- Fix bogus error during
New-VcMachineCommonKeystore
#304 - Update VC machine creation components due to API deprecation
- Add
Get-VcSatelliteWorker
, either all, by id or all workers associated with a specific satellite - Add
Remove-VcSatelliteWorker
, you guessed it...removes vsat workers - Add
Get-VcSatellite -IncludeWorkers
to get vsats and their associated workers in one call. - Add
Invoke-VcCertificateAction -Provision
to push a certificate to associated machine identities. You can also use-Renew -Provision
together and it will renew and then provision the new certificate. - Add
Set-VcApplication -IssuingTemplate
to add one or more issuing templates to an application. It will overwrite by default or use-NoOverwrite
to append.
- Add
Set-VcCertificate
. This replacesAdd-VcCertificateAssociation
to set the applications associated with a certificate. Certificate tagging is now supported, both add and replace. - Add support for URL port during TLSPDC token operations, #305
- Fix Find-VdcObject documentation page not building, #302
- Rebranding post CyberArk acquisition
- Add specific exception types when working with invalid paths or access issues on VDC objects
- Merge all functions into 1 psm1 module. This yields much better performance, especially when running multithreaded.
- Add multithreading support on PS v5 with the Microsoft.PowerShell.ThreadJob module (installed separately). If the module isn't installed, multithreading will be disabled. Set
-ThrottleLimit
to 1 on the functions that support it to disable multithreading on PS v5 and v7. - Module now available in the GitHub release. This is helpful for those without access to PowerShell Gallery, although that is the preferred option.
- PSSodium, needed for several TLSPC functions for encryption, is no longer directly included in the module. Install it from the Gallery.
- The VenafiSession class has been deprecated and replaced with a PSCustomObject equivalent
- Key based authentication on TLSPDC has been deprecated
- Default
Invoke-VdcCertificateAction -Push
to push to all applications and added an example to override and push to specific applications
- Add batching to
Invoke-VcCertificateAction
with progress and verbose logging. Batches will be 1000 by default, but can be overridden with-BatchSize
. Also added better use of ShouldProcess.
- Fix
Import-VdcCertificate -Data
failure due to being converted to an array. #290
- Add
Export-VdcVaultObject
to retrieve historical certificates. This function supports certificates, keys, and p12. #280 - Add support in
New-VcConnector
for manifests from the simulator and 'full' ones which already have deployment details - Fix
Add-VcCertificateAssociation
when piping certificate objects, #284 - Fix examples in
Get-VcCertificate
andGet-VdcCertificate
referencing old parameter names, #279
- Add
Get-VdcCredential -IncludeDetail
to provide additional credential information eg. expiration, path to linked certificate, and more - Add discrete parameters to
Set-VdcCredential
to simplify updating credentials;-Value
will be deprecated. Add support for updating the Expiration and setting a Credential 'link' to an existing certificate in TLSPDC. - Update
Invoke-VcWorkflow
API endpoint #275 - Fix
Test-VdcToken -VenafiSession
when the parameter value is null/empty #274
Get-VdcAttribute
parallel enhancements to support input objects of -Path and not just -All. #271- Add
Get-VdcAttribute -ThrottleLimit
- Add
Export-VcCertificate -PKCS12
, requires PowerShell v7.1+. #251 - Add
New-VenafiSession -TimeoutSec
, the default is 0 for no timeout. If using SecretManagement, store this with the other metadata. - Add support for
Invoke-VcCertificateAction -Renew -AdditionalParameters
. The use case was renewing many certificates with a different issuer. - Update
Set-VdcPermission
to accept just permission switches and not require a permission object. This assists in setting a permission for the first time for a specific id. - Fix
Get-VdcAttribute
andSet-VdcAttribute
recognizing custom field guids, but not labels
- Fix
Invoke-VcCertificateAction -Renew
flagging multiple applications incorrectly
- Add support for managing TLSPC Connectors via
Get-VcConnector
,New-VcConnector
,Set-VcConnector
, andRemove-VcConnector
. The old Connector functions, Get, New, and Remove, which were for managing Webhooks, have been renamed to more appropriately reflect their usage. They are nowGet-VcWebhook
,New-VcWebhook
, andRemove-VcWebhook
. - Add support for TLSPC EU region with
New-VenafiSession -VcRegion
. The default is 'us' and accepts 'eu' as well. This detail will be stored in the resulting session and vault if utilized. - Update
Invoke-VcCertificateAction -Renew
to retrieve all existing CSR details, #260, #264. Also update this function to return any missing/incorrect details when renewing. - Add
Invoke-VcCertificateAction -Renew -Force
to override the default behavior of stopping when more than 1 common name is encountered. Use of-Force
will use the first common name found in the array. - Update readme to remove deprecated -VaultMetadata parameter, #256
- Fix duplicate parameter error with
Get-VdcAttribute -All
, #259 - Update default value of
New-VcCertificate -ValidUntil
from 1 year to 90 days
- Fix property not found error with
New-VenafiSession -AccessToken
, #252 - Update
Invoke-VenafiRestMethod
to ensure parameter verbose output does not convert the body to json twice
- Add parallel functionality to
Remove-VdcObject
. PS Core for now, Windows PowerShell coming soon. - Fix invalid function reference with
New-VdcCapiApplication
, #247 - Fix wilcard certificate not accepted with
New-VdcCapiApplication
, #248
- Add custom field value lookup to
Find-VdcObject
. Utilizing existing-Attribute
and-Pattern
parameters, find objects where Attribute is a custom field name or guid and Pattern is the value you are looking for. - Add parallel functionality to
Remove-VdcCertificate
for bulk cleanup
- Fix byte encoding bug with
Import-VdcCertificate
- Add
Get-VcData
private function to centralize retrieving VC data for non search objects - Better messaging when VSats aren't available, #242
- Add messaging when PSSodium cannot be loaded, #239
- Add workaround for TLSPDC API failure when importing PKCS12
- Fix incorrect path for Sodium in
Export-VcCertificate
, #234
- Fix path error when running in parallel on PS Core, #235
-
Add framework for dynamic tab completion.
