
Reviews from AWS customer

1 AWS reviews
  • 5 star
    0
  • 1
  • 3 star
    0
  • 2 star
    0
  • 1 star
    0

External reviews

10 reviews

External reviews are not included in the AWS star rating for the product.


    reviewer2745651

Automation capabilities have streamlined compliance and regulatory processes

  • August 09, 2025
  • Review provided by PeerSpot

What is our primary use case?

My use cases for Venafi were for the Venafi Trust Protection Platform, managing infrastructure PKI and certificates.

What is most valuable?

Venafi's automation capabilities are very good, which is why we used it. Venafi's ability to stay updated on the most current certification renewals was also very good. Venafi's ability to safeguard my financial services infrastructure was good; we had no problems with that. Venafi's ability to help with compliance and regulatory requirements, including SOX and SWIFT, was great. This is a major selling point.

What needs improvement?

In terms of areas for improvement, one thing that we did not appreciate about Venafi was having agents on everything. An agent needed to be installed everywhere to handle the certificate management. Having the agents everywhere is not ideal and is always problematic. Having the agent everywhere is not the best for security, which was our other significant concern.

For how long have I used the solution?

I have been using Venafi for about two years in my career. I am not currently using it at my current job, but rather at my previous position.

What do I think about the stability of the solution?

I have no issues about Venafi's stability; it demonstrated good stability.

What do I think about the scalability of the solution?

Venafi's scalability was good as well.

How are customer service and support?

I have contacted Venafi's technical support and customer support. We worked with their consulting group during implementation. I went through the whole implementation phase and they were very effective. For Venafi's support, I would rate them eight or nine out of ten.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I have not used any alternatives to Venafi; nothing at that scale of management.

How was the initial setup?

It took me about six months to a year to fully deploy Venafi across the entire enterprise.

What about the implementation team?

The implementation involved a whole team operation with approximately five or six people in total, including myself, several colleagues, and consultants.

What was our ROI?

The mean time to respond was significantly reduced with Venafi.

What other advice do I have?

When I was working with Venafi, I was working in financial services as a user of the product and not a partner of Venafi. On a scale from 1 to 10, I would rate Venafi overall for everything an eight.


    Lakshmi Prasanna Padamata

User interface helps manage certificates efficiently while additional notification options improve awareness

  • August 04, 2025
  • Review provided by PeerSpot

What is our primary use case?

In my testing and support role as an analyst, I handle a certificates list, checking their expiry dates, and if a certificate is expiring within a month, we ask if there are any private keys to add; if not, we put a public key for renewal or creation based on the expiry date, and we obsolete certificates not in use from the Venafi tool.

What is most valuable?

The best feature I appreciate about Venafi is its user interface, which allows me to search for any particular certificate and immediately see the certificate details and expiry. I mostly appreciate how user-friendly the UI is. The Venafi solution has helped my organization by allowing us to manage certificates directly instead of relying on server administrators to perform tasks such as renewing and obsoleting.

What needs improvement?

As an end user, I cannot specifically point out improvements, but I believe it would be beneficial to display active certificates in a separate column on the UI, so users can easily find what they need. Additionally, I think notifications for certificate expirations could include varying time frames such as 60 days or 15 days to better inform end users.

For how long have I used the solution?

I have been using the Venafi tool for almost six plus years when I worked for Lloyds Banking Group, particularly for certification tasks such as obsoleting, creating, and renewing.

What do I think about the stability of the solution?

For the stability of the solution itself, I would rate it a seven.

What do I think about the scalability of the solution?

I am not sure about the total users across the whole company, but in our team, there are about 10 to 15 people.

Which solution did I use previously and why did I switch?

I only utilize Venafi for certificate renewal, so I cannot compare it to other products.

What about the implementation team?

We do not handle the deployment ourselves as different teams manage the installation.

What was our ROI?

The overall time saved from automating processes compared to manual work could be around ten percent.

What other advice do I have?

Although I am not fully aware of compliance matters, I believe Venafi maintains good authentication since only authorized users can log in, preventing compliance issues. Different clients such as Walmart and Lloyds will have their certificates in separate folders to ensure that data from one client does not mix with another. I am not aware of Venafi's pricing.

Overall, I would rate Venafi a seven because, from my perspective, that feels accurate.

Which deployment model are you using for this solution?

On-premises


    Theo Hughes

A comprehensive solution with good reporting and scalability

  • July 30, 2025
  • Review from a verified AWS customer

What is our primary use case?

The last contract I was on, I used it with TPP, and we migrated their internal infrastructure to AWS and then back connected to the database internally in their internal network, and it worked just peachy.

What is most valuable?

The reporting analysis is what I liked the most about it; that was the nicest thing about it. It helped keep track of certificates and their status and where we needed to make improvements, update, replace things. 

The automation capabilities of Venafi are generally pretty good. It's easy to manage, and whenever I automate things, I generally use PowerShell and it's pretty user-friendly and easy to follow. My background is a C# coder, so PowerShell is easy. 

It handled compliance and regulatory requirements, such as HIPAA, very well overall. The reports that come with it generally are enough to satisfy the auditors, and if they're not, writing a new report is pretty easy, especially using the wizards built in.

What needs improvement?

I've been using it so long that it's kind of second nature to me. Documentation could use some improvement, but that's about all.

For how long have I used the solution?

I have been using it since 2010. I last used Venafi in May this year.

What do I think about the stability of the solution?

I would rate it a nine out of ten for performance and stability.

What do I think about the scalability of the solution?

Scalability is great because it's easy to interconnect different Venafi servers in different segments of the network, so once you've got that open door through the firewall, it's not hard at all.

