VSP16 Venafi Security Professional 16 Course 04 April 2016
VSP16 Prerequisites
Course intended for: IT Professionals who interact with Digital Certificates
Also appropriate for: Enterprise Security Officers; Public Key Infrastructure (PKI) Administrators
VSP16 Prerequisites
Terms & acronyms you should be familiar with: Digital Certificate, Revocation, CSR, Certificate Authority, SSL/TLS, DNS, IP Address, Database, SMTP, HTML
VSP16 Outline (4 Hour Course)
- Module 1: Introduction to Aperture & Enrolling a Certificate
- Module 2: Policy & Workflow
- Module 3: Lost & Found, Revocation, and Validation
- Module 4: User Portal
- Module 5: Intro to Web Admin & Certificate Objects
- Module 6: Devices, Applications, & Provisioning
Module 1: Introduction to Aperture & Enrolling a Certificate
Venafi Trust Protection Platform
- Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products
- Aperture is a certificate security portal designed for IT Professionals who use certificates
Before Venafi
- Certificates were managed in spreadsheets or home-grown solutions
- No way to enforce corporate security standards on certificates
- Private keys were mishandled
- Corporate security compromised by regular outages due to certificate expiration
- No central control over encryption assets
After Venafi
- One secure location to manage & protect all keys and certificates
- System policies and rights allow corporate security enforcement
- Private keys and certificates can be automatically installed on target systems
- RENEWAL of certificates and ROTATION of keys is automated
Venafi Browser Support
Meet Alice Smith
- Works in the Venafi Utah datacenter facility
- Member of the Application Team
- Responsible for IIS, Apache, and in-house applications that utilize Microsoft and a Java KeyStore (JKS)
Alice Needs a Certificate
Alice is bringing a new HR system into production. To make sure data transmissions are encrypted and employees know it is a trusted site, she needs a certificate for the web application.
Alice logs into Aperture
- URL is https://[server]/aperture/ (e.g. vspopenenrollment.lab.venafi.com/aperture/)
- Typically login with enterprise credentials
Aperture Dashboard: This is Alice's first time logging into Aperture; the initial page is called the Dashboard.
Certificate Inventory: The Certificate Inventory is where all certificates that a user has been granted permission to view are stored. Alice doesn't have any certificates yet.
Create New Certificate Alice needs a new certificate. She chooses Create New Certificate in the Certificate Inventory
Choose Certificate Location Alice needs to select a location that is appropriate for the type of certificate she is creating. A location is a digital folder that is created by your Venafi administration team.
Search Certificate Location: If Alice has been given a large number of locations to choose from, she can search the dropdown menu for the proper location.
Nickname, Description, & Contacts
Tooltips
Certificate Signing Request Alice can have Venafi TrustAuthority generate the private key and CSR
Certificate Signing Request: Alice can generate her own CSR and upload it to Venafi. Venafi will check the CSR to make sure values meet corporate security requirements and standards, such as certificate key length.
Additional Certificate Fields
- Add additional DNS SANs to the certificate
- Specify who needs to approve this certificate prior to issuance
- Reuse Private Key
- Automatic Renewal
- Choose Certificate Authority & Template
Successful Submission Confirmation After clicking Submit, Alice will receive a confirmation that her request has been successfully submitted for processing.
Certificate Overview and Status As soon as Alice clicks Close on the submission confirmation window, she will be taken directly to the certificate in Aperture.
Email Confirmation Alice will also receive an email confirmation that enrollment of her certificate has begun.
Email Notification: Alice receives an email notification to inform her that her certificate is ready to be downloaded. The link in the email takes her directly to her certificate in Aperture.
Certificate Details
Show All Properties
Certificate Download File types available for certificate download:
Renewal Details Allows you to review the values that will be used when the certificate is next renewed.
Edit Renewal Details Allows you to make changes to the renewal details.
Edit Renewal Details Same wizard as when certificate was originally requested.
Renew Now Review settings prior to renewal
Module 1 Competencies
- Understand the common acronyms
- Be able to log into Aperture
- Find and view your certificates
Module 1 Review
- What web browser(s) are supported?
- What is a certificate nickname?
- How does Venafi improve security of digital keys and certificates?
- Does Venafi force you to upload a CSR to request a certificate?
- What file formats are available when downloading a certificate?
Module 2: Policies & Workflow (Locked, Suggested & Approvals)
Policies: Your Venafi Administrator can set policies in place that lock or suggest values for specific fields. These policy values can be system-wide or location-specific.
Locked Policies
- When your Venafi Administrator sets a locked policy for a specific field, that value is always used for new certificates and renewals
- Fields that cannot be changed due to policy locks are removed from view during the Create New Certificate wizard
Suggested Policies
- When your Venafi Administrator sets a suggested policy for a specific field, that value will show up in Aperture with the default value that was set in policy
- Fields with suggested policy values can be changed if needed in Aperture
No Policy If there is no suggested or locked policy, fields will be blank when new certificates are created
Alice needs a new certificate Alice is working on the new Venafi Threat Center website. Alice needs an SSL certificate that is publicly trusted for customers visiting the site
Choosing the Appropriate Location
Locked Policy takes effect Only common name field is displayed on Certificate Signing Request page. All other fields are hidden because they have been preconfigured by your Venafi Administrator via locked Policy
CA Vendor Specific Fields
Meet Susan Johnson
- Manages Venafi's Utah datacenter
- Applications, Authentication, Infrastructure, & Operations all report to Susan
- Susan approves all certificate enrollments and revocations for the Utah datacenter
Notification for Needed Approval
- Susan receives an email each time her approval is needed
- Clicking on the link takes her directly to the certificate for review and processing
Approver Certificate Details
Review & Approve Values with a lock icon are forced by policy. Susan can specify an optional comment and Reject or APPROVE the certificate.
Additional info about Workflows
- When multiple individuals or a group is specified for a single approval, anyone specified can approve or reject
- Certificates may require multiple levels of approval by various entities (manager, Venafi Administrator, Finance)
- If an approver rejects a workflow, the certificate is placed in an error state for review
Dashboard With a large certificate inventory, the Dashboard Widgets give you quick access to vital information about your certificates.
Module 2 Lab: Requesting and Approving Certificates
- Be able to request a certificate
- Approve necessary workflows
- Review out-of-the-box notifications generated
Module 2 Review
- What effect do locked policy values have on Aperture?
- What effect do suggested policy values have on Aperture?
- Are policy settings location-specific or system-wide?
- How is someone notified that a certificate is pending their approval?
Module 3: More Aperture Features (Lost & Found, Validation, & More)
Meet Frank Walton Works on the Infrastructure team in the Utah datacenter Primarily responsible for Load-Balancers, Firewalls, Routers, and Switches
Frank is looking for certificates
- Frank is responsible for approximately 70 different certificates on devices that he manages
- Frank wants all of his certificates protected by Venafi. He wants to make sure he is notified when any of his certificates nears expiration.
- He currently only sees 16 certificates under his name in Aperture
Lost & Found
- Frank looks in the Certificate Inventory and uses the quick filter to search for Lost & Found, which contains a list of unclaimed certificates that the Venafi Administrator has discovered
- Frank can search for certificates that are his and move them to locations that he manages
Filtering an Aperture List: Frank doesn't want to scroll through all the certificates, so he utilizes the search feature in Aperture to narrow the results. On the left side of the certificate inventory, Frank can apply various filters to search for specific certificates by expanding any of the five categorized search containers.
Filtering an Aperture List
Take Ownership
Review Renewal Details
Take Ownership Confirmation After the certificate has been successfully claimed, Frank will receive a confirmation
SSL/TLS Validation Network Validation confirms that the correct certificate is working and being used on the application and network
SSL/TLS Validation: How SSL/TLS Validation works
1. Venafi contacts the server hosting the SSL certificate, pretending to be a web browser
2. Venafi receives the certificate from the server
3. Venafi compares the certificate in the secure database with the certificate presented by the server
4. Validation is successful when the certificates are a match
Enable Network Validation Your Venafi Administrator may disable SSL/TLS Validation by default to prevent an abundance of Validation Failure email notifications.
Daily Network Validation
- SSL/TLS Validation is automatically performed daily, by default at midnight
- Can also be triggered manually by clicking Validate Now
Failed Validation
- If Validation fails, an email notification is sent to certificate contacts
- The certificate is put in Urgent status to fix validation settings or fix the server
- If network validation isn't possible, it should be disabled on the certificate
Revocation: When we revoke a certificate, we send a request to the issuing Certificate Authority asking that it no longer vouch for the validity of the certificate. When web browsers see a certificate, they will check the Certificate Authority's revocation list. If the certificate is on the list, the certificate will be considered invalid.
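The network validation just described, as an added example (not Venafi code): the script opens a TLS session the way a browser would, takes the certificate the server actually presents, and compares its fingerprint with the copy held in the inventory. A mismatch or a connection problem is reported as a failed validation with the Urgent status the slides mention, so the caller can notify the certificate contacts. Host names, the DER stand-in bytes and the result structure are assumptions for the example.

```python
"""Network (SSL/TLS) validation: fetch what the server presents and compare it
with the stored copy. Added example; not part of the Venafi product."""
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ValidationResult:
    host: str
    port: int
    status: str        # "OK" or "Urgent" (slides: a failed validation puts the certificate in Urgent)
    reason: str
    presented_fingerprint: str = ""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fetch_presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect as a TLS client (SNI set to the host, like a browser) and return
    the leaf certificate the server presents, in DER form. Chain verification is
    disabled on purpose: the point is to see what the server really serves, even
    if it is the wrong certificate, and compare that with the inventory."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_certificates(stored_der: bytes, presented_der: bytes, host: str, port: int) -> ValidationResult:
    """Validation succeeds only when the presented certificate is the one in the
    secure database, i.e. the fingerprints are equal."""
    expected, actual = fingerprint(stored_der), fingerprint(presented_der)
    if expected == actual:
        return ValidationResult(host, port, "OK", "presented certificate matches inventory", actual)
    return ValidationResult(host, port, "Urgent",
                            f"mismatch: inventory {expected[:23]}..., server presented {actual[:23]}...",
                            actual)


def validate_network(host: str, stored_der: bytes, port: int = 443) -> ValidationResult:
    """Full check: fetch, then compare. Connection problems are returned as a
    failed validation rather than raised, so notifications can still go out."""
    try:
        presented = fetch_presented_certificate(host, port)
    except (OSError, ssl.SSLError) as exc:
        return ValidationResult(host, port, "Urgent", f"could not retrieve certificate: {exc}")
    return compare_certificates(stored_der, presented, host, port)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; a real run passes the inventory copy.
    inventory_copy = b"constructed-inventory-cert"
    print(compare_certificates(inventory_copy, inventory_copy, "hr.example.internal", 443))
    print(compare_certificates(inventory_copy, b"constructed-other-cert", "hr.example.internal", 443))
    # Live check against a host of your choice (assumed name):
    # print(validate_network("hr.example.internal", inventory_copy))
```

Because the comparison is on the full DER encoding, a renewed certificate that has been issued but not yet installed also shows up as a mismatch, which is the situation the slides' Urgent status is meant to surface.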
Why Revoke? For the same reason we disable unnecessary ID badges that grant access to a secure building, we must also revoke digital certificates that are no longer needed. Someone with a valid certificate and private key can gain unauthorized access to enterprise resources.
How to Revoke When viewing the Details page for a certificate, click the Revoke button in the Expiration section.
How to Revoke
1. Select a reason
2. Provide a comment
3. Click Revoke
4. The page banner will reflect the status
Custom Fields Admins can configure custom fields to gather specific information when certificates are requested
Module 3 Lab: Validation & Revocation Request a new certificate and revoke it
Module 3 Review
- What are Lost certificates?
- What is Network Validation?
- When does Network Validation occur?
- What happens if Network Validation fails?
- Why is it important to revoke certificates not in use?
Module 4: User Portal (End User Certificate Request Portal)
User Portal Introduction: Venafi has introduced a new End User Self-Enrollment Portal as part of the TrustAuthority Mobile product. It is built for company employees to request and install user certificates.
Features
- Secure
- Easy to use
- Supports user certificates
- Supports automatic certificate installation on iOS 7, Android 4.4, and IE10 or greater
- Supports multiple layers of approval
- On IE 10, the private key and CSR can be generated in the user's browser
Certificate Selection Alice is shown certificates that she has been given rights to request. Note: Your Venafi Administrator has control over all messages on the portal. Your portal will probably be different than the example in the slides.
Certificate Selection: Alice needs a certificate for her iPad to authenticate to the company Wi-Fi.
Confirmation Alice receives a confirmation of the successful submission request. The company identity management team will review the request and approve.
Certificate Ready Email After the request is approved, Alice receives an email with instructions and a secure link to download the certificate.
Login on iPad: Alice opens the email on her iPad and logs in with her corporate credentials.
Download on iPad: Alice reads the instructions and clicks Download. Note: This page also tells Alice how many times she is allowed to download the certificate (the default value is 3 times).
Choose Password Alice must choose a secure password to protect the certificate while it is being downloaded
Confirm Password: iOS will detect that a certificate is being downloaded and prompt Alice for the password she just chose to begin the certificate install.
Certificate Install Success: iOS will show that the certificate was installed successfully.
Certificate details Clicking on the certificate will show the certificate details
User Portal: Closing the certificate screen in iOS will return Alice to the portal page.
Module 4 Lab: User Certificates Enroll Authentication and Email certificates using the End User Portal
Module 4 Review
- What is the functional purpose of the User Portal?
- What three features of the User Portal did we discuss?
- On what types of devices or applications can the User Portal automate the installation of the certificate?
Module 5: Web Administration Console (Advanced Certificate Features)
Web Administration Console
- Central administration console for Venafi Trust Protection Platform
- Advanced features in TrustForce for SSL for keeping certificates secure
- Known as Web Admin
- The same rights and login credentials apply to Web Admin and Aperture
Advanced Certificate Features
- Automatically install certificates on supported applications and appliances
- Check revocation status of certificates
- Track multiple instances of single certificates (one-to-many)
- Access archived certificates
- Fix errors in certificate processing
- View logs
- File & keystore validation (Onboard Validation)
- Upload certificate from file
- Import certificate from web server
Web Admin Overview
Types of Objects in Web Admin: Policy Objects, Certificate Objects, Device Objects, Application Objects, Credential Objects
Certificate Types in Web Admin: Server Certificate, User Certificate, Client Device Certificate. The Web Administration Console has three types of certificate objects. The main differences are:
- User certificates cannot be validated or automatically provisioned
- User and client device certificates are licensed differently than server certificates
Certificate Type Examples
Certificate Summary Status (Status Icon & Message): The status icon and associated message describe the current condition of the certificate.
- There is no processing or error. The status message says OK.
- The certificate is being processed. The status message and stage state the current condition.
- There is a problem and the certificate is not functioning. The status message provides a description of the problem.
Certificate Summary Top Half
Fixing Processing Errors
- Restart clears the error, resets the certificate processing stage to zero and starts processing again from the beginning
- Retry clears the error & retries the last failed operation in processing
- Reset clears the error and brings the certificate out of a processing state
Certificate Summary Bottom Half
Certificate Settings Top Half
Certificate Settings Bottom Half
Associations
Compliance
History
Network Validation
Logging
Logging Options
Module 5 Lab: Enrolling a Certificate in WebAdmin Get familiar with the Web Administration Console Create, Approve, & Download a certificate in Web Admin
Module 5 Review
- What are the three types of certificates?
- How does TrustAuthority treat these certificate types differently?
- What are the differences between Restart, Retry, Reset?
- What information does the Compliance Tab show?
- What host address is used for network validation?
- What is the default port for network validation?
Module 6: Venafi TrustForce SSL (Automated Installation of Certificates)
Provisioning
- At the TrustForce licensing level (formerly called Provisioning), Venafi provides the greatest level of security and protection for enterprise certificates
- TrustForce SSL can automatically install the certificate on the target application and configure it for use
- No manual handling of the certificate or private key
- Requires Management type to be set to Provisioning
- Requires an association (link) between the certificate object and the application object
Credential Objects: Credential objects allow administrators to:
- Let Trust Protection Platform users utilize credentials in a controlled way without having direct access to the credentials themselves
- Limit the rights of who can use the credentials
- Update credentials more easily when they need to be rotated (e.g. update the password on the credential object when a password expires, instead of at each location the credential is used)
Types of Credential Objects: Password (password only), Private Key, Username (username & password), Certificate, Generic (used for Entrust Security Manager CA)
Devices: All device objects
- Have the same fields available
- Are stored on the policy tree
- Are containers for application objects
- Have connection settings and other values that are applicable to multiple application types
Device Settings
- Hostname is a required field
- Device credential allows for specifying the credential once for multiple applications
- Some application drivers require a temp directory to be specified for provisioning
Application Objects
- Application objects are always placed under device objects
- Multiple application objects can exist under one device object
- Provide specific configuration information to provision and validate certificates
General Application Settings
PEM Driver
CAPI Driver
Basic Application Object
- Generic placeholder for application objects
- Used when you don't know the application type or the application type isn't supported by TrustForce for SSL
- Basic application objects can be converted to other types
Onboard Validation
- Only configured on the application object for provisioning certificates
- Uses the application's supported management protocol
- Connects to the application, physically locates the certificate file and compares the serial number and thumbprint
- On-Board Validation results can be seen on the associated certificate object's summary tab or the application object's validation tab
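On-board validation as described above, as an added example that is not Venafi driver code: it opens the certificate file where the application keeps it (a PEM file here, which is what the PEM driver would manage), pulls the serial number out of the DER structure, and compares serial number and thumbprint with the certificate object's copy. The DER parsing follows the X.509 layout in RFC 5280 (Certificate, tbsCertificate, optional version, then serialNumber); the certificate bytes built by `constructed_cert` are a constructed skeleton for the example, not a real certificate, and the file path is an assumption.

```python
"""On-board (file) validation: compare the installed certificate's serial
number and thumbprint with the inventory copy. Added example, not Venafi code."""
import base64
import hashlib
import os
import tempfile


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_number(der: bytes) -> int:
    """Certificate SEQUENCE -> tbsCertificate SEQUENCE -> [0] version (optional)
    -> INTEGER serialNumber (RFC 5280, section 4.1)."""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                           # EXPLICIT [0] version present: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, the value a CAPI store shows as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest().upper()


def pem_to_der(pem_text: str) -> bytes:
    body = [s for s in (l.strip() for l in pem_text.splitlines()) if s and not s.startswith("-----")]
    return base64.b64decode("".join(body))


def validate_onboard(cert_path: str, expected_der: bytes) -> dict:
    """Read the certificate the application has on disk and compare it."""
    try:
        with open(cert_path, encoding="ascii") as fh:
            installed = pem_to_der(fh.read())
    except (OSError, ValueError) as exc:
        return {"ok": False, "reason": f"could not read certificate: {exc}"}
    mismatches = []
    if serial_number(installed) != serial_number(expected_der):
        mismatches.append("serial number")
    if thumbprint(installed) != thumbprint(expected_der):
        mismatches.append("thumbprint")
    if mismatches:
        return {"ok": False, "reason": "installed certificate differs: " + ", ".join(mismatches)}
    return {"ok": True, "reason": "serial number and thumbprint match"}


def constructed_cert(serial_bytes: bytes) -> bytes:
    """Constructed DER skeleton (v3 version, serial, empty remainder) for the
    example only; real certificates carry many more fields after the serial."""
    version = b"\xa0\x03\x02\x01\x02"         # [0] { INTEGER 2 } = v3
    serial = b"\x02" + bytes([len(serial_bytes)]) + serial_bytes
    tbs_body = version + serial + b"\x30\x00"
    tbs = b"\x30" + bytes([len(tbs_body)]) + tbs_body
    return b"\x30" + bytes([len(tbs)]) + tbs


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def run_demo():
    """Install the constructed certificate into a temp file and validate it
    against the matching inventory copy and against a different one."""
    inventory = constructed_cert(b"\x01\x02\x03")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.pem")   # assumed install location
        with open(path, "w") as fh:
            fh.write(to_pem(inventory))
        return validate_onboard(path, inventory), validate_onboard(path, constructed_cert(b"\x04"))


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

For a JKS or CAPI store the read step changes (the keystore has to be opened through its own tooling), but the comparison is the same: the serial number identifies which issued certificate is installed, and the thumbprint catches a certificate with the same serial from a different issuer or any altered bytes.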
Onboard Validation
Renewing and Provisioning
Queued for Renewal
Processing Started
Preparing the Certificate for processing
Check Application for Key Store
Create & Configure Key Store
Create Private & Public Key Pair
Create Certificate Signing Request
Post CSR to Certificate Authority
Certificate Authority Approval
Retrieve Certificate from CA
Automated Installation of Certificate
Verify Application Configuration
Configure Application
Application Restart
Application Processing Completed
Validation Initiated
Validation Successful
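The renewal and provisioning stages listed above, together with the Restart, Retry and Reset actions from the Fixing Processing Errors slide, modelled in Python as an added illustration (not Venafi code). The stage names are the slide titles; the per-stage handlers are stand-ins, and the `flaky_ca` handler that makes the CA stage fail once is constructed so that the difference between the three actions is visible: Retry reruns only the failed stage and keeps the key pair already generated, Restart goes back to stage zero and generates a new one, Reset clears the error without rerunning anything.

```python
"""Certificate processing stages with Restart / Retry / Reset semantics.
Added model of the behaviour the slides describe; not the product's code."""
from typing import Callable, Dict, List, Optional

STAGES: List[str] = [
    "Queued for Renewal", "Processing Started", "Preparing the Certificate for processing",
    "Check Application for Key Store", "Create & Configure Key Store",
    "Create Private & Public Key Pair", "Create Certificate Signing Request",
    "Post CSR to Certificate Authority", "Certificate Authority Approval",
    "Retrieve Certificate from CA", "Automated Installation of Certificate",
    "Verify Application Configuration", "Configure Application", "Application Restart",
    "Application Processing Completed", "Validation Initiated", "Validation Successful",
]


class CertificateObject:
    def __init__(self, handlers: Dict[str, Callable[[], None]]):
        self.handlers = handlers            # per-stage work; stages without a handler succeed
        self.stage: Optional[int] = None    # None = not in processing
        self.error: Optional[str] = None
        self.log: List[str] = []

    @property
    def status(self) -> str:
        if self.error:
            return f"Error at '{STAGES[self.stage]}': {self.error}"
        if self.stage is None:
            return "OK"
        return f"Processing: {STAGES[self.stage]}"

    def _run_stage(self) -> bool:
        name = STAGES[self.stage]
        try:
            self.handlers.get(name, lambda: None)()
            self.log.append(f"{name}: done")
            return True
        except Exception as exc:            # a failed stage stops processing with an error
            self.error = str(exc)
            self.log.append(f"{name}: FAILED ({exc})")
            return False

    def process(self) -> None:
        """Run stages in order until the last one completes or a stage fails."""
        if self.stage is None:
            self.stage = 0
        while self.stage is not None and self.error is None:
            if not self._run_stage():
                return
            self.stage = None if self.stage == len(STAGES) - 1 else self.stage + 1

    def restart(self) -> None:
        """Clear the error, reset the stage to zero and process from the beginning."""
        self.error, self.stage = None, 0
        self.log.append("Restart")
        self.process()

    def retry(self) -> None:
        """Clear the error and retry the stage that failed, keeping earlier progress."""
        self.error = None
        self.log.append("Retry")
        self.process()

    def reset(self) -> None:
        """Clear the error and take the certificate out of processing; nothing reruns."""
        self.error, self.stage = None, None
        self.log.append("Reset")


def flaky_ca(failures: int) -> Callable[[], None]:
    """Constructed stand-in: the CA stage fails `failures` times, then succeeds."""
    remaining = [failures]

    def handler() -> None:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise RuntimeError("CA unreachable")
    return handler


KEYGEN_DONE = "Create Private & Public Key Pair: done"


def demo(action: str):
    """Fail at the CA stage, apply one of the three actions, and report
    (status before, status after, number of key pairs generated)."""
    cert = CertificateObject({"Post CSR to Certificate Authority": flaky_ca(1)})
    cert.process()
    before = cert.status
    getattr(cert, action)()
    return before, cert.status, cert.log.count(KEYGEN_DONE)


if __name__ == "__main__":
    for action in ("retry", "restart", "reset"):
        print(action, demo(action))
```

The count of key pairs is the practical difference an operator cares about: after Retry the CSR already posted still matches the key on the application, after Restart a fresh key pair and CSR are produced, and after Reset the certificate is simply back in a non-processing state with whatever had been done so far left in place.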
Module 6 Lab: Provisioning
- Create a Device and Application object
- Provision a certificate to IIS using the CAPI driver
Module 6 Review
- At what stage do we upload a CSR to the Certificate Authority?
- At what stage do we download the certificate from the Certificate Authority?
- At what stage do we install the certificate on the application?
- What type of application objects require a device object?
Module 7: Course Review
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. 2014 Venafi Proprietary and Confidential