-
TLSPDC: currently, the Path variable is enabled. For any Vdc functions with a Path parameter, you can now use tab completion to provide the path. Tabbing without a value will default to '\ved\policy'. Future versions will be aware of the type of item you are looking for and filter appropriately.
-
TLSPC: Application, MachineType, VSatellite, and Certificate have all been enabled. Tab completion will provide a list of names which are much easier to remember than a uuid. All functions with these parameters have been updated to accept an id or name.
-
To see a bash style listing where you can see a full list and select with arrow keys, you can either set your tab key action via
Set-PSReadlineKeyHandler -Key Tab -Function MenuComplete
or use Alt + =.
-
- Fix
New-VenafiSession -VcKey
not storing key as credential and causing Invoke-VenafiRestMethod to fail
- Add search properties Status, ExpireBefore, ExpireAfter, Version, and SanDns to
Find-VcCertificate
- Add
Remove-VdcCertificateAssociation
- Update
Export-VdcCertificate
to return just certificate if private key isn't available for supporting formats - Add support for PKCS #8 in
Import-VcCertificate -Data
, by file will come in a future release
This is a major release. Although every attempt has been made to be backwards compatible, existing scripts will likely require some updates. Please read the full release notes.
- TPP is now TLS Protect Datacenter (TLSPDC) and VaaS is now TLS Protect Cloud (TLSPC). All functions have been renamed to prefix with
-Vdc
(Venafi Datacenter) or-Vc
(Venafi Cloud). Combined platform functions, those prefixed with-Venafi
, have all been updated to dedicated platform functions. The desire to add additional functionality for each platform and reduce parameter set complexity drove this decision. The only exception to this rule are the functions related to the session. Aliases have been added where applicable. - VenafiPS is now signed.
Test-ModuleHash
has been deprecated. - VenafiSession is stored for nested operations each time a function is called directly. This has 2 main benefits:
- Performance enhancement bypassing
Test-VenafiSession
in nested functions - No longer need to pass VenafiSession to each function when sending function output down the pipeline
- Performance enhancement bypassing
- Parallel functionality added for many functions, notably export and import certificates. Ensure you are using PowerShell v7!
- Add Certificate, Key, and Chain PEM to
Export-VdcCertificate
andExport-VcCertificate
Base64 output - For PSCredential objects which only required a password and not username, add the ability to provide either a password String, SecureString, or PSCredential.
Find-VaasObject
has been replaced with dedicated functionsFind-VcCertificateRequest
,Find-VcLog
,Find-VcMachine
, andFind-VcMachineIdentity
. These functions have property filters specific to their types making it super easy to search.- Environment variable names updated:
- TPP_SERVER -> VDC_SERVER
- TPP_TOKEN -> VDC_TOKEN
- VAAS_KEY -> VC_KEY
- Add keystore/private key import to
Import-VcCertificate
- Update
Invoke-VenafiParallel
to be version aware. Parallel on PowerShell v7+, synchronous otherwise - Add option to save .crt/.key with
Export-VdcCertificate
, #226 - Update TLSPC searching to make -Order case insensitive
- Fix
Get-TppAttribute -Disabled
not working, #221 - Fix exporting JKS to a file, #225
- Add option to save exported certificate and key to separate files, #226
Revoke-TppCertificate
deprecated, useInvoke-VdcCertificateAction -Revoke
- Dedicated removal functions created for TLSPC
- Add filters
-IsSelfSigned
and-IsWildcard
toFind-VdcCertificate
- CodeSign Protect functions have been deprecated
- Remove deprecated application server types from
New-VaasCertificate
- Add
Find-VaasMachine
to find machines by type or status. The list of attributes to search by will increase over time.Find-VaasObject -Type Machine
can always be used as well. - Add
Get-VaasMachine
to get machines by uuid, name, or get all. - Update
Invoke-VaasWorkflow
output to include workflow id (wsClientId) - Add machine creation functions
New-VaasMachine
,New-VaasMachineIis
, andNew-VaasMachineCommonKeystore
. These require PowerShell v7+ and have parallel processing.New-VaasMachine
is for basic machines with hostname, credential, and optional port, eg. Citrix and F5. - Add machine types to $VenafiSession.MachineTypes when using
New-VenafiSession
for VaaS - Add
Invoke-VenafiParallel
private function to easily execute operations in parallel. Requires PowerShell v7+. - Add argument completer to
New-VaasMachine -MachineType
andFind-VaasMachine -MachineType
for dynamic tab-ahead list of machine types - Add PSSodium as a nested module, required for machine creation functions
- Add
Find-VenafiCertificate -SavedSearchName
to find VaaS certificate details via an existing saved search filter - Add
Get-VaasSatellite
to retrieve vsatellite details optionally including encryption key and algorithm - Add
Set-VaasCertificateAssignment
to add or replace applications associated to certificates - Add User property to
$VenafiSession
when connecting to VaaS. All kinds of helpful info here including company ID. - Fix credentials not being written to the vault with
New-VenafiSession -VaultVaasKeyName
- Add specific error messages when a TPP token scope/privilege is not sufficient for the current function. The message will include both the current and missing scope/privilege, #175.
