How to: Replace the Venafi VOC with immediate effect

Applies to:

Venafi Trust Protection Platform 14 and above


On some occasions, the Venafi Operational certificate needs to be replaced before the renewal window.

If the Venafi Operational Certificate is still valid, replacing the certificate within the WebAdmin interface will be insufficient.

This knowledge base article will describe how to replace the Venafi Operational Certificate



NOTE: Before proceeding, the below is required

  • Logged on user must have local administrative permissions
  • You must have access to the new certificate and associated private key if using an existing certificate
  • Make sure the certificate currently being used is only used by the Venafi site


  1. Log in to your TPP server using an admin account. 
  2. Log in WebAdmin and go to the policy tree.

  3. Locate the certificate object used as the Venafi Operational Certificate

    1. If you are unfamiliar with where the VOC is see our KB on how to identify the Venafi Operational Certificate

  4. Select the VOC and click Renew Now

    1. If you have created a VOC independently, you can import that certificate now.
  5. Once the renewal has finished processing, scroll down to the Miscellaneous box

  6. Open a Notepad on the Server

  7. Copy and paste the VOC serial number from the Miscellaneous box to the Notepad.

  8. Click on the Settings tab

  9. Locate the FQDN of the certificate and paste this into your Notepad as well.

  10. Next, you will need to open the CAPI store on your TPP server. You can do this by taking the following steps.

    1. Run mmc on your server

    2. Once open, go to File > Add/Remove Snap-in...

    3. In the new window that opens, add Certificates using the Computer account and click OK

  11. Go to the Personal folder and select Certificates 

  12. Look for a certificate that matches the FQDN of the VOC you saved in Notepad.

  13. Double-click on the certificate and select the Details tab.

  14. Compare the serial number of the VOC saved in your notepad and the serial number of the VOC stored in the CAPI

    1. If it matches, your VOC is stored in the CAPI and you do not need to proceed further. Simply restart IIS for immediate effect.

    2. If it does not match, proceed to step 15.

  15. You will need to back up the current VOC. Click the button that says Copy to File... and follow the steps it provides.

  16. If possible, export the private key as well as the certificate

  17. Once you’ve backed up the certificate, delete it from the CAPI store.

  18. Restart all Venafi services in the Services window.

  19. Perform an IIS reset.

  20. Close and reopen your browser.

  21. Log in to the WebAdmin and go to Policy Tree

  22. To confirm the process, open IIS and navigate to the Site Binding, view the certificate bound to your Venafi site and compare the serial number to the VOC certificate in the Policy Tree

If the serial number does not match, please contact Support.

Related Articles

How to Identify which certificate is used as the Venafi Operational Certificate

How to Open the Local Machine CAPI Store


Was this article helpful?
0 out of 0 found this helpful