VSP18 Venafi Security Professional

VSP18 Venafi Security Professional. 13 April 2018. 2018 Venafi. All Rights Reserved.

VSP18 Prerequisites. Course intended for: IT Professionals who interact with Digital Certificates. Also appropriate for: Enterprise Security Officers and Public Key Infrastructure (PKI) Administrators.

Terms & acronyms you should be familiar with: Digital Certificate, Revocation, CSR, Certificate Authority, SSL/TLS, DNS, IP Address, Database, SMTP, HTML.

VSP18 Course Objective. At the end of the course you should be able to: enroll a certificate via the Aperture Console; provision a certificate to an Application via the Aperture Console; locate and manage certificates that you own; create and configure a custom report.

VSP18 Outline (4 Hour Course). Module 1: Introduction to Aperture & Enrolling a Certificate. Module 2: Policy & Workflow. Module 3: Lost & Found, Installation, Validation, & More. Module 4: Custom Reports.

Introduction to Aperture

Venafi Trust Protection Platform. Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products. Aperture is a certificate security portal designed for IT Professionals who use certificates.

Before Venafi: Certificates were managed in spreadsheets or home-grown solutions. There was no way to enforce corporate security standards on certificates. Private keys were mishandled. Corporate security was compromised by regular outages due to certificate expiration. There was no central control over encryption assets.

After Venafi: One secure location to manage & protect all keys and certificates. System policies and rights allow corporate security enforcement. Private keys and certificates can be automatically installed on target systems. RENEWAL of certificates and ROTATION of keys is automated.

The Company. The Company has just purchased Venafi Trust Protection Platform. The Venafi Administrative Team has already configured the Trust Protection Platform deployment for use. Application Owners will now use Venafi to: create new certificates for provisioning; take ownership of discovered certificates; create and consume custom certificate reports.

Meet Alice. Works in the Company's Utah datacenter facility. Member of the Application Team. Responsible for IIS, Apache, and in-house applications that utilize Microsoft and a Java KeyStore (JKS).

Alice Needs a Certificate. Alice is bringing a new HR system into production. To make sure data transmissions are encrypted and employees know it is a trusted site, she needs a certificate for the web application.

Alice logs into Aperture, typically with enterprise credentials.

Aperture Dashboard. This is Alice's first time logging into the Aperture Dashboard. Notice that none of the widgets are populated; this is because Alice does not own any certificates at this time.

Certificate Inventory. The Certificate Inventory is where all certificates that a user has been granted permission to view are stored. Alice doesn't have any certificates, so it is blank for now.

Create New Certificate. Alice needs a new certificate. She chooses Create New Certificate in the Certificate Inventory.

Choose Certificate Location Alice needs to select a location that is appropriate for the type of certificate she is creating. A location is a digital folder that is created by your Venafi administration team.

Search Certificate Location. If Alice has been given a large number of locations to choose from, she can search the dropdown menu for the proper location.

Nickname, Description, & Contacts

Tooltips

Certificate Signing Request Alice can have Venafi TrustAuthority generate the private key and CSR

Certificate Signing Request. Alice can generate her own CSR and upload it to Venafi. Venafi will check the CSR to make sure its values meet corporate security requirements and standards, such as certificate key length.

Additional Certificate Fields: add additional DNS SANs to the certificate; specify who needs to approve this certificate prior to issuance; Reuse Private Key; Automatic Renewal; choose Certificate Authority & Template.

Successful Submission Confirmation After clicking Submit, Alice will receive a confirmation that her request has been successfully submitted for processing.

Certificate Overview and Status As soon as Alice clicks Close on the submission confirmation window, she will be taken directly to the certificate in Aperture.

Email Confirmation Alice will also receive an email confirmation that enrollment of her certificate has begun.

Email Notification. Alice receives an email notification to inform her that her certificate is ready to be downloaded. The links in the notification take her directly to the certificate, or to the download, in Aperture.

Certificate Details

Show All Properties

Certificate Download File types available for certificate download:

Renewal Details Allows you to review the values that will be used when the certificate is next renewed.

Edit Renewal Details Allows you to make changes to the renewal details.

Edit Renewal Details Same wizard as when certificate was originally requested.

Renew Now Review settings prior to renewal

Dashboard With a large certificate inventory, the Dashboard Widgets give you quick access to vital information about your certificates.

Module 1 Review What is a certificate nickname? How does Venafi improve security of digital keys and certificates? Does Venafi force you to upload a CSR to request a certificate? What file formats are available when downloading a certificate?

Policies & Workflow

Policies. Your Venafi Administrator can set policies in place that lock or suggest values for specific fields. These policy values can be system-wide or location-specific. Common policies are set on fields such as: Organization, City, State/Province, Country, Private Key Length, Certificate Authority.

Locked Policies. When your Venafi Administrator sets a locked policy for a specific field, that value is always used for new certificate renewals. Fields that cannot be changed due to policy locks are removed from view during the Create New Certificate wizard in Aperture.

Suggested Policies. When your Venafi Administrator sets a suggested policy for a specific field, that field shows up in Aperture with the default value that was set in policy. Fields with suggested policy values can be changed if needed in Aperture.

No Policy. If there is no suggested or locked policy, fields will be blank when new certificates are created. This means you must fill out these fields if you want them to be present on the certificate.
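The three policy states described above (locked, suggested, no policy) can be worked through in code. The following is an added example, not Venafi's own code or data model: the policy tables are constructed sample data, the field names follow the slides, and the rule that a location-specific policy overrides the system-wide policy for the same field is an assumption the course does not state.

```python
"""How locked, suggested and absent policies shape the Create New Certificate wizard.
Added example, not Venafi's data model: the policy tables are constructed sample data,
and the rule that a location policy overrides the system-wide policy for the same
field is an assumption the slides do not state."""

LOCKED = "locked"        # value forced by policy; field hidden in the wizard
SUGGESTED = "suggested"  # value pre-filled as a default; user may change it
NO_POLICY = "none"       # field left blank; user must fill it in

# Constructed sample policies: field -> (state, value)
SYSTEM_POLICY = {
    "Organization": (LOCKED, "The Company"),
    "Country": (LOCKED, "US"),
    "State": (SUGGESTED, "Utah"),
    "Private Key Length": (SUGGESTED, 2048),
}
LOCATION_POLICIES = {
    "Utah DC\\Web Servers": {
        "Certificate Authority": (LOCKED, "Internal Issuing CA"),
        "Private Key Length": (LOCKED, 4096),
        "City": (SUGGESTED, "Salt Lake City"),
    },
}
FIELDS = ["Common Name", "Organization", "City", "State", "Country",
          "Private Key Length", "Certificate Authority"]


def effective_policy(location: str) -> dict:
    """Assumed precedence: location-specific entries override system-wide ones."""
    merged = dict(SYSTEM_POLICY)
    merged.update(LOCATION_POLICIES.get(location, {}))
    return merged


def render_form(location: str) -> dict:
    """Fields the wizard shows, with their pre-filled value (None = blank).
    Locked fields are omitted, as in Aperture."""
    policy = effective_policy(location)
    form = {}
    for field in FIELDS:
        state, value = policy.get(field, (NO_POLICY, None))
        if state == LOCKED:
            continue
        form[field] = value if state == SUGGESTED else None
    return form


def apply_request(location: str, user_values: dict):
    """Merge what the requester entered with what policy forces.
    Returns (final_values, fields_still_missing); rejects edits to locked fields."""
    policy = effective_policy(location)
    final = {}
    for field in FIELDS:
        state, value = policy.get(field, (NO_POLICY, None))
        if state == LOCKED:
            if field in user_values and user_values[field] != value:
                raise ValueError(f"{field} is locked by policy to {value!r}")
            final[field] = value
        else:
            final[field] = user_values.get(field, value if state == SUGGESTED else None)
    missing = [f for f, v in final.items() if v is None]
    return final, missing


if __name__ == "__main__":
    loc = "Utah DC\\Web Servers"
    print("wizard shows:", render_form(loc))
    print("request:", apply_request(loc, {"Common Name": "hr.example.com"}))
```

Run it as a script to see that in the sample location only Common Name, City and State are shown (the rest are locked and hidden), while a location with no policy of its own falls back to the system-wide defaults and leaves City and Certificate Authority blank for the requester to fill in.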

Alice needs a new certificate. Alice is working on the new Venafi Threat Center website. Alice needs an SSL certificate that is publicly trusted, for customers visiting the site.

Choosing the Appropriate Location

Locked Policy takes effect. Only the Common Name field is displayed on the Certificate Signing Request page. All other fields are hidden because they have been preconfigured by Alice's Venafi Administrator and locked in Policy.

Additional Information

Workflows. The Venafi Administrator has set up Workflows that require approval of certificate requests. Alice will not be able to download her certificate until the certificate has been approved.

Meet Susan. Manages the company's Utah datacenter. Applications, Authentication, Infrastructure, & Operations all report to Susan. Susan approves all certificate enrollments and revocations for the Utah datacenter.

Notification for Needed Approval Susan receives an email each time her approval is needed Clicking on the link takes her directly to the certificate for review and processing

Pending My Approval Widget. Susan also sees how many certificates are pending her approval by logging into Aperture and viewing the Certificate Dashboard. Clicking on Pending My Approval takes her to the certificates that need her approval.

Approver Certificate Details

Review & Approve Susan can specify an optional comment and Reject or Approve the certificate. Values with a lock icon are forced by policy.

Additional info about Workflows. When multiple individuals or a group are specified for a single approval, anyone specified can approve or reject. Certificates may require multiple levels of approval by various entities (manager, Venafi Administrator, Finance). If an approver rejects a workflow, the contacts for the certificate will receive an email with the rejection comment.

Module 2 Lab: Requesting and Approving Certificates Request a certificate as Alice Approve the certificate as Susan View Certificate Dashboard as Bob

Module 2 Review How is a locked policy value displayed in Aperture? How are suggested policy values displayed in Aperture? Are policy settings location-specific or system wide? How is someone notified that a certificate is pending their approval?

More Aperture Features Module 3 Lost & Found, Installation, Validation, & More

Meet Frank. Works on the Infrastructure team in the Utah datacenter. Primarily responsible for Load Balancers, Firewalls, Routers, and Switches.

Frank is looking for certificates. Frank is responsible for approximately 70 different certificates on devices that he manages. Frank wants all of his certificates protected by Venafi. He wants to make sure he is notified when any of his certificates are about to expire. He currently owns only 16 certificates in Aperture.

Lost & Found. Frank navigates to Inventory > Certificates and uses the quick filter Lost & Found to search through a list of unclaimed certificates that the Venafi Administrator has previously discovered. Frank can now search these results for his missing certificates and move them to folders that he manages.

Filtering an Aperture List. Frank doesn't want to scroll through all the certificates, so he uses the filters in the Aperture certificate inventory to narrow the results. On the left side of the certificate inventory, Frank can apply various filters to search for specific certificates by expanding any of the categorized search containers.

Filtering an Aperture List

Take Ownership

Take Ownership Confirmation After the certificate has been successfully claimed, Frank will receive a confirmation

Provisioning Certificates. Frank has requested a certificate previously and now wants Venafi to install the certificate on one of his load balancers. In order to do this, Frank has studied the Venafi F5 LTM documentation he found by searching for F5 LTM on https://docs.venafi.com.

Adding Installation Frank finds the Certificate he wants to install on the F5 by using the Common Filters in the Certificate Inventory. Once found, he uses the actions menu to Add Installation

Add Installation. Track Certificate: creates a Basic App object. Track And Validation: creates a Basic App and asks for the validation port. Track, Validate and automate installation: asks what type of application it will install the cert on, and what port to validate on.

Add Installation Can add a new device object, or use existing. When creating a Device object, you must specify the installation type and validation port in addition to the device address.

Add Installation. Next, it will ask if you want to configure the installation. If you select Not Now, installation will not be possible. Selecting Yes will bring you to the settings for the installation.

Installing the certificate. To install the certificate, Frank selects Installations; in the drop-down list he selects Install. This will push the certificate to the application.

SSL/TLS Validation Network Validation confirms that the correct certificate is being used by the application and available on the network. This also tells Frank that the correct certificates are in use.

SSL/TLS Validation. How SSL/TLS Validation works: Venafi contacts the server hosting the SSL certificate, pretending to be a web browser. Venafi receives the certificate from the server. Venafi compares the certificate in its secure database with the certificate presented by the server. Validation is successful when the certificates are a match.

Enable Network Validation Your Venafi Administrator may disable SSL/TLS Validation by default to prevent an abundance of Validation Failure email notifications.

Daily Network Validation. SSL/TLS Validation is automatically performed daily, by default at midnight. It can also be triggered manually by clicking Validate Now or Validate Installation.

Failed Validation. If validation fails, an email notification is sent to certificate contacts. If network validation isn't possible, it should be disabled on the certificate.
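The validation procedure above (contact the server like a browser, receive the presented certificate, compare it with the stored copy) and the failure cases (mismatch notifies contacts; unreachable hosts should have validation disabled) can be reproduced with the Python standard library. This is an added example, not Venafi's code: the inventory records, the host names and the constructed_fetch() stand-in for the network are constructed sample data, and the comparison is done on the SHA-256 fingerprint of the DER bytes, which is equal exactly when the certificates are identical.

```python
"""SSL/TLS (network) validation as the course describes it: fetch the certificate a
server actually presents and compare it with the copy held in the inventory.
Added example using only the Python standard library; not Venafi's code.
SAMPLE_INVENTORY and constructed_fetch() are constructed test data."""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Comparison key: two certificates match exactly when their DER bytes match."""
    return hashlib.sha256(der).hexdigest()


def fetch_presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Handshake with the server the way a browser would and return the leaf
    certificate it presented, as DER bytes. Chain/hostname verification is
    switched off on purpose: the question is which certificate is installed,
    not whether it is trusted, and an unexpected certificate must still be seen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(expected_der: bytes, presented_der: bytes) -> dict:
    """Validation succeeds only when the presented certificate equals the stored one."""
    expected, presented = sha256_fingerprint(expected_der), sha256_fingerprint(presented_der)
    return {"status": "ok" if expected == presented else "failed",
            "expected": expected, "presented": presented}


def validate_installation(host, port, expected_der, fetch=fetch_presented_certificate):
    """One validation attempt; 'fetch' is injectable so the logic can run offline."""
    try:
        presented = fetch(host, port)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        # Network validation not possible (filtered port, host down, no TLS).
        return {"status": "unreachable", "reason": str(exc)}
    return compare(expected_der, presented)


def run_daily_validation(inventory, fetch=fetch_presented_certificate):
    """Validate every enabled inventory entry and return the notifications that
    would go to the certificate contacts. Entries with validation disabled are
    skipped, which is what the course recommends for hosts that cannot be reached."""
    notifications = []
    for entry in inventory:
        if not entry.get("validation_enabled", True):
            continue
        result = validate_installation(entry["host"], entry["port"], entry["expected_der"], fetch)
        if result["status"] != "ok":
            notifications.append({"to": entry["contacts"], "host": entry["host"], **result})
    return notifications


# Constructed stand-in for the network: what each sample host "presents".
PRESENTED = {"hr.example.com": b"constructed-cert-A", "old.example.com": b"constructed-cert-B"}


def constructed_fetch(host, port):
    if host not in PRESENTED:
        raise OSError(f"{host}:{port} connection refused")
    return PRESENTED[host]


SAMPLE_INVENTORY = [  # constructed sample data, not a Venafi export
    {"host": "hr.example.com", "port": 443, "expected_der": b"constructed-cert-A", "contacts": ["alice@example.com"]},
    {"host": "old.example.com", "port": 443, "expected_der": b"constructed-cert-A", "contacts": ["frank@example.com"]},
    {"host": "lb.example.com", "port": 8443, "expected_der": b"constructed-cert-D", "contacts": ["frank@example.com"]},
    {"host": "fw.example.com", "port": 443, "expected_der": b"constructed-cert-C", "contacts": ["frank@example.com"],
     "validation_enabled": False},
]

if __name__ == "__main__":
    for note in run_daily_validation(SAMPLE_INVENTORY, fetch=constructed_fetch):
        print(note["host"], note["status"], "->", ", ".join(note["to"]))
```

Against real hosts, pass the default fetch (or omit the argument) so that fetch_presented_certificate performs the TLS handshake; with the constructed stand-in, old.example.com reports a mismatch (the old certificate is still installed), lb.example.com is unreachable, and fw.example.com is skipped because validation was disabled on it.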

Revocation. When we revoke a certificate, we send a request to the issuing Certificate Authority asking that it no longer vouch for the validity of the certificate. When web browsers see a certificate, they will check the Certificate Authority's revocation list. If the certificate is on the list, the certificate will be considered invalid.

Why Revoke? For the same reason we disable unnecessary ID badges that grant access to a secure building, we must also revoke digital certificates that are no longer needed. Someone with a valid certificate and private key can gain unauthorized access to enterprise resources.

How to Revoke. When viewing the Overview page for a certificate, click the Actions button and select Revoke. This will revoke the current certificate. Frank can revoke previous versions of the certificate in the Previous Versions section on the left.

How to Revoke. When revoking a certificate, Frank needs to select the reason why he is revoking it. He can leave a comment that will be logged. Revocation cannot be undone.

Module 3 Lab: Installation Install the certificate from the Enrollment Lab to your assigned IIS server View validation results

Module 3 Review What are Lost certificates? What is Network Validation? When does Network Validation occur? What happens if Network Validation fails? What does Add Installation do?

Reporting

Meet Jeff Been at The Company for 40 years Manager of Enterprise Security & IT Information Technology team Manages himself

Jeff is looking for SHA1 certificates. Jeff is responsible for Security. He is concerned that the SHA1 to SHA2 migration is lagging behind in the organization. Jeff needs a report of all SHA1 certificates so he can contact the certificate owners to get them replaced. He wants the report to be automated so he does not have to do anything but forward emails.
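The property Jeff's report filters on is the signatureAlgorithm field of each certificate, and it can be read directly from the DER encoding without any third-party library. The following is an added example, not Venafi's reporting engine: it walks the RFC 5280 Certificate structure to the outer AlgorithmIdentifier, maps the OID to its name, and lists every certificate still signed with SHA-1 (RSA or ECDSA). The inventory names and the constructed_certificate() skeleton are constructed test input; a real inventory would be fed DER bytes of the actual certificates, for example via pem_to_der().

```python
"""Report certificates still signed with SHA-1, by reading the signatureAlgorithm OID
straight out of each certificate's DER encoding (RFC 5280 structure).
Added example, not Venafi's reporting engine; standard library only.
constructed_certificate() builds a minimal Certificate skeleton as test input."""
import base64

# signatureAlgorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_bytes: bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return (oid, name) taken from the outer signatureAlgorithm."""
    tag, start, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der_bytes, start)       # skip tbsCertificate entirely
    tag, alg_start, _ = read_tlv(der_bytes, tbs_end)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der_bytes, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(der_bytes[oid_start:oid_end])
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def sha1_report(inventory: dict) -> list:
    """inventory: {certificate name: DER bytes}. One row per SHA-1 signed certificate."""
    rows = []
    for name, der_bytes in inventory.items():
        oid, alg = signature_algorithm(der_bytes)
        if "sha1" in alg.lower():
            rows.append({"certificate": name, "signature_algorithm": alg, "oid": oid})
    return rows


# Constructed test input: minimal DER encoders and a Certificate skeleton.
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(oid: str) -> bytes:
    """Not a real certificate: tbsCertificate and signatureValue are placeholders;
    only the signatureAlgorithm field is meaningful."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\xAA" * 16)
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    inventory = {"hr-portal": constructed_certificate("1.2.840.113549.1.1.11"),
                 "legacy-intranet": constructed_certificate("1.2.840.113549.1.1.5")}
    for row in sha1_report(inventory):
        print(row)
```

The parser deliberately reads the outer signatureAlgorithm rather than the copy inside tbsCertificate: the two must agree in a valid certificate, and the outer one is what the CA actually used, which is the value the migration report needs.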

Custom Reports. Report types: Certificate Details, SSH Key Usage, Agents. Schedulable. Email, FTP and Fileshare delivery.

Custom Reports: view existing reports, download reports, create new reports.

Custom Reports

Custom Report Columns

Custom Reports Filters

Report Example

Lab: Reporting Create Custom Report for SHA1 Certificates

Review Can Custom Reports be scheduled for automatic generation and delivery? What are some delivery methods for custom reports? What formats are available to generate a custom report?

Course Review

Course Review Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products Aperture is a certificate security portal designed for IT Professionals who use certificates

Thank You