- Add
Set-VaasTeam
to update existing VaaS teams. You can update the name, role, and/or user matching rules. User matching rules can be overwritten or appended to. - Add
Remove-VaasObject
to remove a VaaS team, application, machine, machine identity, tag, or connector. - Remove
TppObject
class. This was causing issues for some who aren't familiar with the Using keyword and differences between it and import-module when it comes to classes. - Add
Invoke-VaasWorkflow
to trigger either a Test, Provision, or Discover machine/machine identity workflow. As one example, this is super helpful when looking to automate renewal and provisioning of certificates that may expire soon.
- Fix error with
Get-TppPermission
when an identity which had been permissioned has had its account deleted. Explicit permissions will be returned, but the identity path and name will be null as we can no longer look it up from the provider. Get-TppPermission -Attribute
has been deprecated. Identity path and name are included in the return object. For other attributes, useGet-TppIdentityAttribute
.
- Add
Set-TppAttribute -NoOverwrite
to allow additions to an attribute list. #189 - Add
Get-TppAttribute -NoLookup
for the remote cases where a built-in attribute and custom field have the same name. The default will be to look for a custom field. Use-NoLookup
to override. #192 - Add ability to export the chain on VaaS with
Export-VenafiCertificate
- Add ability to export a certificate to a file on VaaS with
Export-VenafiCertificate
- Fix certain characters in friendly name causing
Test-TppIdentityFormat
to fail, #205 - Add ability to set specific permission with
Set-TppPermission
and not just an entire permissions object, #197 - Enhance pipeline support for
Set-TppPermission
- Fix failure removing a custom field value with
Set-TppAttribute
, #199 - Fix
ConvertTo-TppFullPath
appending '\ved\policy' incorrectly on non-Windows environments
- Add support for JWT token authentication in
New-VenafiSession
andNew-TppToken
- Add 'all' token scope with 2 values, 'core' and 'admin'. 'Core' is all scopes except for admin and 'admin' includes admin. Use as
New-VenafiSession -Scope @{'all'='core'}
. Not suggested for production environments - Add
-SkipCertificateCheck
toNew-VenafiSession
andNew-TppToken
to bypass certificate checking, useful in pre-production environments, connecting via IP, etc. If you aren't creating a new session, but providing a token directly to a function, the same functionality can be found by setting an environment variable$env:VENAFIPS_SKIP_CERT_CHECK=1
. If vaulting your token, this value will also be vaulted in the metadata making it very easy to useNew-VenafiSession -VaultRefreshAccessToken $name
and connect to pre-prod environments with no certificate checking New-VenafiSession -VaultMetadata
is now deprecated and metadata will be vaulted by default- Token scope is now vaulted in metadata and added to $VenafiSession when using
-VaultAccessTokenName
or-VaultRefreshTokenName
ofNew-VenafiSession
- Update
Write-VerboseWithSecret
to support secrets in delimited json - Fix TppObject ParentPath error when it contains certain characters, #186
- Fix object does not exist error with
Move-TppObject
in a try/catch, #185
- Fix
Get-TppClassAttribute -All
error when providing VenafiSession directly, #182
- Add
Remove-TppObject
to remove any object. Multiple people have asked for this so it's been added, but be careful using it as it can be very destructive. Recommend using -WhatIf to validate. - Fix
Invoke-VenafiCertificateAction
always running as verbose, #173 - Fix
Set-TppAttribute
error when providing a null value, #176 - Fix
Set-TppPermission
error when providing VenafiSession directly, #174
- Add specific event webhook subscription, not just types, and criticality option to
New-VaasConnector
- Fix
Get-TppObject
returning invalid parent path, #166 - Fix
Get-VenafiCertificate -All
not paging through all results, #164 - Update
Remove-TppCertificate
andRemove-TppCertificateAssociation
to align with latestGet-TppAttribute
changes, #168
- Fix
Set-TppAttribute
not setting integer values, #145 - Fix
New-VenafiSession
sending null header for windows integrated authentication, #162
- Add
Find-VaasObject
to search for ActivityLog, Machine, MachineIdentity, CertificateRequest, and CertificateInstance - Add
-IssueDateBefore
andIssueDateAfter
toFind-VenafiCertificate
for TPP - Add
New-TppObject -Force
to create missing parent policy folders - Supercharge New-TppPolicy
- Add
-Name
to provide a list of policy folders to create - Add
-Attribute
and-PolicyAttribute
to set both kinds of attributes at policy creation time - Add
-Force
to create missing parent policy folders
- Add
- Update messaging for
Export-VenafiCertificate
when using parameters for the wrong platform, #149 - Update
New-VaasApplication -Owner
to accept a name in addition to guid - Update VaaS searching to be aware of fields/values case sensitivity and adjust where needed. Eg., certificatestatus as opposed to certificateStatus.
- Fix
Find-TppObject
parameter sets to disallow -Recursive when -Path not provided, #153 - Fix
Find-VenafiCertificate -Issuer
not working due to missing quotes, #146 - Fix
Invoke-VenafiRestMethod -FullResponse
consuming certain errors instead of throwing them, #152 - Fix
Get-VaasIssuingTemplate -All
not executing under certain circumstances
- Minor bugfix
- Add
Add-TppAdaptableHash
to automate the updating of an adaptable script hash. Thanks [@wilddev65]! - Add
New-VaasCertificate
to create new certificates with VaaS - Add
Revoke-TppGrant
to revoke all grants for a specific user - Update
Import-VaasCertificate
to accept a name for the application (wildcards supported) - Add
Get-VenafiCertificate -All
for VaaS - Update
Get-VenafiCertificate
to persist -ExcludeExpired and -ExcludeRevoked when using -All - Fix parameter error with
Get-VaasIssuingTemplate
when piping multiple values
- Rewrite Get-TppAttribute
- Greatly simplified with far less parameters needed
- Attributes, which have values, available as properties at the root level in the response. This is useful for direct value access.
- A property named
Attribute
has been added with all attribute names, values, and configuration. This is useful for looping over the attributes, determining where a policy attribute is set, and more.
- Add TPP engine management functions
Add-TppEngineFolder
,Find-TppEngine
,Get-TppEngineFolder
, andRemove-TppEngineFolder
. Thanks @ccamacho1966! - Add VaaS connector management functions
Get-VaasConnector
,New-VaasConnector
, andRmove-VaasConnector
. Currently limited to webhooks with event type scope. - Add VaaS and TPP certificate deletion to
Invoke-VenafiCertificateAction
- Add
-IncludeVaasOwner
toFind-VenafiCertificate
andGet-VenafiCertificate
to include user/team owner detailed info on VaaS - Add 'application' property to
Find-VenafiCertificate
andGet-VenafiCertificate
with application details on VaaS - Add
-All
toGet-VenafiCertificate
to retrieve all certificates. This replaces the default behavior of getting all with no parameters. - Add prepending '\ved\policy' when a root path isn't provided to many functions
- Fix
Invoke-VenafiCertificateAction
not triggering some actions on VaaS - Fix
Get-VenafiCertificate
returning TppObject instead of detailed certificate info when getting all - Note: please test your code when using the above functions as there are breaking changes in this release
- Add paging support to
Find-VenafiCertificate
for VaaS - Update
Get-VaasApplication -ID
andGet-VenafiTeam -ID
for VaaS to accept a name in addition to guid
- Fix
Set-TppAttribute
failing to set a custom field value on a policy, #131
- Add validation and error handling in
Get-VenafiTeam
for invalid IDs, #126 - Add messaging and error handling in
Get-VenafiTeam
for local groups, #127 - Add support for PrefixedName identity format in
Test-TppIdentity
andGet-VenafiIdentity
, #128 - Fix Split-Path failing in TppObject class, and other functions where applicable, when PowerShell reserved characters are used in the object name, #129
- Add
Import-VaasCertificate
. Export from TPP right into VaaS (and vice versa). Import-TppCertificate
updates- Add pipelining with either
-CertificatePath
orCertificateData
. You can provide FileInfo objects or just an array of paths. - If using PS v6+, import will now use parallel processing. Control the number of certificates imported at once with the new parameter
-ThrottleLimit
. This is definitely the recommended approach for bulk importing. - Add prepending '\ved\policy' to
-PolicyPath
if not provided
- Add pipelining with either
Get-TppAttribute
updates-Attribute
can now accept custom field labels/names to retrieve the value, #74- Return Locked and Overridden values where applicable
- Notify user when attribute name provided to
-Attribute
is not valid
- Fix SecretManagement module existence check not always being triggered in
New-VenafiSession
, #123 - Add 'certificate' field to
Write-VerboseWithSecret
to hide certificate data being passed to VaaS - Allow any attribute names for
Get-TppIdentityAttribute -Attribute
, #125
- Add docker image with each new build and publish to dockerhub. Add the below environment variables recognition for use with docker image, but could be used outside of it as well. This is great for ci/cd scenarios and more.
