Venafi TPP 16.1 and greater
There are many reasons why you may want to revoke or rotate certificates and keys. We can help you do this on a targeted set of certificates, at small or large scale.
Here are some of the reasons, which correspond to the standard revocation reason codes:
- Certificate Hold: A temporary revocation that indicates a CA will not vouch for a certificate at a specific point in time. Once a certificate is revoked with the Certificate Hold reason code, it can later be revoked with another reason code, or un-revoked and returned to use.
- Key Compromise: The token or disk location where the private key associated with the certificate is stored has been compromised and is in the possession of an unauthorized individual. This includes the case where a laptop is stolen or a smart card is lost.
- CA Compromise: The token or disk location where the CA’s private key is stored has been compromised and is in the possession of an unauthorized individual. When a CA’s certificate is revoked for this reason, you should consider all certificates issued by that CA and signed with the compromised private key as revoked.
- Change of Affiliation: The user’s relationship with the organization, as indicated in the DN attribute of the certificate, has been terminated. This revocation code is most often used when an individual is terminated or has resigned from an organization. You do not have to revoke a certificate when a user changes departments, unless your security policy requires that a different certificate be issued by a departmental CA.
- Superseded: A replacement certificate has been issued to a user, and the reason does not fall under any of the previous reasons. This revocation reason is most often used when a smart card fails, the password for a token is forgotten by a user, or the user’s legal name has changed.
- Cease of Operation: If a CA is decommissioned (no longer to be used), the CA’s certificate should be revoked with this reason code. Do not revoke the CA’s certificate if the CA no longer issues new certificates but still publishes CRLs for the certificates it has already issued.
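The reason codes above are the CRLReason values that end up in the CRLs a CA publishes. The following Python script is an added example, not Venafi or TPP code: it builds a sample CRL with the `cryptography` package, tags each constructed serial number with one of these reasons, and shows a relying-party check that treats Certificate Hold as temporary (the only reason a CA may later lift) and every other reason as final. The issuer name, the serial numbers and the helper names (`build_crl`, `revocation_status`, `demo`) are constructed for illustration.

```python
"""Build a CRL carrying the revocation reasons discussed above and check
certificate status against it.  Added example using the `cryptography`
package; issuer name and serial numbers are constructed sample data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed sample data: serial number -> reason the CA operator recorded.
SAMPLE_REVOCATIONS = {
    0x1001: x509.ReasonFlags.certificate_hold,        # temporary; may return to use
    0x1002: x509.ReasonFlags.key_compromise,
    0x1003: x509.ReasonFlags.affiliation_changed,     # "Change of Affiliation"
    0x1004: x509.ReasonFlags.superseded,
    0x1005: x509.ReasonFlags.cessation_of_operation,  # "Cease of Operation"
}


def build_crl(revocations, issuer_cn="Example Issuing CA (constructed)"):
    """Sign a CRL that lists each serial with a CRLReason entry extension.

    A throwaway RSA key stands in for the CA key so the example runs offline.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
    )
    for serial, reason in revocations.items():
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256())


def revocation_status(crl_der, serial):
    """Return ('good' | 'held' | 'revoked', reason name or None) for a serial.

    Certificate Hold is the only reason a CA may later lift, so it is reported
    separately; every other reason (including a missing reason, which RFC 5280
    treats as 'unspecified') is final and must fail validation.
    """
    crl = x509.load_der_x509_crl(crl_der)
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good", None
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    status = "held" if reason is x509.ReasonFlags.certificate_hold else "revoked"
    return status, reason.name


def demo():
    """Build the sample CRL and look up a held, two revoked and one unlisted serial."""
    crl_der = build_crl(SAMPLE_REVOCATIONS).public_bytes(serialization.Encoding.DER)
    return {s: revocation_status(crl_der, s) for s in (0x1001, 0x1002, 0x1005, 0x9999)}


if __name__ == "__main__":
    for serial, (status, reason) in demo().items():
        print(f"serial 0x{serial:04x}: {status} ({reason})")
```

The same `revocation_status` check, run against the issuing CA's own certificate in its parent CA's CRL, is how a relying party applies the CA Compromise rule above: a `revoked` result for the issuer means every certificate it signed is treated as revoked, whatever their own CRL entries say.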
There are a couple of good ways to rotate/revoke a targeted set of certificates:
A. If you are not sure where your target certificates are:
1. Create a Policy folder and set, by policy, the CA through which you would like to renew your certificates.
2. In Aperture, filter your certificates down to your target set. For example, you can filter on issuer to get the entire list of certificates issued by a specific entity.
3. Once your filter displays the target set, select all and move them to the Policy folder you configured in step 1.
4. In Web Admin, go to the configured Policy folder and click Certificate/View.
5. Select all your certificates and click Renew.
B. If you already know where you have organized your target certificates:
1. In Web Admin, go to the configured Policy folder and click Certificate/View.
2. Filter for the certificates you want to renew.
3. Select your certificates and click Renew.