Introducing Director 11
Agenda
- Director 11 Introduction
- Mobile Certificate Manager
  - CA Import
  - Mobile Device Management (MDM) Integration
  - New Certificate Types
  - User Certificate Mapping
  - Single-click Revocation
  - Certificate Inventory Report
- Server Certificate Manager
  - Director Developer's Guide
  - New and Enhanced Drivers
  - Validation Failure Report
  - CA Trust Report
- Updated Licensing Report
- Q&A
Business is Driving Certificate Proliferation
[Diagram: CAs]

Mobile Certificate Security Risks
- Orphaned mobile certificates
- Constantly changing environments
- Fraudulent mobile certificates and CA compromise
- Weak cryptography
- Poor application security

Visibility and Control
[Diagram: CAs; Reporting, Management, Policy Control, Revocation, etc.]
How Does Venafi Solve the Problems?
Prevent
- Problem to solve: mobile certificates from being misused
- Venafi strategy: Control: automated mobile certificate policy enforcement
Detect
- Problem to solve: mobile certificate anomalies in real-time
- Venafi strategy: Visibility: certificate visibility and mapping to users
Respond
- Problem to solve: automatically and immediately remediate and respond to mobile certificate anomalies
- Venafi strategy: Kill Switch: single-click revocation
Any Key. Any Certificate. Anywhere.
Director 11 introducing:
- Mobile Certificate Manager: IT Security's Mobile Kill Switch
- Server Certificate Manager
Agenda: CA Import
CA Import (Microsoft CA)
Two phases:
- Import certificates from the CA into a temporary staging area
- Create policy tree objects from the staging area
Placement rules:
- User defined, based on components of the Subject DN
Reconciliation:
- Considers thumbprint, issuer, subject, serial number, key usage, extended key usage, expiration date and the system from which the enrollment request originated

CA Import Configuration
- Create CA Import objects in the Discovery tree
- Same Hostname and Service Name as used for Microsoft CA template objects
- A successful connection returns all of the templates the Microsoft CA supports for enrollment

CA Import Initiation
- Imports can be scheduled or initiated manually
- When the first phase of the import has completed, an estimate is provided of where the certificates will be placed
CA Import Placement Rules
- All conditions of a rule must be met for it to apply
- Rules are processed from top to bottom and can be reordered via drag-and-drop
- Certificates not matching any rule can be placed in a specified policy or discarded
- Once the placement rules are settled, the two phases can run without a pause in between

CA Import Placement Estimate
- Refreshing the Summary tab updates the estimate if placement rules have changed
- If satisfied with the estimate, click the button to initiate the second phase

CA Import Placement Summary
- When placement is complete, no more certificates remain in the staging area
- The placement estimate changes to a summary of what actually occurred

CA Import Reconciliation
- New objects are created for certificates that do not correlate to any existing object
- Certificates that are already managed are ignored
- A certificate with a later expiration date than the active one becomes active, and the one it replaces moves to the object's history
- A certificate with an earlier expiration date is added to the object's history
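The two import phases described above, as an added example that is not Director's own code: placement rules matched top to bottom on Subject DN components, then reconciliation of the staged certificates against existing policy tree objects. The certificate records, the rule format, the policy folder names and the simplified object identity (subject plus issuer, with the thumbprint used to spot certificates already managed) are assumptions of this example; Director also weighs serial number, key usage, EKU and the requesting system, which are omitted here.

```python
"""Added illustration of CA Import placement and reconciliation.
Certificates, rules and policy names below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date


def parse_dn(dn):
    """Split 'CN=a, OU=b, O=c' into {'CN': 'a', 'OU': 'b', 'O': 'c'}.
    Toy parser: assumes no escaped commas inside attribute values."""
    components = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        components[attr.strip().upper()] = value.strip()
    return components


def place(cert, rules, default_policy=None):
    """Pick the policy folder for a staged certificate.
    Rules are tried top to bottom; every condition in a rule must match the
    named Subject DN component.  No match -> default_policy (None = discard)."""
    subject = parse_dn(cert["subject"])
    for conditions, policy in rules:
        if all(subject.get(attr) == value for attr, value in conditions.items()):
            return policy
    return default_policy


@dataclass
class CertificateObject:
    """A policy tree object: the active certificate plus its history."""
    policy: str
    active: dict
    history: list = field(default_factory=list)

    def already_managed(self, thumbprint):
        return thumbprint == self.active["thumbprint"] or any(
            c["thumbprint"] == thumbprint for c in self.history)


def reconcile(staged, objects, rules, default_policy=None):
    """Second phase: correlate staged certificates with existing objects.
    Simplification (assumption): object identity is (subject, issuer)."""
    summary = {"created": 0, "replaced": 0, "historical": 0, "ignored": 0, "discarded": 0}
    by_identity = {(o.active["subject"], o.active["issuer"]): o for o in objects}
    for cert in staged:
        identity = (cert["subject"], cert["issuer"])
        obj = by_identity.get(identity)
        if obj is None:
            policy = place(cert, rules, default_policy)
            if policy is None:
                summary["discarded"] += 1          # matched no rule, no default
                continue
            obj = CertificateObject(policy=policy, active=cert)
            objects.append(obj)
            by_identity[identity] = obj
            summary["created"] += 1
        elif obj.already_managed(cert["thumbprint"]):
            summary["ignored"] += 1                # thumbprint already known
        elif cert["expires"] > obj.active["expires"]:
            obj.history.append(obj.active)         # newer certificate takes over
            obj.active = cert
            summary["replaced"] += 1
        else:
            obj.history.append(cert)               # older certificate is history only
            summary["historical"] += 1
    return summary


ISSUER = "CN=Example Issuing CA"                   # constructed sample issuer


def cert(cn, ou, org, thumbprint, expires):
    return {"subject": f"CN={cn}, OU={ou}, O={org}", "issuer": ISSUER,
            "thumbprint": thumbprint, "expires": expires}


RULES = [({"OU": "Web"}, "Web Servers"),           # constructed placement rules
         ({"O": "Example Corp"}, "Internal")]


def run_example():
    objects = [
        CertificateObject("Web Servers", cert("www.example.test", "Web", "Example Corp", "AAA0", date(2014, 6, 1))),
        CertificateObject("Web Servers", cert("mail.example.test", "Web", "Example Corp", "BBB0", date(2014, 9, 1))),
        CertificateObject("Web Servers", cert("old.example.test", "Web", "Example Corp", "CCC0", date(2014, 1, 1))),
    ]
    staged = [
        cert("www.example.test", "Web", "Example Corp", "AAA1", date(2015, 1, 1)),         # renewal
        cert("mail.example.test", "Web", "Example Corp", "BBB0", date(2014, 9, 1)),        # already managed
        cert("old.example.test", "Web", "Example Corp", "CCC1", date(2013, 1, 1)),         # superseded
        cert("db01.example.test", "Database", "Example Corp", "DDD1", date(2014, 12, 1)),  # new object
        cert("stray.example.test", "Lab", "Other Org", "EEE1", date(2014, 12, 1)),         # matches no rule
    ]
    summary = reconcile(staged, objects, RULES)
    return summary, objects
```

Running `run_example()` with no default policy discards the certificate that matches no rule; passing `default_policy="Unsorted"` to `reconcile` would create an object for it instead, which is the "specified policy" choice the deck mentions.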
Agenda: New Certificate Types
Certificate Types
- Now three distinct certificate types: Server Certificate, Client Device Certificate, User Certificate
- New icons
- Necessary to apply different features and behaviors
- Reporting and licensing considerations

Certificate Types: New Look
- Three new columns have been added to the View tab for certificates: Type, Template, and Requested From
- New icons are visible in the Policy tree

Certificate Types: Conversion
- Certificate type is also displayed in the title bar
- Type can be changed by clicking a new button on the Summary tab

Certificate Types: Classification Criteria
Classification is based on:
- Extended Key Usage (EKU)
- Subject Alternative Name (SAN)
Server Certificate: EKU includes any of Server Authentication, OCSP Signing, SCVP Server, Time Stamping, Code Signing
User Certificate: EKU includes SmartCard Logon, or a SAN is present of type RFC822 (email address) or OtherName: User Principal Name (UPN)
Client Device Certificate: any certificate which does not meet the criteria for being classified as a Server or User certificate
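The classification criteria above, as an added example that is not Director's own code. It works on the EKU OIDs and SAN entries that an X.509 parser would hand back (the standard id-kp OIDs, the Microsoft smart card logon EKU and the UPN OtherName type-id are real values; the list-of-pairs SAN representation and the sample certificates are constructed). The deck does not say whether Server or User wins when a certificate satisfies both, so testing Server first is an assumption of this example.

```python
"""Added illustration of the Director 11 certificate type classification.
EKU and SAN values are plain lists constructed here; no X.509 library is used."""

# Extended Key Usage OIDs: RFC 5280 id-kp values plus the Microsoft
# smart card logon EKU, for the usages the classification names.
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
EKU_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
EKU_SCVP_SERVER = "1.3.6.1.5.5.7.3.15"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
# SAN OtherName type-id that carries a Microsoft User Principal Name.
OTHERNAME_UPN = "1.3.6.1.4.1.311.20.2.3"

SERVER_EKUS = {EKU_SERVER_AUTH, EKU_OCSP_SIGNING, EKU_SCVP_SERVER,
               EKU_TIME_STAMPING, EKU_CODE_SIGNING}

SERVER, USER, CLIENT_DEVICE = "Server", "User", "Client Device"


def classify(eku, san):
    """eku: list of EKU OIDs (empty when the extension is absent).
    san: list of (kind, value) pairs, kind being 'DNS', 'IP', 'RFC822'
    or 'OtherName:<type-id OID>' (representation chosen for this example).
    Server is tested before User (assumed ordering); Client Device is the
    remainder, exactly as the deck defines it."""
    if SERVER_EKUS & set(eku):
        return SERVER
    if EKU_SMARTCARD_LOGON in eku:
        return USER
    for kind, _value in san:
        if kind == "RFC822" or kind == "OtherName:" + OTHERNAME_UPN:
            return USER
    return CLIENT_DEVICE


def classify_samples():
    """Constructed sample certificates, reduced to their EKU and SAN contents."""
    upn = "OtherName:" + OTHERNAME_UPN
    samples = {
        "web server": ([EKU_SERVER_AUTH, EKU_CLIENT_AUTH], [("DNS", "www.example.test")]),
        "smart card logon": ([EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON], [(upn, "jdoe@example.test")]),
        "s/mime": ([EKU_EMAIL_PROTECTION], [("RFC822", "jdoe@example.test")]),
        "vpn user via upn": ([EKU_CLIENT_AUTH], [(upn, "jdoe@example.test")]),
        "mobile device": ([EKU_CLIENT_AUTH], [("DNS", "device-0042.mdm.example.test")]),
        "no extensions": ([], []),
        "code signing with email": ([EKU_CODE_SIGNING], [("RFC822", "build@example.test")]),
    }
    return {name: classify(eku, san) for name, (eku, san) in samples.items()}
```

The last sample shows why the ordering matters: a code signing certificate whose SAN carries an email address is classified as Server under the assumed precedence, so an inventory that relies on the User count for licensing or kill-switch coverage should be checked against certificates of that shape.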
Agenda: MDM Integration
MDM with Microsoft CA
[Diagram: the MDM System obtains a one-time challenge via the MSCA portal (certsrv) and then the certificate via SCEP from NDES, both backed by the MSCA (ADCS)]

Centralizing Policy Enforcement & Tracking
[Diagram: the same flow, one-time challenge via the MS certsrv interface* and certificate via SCEP, with Director placed between the MDM System and the MSCA (ADCS)]

NDES Configuration
- New compatibility options for dealing with different interpretations of the SCEP specification
- Important: the MSCA templates you use must not be configured to build their subject automatically
Agenda: User Certificate Mapping
New Certificate Types in Aperture
- Aperture now supports multiple certificate types

Additional Information on the Details Page
- Certificate type
- Template
- Additional SAN information
User Certificate Mapping
Kill switch for terminated or reassigned users:
- Identify all certificates issued to or managed by the user
- Revoke certificates
- Notify managers if certificates managed by the user need to be reassigned, replaced or revoked
- Minimize the risk of data or system compromise
Rapidly Identifying a User's Certificates
- New option in Aperture to search for users to identify their certificates
- *Note: requires the Allow Aperture User Search right in order to use this option

Finding Users
- Search for users in AD based on patterns
- Matching users are displayed

Viewing a User's Certificates
- Shows certificates issued to the user
- Shows certificates managed by the user

Kill Switch: Rapidly Revoking
- Immediately revoke certificates issued to the terminated employee

Preventing Compromise for Device Certs
- Notify a manager regarding certificates that must be reassigned, replaced, and revoked

Notification Email
- Director-provided text can be edited to provide additional details and information to the manager
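The kill-switch workflow from the slides above (find the user's certificates, revoke those issued to the user, notify a manager about those the user merely managed), as an added example that is not Director's or Aperture's own code. The inventory records, the contact field, the SAN representation and the notification wording are all constructed for this example; Director keeps its own object model and e-mail template.

```python
"""Added illustration of the user certificate mapping kill switch.
Inventory, contacts and notice text are constructed sample data."""
from dataclasses import dataclass

UPN_KIND = "OtherName:UPN"        # SAN entry kinds as represented in this example
EMAIL_KIND = "RFC822"


@dataclass
class Certificate:
    name: str
    san: list                     # (kind, value) pairs
    contacts: list                # UPNs of the people who manage the object
    revoked: bool = False


def find_user_certificates(inventory, upn, email):
    """Return (issued_to, managed_by) for one user.
    'Issued to': a SAN UPN or RFC822 entry names the user.
    'Managed by': the user is a contact on an object not issued to them."""
    identities = {(UPN_KIND, upn.lower()), (EMAIL_KIND, email.lower())}
    issued_to = [c for c in inventory
                 if any((k, v.lower()) in identities for k, v in c.san)]
    issued_ids = {id(c) for c in issued_to}
    managed_by = [c for c in inventory
                  if id(c) not in issued_ids
                  and upn.lower() in (x.lower() for x in c.contacts)]
    return issued_to, managed_by


# Default notice text (this example's wording, not Director's template).
DEFAULT_NOTICE = ("The following certificates were managed by {upn}, who has left "
                  "or changed role. Please reassign, replace and revoke as needed:\n")


def manager_notice(upn, managed_by, extra_text=""):
    """Build the manager e-mail body; extra_text stands in for the editable part."""
    body = DEFAULT_NOTICE.format(upn=upn)
    body += "".join(f"  - {c.name}\n" for c in managed_by)
    return body + extra_text


def kill_switch(inventory, upn, email, extra_text=""):
    """Revoke what was issued to the user; draft a notice for what they managed.
    Revocation here only flags the record; in Director it is the single-click
    action the deck describes."""
    issued_to, managed_by = find_user_certificates(inventory, upn, email)
    for c in issued_to:
        c.revoked = True
    return {"revoked": [c.name for c in issued_to],
            "to_reassign": [c.name for c in managed_by],
            "notice": manager_notice(upn, managed_by, extra_text)}


def run_example():
    inventory = [
        Certificate("jdoe smart card", [(UPN_KIND, "jdoe@example.test")], ["itadmin@example.test"]),
        Certificate("jdoe S/MIME", [(EMAIL_KIND, "JDoe@example.test")], []),
        Certificate("www.example.test", [("DNS", "www.example.test")],
                    ["jdoe@example.test", "asmith@example.test"]),
        Certificate("asmith smart card", [(UPN_KIND, "asmith@example.test")], []),
    ]
    result = kill_switch(inventory, "jdoe@example.test", "jdoe@example.test",
                         extra_text="Contact IT Security with questions.\n")
    return result, inventory
```

Matching is case-insensitive on the UPN and e-mail address because directory values and SAN contents are frequently entered with different casing; a case-sensitive comparison would silently leave the S/MIME certificate in the sample unrevoked.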
Agenda: Certificate Inventory Report
Visibility: Certificate Inventory Report
Agenda: Director Developer's Guide
Developer's Guide
- Set-up, support and examples of typical use cases:
  - Request and retrieve certificates
  - Import data into Director (create objects, assign attribute values, initiate processing, etc.)
  - Export data from Director (feed into external applications, custom reporting, etc.)
- REST API reference
- Object Class reference
- Available from Director Web Help or in PDF format

Developer's Guide: PDF
- REST APIs
- Object Classes
- Sample JSON
- Attribute Definitions

Developer's Guide: Web Help
- Fully searchable Director Developer's Guide
Agenda: New and Enhanced Drivers
New A10 Provisioning Driver
- Support for provisioning certificates and private keys to A10 AX Series Application Delivery Controllers
- Optional creation and updating of SSL Templates
- Supports Network and File Validation
- Automatic certificate name generation based on CN and serial number

New A10 Provisioning Driver
[Screenshots: provisioned certificate; SSL Template configuration (optional)]

Enhanced VeriSign CA Driver
- Transition from Symantec's VICE to VICE2 API
- Eliminates dependency on screen scraping
- Granular control over enrollment: Attempt Renewal, Renewal, Enroll New, Replace
- Added support for OFX certificates

Enhanced VeriSign CA Driver
- Enrollment Mode defaults to Attempt Renewal, which is how the old version of the driver always behaved

Enhanced Microsoft CA Driver
- Support for Microsoft's Enrollment Agent feature
- Provides two-factor authentication for MSCA
- Two levels of implementation:
  - Signing of CSRs prior to submission
  - Restricted MSCA access: limits enrollment to specific templates, requires manual approval and prohibits revocation requests

Enhanced Microsoft CA Driver
- Director will use the assigned Enrollment Agent certificate to sign CSRs before submitting them to this Microsoft CA
- Direct link from WebAdmin to detailed information about using the Enrollment Agent feature: Establish Restricted Enrollment Agents, http://technet.microsoft.com/en-us/library/cc754154.aspx
Agenda: Validation Failure Report
Validation Failure Report
- Rollup that can be distributed in a single email
- Summarizes the current state of validation
- Can target specific contacts with only their assets
- Provides interpretation and troubleshooting guidance for:
  - Name Resolution Failed
  - No Certificate Found
  - Certificate Mismatch
- Applies to Network Validation of certificate and application objects

Validation Failure Report
- Explanation of the failure mode and tips for remediation
- Common Name hyperlinks direct to the certificate object in WebAdmin
- Port hyperlinks browse to the actual target that Director is configured to validate
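What a Network Validation probe has to decide to land in one of the three failure modes named above, and how the results roll up per contact, as an added example that is not Director's report code. The probe uses only the Python standard library and compares the presented certificate's SHA-1 thumbprint with the expected one; folding connection and handshake errors into "No Certificate Found", the remediation wording, and the sample assets and contacts are assumptions of this example.

```python
"""Added illustration of Network Validation outcomes and the per-contact
rollup of a Validation Failure Report.  Hosts, contacts and thumbprints
used in run_example() are constructed; no network access is needed for it."""
import hashlib
import socket
import ssl
from collections import defaultdict

NAME_RESOLUTION_FAILED = "Name Resolution Failed"
NO_CERTIFICATE_FOUND = "No Certificate Found"
CERTIFICATE_MISMATCH = "Certificate Mismatch"
VALIDATED = "Validated"

# Remediation tips are this example's wording, not Director's report text.
GUIDANCE = {
    NAME_RESOLUTION_FAILED: "DNS does not resolve the host: check the host name on the object and the DNS record.",
    NO_CERTIFICATE_FOUND: "Nothing answered with a certificate: check the port, the firewall path and that TLS is enabled on the listener.",
    CERTIFICATE_MISMATCH: "The listener presented a different certificate: the managed certificate was not installed, or the site serves another one.",
}


def thumbprint(der):
    """SHA-1 thumbprint of a DER certificate, upper-case hex as certificate stores show it."""
    return hashlib.sha1(der).hexdigest().upper()


def compare_certificate(der, expected_thumbprint):
    """Pure classification step, kept separate so it can be exercised offline."""
    if not der:
        return NO_CERTIFICATE_FOUND
    if thumbprint(der) != expected_thumbprint.replace(":", "").upper():
        return CERTIFICATE_MISMATCH
    return VALIDATED


def validate_endpoint(host, port, expected_thumbprint, timeout=5.0):
    """Resolve, connect, fetch the presented certificate, compare thumbprints.
    Connection and handshake errors (all OSError subclasses, ssl.SSLError
    included) are folded into No Certificate Found, an assumption here."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
    except socket.gaierror:
        return NAME_RESOLUTION_FAILED
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we compare thumbprints, not names,
    ctx.verify_mode = ssl.CERT_NONE       # and want the cert even if untrusted
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:
        der = None
    return compare_certificate(der, expected_thumbprint)


def failure_report(results):
    """Roll failures up per contact so each person sees only their own assets.
    results: iterable of dicts with 'asset', 'contact' and 'result' keys."""
    report = defaultdict(list)
    for r in results:
        if r["result"] != VALIDATED:
            report[r["contact"]].append(
                {"asset": r["asset"], "result": r["result"], "guidance": GUIDANCE[r["result"]]})
    return dict(report)


def run_example():
    """Constructed results standing in for one validation run."""
    der = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
    results = [
        {"asset": "www.example.test:443", "contact": "web-team",
         "result": compare_certificate(der, thumbprint(der))},
        {"asset": "api.example.test:8443", "contact": "web-team",
         "result": compare_certificate(der, "00" * 20)},
        {"asset": "mail.example.test:993", "contact": "mail-team",
         "result": compare_certificate(b"", thumbprint(der))},
        {"asset": "gone.example.test:443", "contact": "mail-team",
         "result": NAME_RESOLUTION_FAILED},
    ]
    return failure_report(results)
```

Disabling chain verification in the probe is deliberate: the report's question is whether the certificate Director manages is the one actually being served, and a listener presenting an untrusted or self-signed certificate should surface as a Certificate Mismatch rather than as a connection error.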
Agenda: CA Trust Report
Detect: Focusing on the Relying Party
Fraudulent certificate attacks include:
- Signed malware
- Authentication
- Digital signatures
- Man-in-the-middle

CA Trust Report
Prevent rogue certificate attacks by limiting the number of CAs trusted on your systems:
- Report on trusted CAs
- Classify Trustworthy and Untrustworthy CAs
- View statistics and details regarding trusted CAs
- Use the information to limit risk by removing untrustworthy CAs

CA Trust Report: Setting Trustworthiness
- Classify CA root certificates as Trustworthy or Untrustworthy

CA Trust Report: Additional Statistics
CA Trust Report: Root Cert Details
- View details of discovered root certificates by category
Updated Licensing Report
QUESTIONS?
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

2013 Venafi Proprietary and Confidential