- TPP_SERVER - TPP server url
- TPP_TOKEN - TPP oauth token
- VAAS_KEY - VaaS key
- Fix
Set-TppAttribute
not clearing a value. You can now pass $null to clear an object's attribute value, #119
- Add
New-VaasApplication
to create a new application on VaaS - Add
Get-VaasIssuingTemplate
to retrieve 1 or all certificate issuing templates on VaaS - Add
-All
parameter toGet-VaasApplication
to retrieve all applications - Deprecate
Get-VaasOrgUnit
as it's being deprecated by VaaS
- Add new output format for
Get-TppAttribute
using the parameter-New
. Attributes will now be provided as object properties as opposed to individual objects for each property, which made it difficult to retrieve the value itself. This new format is available for all ways of using the function including attribute, effective attribute, and policy retrieval. This new format will become the default in the future. - Add
Get-TppAttribute -PolicyClass -All
to retrieve all policy attributes at once - Add
New-TppCertificate -WorkToDoTimeout
to override the global setting for a CA to issue/renew certificate - Add support for api limitation of 5k clients at a time when calling
Remove-TppClient
- Add support for VaaS user matching rules with
New-VenafiTeam
- Add setting common name, if not provided, as the object name in
New-TppCertificate
, #110 - Fix syntax error when using
New-TppCertificate -Csr
, #111 -Guid
has been deprecated fromGet-TppAttribute
- Add
Search-TppHistory
to find historical items by attribute value and their associated current item - Fix
Move-TppObject
not appending object name when moving multiple objects to a new folder and passed via pipeline - Update
Find-TppObject
to allow passing of empty string for-Pattern
to find objects which don't have a value set
- Fix certain aliases not being exported
- Add authentication options, VaaS key or TPP token, in addition to VenafiSession to be provided directly to any function that supports that platform. This better enables devops scenarios so 1 call can be made for a function as opposed to executing New-VenafiSession first. Note, if using this with TPP, an environment variable named TppServer with the url of the server must be set.
- Add
Test-VenafiSession
private function to add support for the new authentication methods as VenafiSession.Validate isn't used.Invoke-VenafiRestMethod
has been updated to accept these new authentication methods as well. - Add option to export from VaaS in JKS format
- Migrate docs site to Material theme
- Update
Find-TppCertificate
toFind-VenafiCertificate
and add VaaS certificate search functionality - Add
-Policy
toNew-VenafiTeam
so a team can be associated with one or more policies - Fix
PolicyPath
property ofTppObject
not returning the proper value due to special characters
- Add
New-VaasSearchQuery
(private function) as the framework for VaaS searching including filtering, ordering, and paging. This will be used by certificate search, log search, and probably more in the future. - Add
Read-VenafiLog
utilizing the new search framework for VaaS. Merge existingRead-TppLog
into 1 function to support both VaaS and TPP. - Add
Get-VenafiTeam
to retrieve all or specific team info, VaaS and TPP - Add
New-VenafiTeam
to create a new team, VaaS and TPP - Add
Remove-VenafiTeam
to remove a team, VaaS and TPP - Add
Add-VenafiTeamMember
to add a team member, VaaS and TPP - Add
Add-VenafiTeamOwner
to add a team owner, VaaS and TPP - Add
Remove-VenafiTeamMember
to remove a team member, VaaS and TPP - Add
Remove-VenafiTeamOwner
to remove a team owner, VaaS and TPP - Add
ConvertTo-TppIdentity
to standardize TPP identity objects - Add
Get-VenafiIdentity
to retrieve a specific identity, the current user, or all, VaaS and TPP. This replacesGet-TppIdentity
. The ability to retrieve associated identities and group members has been extended to-All
. - Change
Invoke-TppRestMethod
toInvoke-VenafiRestMethod
in remaining internal module calls - Move key/token refresh messaging to TPP only in
VenafiSession
as no refresh for VaaS - Default
-UriRoot
inInvoke-VenafiRestMethod
to v1 for VaaS
- Fix
VenafiSession
reporting incorrect session platform on PS v5 - Fix
Export-VenafiCertificate
for VaaS failing with ConvertTo-Json error
- Add support for double slash paths used by the adaptable framework, #75
- Add
AsValue
parameter toGet-TppAttribute
making it easy to retrieve just the value when 1 attribute is requested - Update return type when using
Find-TppCertificate -CountOnly
from string to int
- Add
-IncludeMembers
parameter toGet-TppIdentity
to include members if the identity is a group, #83 - Update
Get-TppIdentity
to returnIsGroup
for all objects, not just ones where IsGroup is true - Update
Get-TppIdentity -IncludeAssociated
to return the propertyAssociated
for all objects, not just ones where there was a value - Add
-VaultAccessTokenName
toTest-TppToken
to validate a token stored in a vault, #81
- Add
-Csr
parameter toNew-TppCertificate
andInvoke-TppCertificateRenewal
, #76 - Add
-Device
and-Application
parameters toNew-TppCertificate
to allow creation of devices and apps - Add
NoWorkToDo
parameter toNew-TppCertificate
to turn off processing for that update - Fix revision part of version being -1 when running
Get-TppVersion
, #80 - Fix Invoke-VenafiRestMethod alias not working in PS v5 in VenafiSession, #85
- Fix duplicate parameter error using
-IncludeAssociated
inGet-TppIdentity
, #82 - Update vault usage in readme, #78
- #71, add group and event id validation to
Write-TppLog
as well as help updates - Add the ability to access classes and enums outside the module
- Add paging to
Find-TppCertificate
, deprecation messaging for-Limit
and-Offset
in favor of PS standard-First
and-Skip
- Update
Get-VenafiCertificate
to ensure empty values for some date properties don't cause an exception
- #69, add
-CustomField
property toNew-TppCertificate
, required when working with mandatory custom fields. - Update
New-TppCertificate
to ensure-CertificateType
property is honored - Update with new Venafi logo
- BREAKING CHANGE: Fix #4, Remove-TppCertificate deletes associated objects by default, add
-KeepAssociatedApps
and remove-Force
- Add pipeline support to
-SourcePath
inMove-TppObject
. Use this to move multiple objects to the same target path. - Add
New-TppCustomField
- Add
-PassThru
option toConvert-TppObject
. This is helpful in piping to Set-TppAttribute to update the driver and any other attributes needed. - Update
Find-TppObject
class search to default to searching all policies recursively if no path provided - Add Platform and AuthType properties to VenafiSession class. This helps better define and validate tpp vs vaas and key vs token.
