This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

FAQ: Next-Gen Trust Security

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Blogs
2 min read

FAQ: Next-Gen Trust Security

JayGolf
Community Team Member
‎03-09-2026 07:13 AM

FAQ: Next-Gen Trust Security

 
  • How does internal discovery work?
    • Internal Discovery in NGTS uses Enhanced Discovery (scheduled scans and
      validation via VSatellite) to find certificates inside your private network. After
      discovery, all found certificates are added to Inventory for ongoing daily validation.
    • Refer to these topics in the NGTS documentation:
      • See “Overview: Discovery Services”
      • See “Create an Enhanced Discovery service”
      • See “Overview: VSatellites”

 

  • What ACME clients can I use?
    • Use ACME clients that support External Account Binding (EAB), such as Lego and
      cert-manager to connect to an ACMEv2 server and submit certificate signing
      requests (CSRs).
    • See "ACME server overview” in the user documentation.

 

  • Where can I find logged information about certificate installations?
    • Go to the Event log page of Next-Gen Trust Security and use the Filtering
      functionality.
    • Refer to these topics in the documentation:
      • “Overview: event logging”
      • “Finding logged data through filtering”

 

  • How do I install a VSatellite?
    • Follow these steps:
      • Download vsatctl to the target Linux host.
      • Run sudo ./vsatctl preflight to verify prerequisites.
      • Run sudo ./vsatctl install to deploy VSatellite, then complete the wizard in
        Certificate Manager – SaaS (Configurations > VSatellites > New).
    • Refer to these topics in the documentation:
      • “Deploying VSatellites”
      • “Using HSM-protected DEK with VSatellites”

 

  • How many VSatellites should I install?
    • Install at least two VSatellites and group them in a High Availability (HA) VSatellite
      group for reliability. An HA group lets operations start on any healthy VSatellite if the
      primary becomes unavailable. You can deploy up to 10 replicas per primary in a
      group.
      • Start with 1 primary + 1–2 replicas for Enhanced Discovery, CA Connectors,
        and Machines.
      • Ensure all VSatellites in the group can reach the same resources (discovery
        targets, machine identity endpoints, certificate authorities).
    • See “High availability VSatellite” in the NGTS documentation.

 

  • How do I view my license entitlement and usage of my Secure Certificate Instances
    (SCI)?
    • In Next-Gen-Trust Security, go to System Settings > Licensing. The Licensing
      page shows your total certificates in inventory, entitled secured certificate
      instances, and current secured certificate instance usage. Usage is recalculated
      once daily at a fixed time. There is no manual refresh.
      • Only certificates that meet SCI criteria count toward usage; inventory total
        does not affect licensing.
Labels:
0 Likes Likes
  • 1766 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Contributors
Popular Blogs
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks