Applies to:
Venafi Trust Protection Platform 14 and above
Subject:
On some occasions, the Venafi Operational Certificate (VOC) needs to be replaced before its renewal window.
If the current VOC is still valid, renewing it from the WebAdmin interface alone is not sufficient: the copy already held in the server's local-machine (CAPI) certificate store must be replaced as well, otherwise IIS keeps serving the old certificate.
This knowledge base article describes how to replace the Venafi Operational Certificate.
Instructions:
NOTE: Before proceeding, the following are required:
- The logged-on user must have local administrative permissions on the TPP server.
- If you are supplying an existing certificate, you must have access to the new certificate and its associated private key.
- Make sure the certificate currently in use is used only by the Venafi site.

1. Log in to your TPP server using an admin account.
2. Log in to WebAdmin and go to the Policy Tree.
3. Locate the certificate object used as the Venafi Operational Certificate. If you are unfamiliar with where the VOC is, see the related article on how to identify the Venafi Operational Certificate.
4. Select the VOC and scroll down to the Miscellaneous box.
5. Open Notepad on the server.
6. Copy the VOC serial number from the Miscellaneous box and paste it into Notepad.
7. Click the Settings tab.
8. Locate the FQDN of the certificate and paste it into Notepad as well.
9. Once the serial number is saved, click Renew Now on the VOC.
10. If you have created a VOC independently, you can import that certificate now instead.
11. Next, open the local-machine CAPI store on your TPP server:
   - Run mmc on the server.
   - Once open, go to File > Add/Remove Snap-in...
   - In the window that opens, add Certificates for the Computer account and click OK.
   - Expand the Personal folder and select Certificates.
12. Look for a certificate whose subject matches the FQDN of the VOC you saved in Notepad.
13. Double-click the certificate and select the Details tab.
14. Compare the serial number of the VOC saved in Notepad with the serial number of the certificate in the CAPI store (ignore differences in case and spacing; the Details tab shows the serial as space-separated lowercase hex).
   - If they match, the renewed VOC is already in the CAPI store and you do not need to proceed further.
   - If they do not match, proceed to step 15.
15. Back up the current VOC from the CAPI store: click Copy to File... and follow the wizard. If possible, export the private key along with the certificate; if the key was marked non-exportable, export the certificate only.
16. Once you have backed up the certificate, delete it from the CAPI store.
17. Restart all Venafi services in the Services window.
18. Perform an IIS reset.
19. Close and reopen your browser.
20. Log in to WebAdmin and go to the Policy Tree.
21. To confirm the result, open IIS Manager, navigate to the site bindings of your Venafi site, view the certificate bound to the https binding, and compare its serial number with the VOC certificate in the Policy Tree.
If the serial numbers do not match, please contact Support.
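The CAPI-side part of the procedure (steps 11 through 18, plus the confirmation in step 21) can be done from an elevated PowerShell session instead of mmc. The script below is added here as an illustration; it is not part of this article or of Venafi's own tooling. It assumes, where the article says nothing, that the Venafi Windows services have display names beginning with "Venafi", that the Venafi site in IIS is named "Default Web Site", and that backups go to C:\VOC-backup; adjust the parameters for your server. Without -Apply it only reports what it would do.

```powershell
# Added example, not from the Venafi KB article. Run elevated on the TPP server:
#   .\Replace-VocInCapi.ps1 -VocFqdn tpp.example.com -VocSerial '1a 2b ...' [-Apply]
# Assumptions (not stated by the article): Venafi service display names start
# with "Venafi", the IIS site is "Default Web Site", backups go to C:\VOC-backup.
param(
    [Parameter(Mandatory)] [string] $VocFqdn,     # FQDN noted from the VOC's Settings tab
    [Parameter(Mandatory)] [string] $VocSerial,   # serial noted from the Miscellaneous box
    [string] $SiteName  = 'Default Web Site',     # assumption: the IIS site bound to the VOC
    [string] $BackupDir = 'C:\VOC-backup',        # assumption: where the backup is written
    [switch] $Apply                               # without -Apply, report only (dry run)
)

$ErrorActionPreference = 'Stop'

# WebAdmin and the mmc Details tab render serials differently (case, spaces, colons),
# so normalise both sides before comparing or you will get false mismatches.
function Normalize-Serial([string] $s) {
    return ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$wanted = Normalize-Serial $VocSerial

# Steps 11-12: find certificates for the VOC's FQDN in the local-machine Personal store,
# matching either the subject CN or a DNS SAN entry.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match ('CN=' + [regex]::Escape($VocFqdn)) -or
    $_.DnsNameList.Unicode -contains $VocFqdn
}
if (-not $candidates) { throw "No certificate for $VocFqdn in Cert:\LocalMachine\My" }

foreach ($cert in $candidates) {
    $have = Normalize-Serial $cert.SerialNumber
    # Step 14: a matching serial means the store already holds the renewed VOC.
    if ($have -eq $wanted) {
        Write-Host "Serial $have matches the Policy Tree VOC; nothing to do for $($cert.Thumbprint)."
        continue
    }
    Write-Host "Stale VOC in CAPI store: thumbprint $($cert.Thumbprint), serial $have (expected $wanted)."
    if (-not $Apply) { continue }

    # Step 15: back up before deleting. Export-PfxCertificate fails when the private key
    # is marked non-exportable; fall back to a .cer (public certificate only) in that case.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $base = Join-Path $BackupDir ('VOC-' + $cert.Thumbprint)
    try {
        $pw = Read-Host -AsSecureString "PFX password for $base.pfx"
        Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $pw | Out-Null
    } catch {
        Write-Warning "Private key not exportable ($($_.Exception.Message)); saving certificate only."
        Export-Certificate -Cert $cert -FilePath "$base.cer" | Out-Null
    }

    # Step 16: remove the stale copy (and its key) so the renewed VOC can be provisioned.
    Remove-Item -Path $cert.PSPath -DeleteKey
}

if ($Apply) {
    # Steps 17-18: restart the Venafi services (assumed "Venafi*" display names) and IIS.
    Get-Service | Where-Object { $_.DisplayName -like 'Venafi*' } | Restart-Service -Force
    iisreset.exe | Out-Null
}

# Step 21: compare the certificate on the site's https binding with the Policy Tree VOC.
Import-Module WebAdministration
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No https binding on site '$SiteName'" }
$bound = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if ($bound -and (Normalize-Serial $bound.SerialNumber) -eq $wanted) {
    Write-Host 'OK: IIS binding serial matches the Policy Tree VOC.'
} else {
    Write-Warning 'IIS binding serial does not match the Policy Tree VOC; contact Venafi Support.'
}
```

Run it once without -Apply to see which store entries would be removed; the dry run is also a quick way to check step 14 before touching anything. Keep the exported .pfx under the same access controls as any other copy of the VOC private key, and delete it once the replacement is confirmed.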
Related Articles
How to Identify which certificate is used as the Venafi Operational Certificate
How to Open the Local Machine CAPI Store