- Cleanup all docs.venafi.com links to reference 'current' instead of a specific version
- Fix #63, New-VenafiSession vault params fail if SecretManagement module not loaded in current session
- Better document token/key secret usage in readme
- Help updates, #56
- Moved to Venafi GitHub org, rebranded
- License is now Apache 2.0
- Add
Find-TppClient
to get information about registered Server Agents or Agentless clients - Add
Find-TppVaultId
to find vault IDs in the secret store - Add
Get-TppCredential
to get different credential types, password, username/password, certificate - Add parameter
-IncludeAssociated
toGet-TppIdentity
to retrieve associated groups and folders - Add
Remove-TppClient
to remove registered client agents - Add
Set-TppCredential
to update credential values
- Convert dates from ISO 8601 to datetime objects in
Get-VenafiCertificate
- Older versions of TPP failing to update attributes, #50
- Fix pipeline for
-Path
parameter withSet-TppAttribute
- BREAKING CHANGE: change parameter
-NewName
to-NewPath
inRename-TppObject
to allow moving an object in addition to renaming - Add
Convert-TppObject
to change the class/type of an existing object - Fix typos in examples for
Add-TppCertificateAssociation
andRemove-TppCertificateAssociation
- Set the default for
-Path
inFind-TppObject
to \ved\policy. RunningFind-TppObject
without a path will now recursively search from \ved\policy. - Add additional pipeline options to
Get-TppAttribute
- Add help and examples to
Invoke-VenafiRestMethod
, #48 - Set VenafiSession default value in
Invoke-VenafiRestMethod
, #47
- Add
-All
option toGet-TppAttribute
to get ALL effective attribute values for an object. This will provide the values as well as the path where the policy was applied - Add getting policies (policy attributes) with
Get-TppAttribute
- Add setting policies (policy attributes) with
Set-TppAttribute
- Add
Invoke-VenafiCertificateAction
. This is your one stop shop for certificate actions on TPP or VaaS. You can Retire, Reset, Renew, Push, Validate, or Revoke. - Cleanup output and verbose logging with
Remove-TppCertificate
- Fix parameter set issue in
New-VenafiSession
, ensure version and custom field info retrieval doesn't occur when creating a VaaS session
- Remove validation/limitation from
Get-TppCustomField
to only retrieve classes of type X509 Certificate and Device - Retrieve Application Base custom fields during
New-VenafiSession
- Fix parameter sets in
Import-TppCertificate
requiring PrivateKey be provided with PKCS#12 certificate, #37 - Add
-CertificateAuthorityAttribute
toNew-TppCertificate
to submit values to the CA during enrollment
- Add support for local token/key storage with PowerShell SecretManagement. Store your access or refresh token securely and have VenafiPS use it to create a new session.
- Add
Get-TppClassAttribute
to list all attributes for a specific class. Helpful for attribute validation and getting values for all attributes.
- Add support for token refresh to
New-VenafiSession
andNew-TppToken
. Auto-refresh $VenafiSession when token expires and we have a refresh token. #33 - Fix invalid grant details in
Test-TppToken
, #32 - Update Version in VenafiSession object, from
Get-TppVersion
, to be of type Version. Drop Revision from version so now only 3 octets. This assists in performing version validation. - Update
New-TppToken
to account for a bug in pre 21.3 which expected the client_id to be lowercase - Update
Test-TppToken
to validate the tpp version is supported
- Fix/finalize certificate-based oauth token support, #29
- Thanks to @harrisonmeister for this contribution!