How are customer service and support?

A couple of years ago, I contacted the technical support for something small and a patch fixed it. I'd rate the support at least a nine out of ten. The support is very good in terms of speed and quality. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've done it manually, managed certificates manually, managed them through Microsoft tools, and frankly, Venafi is the easiest and most comprehensive.

How was the initial setup?

The initial deployment was easy for me. For the first time, it took about three days. The easiest part of it is using the discovery tool.

In terms of maintenance, you just have to keep up with the updates. They've generally got something new or good to patch, and if something doesn't work 100%, you'll find a patch on it generally pretty much monthly that could be your solution.

What about the implementation team?

There were three of us for the deployment. Basically a manager and two contractors were involved.

What other advice do I have?

Overall, I'd rate Venafi a nine out of ten.


    Karthik Kashyap T H

Eliminates certificate expiration outages and offers good customization and reporting capabilities

  • July 18, 2025
  • Review provided by PeerSpot

What is our primary use case?

Our use case is that our organization had a lot of certificates that were unnoticed. Users used to request the certificate and install it, but when there was a change of resources or anything, they were unaware of where the certificate resides or when it expires. We had a lot of situations where the certificate had expired, the application went down, or users used to get the nasty warning saying the certificate had expired. Another case was where a certificate had expired, or it was installed on multiple endpoints, but the users were unaware of it. They replaced the certificate at one endpoint and forwarded it over to another endpoint, which eventually caused an issue because of the handshake error. These were the main driving factors for us to explore CLM options.

How has it helped my organization?

Venafi has reduced the certificate expiration outages to almost nil. Just to give an analysis, before 2022, we had a lot of major incidents due to expired certificates. Since 2022, we have had almost zero major incidents wherein we saw a financial impact or business disruption due to an expired certificate. We have set up alerts 60 days in advance, so that gives sufficient time for the technical owners, the product owners, and the application teams to renew the certificate ahead of time.

What is most valuable?

The notification stands out as one of the best features. You can customize the emails, and as a retail organization, it was important for us to brand the emails. We wanted our users to give a look and feel of the organization and also adhere to the organization brand guidelines. So, customization of emails was one of the good features. The main core aspect is the certificate tracking. Venafi does this effectively, and its ease of use makes a difference.

When it comes to automation, Venafi has a lot of out-of-the-box connectors, be it for the F5 load balancer, the NetScaler load balancer, for Windows, or for Linux machines. You can even automate the certificate, push the certificate from scratch from Venafi. 

The reporting feature is another aspect that many users love. We can schedule the reports and get them in either PDF or Excel spreadsheet formats when we want to share with the leadership. We can generate the PDF format and share it with the users.

The navigation is pretty good, with a sleek UI and a good dashboard that allows customization of the home page. 

Another important feature that stands in favor of Venafi is the customizability. When a user requests a certificate, we want them to input some additional details. The creation of custom fields was very flexible in Venafi when we compared it with other products. We can define a number of fields and even specify input types, such as alphanumeric strings, numeric values, drop-down selections, and input validation.

What needs improvement?

Even though it allows for email editing, until version 23.1, you had to log on to the server, and the console itself used to take a lot of time. That has changed from the last release onwards.

When you're defining the flow, there are some areas that can probably cause confusion to the users. If you want to rename the default field, you cannot rename it, which caused a lot of confusion during the initial days until everyone got settled in. Allowing the renaming or updating of the default field is something Venafi can improve on.

Venafi has both the on-prem and the cloud versions, but the on-prem version is far more mature than the cloud version, which lacks a lot of features that the on-prem version offers, at least when we did the POC and evaluated the product. The maturity of the cloud version needs improvement.

Additionally, when considering the on-prem version, there is a minor glitch in the system. When an administrator makes changes, they have flexibility regarding the approval flow. When dealing with a certificate that requires approval from several different teams, there is a minor glitch in the system where the name of the approver does not appear. This is a bug that we are currently addressing.

Additionally, there is room for improvement in key management. Changing the default account name is not a straightforward process; it can be quite tedious. This is an area where improvements could be made.

If there is a particular workflow that we want to tweak, right now, we can achieve it only via a PowerShell script. It would be great if they could also support a small Python script or anything to expand their scripting or adaptable workflow code base. Even though we can call another script from a PowerShell script, if someone doesn't have knowledge of PowerShell, that would be challenging.

For how long have I used the solution?

It's been more than three years since we've been using the solution.

What do I think about the stability of the solution?

The stability is pretty stable. For one of their bugs, there are a few workarounds; I would probably give it a nine in terms of stability. This is only for the on-prem version as I do not have great exposure to the cloud version.

What do I think about the scalability of the solution?

It is definitely scalable. I would give scalability a nine, with one point off because of the lengthy time taken to install the product.

It was for an enterprise-wide solution, so more than 15,000 work with Venafi.

How are customer service and support?

Venafi was recently acquired by CyberArk, so it's a different situation right now. When Venafi was solely Venafi, I felt the support was pretty good. However, after the completion of the acquisition by CyberArk, I feel there has been a drastic downtime in the support professionals' response. If it were somewhere around nine earlier, I would probably bring it down to six right now.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

No. We didn't have a different solution previously. 

How was the initial setup?

It was more or less a Windows next-next-next installer. It isn't a complex installation. Any IT security professional would be aware of all the dependent components, including the database, the bare minimum bare metal requirements, and everything else. 

