Director 11 and the Trust Protection Platform
When doing a CA Import decision have to be made on what to do with what was discovered on your MSCA.
We follow some set logic to place those found certificates.
- Identical certificates already in the Policy Tree are ignored and not placed. These are shown under “Already managed”
- Certificates where an exact Subject DN and key usage is found already in the Policy Tree are updated with the imported object. These are shown in “Updated certificates”
- If imported certificate is older than the currently managed certificate, imported certificate is added to the History tab
- If imported certificate is newer than the currently managed certificate, currently managed certificate is moved to History tab.
Certificates placed with new Subject DN follow placement rules created on CA Import job.More Info:
In some scenarios it may be important for you to bypass all of the reconciliation logic and simply import the entirety of what was discovered in the CA Import object.
In the recent versions of 14.3 and greater you should be able to contact Support@venafi.com and request access to enter an attribute on the Support tab of your object to bypass the placement logic.
Currently the entry is:
'Bypass Reconciliation’ and set it to a 1.
Warning: This will create a new certificate object every time the Certificate is renewed instead of updating the existing certificate in the Policy Tree.