- Add support to
Export-VenafiCertificate
for-IncludeChain
and-IncludePrivateKey
when using JKS format, #24 and #26 - Add 'CertificateData' to the list of values hidden with
Write-VerboseWithSecret
, #25 - Help updates
- Thanks to @wilddev65 for this contribution!
- Add
Test-TppToken
function to test if a TPP token is valid.- Tests an AccessToken, TppToken, or VenafiSession
-GrantDetail
parameter returns detailed info about token from TPP server response
- Update
New-TppToken
to capture the refresh token expiry if part of the response. - Update
Find-TppCertificate
to add-CertificateType
as a parameter to filter results by type of certificate. Can use CodeSigning, Device, Server, and/or User. - Update
Get-VenafiCertificate
to get historical certificate versions with-IncludePreviousVersions
.-ExcludeExpired
and-ExcludeRevoked
filters the results.
- Fix #19,
Revoke-TppToken -AccessToken
not decrypting password - Update
Set-TppAttribute
- Change from name and value parameters to hashtable
- API calls were sending deprecated payloads, fix this
- Add custom field validation and
-BypassValidation
switch. The validation is field type aware and will validate string, date, list, and identity.
- Add
-Force
parameter toRevoke-TppToken
andRevoke-TppCertificate
to bypass confirmation prompt
- Add
-EventId
parameter toRead-TppLog
to filter by a specific event id. - Add EventId to
Read-TppLog
output. The value matches the hex value seen in Event Definitions in TPP.
- Add -UseBasicParsing to
Invoke-WebRequest
to avoid IE profile error
- Add
-CountOnly
toFind-TppCertificate
to return the number of certificates found based on the filters provided, #12 - Move from
Invoke-RestMethod
toInvoke-WebRequest
inInvoke-VenafiRestMethod
so we get response headers, to be used with-CountOnly
above.Invoke-VenafiRestMethod
has a new parameter,-FullResponse
, to retrieve the complete response, not just content value. - Add
New-HttpQueryString
private function to support HEAD api calls which require a query string and not body. - Fix
Test-TppIdentityFormat
which was failing when the identity guid was surrounded with curly braces - Replace
-Limit
parameter and standardize on-First
- Fix #10, Get-VenafiCertificate not recognizing session.
- Add
Test-ModuleHash
to validate the script files in the module. The release pipeline has been updated to create a GitHub release with a file which stores the file hashes with SHA256. This function will validate the current module against these hashes and provide true/false for success or failure.
- Fix #6, truncation on json conversion.
- Rebrand from VenafiTppPS to VenafiPS as the module will now support Venafi products other than TPP. Functions with -Tpp in the name will now be TPP only, -Vaas will be for Venafi as a Service only, and -Venafi will be both
- Rename
New-TppSession
toNew-VenafiSession
and add support for Venafi as a Service. Use the parameter-VaasKey
- Rename
Get-TppCertificate
toExport-VenafiCertificate
and now supports Venafi as a Service. Alias added so existing scripts don't break. - Rename
Get-TppCertificateDetail
toGet-VenafiCertificate
and now supports Venafi as a Service. Alias added so existing scripts don't break. - Add
Get-VaasOrgUnit
for OutagePREDICT - Add
Get-VaasApplication
for OutagePREDICT - Rename
Invoke-TppRestMethod
toInvoke-VenafiRestMethod
- All tokens and keys have been changed from plaintext to PSCredential for added security
- Add
-KeystorePassword
option toGet-TppCertificate
. #147. Thanks @Curtmcgirt!
- Fix #145,
Revoke-TppToken
doesn't show target. Thanks @wilddev65!
- Rename 'Provision' to 'Push', aliases added for existing code
- Add
Invoke-TppCertificatePush
- Fix #130,
Get-TppDevice
only accepting IP address for host, not hostname. Thanks @Curtmcgirt! - Fix #131, add examples to
New-TppCapiApplication
. Thanks @Curtmcgirt! - Fix #132, 500 error setting BindingIpAddress running
New-TppCapiApplication
. Thanks @Curtmcgirt! - Fix #134, server url is blank when running
Get-TppObject
with secondary token. This was an issue forGet-TppPermission
as well. Thanks @stevekeever! - Add missing parameters comment-based help for
New-TppCapiApplication
- Fix certificate push not working in
New-TppCapiApplication
- Update links to reference
main
branch instead ofmaster
- Identity format validation fix, #126. Thanks @DadsVacayShorts!
- Add
Get-TppIdentity
to retrieve Identity info given an id - Add
Remove-TppPermission
, accepts output fromGet-TppPermission
- Add Path param to
Set-TppPermission
in addition to guid Get-TppPermission
now accepts TppObject, eg. fromFind-TppObject
Set-TppPermission
now accepts output fromGet-TppPermission
for the object and IdentityId so you only need to specify Permission. No need to get guid and identity manually to pass in.Find-TppIdentity
output standardized so you can now pipe to permission functionsGet-TppPermission
returns additional object and identity info- Centralize format validation for identities
- Update help links referring to versions no longer available
Find-TppIdentity -Me
to be deprecated forGet-TppIdentity -Me
- Add option to
Get-TppObject
for guid - Standardized on Id/IdentityId for the identity across all identity and permission functions
- Force missing slash retry to status codes of only 307 and 401
- Better error handling and messaging through the permission functions
Get-TppPermission
fix when retrieving multiple permissions, #124. Thanks @DadsVacayShorts!
