When using a version of Venafi Encryption Director that uses the VICE 2 VeriSign Driver, Extended Validation (EV) Certificates cannot be enrolled.
Director 8.0.1, 8.0.2, 8.0.3; Director 11; Director 14.1
Between February 2014 and April 2014
Symantec has a bug in their VICE 2 API and erroneously reports in the API's that a customer's organization is not EV Enabled when in the Symantec system they really are. Symantec's internal reference number to this bug is artf124259.
Customer has all of the symptoms:
- In the Symantec Control Center on the Certificate Management Page, account has orders for EV Certificate
- In the Symantec Control Center under Configuration => Enrollment, EV certificates are checked to be Included
- When you validate your VeriSign Certificate Authority Template in Directory, EV Certificates are missing from the list of available templates on your EV approved Organization
Having the symptoms doesn't mean the Symantec bug is effecting you. One additional test needs to be done to confirm that the Symantec API bug is effecting your ability to enroll EV certificates through Director.
- You need to get ahold of the VICE 2 Admin certificate that Director is using to authenticate to VeriSign. This can be accomplished by either exporting the certificate from director a file or exporting it from the Local Machine CAPI store on the Director server. Depending on your environment, the certificate may not be exportable from Director and the certificate may not exist in the Director local machine Windows CAPI store, but that is your best bet. If those two plans fail, speak with the person in you organization who manages the Symantec account and ask for a copy of the VICE 2 Admin certificate (Also known as the Symantec Admin Certificate with Web Services role)
- After you have a copy of the admin certificate, double click on it to have the certificate and private key installed in the Current User Windows CAPI store.
- After you have successfully installed the certificate into the Current User CAPI store, load this URL into Google Chrome or Internet Explorer (both browsers use the Windows CAPI store for certificates - Firefox uses it's own built in key store)
- Visit https://certmanager-webservices.verisign.com/vswebservices/rest/services/getVettedOrgsAndDomains
Note: Visiting this URL performs a VICE 2 Admin call that returns a list of vetted organizations and domains with Symantec
- You should be prompted by your browser to present a certificate to Symantec. Select the VICE 2 Admin certificate that you just imported.
- The page should load with XML data regarding your organizations and domains vetted with Symantec
<Organization name="Venafi, Inc." EV_Enabled="No">
- Look at the output, does it show domains that state "EV_Enabled="Yes" but for the organization that the domains belong to state EV_Enabled="No" ? If so, you are effected by this bug.
Reach out to Symantec
First step is to reach out to your Symantec Account Representative and let them know that you are effected by this bug. It is important that Symantec track how many customers are impacted. Currently Symantec states that this bug should be patched in their API production code on April 9, 2014.
Apply Work-Around to Director
- Log into WinAdmin if on Director 8.0.1, 8.0.2, 8.0.3 or Director 11. Log into Web Admin if on Director 14.1
- Go to your VeriSign CA Template object that is not showing the EV Certificate
- Click on the Support Tab of that object
- Locate the Attribute "Organization"
- The Value of that Attribute should be in the format of either:
- The first number after the first pipe is what designates to Director if the organization is EV enabled. A "0" means that it is NOT EV enabled. A "1" means that it is EV enabled
- Get a support tab license or Authorization code from Venafi Customer Support, update the value of the organization attribute to read either:
Depending upon the format your organization attribute value is in.
Note: Do not change the organization to read "Venafi, Inc." please leave this organization name as it is. The Venafi, Inc. above is listed just as an example.
- Save your changes to the support tab
- Click off of VeriSign CA template object by clicking on another object in the Policy Tree
- Go back to the VeriSign CA template object - the EV templates should now be an option in the drop-down menu
- Until Symantec fixes the bug in their VICE 2 API, do not click "Validate" on the CA template object. Doing so will over-write the changes made to the Organization attribute and remove EV templates as an option.