The installation process is a bit lengthy. Though it's simple, it involves a lot of modules that get installed. It took almost four hours for the entire installation and for the upgrade, which is almost a mimic of installation. It again depends on the number of servers you're doing it for. If you're doing it for one server, it will easily take 30 to 45 minutes, assuming you have a good connection.

It does require some maintenance, but it's not every month you need to patch it and update it. There is flexibility around it, but it does require some sort of management.

What about the implementation team?

Implementation was done by an in-house team.

What was our ROI?

We evaluated Keyfactor and Venafi, and even though Venafi was priced far higher than Keyfactor, one of the main reasons for choosing Venafi was the ROI we saw. Keyfactor doesn't offer any reporting. Venafi reduced the number of resources for the reporting structure. We had six to seven people dedicated to reporting. We were able to give them better tasks instead of just reporting, so Venafi's reporting capability adds great value to the ROI, along with the dashboard and automation. 

Teams used to spend a lot of time just requesting and renewing the certificate, updating it at all endpoints. In Venafi, you can do it with one click. Once you have defined the entire skeleton of where the certificate resides and what it does, you can just click the push button, and the certificate will be installed and bind the complete IIS binding by Venafi. From our perspective, this makes it a good bet.

What's my experience with pricing, setup cost, and licensing?

It is very expensive.

Which other solutions did I evaluate?

We did a PoC with various vendors available in the market, such as AppViewX, Keyfactor, Venafi, and finally narrowed it down to Venafi because it suited our needs. It was able to give a better dashboard of how many certificates we have and what the installation points are. That's why we went ahead with it.

What other advice do I have?

I would recommend Venafi, but it also depends on the organization's needs. I would recommend Venafi to other users if they're looking for an on-prem solution. If they're looking for a cloud-based solution, I wouldn't recommend Venafi, given that they have a long road ahead of them for maturity. 

I would rate it an eight out of ten, given all the benefits, gaps, and overall maintenance.

Which deployment model are you using for this solution?

On-premises


    reviewer2741469

Automating certificate lifecycle management has significantly reduced manual efforts and improved operational efficiency

  • July 17, 2025
  • Review provided by PeerSpot

What is our primary use case?

We are using Venafi as a certificate lifecycle management tool and for notifications, specifically certificate expiry notifications. Currently, we are working on automation by using Venafi for automatically installing the certificates on different key stores.

How has it helped my organization?

By using Venafi, we have reduced our potential risk significantly due to certificate expiry, as all teams are getting emails before 60 days and 90 days, which is helpful.

It has reduced our manual efforts significantly. Earlier, if it took us 10 minutes to issue one certificate, by using Venafi, we are now issuing it in 5 minutes, which is a 50% time saving. 

We are actively monitoring every certificate within our organization. It allows us to know which specific part or server each certificate is being used for. Through our monitoring efforts, we can provide detailed information about each certificate, ensuring our organization is well-informed.

It has improved our operational efficiency by 70% to 80%.

What is most valuable?

Venafi is a versatile tool, providing many services beyond the tools present in the market. The best feature is that Venafi automatically discovers certificates in the environment and onboards them in the dashboard. Using Venafi, we can automate and install certificates on target machines without human intervention, making it an excellent tool for automation and certificate lifecycle management.

Certification renewal is the fundamental aspect of Venafi, and it meets current market standards, setting the benchmark. We are monitoring each certificate, so our organization is aware of which server uses that certificate, and based on the monitoring, we can access all certificate details, which provides great help.

What needs improvement?

The solution's ease of use is moderate, and I suggest that the documentation by Venafi should be more linear or simpler because when new associates or trainees try to learn the tool, the documentation is difficult to understand.

Integrating Venafi into existing systems is quite easy; however, the documentation should be improved as we have to conduct analysis from our end, and the documentation hasn't presented information in a proper or linear fashion.

The support from Venafi needs improvement based on my experience. The response time needs improvement, and it takes too long to resolve or provide solutions for some tickets.

For how long have I used the solution?

I have been working with Venafi for three years.

What do I think about the stability of the solution?

It's stable. I would assess the stability as eight out of ten. 

What do I think about the scalability of the solution?

It's scalable. Scalability is rated an eight out of ten.

In our organization, we currently have around 15 members working on Venafi, with more than 300 to 400 people having read access to the dashboard to view their certificates.

How are customer service and support?

The support from Venafi needs improvement. I would rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup process can be a bit complex, but I would classify it as medium-level difficulty. One area for improvement is the documentation, as clearer guidelines would facilitate more effective automation. Based on the current documentation, it typically takes us four to five weeks to deploy any updates or changes. Unfortunately, we've encountered difficulties in locating the necessary information.

We perform maintenance on a quarterly or semi-annual basis to ensure everything runs smoothly.

What was our ROI?

It brings value from day one; deploying this solution definitely provides beneficial value.

What other advice do I have?

Venafi is versatile, providing numerous features compared to other tools in the market. If I were to recommend a tool to anyone, I would choose Venafi over others.

For certificate-related tasks, we can work on the PCI and DSS components, but regarding Venafi specifically, there isn't a need for PCI and DSS compliance. If we want to install private keys, we need to consider compliance issues, but if we are not installing private keys, there is no need to comply with current governance rules.

I would rate Venafi an eight out of ten, as it has versatility and offers many features compared to tools available in the market for certificate lifecycle management.

Which deployment model are you using for this solution?

On-premises


    SiddharthSingh1

Effective internal certificate management resolves previous tracking issues but access control needs refinement

  • July 04, 2025
  • Review provided by PeerSpot

What is our primary use case?

For Venafi, our use case is for managing the internal certificates of the company. We use Entrust for public certificates, but the internal certificates, the certificates generated for our own system, are managed, stored, renewed, and downloaded using Venafi.

What is most valuable?

The best features of Venafi are the event part; if any changes occur on Venafi's side, they send events, allowing our service to consume these events to figure out what changes were made, which is good in Venafi. The tracking part is also very good, as it remains consistent when multiple renewals occur, and we know what actions are being performed by whom. 

Venafi solved the issue of many misplaced internal certificates, as we know that at one place we can get all the information, and the problem of notifications about expiring certificates is resolved, improving our overall system for Expedia.

What needs improvement?

The access management for Venafi is very difficult. If a specific team needs to access certain parts of the certificates, they need to contact the admin, which is complex. For that reason, we built a third-party internal service to manage Venafi's access. 

The notification part also needs improvement because the general notifications don't specify which certificate owner is responsible. Therefore, we've developed our own notification system over Venafi to send emails to the correct user. 

The AWS tracking process is quite weak. For instance, while a certificate is associated with a load balancer, Venafi does not provide a straightforward way to identify which load balancer it is linked to. To resolve this, we need to create a root user in Amazon and grant access to Venafi, which adds complexity to the process. We can determine where the certificate is being used by using the certificate ARN. We developed an external solution for this issue, but it is something that Venafi could address as well.

For how long have I used the solution?

I've been using the solution for around three years.

What do I think about the stability of the solution?

For stability, I'd rate it around six out of ten since we experience some outages despite the investment.

What do I think about the scalability of the solution?

Venafi is scalable. We have 300 to 400 human users and many bot users using cert-manager in Kubernetes to generate certificates. I would rate its scalability a nine out of ten.

How are customer service and support?

The vendor support is good; we can raise tickets in their support system, and typically a developer is assigned within one to two hours for debugging. However, there have been critical errors for which the support didn't have immediate solutions, causing some delays. Overall, the vendor support for Venafi is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we had a manual process for storing internal certificates managed by the PKI team, and they used to store them in a vault manually, making it a hectic process with high chances for manual errors, especially if someone leaves the company. Compared to that solution, Venafi is very good and helps, so that's why we purchased a three-year license. However, now that we're using Venafi, we've started noticing some flaws such as the notification issue, so we are looking for a better solution or building our own.

How was the initial setup?

It's on prem, but we'll start migrating it to the cloud. 

Deploying Venafi can be quite complex, especially since it operates on a Windows machine. Previously, the deployment process was primarily manual and could take one or two days at a new site. However, after we implemented some Terraform scripts, the deployment time has significantly reduced to about one hour. Despite this improvement, the process remains complicated for someone new to it.

Maintenance is required for Venafi due to frequent upgrades and occasional misbehavior of the Venafi node, necessitating a separate team to check the health of the servers.

What was our ROI?

Evaluating the return on investment is complex. Overall, it has saved us a lot of time and money. Originally, the outages stopped, and we no longer had issues with certificate expirations. However, we did experience one significant outage due to the expiration of our root certificate. Unfortunately, we didn’t receive a notification from Venafi because it wasn't configured correctly, which led to a loss of around 12 million dollars. In the two years prior, we didn't have any outages, but last year we faced a major issue where the entire Expedia system was down for six hours. So while it seems to average out, the time savings and improvements in our processes have been beneficial.

What's my experience with pricing, setup cost, and licensing?

For our budget, Venafi's cost is moderate. It's not expensive as internal certificate generation is free, and we only pay for the public CA certificate signer and for storage in Venafi. With the top-tier license, we can store unlimited certificates, so the pricing falls between moderate and expensive.

The solution was directly purchased from Venafi. We have a three-year license.

What other advice do I have?

I would recommend Venafi if someone struggles to manage internal certificates without a management tool, but if they already have a mature system in place, I would not be sure to recommend it. It depends on the user's situation; for someone starting out, Venafi can be a good choice.

I would rate Venafi a seven out of ten.

Which deployment model are you using for this solution?

On-premises


    reviewer2688693

Reduces workload and has great automation capabilities and support

  • April 08, 2025
  • Review provided by PeerSpot

What is our primary use case?

Venafi is a certificate lifecycle management tool that I utilize as middleware to manage certificates; it's not the actual creator of the certificate, but it's what comes between the creator and the consumers.

How has it helped my organization?

The automation capabilities of Venafi are great; it's not complete, but it's a work in progress. The automation capabilities of Venafi have helped my organization reduce errors. It is probably the best out there. The PKI space is super niche and the automation pieces are all just coming together, so they haven't been fully fine-tuned. The automation part of it is not mature anywhere in the industry, but Venafi is probably the best that you're going to get. 

There are lots of benefits to using Venafi. The automation piece is definitely the best out there. I've dealt with other CLMs in the past, and I've really struggled with products that don't work. Venafi works. There are these issues here and there, but the fact that it works is a big plus. For example, we were able to do integration with F5s, so our entire organization doesn't have to worry about that aspect of it, and our networking team doesn't have to be humongous. The networking team is probably one of the most overworked teams anywhere, in any enterprise, but we've managed to cut down their certificate work by loads. They're probably only doing 10%, maybe even 5%, of the certificate work they should be doing if they were doing it manually.

Venafi has definitely helped reduce risk in my organization. We can scale out certificates as quickly as we can, so in the example of the automation of the F5, just the fact that we're able to scale out some certificates pretty quickly definitely stops us from being in a non-secure manner. 

Venafi has helped us reduce the mean time to respond. I don't have to go into the CA to get a certificate. I can just log in quickly to the Venafi web app and get a cert with two or three clicks. That's pretty handy. 