- Update
Get-TppCertificateDetail
help to ensure output lists the correct properties, #119. Thanks @doyle043! - Hide secret info, eg. passwords, tokens, etc, when verbose logging. #120. Thanks @bwright86!
- Add search, get, and remove code sign project and environment functions
- Fix, provide the correct error message when making rest call and testing to see if a trailing slash is needed or not
- Update
New-TppSession
to ensure $TppSession is created even if subsequent custom field calls fail - Update TppSession object Validate method to check if token auth is required. Needed for code sign.
- Add missing filters CreateDate, CreatedBefore, and CreatedAfter to
Find-TppCertificate
, #117. Thanks @doyle043!
- Fix header getting stripped causing
Write-TppLog
to fail, #114. Thanks @stevekeever! - Update
Invoke-TppRestMethod
to retry with trailing slash for all methods, not just Get
- Add Origin property when creating a new certificate
- Add icon to project, #37
- Process to convert a secure password to plain text was failing on Linux, #108. Thanks @macflurry7!
- Add Import-TppCertificate, #88. Thanks @smokey7722!
- Make Invoke-TppRestMethod accessible, #106. Thanks @wilddev65!
- Fix verbose being turned on incorrectly in New-TppSession when getting by token
- Add token-based authentication support, Integrated, OAuth, and Certificate. Tokens can be used in or out of this module. #94. Thanks @BeardedPrincess!
- Add CertificateType option to New-TppCertificate
- Add support for GET api calls which require a trailing slash
- Fixes in multiple functions where .Add on a hashtable was called in the process block
- Fix issue #102, Base64 with private key not an available option
- Update formats which support IncludeChain
- Add offset parameter to Find-TppCertificate, #92
- Allow inclusion of private key for format Base64 (PKCS #8) in Get-TppCertificate. Earlier versions of Venafi documentation listed this incorrectly, but has been resolved. #95
- Get-TppCertificate failing when pipilining due to adding a key to a hashtable that already exists, #96
- Linux style paths which use / instead of \ were failing path check due to invalid regex, #97
- PSSA fix for Read-TppLog
- ProvisionCertificate not triggering a push, #89
- Add Linux support
- Add New-TppDevice
- New-TppCapiApplication
- Add ProvisionCertificate parameter to provision a certificate when the application is created
- Removed UpdateIis switch as unnecessary, simply use WebSiteName
- Add ApplicationName parameter to support pipelining of path
- Add SkipExistenceCheck parameter to bypass some validation which some users might not have access to
- New-TppCertificate
- Certificate authority is no longer required
- Fix failure when SAN parameter not provided
- Fix Management Type not applying
- Add ability to provide root level path, \ved, in some
Find-
functions - Add pipelining and ShouldProcess functionality to multiple functions
- Update New-TppObject to make Attribute not mandatory
- Remove ability to write to the log with built-in event groups. This is no longer supported by Venafi. Custom event groups are still supported.
- Add aliases for Find-TppObject (fto), Find-TppCertificate (ftc), and Invoke-TppCertificateRenewal (itcr)
- Simplified class and enum loading
- fix session state not being preserved across internal function calls, thanks Kory B!
- add Pipeline and ShouldProcess support to New-TppPolicy
- add ShouldProcess support to New-TppObject
- add many search options to Read-TppLog
- ensure the Recursive parameter of Find-TppCertificate can only be applied when providing a path
- ensure InputObject property of Find-TppCertificate only accepts type Policy so we get a path
- add TppManagementType enum
- add private function to convert a date to UTC ISO 8601 format
- cleanup help in Find-TppCertificate
- add Subject Alternate Name parameter to New-TppCertificate
- add Add-TppCertificateAssociation to associate a certificate to one or more application objects
- update New-TppObject to use Add-TppCertificateAssociation when a certificate is provided
- update New-TppCapiApplication to use the updated New-TppObject
- update Get-TppIdentityAttribute to use Test-TppIdentity for validation
- additional fixes in identity functions
- fix validation in identity functions
- Add Integrated Authentication, a credential is no longer required
- Add Write-TppLog with support for default and custom event groups
- Add PassThru option for all 'New-' functions, returning TppObject
- Standardize all enums with Tpp prefix
- Make enums/classes available outside of the module scope, access these directly at the command line. For example, [TppObject]::new('\ved\policy\object').
- Fix finding by Stage, StageGreaterThan, and StageLessThan in Find-TppCertificate
- Add error handling for Get-TppSystemStatus
- Add Get-TppVersion
- Rename Restore-TppCertificate to Invoke-TppCertificateRenewal
- Lots of help/documentation updates
- Breaking change: Update New-TppObject to simplify the attributes provided, now just pass a hashtable of object key/value pairs.
- Better parameter support for New-TppCertificate with Name and CommonName
- Rename Get-TppLog to Read-TppLog