Applies to:
All versions of TPP and Entrust issued certificates.
Summary:
This article will help you identify Entrust issued certificates and perform the steps to reissue them with another CA.
If you aren't sure what Google distrusting Entrust means to your organization, learn more on our blog post.
More Info:
You may be required to identify your Entrust issued certificates and reissue them with another CA.
NOTE: In response to Google's announcement regarding distrusting certificates issued by Entrust, certificates issued by Entrust before October 31st 2024 are still valid to their natural expiration date. What this means is that a large migration of certificates is not needed but a relationship with a new CA should be established to issue certificates after October 31st 2024. Certificate authorities that have work well with TLS Protect Datacenter are HydrantID, SwissSign, and Globalsign.
Option 1:
Create a Custom report to identify those certificates in your inventory issued by Entrust.
1. Go to Reports -> Custom Reports and click on Add Report.
2. Choose Certificates data type.
3. For filters, choose Issuer under the Certificate Properties, then search for Entrust or AffirmTrust and select all of them one at a time and then click Next:
4. Configure your Delivery method and then click Next.
5. Configure your Schedule and then click Next.
6. Provide a Name and Report Header Title for your report and then click Save & Finish.
7. Select your newly created report and go to the Data tab.
8. Click Edit Columns, add DN and Issuer and click Apply, and then click Save.
9. Download the report or view in the Web Console UI, and review the DN for the location of your Entrust certificates.
Option 2:
Another method for seeing your Entrust issued certificates is to go to your main certificates folder in the Policy tree, go to the View tab, select "Include Sub-Containers". Then go to the Issuer DN column and select Filter, then enter "CA=Entrust" on the Starts with... entry.
Results:
Reissuing Entrust Certificates with another CA:
1. Set up your new CA template(s) and verify they are working as expected.
2. For each identified policy folder from the previously created report:
a. On the Policy tree, go to the identified policy folder, go to the Settings / Certificates tab, set the new CA Template in the Other Information panel and click Save.
Note: This is assuming all certificates in the policy folder are going to be re-issued with the same new CA Template. Please review your requirements and adjust to your use case.
b. Go to the View tab of the policy folder and select Include Sub-Containers if applicable.
c. Select those certificates you wish to renew and click Renew.
Note: In order to use the Renew feature on the View tab, the user will need to be a Master Admin.
Reminder: In order for TPP to provision the new certificates, they need to be configured for the Provisioning Management type and be associated with an application.
Comments