Venafi has helped my organization free up staff to work on other projects or tasks; the companies that have been able to implement it in creative ways have managed to do it to a point where the team doesn't even need to be that big. There are only just four of us dealing with certificates, and that's pretty small compared to most other companies out there. The fact that we were able to implement it correctly in the beginning and utilize the tools around the space and those that can attach to it has definitely freed up a lot of our space to a point where it's running itself.

What is most valuable?

The support is definitely great. What I like best about Venafi is that it's very easy to get somebody on a call and get any of my questions answered. That's probably the biggest thing. Besides the fact that it's a mature product and it works, the support is a big deal. 

What needs improvement?

There's definitely lots of room for improvement with Venafi. They have a website where we can suggest new features, and they need to take that a little bit more seriously. I don't know if they're backing out because of numerous requests, and I know developers are always working hard to get the new features out, but there's definitely a lot that can be done still. There are quite a few different technical aspects of Venafi that I feel they just missed out on; I'd have to look at my notes for the specifics.

For how long have I used the solution?

I have been using Venafi since 2021, so about 4 years now.

What do I think about the stability of the solution?

Venafi is a stable product. It's definitely more stable than others. If there's ever been an issue with Venafi, it usually tends to be something else; maybe the Windows server just needs a reboot or something, and very rarely do we see big issues that are bugs. The bugs exist, but the organizations I've been in haven't been hit as much with the bugs that are out there.

What do I think about the scalability of the solution?

Scalability with Venafi is good; you can definitely use it if you have ten thousand certs, a thousand certs, a million, or a couple million. I know of an organization that I was almost hired into that has millions of certs, and they were explaining it to me, so Venafi is definitely scalable.

How are customer service and support?

The support is definitely great. It is easy to get somebody on a call or get any of my questions answered, so that's probably the biggest thing. I would rate their customer support a nine out of ten because there are situations where support could be improved. They could improve their technical support team by just training up; it's a work in progress.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used NCLM, which is Nokia's product for certificate lifecycle management, in the past.

How was the initial setup?

I've just always known how to do the initial setup for Venafi; they have their documents, but we also have the support of the vendor if we have any questions.

Which other solutions did I evaluate?

I have evaluated other solutions before choosing Venafi; there's Keyfactor, DigiCert, Entrust, and a whole bunch. It always seems to be between Keyfactor and Venafi for me. Venafi has always been the tool that I've utilized; I haven't really gotten into Keyfactor quite yet, so I can't really speak to that.

What other advice do I have?

I would say that using Venafi is not for beginners, but the documentation is there, and they make it really easy for you to use. You should have an idea of what PKI is before you jump into it. You need a little bit of training to use Venafi; it's not something that you would just jump in and be able to do right without some training. 

It's definitely worth the money to have Venafi as a tool; it's definitely miles away from the competition, in my opinion. Deployment with Venafi is very easy. I would recommend Venafi to other people. 

I would rate Venafi a nine out of ten.


    reviewer2678859

Offers a lot of control and streamlines certificate lifecycle management

  • March 27, 2025
  • Review provided by PeerSpot

What is our primary use case?

I work in telecom. I am not only working with Venafi; I am also working with other CyberArk products.

The most important use case for us is certificate inventory, discovery, automation, and lifecycle management of multiple endpoints across multiple platforms. We automate certificates on various platforms, including OpenShift. We are working on Azure migrations. Venafi acts as a central core platform. It provides a view of every application certificate hosted and serves as a central system to implement security governance policies. Venafi acts as the heart of everything we do.

How has it helped my organization?

Its automation capabilities are strong, supported by robust driver setups. Additionally, Venafi's training materials and documentation help end users of various technical levels effectively. In a large company like ours, not every user is the same. They do not have the same level of technical understanding. A good thing is that their documentation is good and detailed. You can take a driver and go step by step. It clearly explains to you what you have to configure.

We have reduced 80% to 90% of our outages with Venafi, which impacts the revenue substantially. They have introduced automation for OpenShift through Venafi which has made the lives of developers much easier. Whenever we want to implement some policies, we target only one secret. The developers get to focus on developing their applications. They can spend time on their applications and leave the security for us.

I have done PoCs with multiple vendors. Compared to others, Venafi is a bit advanced. They are three to six months ahead in terms of technology. For Azure integration, they have an out-of-the-box driver. There is no need to spend time. We just need to follow the step-by-step process that they have explained, and that is it. It works.

We previously had an in-house tool that only gave us notifications and reminders. With Venafi, we have consolidated all the principles in a central platform. It helps teams to have a central view of anything. We have also integrated Venafi with a lot of vulnerability management tools to have a central view. We are using reporting to have a central plane of data where every week, anyone can come and see the status.

It helps notify people. It gives a heads-up to the people regarding what is happening in their system for their certificates. It has reduced the overall complexity. We are not where we were five years ago. If we want to change the root certificate altogether, we can just push it from Venafi. We just push the certificate onto the endpoint. Most people are now aware of what is happening with their applications.

The core principle of policies, automation, and notifications has reduced the time for a product to be deployed in production. It helped people understand how to use a certificate and how to configure it.

It has saved time. Previously, if the application team wanted to deploy something, they had to rebuild the code and other things. They used to take two days, which has now been reduced to almost half an hour. Once they configure it, they just push it. Even for OpenShift, the time was reduced from five hours to ten minutes.

What is most valuable?

The most important feature for us is the ease of use. If something is not available, we can develop our own scripts for it. We can create change management around this tool.

