Director 8.0.1 introduced the updated VeriSign CA driver, which uses the VeriSign VICE2 API. This article covers the features that were previously manageable through the CA template as well as new features.
Director 11 and up
Manual Approval - Customers who don’t want Manual Approval should configure their Symantec Managed PKI for SSL Control Center to automatically approve requests submitted through VICE2. For customer accounts that disable "automatic certificate approval for Web Services", Director will poll for up to 3 days to see whether the certificate has been manually approved before going into an error state. If the certificate is rejected, the certificate in Director will also go into an error state.
IMPORTANT NOTE: Symantec does not allow the automatic approval of Extended Validation (EV) Certificates. Each EV Certificate renewal must be manually approved in the Symantec Customer Portal.
SAN Enabled State - Symantec VICE 2.0 doesn’t allow detection of whether enrollment of CSRs containing SANs is allowed or disallowed. Customers need to be aware of their Managed PKI configuration and configure their CA template(s) in Director to match.
Enrollment Behavior - For an existing certificate, the old driver attempted a renewal for time extension and, if that failed, treated the request as a new enrollment. With VICE2 the new options are:
- Attempt renewal
Director will attempt to renew the certificate. If that fails, Director will enroll it as a new certificate.
- Attempt renewal only
This option will error out if renewal of the certificate fails.
- Enroll as new request only
This option will NOT attempt renewal of the certificate.
- Attempt replacement (re-issue)
This option will automatically deactivate the existing certificate at the same time as renewal.
For steps to enable VICE 2.0 on your VeriSign/Symantec Account see the following KB article: