All versions of Venafi Trust Protection Platform in which Entrust is used as a Certificate Authority.
Entrust updated the Certificate Request API in March of 2017. Customers with existing CA templates, and Certificates generated from those templates, will find that renewals are no longer working as expected. Customers will receive an error that is similar to the error below:
Post CSR failed with error: Web Service Error - (ID:673293) Unable to update the database. Please contact Entrust Certificate Services for support. (Error ID: GEN006)
Explanation of Error
Entrust allows additional fields to be set on certificates. The API update changed the field names from dynamically generated names like “field_592376398” to standard names for all fields, like text1, text2 and so on. These fields can be seen through the support tab of the CA template and the Certificates.
CA Template (Recently Validated):
Certificate (Names from before API update):
NOTE: The above scenario will only happen if the CA template has been validated since the API update.
As you can see above, the CA Template is using the new field names and the Certificate is using the old field naming method. This causes a mismatch in the values in the database, and the system will not be able to do the renewal.
Entrust no longer supports the old field names created before the API update and has not provided a way to convert old certificates to use the latest field naming scheme.
NOTE: If your CA Template is new and has been validated, a new Certificate created from that CA Template should work without an issue.
How to adapt existing CA templates and Certificates to the new API
To modify the Additional Field values while preserving the data within those fields, Engineering has created a script that finds each field in the database with the old field name and converts it to the new field name. The steps are explained below.
- Open a new ticket with Support by sending an email to firstname.lastname@example.org or by opening a new case through the support portal.
- Support will require this information from the customer:
  - Text file of the support tab from all affected Entrust CA templates, or from Certificates created by all the affected CA templates
  - Text file of the support tab from a newly created CA template
- Support will then take the old field names from the original CA templates, and the new field names from new CA templates and generate a script to be run against the Venafi database for every field that is in the CA template.
- Once Support has generated the needed SQL scripts, a meeting will need to be scheduled with the Venafi Administrator and the Venafi DBA. The DBA will then run the Support-provided scripts against the database.
- We can then validate the changes through the support tab.
- Renew a certificate to test the fix.
Validating an existing CA template whose fields use the old naming method will change its field names to the new Entrust field names. Support will then need to find this information through Certificates created by that CA template, which will delay creation of the scripts.
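
The following is an added example, not a Venafi or Entrust script: a triage helper that scans saved support-tab text for the two naming styles described above and flags the Certificates whose names no longer match their CA template. The sample text, the certificate names and the assumption that only `field_<digits>` and `text<N>` occur are constructed for illustration.

```python
import re

# Patterns come from the two examples on this page; any other standard names
# Entrust may use are not covered (assumption).
LEGACY = re.compile(r"\bfield_\d+\b")   # old style, e.g. field_592376398
STANDARD = re.compile(r"\btext\d+\b")   # new style, e.g. text1, text2


def naming_scheme(support_tab_text):
    """Classify saved support-tab text: 'legacy', 'standard', 'mixed' or 'none'."""
    legacy = bool(LEGACY.search(support_tab_text))
    standard = bool(STANDARD.search(support_tab_text))
    if legacy and standard:
        return "mixed"
    if legacy:
        return "legacy"
    return "standard" if standard else "none"


def triage(template_text, cert_texts):
    """Return {certificate: status} for Certificates created from one CA template."""
    template = naming_scheme(template_text)
    report = {}
    for name, text in cert_texts.items():
        cert = naming_scheme(text)
        if cert == "none":
            status = "no-fields"        # no additional fields found
        elif template == "standard" and cert == "legacy":
            status = "mismatch"         # renewal expected to fail; send to Support
        elif template == "legacy" and cert == "legacy":
            status = "legacy-both"      # template not validated since the API update
        elif template == "standard" and cert == "standard":
            status = "ok"
        else:
            status = "review"           # mixed or unexpected combination
        report[name] = status
    return report


# Constructed sample input (layout of the real support tab is assumed).
TEMPLATE_NEW = "text1 = Cost Center\ntext2 = Owner"
CERTS = {
    "web01.example.com": "field_592376398 = 4410\nfield_592376399 = ops",
    "web02.example.com": "text1 = 4410\ntext2 = ops",
}

if __name__ == "__main__":
    for cert, status in triage(TEMPLATE_NEW, CERTS).items():
        print(f"{cert}: {status}")
```

Certificates reported as `mismatch` are the ones whose support-tab text belongs in the ticket; `legacy-both` means the template's old field names are still available to hand to Support directly.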