We also have a lot of control, such as deciding when our application team wants to push implementations and making detailed reports. We can have reporting for change management, problem management, and lifecycle management. If someone is not renewing on time, we can notify them that this has been scheduled. We can do tracking and have workflows around it. It is easy. We can integrate it with almost everything.

What needs improvement?

The product was really good when it was a Venafi product. However, since its acquisition by CyberArk, there has been a lack of significant innovations. They are pushing for cloud adoption, but we prefer on-premises solutions due to regulatory concerns. They are giving support for cloud-based and SaaS solutions. I would like equivalent support for on-premises ecosystems.

Integrating Venafi with CyberArk's Conjur for centralized secret management is currently challenging for us. Conjur is a central platform where applications can store all kinds of secrets, even certificates, private keys, and passwords in a central location, and that can be distributed everywhere. This integration is crucial for our seamless operations, and we have been awaiting a solution for nearly two years.

For how long have I used the solution?

I have been using the solution since 2021, so it has been almost four years.

What do I think about the stability of the solution?

We encounter hiccups, but 95% of the time, it runs perfectly fine for us.

What do I think about the scalability of the solution?

Scalability is an issue for us, requiring new components or servers for installation. Horizontal scaling is a necessity rather than vertical scaling. However, with a proper ecosystem design, it should not pose significant problems.

How are customer service and support?

We worked directly with Venafi professional support, and our experience was excellent. Their technical support is knowledgeable and helpful, making Venafi stand out among other CyberArk products.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We initially had our own in-house component for lifecycle management, but it was not effective. We developed our own scripts, but they did not fulfill all our needs. This led us to adopt Venafi.

How was the initial setup?

I was responsible for choosing and deploying this solution. Its initial setup is straightforward, but they have to improve the upgrade process. In a distributed network, you have machines everywhere, and it takes time. They have improved it a bit, but sometimes it is better to do it server by server. 

Overall, it is easy. You just have to install the package on a server. That is it. You can enforce policies. All CyberArk products are like this.

After we started using the product, we saw its value within nine months. The shorter the certificate lifecycle, the more apparent the benefits. We have policies that allow us to realize the value within approximately nine months.

We took approximately three to four months to prepare the setup for automation. It took about eight to nine months for all the teams to get used to it. In a year, it was completely in production and operational mode. The application team started using the automation principles and following the self-service model. Our team is not involved in anything. People come and have a certificate. They do their automation on their own.

It does not require any maintenance. If you have implemented it well, it just keeps running. You have to build your process around it. We planned it and got it reviewed by Venafi. We are following the best standards and best practices of the industry. We upgraded it in November, and so far, we have not touched anything. It is just running on the latest version.

What about the implementation team?

We worked directly with Venafi professional support.

What was our ROI?

Measuring benefits or returns in security is challenging for us. We reduced outages by 80%, but quantifying that in terms of revenue saved is difficult, as each outage has its unique value.

What's my experience with pricing, setup cost, and licensing?

The pricing has increased for us, impacting our organization due to its operational expenditure (OPEX). The pricing model is complex, considering factors beyond the number of certificates. This complexity can make our payments to Venafi challenging if costs continue to rise. It is good but more expensive than the competitors.

Which other solutions did I evaluate?

We conducted a proof of concept with two vendors aside from Venafi. The ease of use, responsiveness, and accuracy made Venafi stand out. Venafi reliably executed tasks and provided feedback. That gave it an edge over other products. However, now, Venafi lacks innovation which seems to be an issue with all CyberArk products.

What other advice do I have?

To someone who is looking into Venafi but already has a legacy solution in place, I would recommend going for Venafi. It helps understand the ecosystem and enforce policies. You can have visibility into all the certificates and automation with the cloud and on-premises solutions. Integration is easy and straightforward.

You should understand how teams are organized in your company before starting with Venafi because everything is based on permission sets. After identifying the teams, you can prepare policies for them and integrate them with Venafi.

Overall, I would rate Venafi an eight out of ten.

Which deployment model are you using for this solution?

On-premises


    Adam Goldstein

Automates certificate management across platforms and has enhanced integration support

  • December 09, 2024
  • Review provided by PeerSpot

What is our primary use case?

As the Venafi administrator at my previous organization, which was a payments processor and software company handling payments, I managed hundreds of certificates, primarily for TLS termination. We automated certificate management within Venafi and integrated it with Fortanix, a hardware security module, to achieve FIPS 140-3 compliance. My role involved structuring Venafi's folder structure, assigning ownership, and training various teams across the organization on using the platform. This included introducing the marketing team to the tool and setting up integrations. Beyond the technical implementation, I focused on fostering organizational buy-in by explaining Venafi's capabilities, providing training, and empowering teams to choose their level of engagement. This collaborative approach ensured that teams understood the benefits of Venafi and could effectively monitor and manage their certificates.

Beyond adhering to best practices, we implemented Venafi to address the stringent security requirements of our banking partners. As a B2B SaaS provider for healthcare payments, we white-labeled our services for major banks that demanded advanced security for certificate generation. While Venafi offers native Fortanix integration for encrypting its database with a Fortanix-generated master key, this did not meet our partners' specific requirements. To achieve full compliance, we collaborated with consultants to develop a more advanced integration, ensuring each certificate was generated directly within Fortanix. This solution ultimately enabled us to meet STIP compliance standards for our larger banking customers.

How has it helped my organization?

Venafi actively develops its software and tools, maintaining compatibility with major platforms and generally staying up-to-date with industry changes. Like many mid-sized companies, it addresses bugs and implements new features based on customer feedback and demand. While it may not immediately integrate every new technology or process, such as DNS certificate re-verification, it typically adapts within six months to a year. However, the constantly evolving nature of certificate management presents an ongoing challenge for Venafi, requiring it to adapt to changes made by certificate authorities like GlobalSign continually.

