
Info: Migrate Certificates to New Certificate Authority

Applies to:

TLS Protect Cloud


Summary:

When a Certificate Authority is compromised or no longer trusted (for example: here), you will need to quickly update TLS Protect Cloud to use a new certificate authority while minimizing the impact on your systems and users. This article covers the steps needed to accomplish this within Venafi TLS Protect Cloud.

If you aren't sure what Google distrusting Entrust means to your organization, learn more on our blog post.


More Information:

The easiest way to make this change is to update the issuing template that uses the old certificate authority so that it points to the new authority. Once that is done, certificates associated with that issuing template will be issued by the new CA the next time they are renewed through TLS Protect Cloud.

NOTE: In specific response to Google's announcement regarding distrusting certificates issued by Entrust, certificates issued on or before October 31, 2024 will remain valid to their natural expiration date. This means a mass renewal of certificates is not needed. However, it is imperative that a relationship with a new CA be established and in place to issue and renew certificates before October 31, 2024. Certificate authorities that work well with TLS Protect Cloud at this time are GlobalSign, HID Global/IdenTrust, and SwissSign via the ACME connector.

Updating the Issuing Template

Before updating the issuing template, a replacement certificate authority must be configured. Please see the following documentation on that process: Adding a Certificate Authority

To update an issuing template:

  1. In TLS Protect Cloud, click Policies > Issuing Templates
  2. Click on the template that needs to be modified
  3. Enter the new information for the replacement certificate authority.

For more information on this process, please see our documentation: Certificate Issuing Templates


Issuing or Renewing Certificates

Once the certificate issuing templates have been updated, all renewals (manual or automatic) will use the new CA configured on the issuing template. No further action should be required unless there has been a full compromise of the CA in question.

If you encounter an incident requiring a full re-issuance of all existing certificates, regardless of their expiration, you can use the Certificate Lifecycle Auto Renew feature to move all certificates to the new authority at once.

However, this action should be planned carefully to ensure there is either an automated machine provisioning process to install the new certificate on each endpoint, or a plan to notify certificate owners that manual action is needed to update their certificates. In this case, we recommend discussing an appropriate plan of action with Venafi experts to ensure this effort does not create additional undue impact.
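Before choosing between scheduled renewal and a full re-issuance, it helps to know which certificates in your estate are actually affected. The following Python script is an added example for this article (it is not Venafi code and not part of TLS Protect Cloud): it reads PEM certificates, matches the issuer Organization name against the distrusted CA, and uses the certificate's notBefore date as a stand-in for the issuance date to sort the inventory into three groups: unaffected, issued on or before the cutoff (valid to expiry, picks up the new CA at the next scheduled renewal), and issued after the cutoff by the distrusted CA (re-issue from the new CA now). The cutoff date is the one given in the NOTE above; the end-of-day time, the CA names "Example Old CA" and "Example New CA", and the self-signed sample certificates are constructed for the demonstration. It requires the cryptography package.

```python
"""Triage a PEM certificate inventory against a CA distrust cutoff.

Added example for this article, not Venafi code. Requires the
`cryptography` package. The distrusted CA is matched on the issuer
Organization name, and notBefore stands in for the issuance date.
"""
import datetime as dt
from dataclasses import dataclass
from enum import Enum

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# End of the last day on which certificates from the distrusted CA may be
# issued and still be trusted (date from the article; end-of-day time assumed).
CUTOFF = dt.datetime(2024, 10, 31, 23, 59, 59, tzinfo=dt.timezone.utc)


class Action(Enum):
    UNAFFECTED = "issued by another CA; nothing to do"
    RENEW_ON_SCHEDULE = "issued on/before cutoff; valid to expiry, new CA at next renewal"
    REISSUE_NOW = "issued after cutoff by distrusted CA; re-issue from the new CA now"


@dataclass(frozen=True)
class Finding:
    subject: str
    issuer_org: str
    not_before: dt.datetime
    not_after: dt.datetime
    action: Action


def _utc(cert: x509.Certificate, field: str) -> dt.datetime:
    """Return not_valid_before/after as an aware UTC datetime across
    cryptography versions (the *_utc properties appeared in 42.0)."""
    aware = getattr(cert, field + "_utc", None)
    if aware is not None:
        return aware
    return getattr(cert, field).replace(tzinfo=dt.timezone.utc)


def triage(pem: bytes, distrusted_org: str, cutoff: dt.datetime = CUTOFF) -> Finding:
    """Classify one certificate. Only the issuer name is inspected here; a
    full audit would also build and verify the chain to the distrusted root."""
    cert = x509.load_pem_x509_certificate(pem)
    orgs = cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    org = orgs[0].value if orgs else ""
    not_before = _utc(cert, "not_valid_before")
    not_after = _utc(cert, "not_valid_after")
    if org != distrusted_org:
        action = Action.UNAFFECTED
    elif not_before <= cutoff:
        action = Action.RENEW_ON_SCHEDULE
    else:
        action = Action.REISSUE_NOW
    return Finding(cert.subject.rfc4514_string(), org, not_before, not_after, action)


def triage_inventory(pems, distrusted_org, cutoff=CUTOFF):
    """Classify every PEM in an inventory, preserving input order."""
    return [triage(p, distrusted_org, cutoff) for p in pems]


# --- constructed sample data: self-signed stand-ins, not real CA certificates ---

def _issue(cn: str, issuer_org: str, issuer_key, not_before: dt.datetime, days: int = 365) -> bytes:
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, issuer_org)]))
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + dt.timedelta(days=days))
        .sign(issuer_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def build_sample_inventory():
    """Three constructed leaf certificates: old CA before cutoff, old CA after
    cutoff, new CA after cutoff."""
    old_ca_key = ec.generate_private_key(ec.SECP256R1())
    new_ca_key = ec.generate_private_key(ec.SECP256R1())
    utc = dt.timezone.utc
    return [
        _issue("web1.example.test", "Example Old CA", old_ca_key, dt.datetime(2024, 6, 1, tzinfo=utc)),
        _issue("web2.example.test", "Example Old CA", old_ca_key, dt.datetime(2024, 12, 1, tzinfo=utc)),
        _issue("web3.example.test", "Example New CA", new_ca_key, dt.datetime(2024, 12, 1, tzinfo=utc)),
    ]


if __name__ == "__main__":
    for f in triage_inventory(build_sample_inventory(), "Example Old CA"):
        print(f"{f.subject:24} {f.issuer_org:15} nb={f.not_before:%Y-%m-%d} {f.action.value}")
```

In practice you would feed triage_inventory the PEM files exported from your inventory and set distrusted_org to the Organization name of the CA being retired. The RENEW_ON_SCHEDULE group needs only the issuing template change described above; only the REISSUE_NOW group (or a full CA compromise) justifies the Auto Renew mass re-issuance, with its provisioning and notification planning.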

If additional assistance is needed always feel free to reach out to Venafi Customer Support or your account manager.
