uses the Simple Network Management Protocol (SNMP) channel to send selected events to an SNMP management system via an SNMP trap. |
445 | Port 445 can be used for sending reports via the SMB protocol. Reports can also be sent using the FTP protocol (port 21). |
514 | The Venafi Log server can send log messages to a syslog server. By default, the Syslog channel uses UDP port 514, but an administrator may configure an alternate port in the Syslog channel configuration. The Log server can also use TLS for sending Syslog messages, if configured. For more information, see About syslog channels. |
Default Database Ports | |
1433 | For more information on running the Trust Protection Platform database on a Microsoft SQL system, see Setting up your Microsoft SQL database server. |
Network access requirements
Platform requirements
There are a number of systems that require network access to be enabled for Trust Protection Platform to run.
- All Venafi servers need access to the database server
- If using an HSM to (1) encrypt private keys, credentials, and other secrets stored in the Venafi database, or (2) for the central generation or storage of private keys, all Venafi servers need access to the HSM.
- If using an identity provider, like Active Directory or LDAP, all Venafi servers need network access to the identity infrastructure.
- Each Venafi server that has the Event Processing component enabled must have access to the configured logging channels. For example, email server, syslog, SMTP, etc.
- For each Venafi server that has a web service enabled (e.g. UI consoles, Web SDK, Agent service, etc.), all clients that are connecting to the service must have network access to the Venafi server, either directly or through a proxy.
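As an added example that is not Venafi's own tooling, the following PowerShell runs on a Venafi server and tests TCP reachability of the dependencies just listed, using the port numbers from the Port requirements table above. The hostnames are constructed placeholders; the LDAPS port 636 for the identity provider is an assumption, since this page lists no identity-provider port; the HSM entry carries no port because it is vendor-specific. Test-NetConnection probes TCP only, so the UDP syslog entry is reported as skipped rather than tested. The function name is my own.

```powershell
# Added example, not Venafi's own tooling. Run on a Venafi server to confirm the
# network paths required by the list above. Hostnames are constructed placeholders.
# Requires Test-NetConnection (NetTCPIP module, Windows 8.1 / Server 2012 R2 and later).
$dependencies = @(
    @{ Role = 'Database (SQL Server)';                 Host = 'sql.example.internal';    Port = 1433;  Proto = 'TCP' }
    @{ Role = 'Identity provider (LDAPS, assumed port)'; Host = 'dc.example.internal';   Port = 636;   Proto = 'TCP' }
    @{ Role = 'Email notifications (SMTP)';            Host = 'smtp.example.internal';   Port = 25;    Proto = 'TCP' }
    @{ Role = 'Syslog channel (UDP by default)';       Host = 'syslog.example.internal'; Port = 514;   Proto = 'UDP' }
    @{ Role = 'HSM (port is vendor-specific)';         Host = 'hsm.example.internal';    Port = $null; Proto = 'TCP' }
)

function Test-TppDependencyAccess {
    param([Parameter(Mandatory)][array]$Dependencies)
    foreach ($d in $Dependencies) {
        $target = '{0}:{1}/{2}' -f $d.Host, $d.Port, $d.Proto
        if ($d.Proto -ne 'TCP' -or -not $d.Port) {
            # Test-NetConnection only probes TCP; UDP and unknown ports are listed, not tested.
            [pscustomobject]@{ Role = $d.Role; Target = $target; Reachable = 'skipped' }
            continue
        }
        # -InformationLevel Quiet returns a single $true/$false for the TCP handshake.
        $ok = Test-NetConnection -ComputerName $d.Host -Port $d.Port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $d.Role; Target = $target; Reachable = $ok }
    }
}

# Usage: any row with Reachable = False is a firewall or DNS gap to resolve before installing.
Test-TppDependencyAccess -Dependencies $dependencies | Format-Table -AutoSize
```

Run it once per Venafi server, since the list above applies to every server, and again after enabling a feature-specific component (the next section) on a particular server, adding that feature's endpoint to the list.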
Feature-specific requirements
Most features in Trust Protection Platform can be configured so that only a subset of your servers provides that feature. For example, when integrating with a certificate authority, only the Venafi server(s) integrated with that certificate authority need network access to it; the other servers in your cluster do not.
There are three ways you can control what Venafi servers need access:
- Processing engines. For more information see Management Zones.
- Network discovery zones. For more information see Configuring discovery zones.
- Turning off the associated component on a specific server's Venafi Configuration Console. For more information see Trust Protection Platform components.
Most product features have a Network Access component for the feature. We recommend you review what features you plan to use, as well as which Venafi server(s) will be responsible for these features, and configure network access accordingly.
The Venafi Configuration Console is built upon the Microsoft Management Console (MMC) Framework. Some of the nodes, such as the Venafi Event Viewer and Venafi Code Signing, are snap-ins that can be installed on other Windows servers and workstations, even if they are not set up as Venafi servers. If you plan to leverage this functionality, it can only be installed on Windows systems that meet the following requirements:
- .NET 4.7.2
- Windows 8.1 or later or Windows MS SQL 2016 SP2 or later
- Windows
  - .NET 4.7.2
  - Windows 8.1 or later
  - Windows Server 2012 R2 or later
- Linux versions tested by Venafi
  - Debian 8 and later
  - Ubuntu 16.04 and later
  - CentOS 7 and later
  - Red Hat Enterprise Linux (RHEL) 7 and later
  - May be compatible with other Linux distributions
- macOS
  - PKCS#11 and GPG: Yosemite 10.10 and later
  - Keychain integration: Catalina 10.15 and later
Server Agent
Unless otherwise specified, all updates, patches, editions, and service packs (SPs) for a listed operating system version are supported. The 64-bit architecture is supported across most platforms (see below). IPv6 is supported on all operating systems.
NOTE Venafi releases software updates quarterly. Operating system vendors release new SPs and patches regularly. Releases rarely occur at the same time.
Supported Operating Systems
- Microsoft Windows 7, Microsoft Windows 10, Microsoft Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 (64-bit only), and Windows Server 2022.
NOTE While Microsoft Windows Server 2008 R2 and Microsoft Windows 7 are technically supported in this release, they are not recommended due to excessive memory consumption.
Before installing the Server Agent, verify that target systems use one of the supported x86-64 operating systems as noted above.
- Windows 7, 2008 R2, 2012, and 2012 R2 require the update for Universal C Runtime. You can download the update at https://support.microsoft.com/en-us/kb/2999226.
- The Server Agent requires .NET 4.0 or later on all Windows versions.
- AIX 7.1 (PPC) and AIX 7.2 (PPC)
- Solaris 10 (SPARC), and Solaris 11 (SPARC)
- Red Hat Enterprise Linux (RHEL) 6, RHEL 7, and RHEL 8 (64-bit only)
- Community Enterprise Operating System (CentOS) 6, CentOS 7, and CentOS 8 (64-bit only)
- SUSE Linux Enterprise Server versions 11 and 12 (64-bit only)
Compatible Keystores
For information about compatible keystores for certificate installation, see Server Agent-supported keystores.
Disk Space Requirements
200 MB free disk space (150 MB for agent and 50 MB to store results waiting to be returned to the Trust Protection Platform server).
Venafi Certificate Authority Drivers
Certificate Authority integrations are a required component of the TLS Protect, Client Protect, and CodeSign Protect products for any level of automation beyond discovery and expiration monitoring. Verify that your current Certificate Authorities are on the list of supported integrations below. If not, they may be supported by a third party through our Adaptable Framework.
The following internal CA drivers are supported on the past four versions of Trust Protection Platform:
- Adaptable CA (includes a reference sample of DigiCert PKI Platform (Magnum))
- Microsoft Standalone CA
- Microsoft Enterprise CA (ADCS)
- OpenSSL
- OpenTrust Enterprise PKI
- RedHat Certificate System
- RSA Certificate Manager
- DigiCert PKI Platform
TIP For a complete list of supported version numbers, see
The following external CA drivers are supported on the past four versions of Trust Protection Platform and all include an API interface and are cloud-based hosting platforms:
- Amazon Certificate Manager (ACM)
- Sectigo Certificate Manager (SCM)
- DigiCert CertCentral
- Entrust Certificate Services
- GlobalSign MSSL
- HydrantID
- QuoVadis
- Symantec Managed PKI for SSL
- VikingCloud
TIP For a complete list of supported version numbers, see
- DigiCert
- Entrust Certificate Service
- Microsoft CA
- Microsoft CA Pool
Provisioning (Certificate Installation) Drivers
Agentless Provisioning drivers support the automatic installation of TLS certificates to their host systems and are a feature of TLS Protect that require a Trust Force™ license for each endpoint you install to. Below is a list of natively supported integrations with certificate keystores, applications, cloud services, and enterprise appliances. If your application is not listed, it does not necessarily mean that automatic installation cannot be achieved. For example, provisioning to a Tomcat web server is possible using the Java Keystore driver. Other integrations are possible using the Adaptable Framework through third parties and the Venafi Marketplace. Review the list of what drivers you plan to use as part of your deployment.
The following provisioning drivers are supported on the past five versions of Trust Protection Platform, except where noted:
- Adaptable Application
- Apache/PEM (OpenSSL)
- IBM Global Security Kit (GSK)
- Java Keystore (JKS and JCEKS)
- Microsoft CAPI
- Microsoft IIS
- Network Security Services (Oracle iPlanet)
- PKCS#12 (see About CSR-supported formats for more information)
TIP For a complete list of supported version numbers, see
NOTE For a list of supported keystores to which you can provision using the Server Agent, see Server Agent-supported keystores.
The following appliance drivers are supported on Trust Protection Platform:
- Amazon Web Services IAM/ELB/CloudFront
- Apache
- Azure Key Vault (Microsoft)
- Blue Coat SSL Visibility Appliance
- CAPI (IIS 7+)
- Citrix NetScaler MPX (with HSM)
- Citrix NetScaler VPX
- F5 Big-IP F5 LTM Advanced
- Google Cloud Load Balancer (external proxies only)
- HashiCorp Vault PKI
- IBM GSK
- IBM Sterling Connect:Direct
- IBM WebSphere DataPower
- Imperva MX (doesn't support file validation)
- iPlanet
- JKS
- Palo Alto Networks Next Generation Firewall
- PEM
- Riverbed SteelHead WAN Optimizer
- Tealeaf PCA (Passive Capture Appliance)
TIP For a complete list of supported version numbers, see
Supported browsers and supported vendors, products, and versions
Status | Browser |
---|---|
Supported | Microsoft Edge (Chromium, latest version) and Google Chrome (latest version) |
Compatible | Firefox 78 ESR |
Minimum supported monitor resolution requirement: 1280 x 1024.
Vendor | Supported Products | Supported Versions* | Integration Types |
---|---|---|---|
Amazon | Amazon Certificate Manager (ACM) | | Certificate Authority |
Amazon | ACM, IAM, ALB, ELB, CloudFront | | Cloud Service |
Apache | HTTP Server | 2.2 and 2.4 | Application |
Bouncy Castle | Clients using BC bcpkix library | 1.64 | Certificate Enrollment via EST Protocol |
Cisco | IOS | 15.7(3)M3 | Certificate Enrollment via EST Protocol |
Cisco | libest (Client) | 1.1.0 | Certificate Enrollment via EST Protocol |
Citrix | NetScaler VPX | 11.1 build 64.11, | Network Appliance |
Citrix | | v13.0 build 58.32 | Network Appliance |
CyberArk | Enterprise Password Vault | 10.5, 11, 12 | Credential Provider |
Dell | iDRAC 8 (using RACADM 8.3)** | 2.41.40.40 firmware | IoT |
DigiCert | DigiCert CertCentral | NA | Certificate Authority |
Entrust | Entrust Certificate Services | NA | Certificate Authority |
Entrust nShield | Entrust nShield Connect HSM | 12.40.2 (client; minimum version) | Hardware Security Module |
F5 | Big-IP Local Traffic Manager (LTM) / Application Delivery Controller (ADC) | 12.1.5.2 build 10.0, | Network Appliance |
GlobalSign | GlobalSign MSSL | NA | Certificate Authority |
Hewlett-Packard (HP) | iLO 4 (using HPQLOCFG 1.5)** | 2.50 firmware | IoT |
HydrantID | HydrantID | NA | Certificate Authority |
IBM | | 6.0x, 6.1x, 6.2x for Windows and 6.0x, 6.1x, 6.2x for UNIX | Application |
IBM | | 2018.4.1.10 | Network Appliance |
IBM | | 7.0.3.15, 7.0.4.20 (gsk7cmd, gsk7capicmd & iKeyMan); 8.0.14.34 (gsk8capicmd) | Keystore |
Imperva | MX | 12.5 | Appliance |
Microsoft | Internet Information Services (IIS) | 8.0, 8.5, 10.0.1607, and 10.0.1809 | Application |
Microsoft | Enterprise or Standalone CA running on Windows Server 2003-2012, 2016, 2019, and 2022 | | Certificate Authority |
Microsoft | Key Vault, Web App | | Cloud Service |
Microsoft | | Windows Server 2012, 2012 R2, 2016, and 2019 | Keystore |
Mozilla | Network Security Services (NSS); for more information, visit https://en.wikipedia.org/wiki/Network_Security_Services | 3.x | Keystore |
OpenSSL | OpenSSL CA | 1.0.0 | Certificate Authority |
OpenSSL | | NA | Keystore |
OpenTrust | Enterprise PKI | 4.7.1 | Certificate Authority |
Oracle | Sun Java System Web Server / Oracle iPlanet Web Server; for more information, visit https://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server | 6.1, 7.0 | Application |
Oracle | Java Keystore (JKS and JCEKS) | 1.6, 1.7, 1.8 | Keystore |
Palo Alto Networks | Next Gen Firewall | 8.1, 9.1, 10.1, and 10.2 | Appliance |
QuoVadis | QuoVadis | NA | Certificate Authority |
RedHat | Red Hat Certificate System | 8.1 | Certificate Authority |
Riverbed | | VCX555H 9.0.0b | Appliance |
RSA Security | RSA Certificate Manager | 6.8 and 6.9 | Certificate Authority |
RSA Security | PKCS#12 | NA | Keystore |
Sectigo | Sectigo Certificate Manager (CCM) | NA | Certificate Authority |
Symantec | Symantec Managed PKI for SSL | NA | Certificate Authority |
Symantec | DigiCert PKI Platform*** | NA | Certificate Authority |
Symantec (Blue Coat) | | 3.11.3.1 (Remote API 2.9) | Network Appliance |
Thales | estclient | 1.0.1 | Certificate Enrollment via EST Protocol |
Thales | SafeNet Luna SA | 6.22 (client) | Hardware Security Module |
VikingCloud | VikingCloud | NA | Certificate Authority |
* Venafi Labs has tested these versions. Other versions might be compatible but are not supported by Venafi.
** For Dell iDRAC and HP iLO, refer to the Adaptable Application driver reference samples. See Adaptable Application.
*** DigiCert PKI Platform is provided as a supported reference sample for the Adaptable CA driver. See Adaptable CA.