Certificate management without a dedicated tool like Venafi or Keyfactor often resembles the Wild West, with companies employing risky practices such as generating keys on individual laptops and relying on spreadsheets for tracking. This leads to poor certificate handling, security vulnerabilities, and compliance issues. Venafi provides a centralized, platform-agnostic solution for managing certificates across diverse environments like Windows IIS, GlobalSign, AWS, Azure, and GCP. By automating certificate lifecycle processes, Venafi enforces best practices, improves security posture, and helps organizations meet compliance requirements. While Venafi offers integrations with HSMs like Fortanix and potentially Talos, its core strength lies in centralizing and securing certificate management, making it a valuable tool for growing companies.

Venafi is essential for achieving SOC and PCI compliance, mainly when working with larger banks that require adherence to FIPS 140-3 standards. This standard mandates using a Hardware Security Module for certificate generation and distribution, which is inefficient and impractical to manage manually. Venafi provides a crucial solution by seamlessly integrating with HSMs, automating certificate deployment, and ensuring compliance with high-grade banking regulations. While implementing Venafi can be challenging, it is indispensable for achieving FIPS 140-3 compliance and robust certificate management.

While Venafi didn't necessarily save time, it provided a solution where none previously existed. It wasn't about efficiency but rather about enabling a task that was previously impossible. Venafi offered a path to completion, even if it didn't expedite the process.

Venafi helps reduce response times by enabling automation where possible and enhancing visibility between technical teams and product owners when automation isn't feasible. This improved global visibility significantly contributes to faster resolution times.

Venafi has significantly reduced our risk exposure by enabling touch-free certificate generation and distribution. Manually handling certificates increases vulnerability, as private keys can be easily misplaced, stored insecurely, or lack adequate password protection. Automating this workflow with Venafi minimizes human interaction with private keys, mitigating potential security risks.

What is most valuable?

Venafi's automation capabilities were significant, as they allowed us to automate certificate rotation and deployment effectively. We integrated it with GlobalSign and aimed to automate DNS verification, although challenges remained. Venafi's platform-agnostic nature was beneficial for handling certificates across different systems like IIS, AWS, and Azure. It ensures centralized certificate management, which is crucial for compliance and maintaining best practices.

It significantly improved our operational efficiency by automating certificate workflows. This reduced the number of certificates requiring manual management, freeing internal resources from deploying trivial certificates. While some complex certificates still needed manual intervention, automating simpler ones eliminated internal bottlenecks associated with tasks like uploading certificates to Imperva. By automating these processes, we reduced errors, streamlined workflows, and eliminated the need to repeatedly remember and execute complex procedures, ultimately increasing our overall operational efficiency.

The automation capabilities are good; when properly configured, it performs as expected.

What needs improvement?

Venafi excels in automating certificate rotation and deployment but could enhance its offering by improving support for hardware security modules like Fortanix and providing more advanced, out-of-the-box integrations with public certificate authorities for DNS re-verification. Currently, the yearly DNS verification required by certificate authorities necessitates manual intervention, hindering full automation. This limitation, however, is not unique to Venafi, as most tools lack the API integration necessary to automate the verification process with certificate authorities. Until such integration is achieved, the added security layer of domain verification will continue to pose a challenge for fully automated public certificate management.

For how long have I used the solution?

I used Venafi for two years.

What do I think about the stability of the solution?

Venafi is super stable, and we experienced no issues with its stability.

What do I think about the scalability of the solution?

Venafi scaled well, and there were no issues with the tool's functionality. The main challenges arose in the integrations.

How are customer service and support?

Venafi's technical support is excellent, with even their first-tier support being in-house and highly competent. This expertise is likely reflected in the licensing cost, as certificate management is complex, and Venafi invests in ensuring customer success. Their support team, even at the initial level, demonstrates a strong understanding of certificate management. For example, when we encountered bugs with the Imperva integration, their first-tier support effectively diagnosed the issue, gathered information, and escalated it appropriately. This level of competency across all support tiers makes Venafi's support a valuable asset.

The downside is that Venafi is a smaller company, likely with limited staff, so its support may not be as comprehensive as Microsoft's global 24/7 offering. As a US-based company, its support model primarily caters to that region. While I haven't personally needed to contact support at odd hours, their availability likely reflects their size and focus on the US market.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

My previous experience with certificate management is primarily limited to Amazon Certificate Manager. While ACM offered the convenience of a fully integrated solution, it led to vendor lock-in. To avoid this, we chose Venafi, intending to remain platform-agnostic.

How was the initial setup?

The infrastructure deployment is moderately complex, with a difficulty level of approximately four out of ten. While the basic setup is relatively standard, complexity increases with advanced SQL configurations or high-availability disaster recovery implementations. However, the initial setup of Venafi itself is fairly straightforward.

What was our ROI?

With Venafi, it wasn't about saving time but achieving functionality that was otherwise impossible, such as distributing certificates without manual intervention.

What other advice do I have?

I would rate Venafi as an eight out of ten. While Venafi is a powerful tool for certificate automation, its successful implementation requires careful planning, approvals, and company-wide buy-in. This can be challenging, especially for larger organizations lacking the dedicated resources for such a project. Although smaller companies might find deployment easier, Venafi's cost and advanced features may be prohibitive unless they manage many certificates or require complex functionalities. For companies like ours, built on mergers and acquisitions, Venafi becomes essential for standardizing certificate practices across diverse entities. However, smaller companies with more straightforward needs might find manual certificate management more cost-effective.

