
VSP18 Venafi Security Professional

© 2018 Venafi. All Rights Reserved. 1

13 April 2018

VSP18 Prerequisites

Course intended for:

• IT Professionals who interact with Digital Certificates

Also appropriate for:

• Enterprise Security Officers

• Public Key Infrastructure (PKI) Administrators


Terms & acronyms you should be familiar with

• Digital Certificate

• Revocation

• CSR

• Certificate Authority

• SSL/TLS

• DNS

• IP Address

• Database

• SMTP

• HTML

VSP18 Course Objective

At the end of the course you should be able to:

• Enroll a certificate via the Aperture Console

• Provision a certificate to an Application via the Aperture Console

• Locate and manage Certificates that you own

• Create and configure a custom report


VSP18 Outline – 4 Hour Course

• Module 1 – Introduction to Aperture & Enrolling a Certificate

• Module 2 – Policy & Workflow

• Module 3 – Lost & Found, Installation, Validation, & More

• Module 4 – Custom Reports


Introduction to Aperture


Venafi Trust Protection Platform

• Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products

• Aperture is a certificate security portal designed for IT Professionals who use certificates


Before Venafi

• Certificates were managed in spreadsheets or home grown solutions

• No way to enforce corporate security standards on certificates

• Private Keys were mishandled

• Corporate security compromised from regular outages due to certificate expiration

• No central control over encryption assets

After Venafi

• One secure location to manage & protect all keys and certificates

• System policies and rights allow corporate security enforcement

• Private keys and certificates can be automatically installed on target systems

• RENEWAL of certificates and ROTATION of keys is automated

The Company

• The Company has just purchased Venafi Trust Protection Platform.

• The Venafi Administrative Team has already configured the Trust Protection Platform deployment for use

• Application Owners will now use Venafi to:

  • Create new certificates for provisioning

  • Take ownership of discovered certificates

  • Create and consume custom certificate reports

Meet Alice

• Works in the Company’s Utah datacenter facility

• Member of the Application Team

• Responsible for IIS, Apache, and in-house applications that use Microsoft and Java KeyStore (JKS) key stores

Alice Needs a Certificate

• Alice is bringing a new HR system into production

• To make sure data transmissions are encrypted and employees know it is a trusted site, she needs a certificate for the web application

Alice logs into Aperture

• Typically login with enterprise credentials

Aperture Dashboard

This is Alice’s first time logging into the Aperture Dashboard. Notice that none of the widgets are populated; this is because Alice does not own any certificates at this time.

Certificate Inventory

The Certificate Inventory is where all certificates that a user has been granted permission to view are stored. Alice doesn’t have any certificates so it is blank for now.

Create New Certificate

Alice needs a new certificate. She chooses “Create New Certificate” in the Certificate Inventory

Choose Certificate Location

Alice needs to select a location that is appropriate for the type of certificate she is creating. A location is a digital folder that is created by your Venafi administration team.

Search Certificate Location

If Alice has been given a large number of locations to choose from, she can search the dropdown menu for the proper location.

Nickname, Description, & Contacts

Tooltips

Certificate Signing Request

Alice can have Venafi TrustAuthority generate the private key and CSR

Certificate Signing Request

▪ Alice can generate her own CSR and upload it to Venafi

▪ Venafi will check the CSR to make sure values meet corporate security requirements and standards such as certificate key length

Additional Certificate Fields

▪ Add additional DNS SANS to the certificate

▪ Specify who needs to approve this certificate prior to issuance

▪ Reuse Private Key

▪ Automatic Renewal

▪ Choose Certificate Authority & Template

Successful Submission Confirmation

After clicking Submit, Alice will receive a confirmation that her request has been successfully submitted for processing.

Certificate Overview and Status

As soon as Alice clicks Close on the submission confirmation window, she will be taken directly to the certificate in Aperture.

Email Confirmation

Alice will also receive an email confirmation that enrollment of her certificate has begun.

Email Notification

Alice receives an email notification to inform that her certificate is ready to be downloaded.

The links in the notification will take her directly to the certificate or download in Aperture.

Certificate Details

Show All Properties

Certificate Download

File types available for certificate download:

Renewal Details

Allows you to review the values that will be used when the certificate is next renewed.

Edit Renewal Details

Allows you to make changes to the renewal details.

Edit Renewal Details

Same wizard as when certificate was originally requested.

Renew Now

Review settings prior to renewal

Dashboard

With a large certificate inventory, the Dashboard Widgets give you quick access to vital information about your certificates.

Module 1 Review

• What is a certificate nickname?

• How does Venafi improve security of digital keys and certificates?

• Does Venafi force you to upload a CSR to request a certificate?

• What file formats are available when downloading a certificate?

Policies & Workflow

Policies

• Your Venafi Administrator can set policies in place that lock or suggest values for specific fields.

• These policies values can be system-wide or location-specific.

• Common policies are set on fields such as:

  • Organization

  • City

  • State/Province

  • Country

  • Private Key Length

  • Certificate Authority
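The CSR check described on the Certificate Signing Request page and the locked field policies listed above, as an added Go example that is not Venafi's code: it parses an uploaded CSR, confirms the request is signed by the key it carries, and reports every field or key length that violates a policy. The Policy type, its field names, the organization "The Company" and the hr.example.com name are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Policy stands in for the field policies an administrator locks (constructed for this example).
type Policy struct {
	LockedOrg, LockedCountry string // locked fields: the CSR must carry exactly these values
	MinRSABits               int    // Private Key Length policy
}

// CheckCSR parses a DER-encoded CSR and returns every policy violation found.
func CheckCSR(der []byte, p Policy) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the request must be signed by the private key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	var problems []string
	if k, ok := csr.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "only RSA keys are covered by this example policy")
	} else if k.N.BitLen() < p.MinRSABits {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", k.N.BitLen(), p.MinRSABits))
	}
	if !exactly(csr.Subject.Organization, p.LockedOrg) {
		problems = append(problems, "Organization does not match locked value "+p.LockedOrg)
	}
	if !exactly(csr.Subject.Country, p.LockedCountry) {
		problems = append(problems, "Country does not match locked value "+p.LockedCountry)
	}
	return problems, nil
}

func exactly(vals []string, want string) bool { return len(vals) == 1 && vals[0] == want }

// NewCSR generates a fresh RSA key and a request for it, standing in for the CSR Alice would upload.
func NewCSR(bits int, subj pkix.Name) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // constructed test input; errors ignored here only
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	return der
}
```

A request that fails any check would be rejected before it reaches the Certificate Authority, which is the point of checking at enrollment rather than after issuance.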

Locked Policies

• When your Venafi Administrator sets a locked policy for a specific field, that value is always used for new certificate renewals

• Fields that cannot be changed due to policy locks are removed from view during the Create New Certificate wizard in Aperture

Suggested Policies

• When your Venafi Administrator sets a suggested policy for a specific field, that field will show up in Aperture pre-filled with the default value that was set in policy

• Fields with suggested policy values can be changed if needed in Aperture

No Policy

• If there is no suggested or locked policy, fields will be blank when new certificates are created

• This means you must fill out these fields if you want them to be present on the certificate

Alice needs a new certificate

• Alice is working on the new Venafi Threat Center website.

• Alice needs an SSL certificate that is publicly trusted for customers visiting the site

Choosing the Appropriate Location

Locked Policy takes effect

Only the Common Name field is displayed on the Certificate Signing Request page. All other fields are hidden because they have been preconfigured by Alice’s Venafi Administrator and locked in Policy.

Additional Information

Workflows

• The Venafi Administrator has set up Workflows that require Approval of certificate requests.

• Alice will not be able to download her certificate until the certificate has been Approved.

Meet Susan

• Manages the company’s Utah datacenter

• Applications, Authentication, Infrastructure, & Operations all report to Susan

• Susan approves all certificate enrollments and revocations for the Utah datacenter

Notification for Needed Approval

Susan receives an email each time her approval is needed

Clicking on the link takes her directly to the certificate for review and processing

Pending My Approval Widget

• Susan also sees how many certificates are pending her approval by logging into Aperture and viewing the Certificate Dashboard

• Clicking on “Pending My Approval” would take her to the certificates that need her approval


Approver Certificate Details

Review & Approve

• Susan can specify an optional comment and Reject or Approve the certificate.

• Values with a lock icon are forced by policy.

Additional info about Workflows

• When multiple individuals or a group are specified for a single approval, anyone specified can approve or reject

• Certificates may require multiple levels of approval by various entities (manager, Venafi Administrator, Finance)

• If an approver rejects a workflow, the contacts for the certificate will receive an email with the rejection comment

Module 2 Lab: Requesting and Approving Certificates

• Request a certificate as Alice

• Approve the certificate as Susan

• View Certificate Dashboard as Bob

Module 2 Review

• How is a locked policy value displayed in Aperture?

• How are suggested policy values displayed in Aperture?

• Are policy settings location-specific or system wide?

• How is someone notified that a certificate is pending their approval?

More Aperture Features

Module 3 – Lost & Found, Installation, Validation, & More

Meet Frank

• Works on the Infrastructure team in the Utah datacenter

• Primarily responsible for Load-Balancers, Firewalls, Routers, and Switches

Frank is looking for certificates

• Frank is responsible for approximately 70 different certificates on devices that he manages

• Frank wants all of his certificates protected by Venafi. He wants to make sure he is notified when any of his certificates are about to expire.

• He currently owns only 16 certificates in Aperture

Lost & Found

• Frank navigates to Inventory > Certificates and uses the quick filter “Lost & Found” to search through a list of unclaimed certificates that the Venafi Administrator has previously discovered

• Frank can now search these results for his missing certificates and move them to folders that he manages

Filtering an Aperture List

▪ Frank doesn’t want to scroll through all the certificates so he utilizes the filters in the Aperture certificate inventory to narrow the results.

▪ On the left side of the certificate inventory, Frank can apply various filters to search for specific certificates by expanding any of the categorized search containers.


Take Ownership

Take Ownership Confirmation

After the certificate has been successfully claimed, Frank will receive a confirmation

Provisioning Certificates

• Frank has requested a certificate previously and now wants Venafi to install the certificate on one of his load balancers.

• In order to do this, Frank has studied the Venafi F5 LTM documentation he found by searching for F5 LTM on https://docs.venafi.com


Adding Installation

• Frank finds the Certificate he wants to install on the F5 by using the Common Filters in the Certificate Inventory. Once found, he uses the actions menu to Add Installation

Add Installation

• Track Certificate – Creates a basic Application object

• Track and Validation – Creates a basic Application object and asks for the validation port

• Track, Validate and Automate Installation – Asks what type of application the certificate will be installed on, and what port to validate on

Add Installation

• Can add a new device object, or use existing.

• When creating a Device object, you must specify the installation type and validation port in addition to the device address.

Add Installation

• Next, it will ask if you want to configure the installation. If you select Not Now, installation will not be possible.

• Selecting yes will bring you to settings for the installation.

Installing the certificate

• To install the certificate, Frank selects Installations

• In the drop-down list he selects Install

• This will push the certificate to the application

SSL/TLS Validation

Network Validation confirms that the correct certificate is being used by the application and available on the network. This also tells Frank that the correct certificates are in use.

SSL/TLS Validation

How SSL/TLS Validation works:

• Venafi contacts the server hosting the SSL certificate, presenting itself as a web browser (an ordinary TLS client)

• Venafi receives the certificate from the server

• Venafi compares the certificate in its secure database with the certificate presented by the server

• Validation successful when the certificates are a match
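The validation sequence above as an added Go example, not Venafi's implementation: a local HTTPS listener plays the application that should be presenting the certificate, and ValidateEndpoint connects as a TLS client, takes the leaf certificate the server presents and compares its SHA-256 fingerprint with the one recorded for the expected certificate. The stand-in server, the hr.example.com name and the fingerprint comparison are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ValidateEndpoint connects to addr as a TLS client, reads the leaf certificate the server
// presents and reports whether its SHA-256 fingerprint matches the one on record. Chain
// verification is skipped on purpose: this is an identity check, not a trust decision.
func ValidateEndpoint(addr, serverName string, expected [32]byte) (bool, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return false, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return false, fmt.Errorf("%s presented no certificate", addr)
	}
	return sha256.Sum256(certs[0].Raw) == expected, nil
}

// NewSelfSigned builds a throwaway certificate that plays the installed certificate (constructed fixture).
func NewSelfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // fixture; errors ignored here only
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ServeTLS starts a local HTTPS listener presenting cert, standing in for the device under validation.
func ServeTLS(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}
```

Because the comparison is against the recorded certificate rather than a trust store, a certificate from a private CA validates, and a mismatch (for example the old certificate still installed after a renewal) is reported as a failure instead of being hidden behind a trust error.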

Enable Network Validation

Your Venafi Administrator may disable SSL/TLS Validation by default to prevent an abundance of “Validation Failure” email notifications.

Daily Network Validation

• SSL/TLS Validation is automatically performed daily, by default at midnight

• Can also be triggered manually by clicking “Validate Now” or “Validate Installation”

Failed Validation

• If Validation fails, an email notification is sent to certificate contacts

• If network validation isn’t possible, it should be disabled on the certificate

Revocation

When we revoke a certificate, we send a request to the issuing Certificate Authority asking that it no longer vouch for the validity of a certificate.

When web browsers see a certificate, they will check the Certificate Authority’s revocation list. If the certificate is on the list, the certificate will be considered invalid.

Why Revoke?

For the same reason we disable unnecessary ID badges that grant access to a secure building, we must also revoke digital certificates that are no longer needed.

Someone with a valid certificate and private key can gain unauthorized access to enterprise resources.

How to Revoke

When viewing the Overview page for a certificate, click the “Actions” button and select “Revoke”. This will revoke the current certificate. Frank can revoke previous versions of the certificate in the “Previous Versions” section on the left.

How to Revoke

• When revoking a certificate Frank needs to select the reason why he is revoking it

• He can leave a comment that will be logged

• Revocation cannot be undone

Module 3 Lab: Installation

• Install the certificate from the Enrollment Lab to your assigned IIS server

• View validation results

Module 3 Review

• What are “Lost” certificates?

• What is Network Validation?

• When does Network Validation occur?

• What happens if Network Validation fails?

• What does “Add Installation” do?

Reporting

Meet Jeff

• Been at The Company for 40 years

• Manager of Enterprise Security & IT Information Technology team

• Manages himself

Jeff is looking for SHA1 certificates

• Jeff is responsible for Security. He is concerned about the SHA1 to SHA2 migration dragging behind in the organization.

• Jeff needs a report of all SHA1 certificates so he can contact the certificate owners to get these replaced.

• He wants the report to be automated so he does not have to do anything but forward emails.

Custom Reports

• Report types:

  • Certificate Details

  • SSH Key Usage

  • Agents

• Schedulable

• Email, FTP and Fileshare delivery

Custom Reports

• View existing Report

• Download Reports

• Create new Reports


Custom Report Columns

Custom Reports Filters


Report Example

Lab: Reporting

• Create Custom Report for SHA1 Certificates

Review

• Can Custom Reports be scheduled for automatic generation and delivery?

• What are some delivery methods for custom reports?

• What formats are available to generate a custom report?


Course Review

• Venafi Trust Protection Platform (Venafi Platform) is the security platform for all Venafi products

• Aperture is a certificate security portal designed for IT Professionals who use certificates


Thank You