Venafi's difficulty is effectively structuring the tool to align with an organization's certificate management needs and best practices. While the tool itself is straightforward and has a user-friendly interface, its implementation can be challenging, especially for larger organizations with complex hierarchies and numerous certificates. Success with Venafi requires a strong understanding of certificate management, the organization's structure, and the ability to translate that structure into Venafi's policy tree. This can be particularly difficult for those unfamiliar with similar tools or lacking in-depth knowledge of their organization's certificate usage. Although Venafi simplifies certificate automation, the initial setup and configuration require careful planning and a deep understanding of both the tool and the organizational context.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    reviewer2600361

The reporting capabilities are crucial in helping us meet regulatory compliance requirements

  • December 09, 2024
  • Review provided by PeerSpot

What is our primary use case?

We use Venafi for certificate management, including tracking expiration dates and automating installations. Venafi eliminates manual installation by automating the process across various endpoints, including servers, load balancers, and cloud workspaces like AWS and Azure.

Venafi solved our healthcare-related identity security problems by automating the monitoring of certificate expiration dates. Previously, this was a manual process, but Venafi automatically emailed certificate owners and their managers, escalating notifications without our intervention. This automation eliminates manual reports and prevents outages caused by certificate expirations.

We currently operate on-premises but have purchased a cloud-based SaaS version of Venafi that is being deployed.

How has it helped my organization?

Venafi is generally user-friendly. While administrators require some training, the end-user experience is intuitive. Venafi provides comprehensive user guides with step-by-step instructions, but most users can easily navigate the platform and complete tasks without consulting documentation.

The automation capabilities have significantly improved our workflow by automating the installation of certificates on servers, endpoints, load balancers, and cloud workspaces. This automation has eliminated the need to manually install certificates on each device, saving us valuable time and resources.

Automation helps reduce human error by providing a clear validation trail. For example, within a certificate object, we can easily see where a certificate was installed, such as in AWS or on a load balancer. This automated validation ensures accurate tracking and eliminates the need for manual verification, which can be unreliable and prone to errors.

Venafi simplifies certificate renewal by offering a seamless process that allows users to renew certificates with a single click.

We saw the benefits of Venafi immediately after deploying it, as our previous solution was inadequate. The reporting feature alone significantly improved, allowing us to track every certificate. Venafi's discovery feature also proved invaluable, identifying certificates on our systems that we were unaware of. This allowed us to import them into Venafi, monitor their expiration dates, assign owners, and communicate with those owners about renewals or compliance issues, such as the use of self-signed certificates. By proactively addressing these issues, we ensured the security and compliance of our certificates from day one.

Venafi's reporting capabilities are crucial in helping us meet regulatory compliance requirements. Their signing algorithm report allows us to scan every certificate within our organization to identify any that are out of compliance, such as self-signed certificates. This enables us to locate the certificate owner, have them rectify the issue, and update the certificate in Venafi. The comprehensive reporting facilitates the identification and resolution of any compliance concerns.

Venafi's reporting mechanisms help us reduce our mean time to respond by quickly identifying and addressing compliance issues and compromised certificates. We can locate the certificate owner and promptly fix any non-compliant certificates. In the event of a compromised certificate, Venafi enables us to create a new one swiftly, deploy it to servers or cloud workspaces, and renew and install it within minutes.

Venafi helped us reduce risk exposure by migrating all identified self-signed certificates to trusted certificate authorities during our discovery process, mitigating any associated risks.

We would be overwhelmed if we had to install all these certificates manually on each endpoint. Venafi automates this process, eliminating the need for constant monitoring and freeing up our time significantly. With Venafi, we simply initiate the process and let it run, saving us the equivalent of two additional employees.

While Venafi's services come at a cost, the increased efficiency ultimately saves us the expense of hiring two additional employees.

Venafi has a minimal learning curve. New users can typically log in and navigate the product without guidance, with only about 10 percent requiring minor assistance.

What is most valuable?

The most valuable feature of Venafi is the automation that helps save time and reduce human error.

What needs improvement?

Venafi could enhance its offerings by providing more automation features. Currently, specific processes require manual installations due to the lack of built-in integrations. While custom scripts can address some gaps, expanding the range of out-of-the-box integrations would significantly improve the user experience.

For how long have I used the solution?

I have used Venafi for six years.

What do I think about the stability of the solution?

Venafi's stability has been consistently reliable. We generally experience no problems with its functionality. Occasionally, IAS might become unresponsive after patching, but this issue is not unique to Venafi and could occur with any site.

What do I think about the scalability of the solution?

Our Venafi platform is load-balanced and segregated by team, ensuring that users can only access certificates relevant to their work. This role-based access control enhances scalability and efficiency by providing a focused view of necessary information.

How are customer service and support?

Venafi's technical support is impressively fast. Inquiries are typically addressed the same day, with most issues, even complex ones, resolved within 24 hours. Their responsiveness and efficiency have consistently exceeded our expectations.

How would you rate customer service and support?

Positive

What was our ROI?


What's my experience with pricing, setup cost, and licensing?

Venafi's pricing appears to be competitive within the market. After evaluating other vendors, we found that Venafi offers good value for the cost, and we are satisfied with their pricing structure.

What other advice do I have?

I would rate Venafi a nine out of ten. There is room for improvement, but we are extremely happy with it.

Venafi requires regular maintenance, such as server patching and yearly software updates, which are common to most applications. Beyond these standard tasks, Venafi does not demand excessive upkeep. 

Which deployment model are you using for this solution?

On-premises