Follow

Issue: Changing CA template before renewing results in failed renewal

Applies to:

Certificate renewals

Changing Certificate Authorities

16.x, 17.x, 18.x

 

Symptom

When changing the certificate CA template to a new Certificate Authority for an already enrolled certificate, the renewal can fail. This only occurs for certain CA's, for example renewing a certificate previously enrolled against Thawte with GlobalSign results in the GlobalSign API rejecting the renewal with the error:

 

Invalid original_transaction_id. (0x6000)

 

This means there is no way to renew the certificate leaving you the only option to create a new certificate.

 

Cause

When a certificate is enrolled with a CA it creates a Transaction ID which is stored with this certificate object.  The Transaction ID allows the CA to identify this certificate enrolled with them for future renewals as the ID gets presented during the renewal.

If you change the CA the certificate will be renewed against by changing its CA Template object, for example Thawte to GlobalSign, then a renewal will try to present a Transaction ID to a the new CA (GlobalSign) who does not know that ID, as a result it will fail the renewal attempt.

 

Some of the CA drivers are updated to correct this issue by falling back to performing an Enroll New after a renewal attempt fails, such as Symantec MPKI, Entrust.net and DigiCert, however until the remaining CA drivers are updated we need to correct the issue using a workaround.

 

Resolution

In order to workaround this issue we can remove the Transaction ID from the certificate object.  This effectively forces a renewal of that certificate to be treated as an enroll new.

 

There are two methods we can use to fix this issue, remove the Transaction ID using the Webadmin Support Tab, or use the WebSDK API to issue a call to remove the ID.

 

Support Tab Method:

You will need to log a ticket with Customer Support who will provide you with an authorization code to modify the attributes available on your certificate objects Support Tab.  One you have exchanged the code and gained access to editing the Support Tab, find the Transaction ID and remove it.

 

SuportTabTransactionID.JPG

 

WebSDK API call method:

Using the API to remove the Transaction ID attribute might be the best approach if you have to process a bulk of certificates when you are changing CA's.  Below is an example of the ClearAttribute call required:

 

POST /vedsdk/config/ClearAttribute HTTP/1.1
Host: 192.168.86.173
Content-Type: application/json
X-Venafi-Api-Key: 654381de-5cf5-bef2-dfae-d6c9b07bb0c5
Cache-Control: no-cache
Postman-Token: 46668cf0-cbf1-1957-4fb6-90709a0d48d9

{
"ObjectDN": "\VED\Policy\Internal\Certificates\mycert",
"AttributeName": "Transaction ID"
}

Result:

{
"Result": 1

 

After this the certificate should renew with the new CA.

 

To process a bulk of certificates in this way you would need to create a Powershell script that extracts each of the certificates in your policy folder and work through each object performing the ClearAttribute call.

You can extract the required certificate DN used in the ClearAttribute call using the Config/enumerate call, for example (here I've used the optional pattern match of *.sample2.local):

 

POST /vedsdk/Config/enumerate HTTP/1.1
Host: 192.168.86.173
Content-Type: application/json
X-Venafi-Api-Key: a6990a6c-c738-49ab-3cf1-988e1e83649b
Cache-Control: no-cache
Postman-Token: 82fd7706-b91a-60f7-cf9a-a0f783d5cdeb

{"ObjectDN": "\\VED\\Policy\\Internal\\Certificates\\",
"Pattern": "*.sample2.local",
"Recursive": false
}

Result:

{
"Objects": [
{
"AbsoluteGUID": "{2ac8ebdc-b2f2-4003-a687-4815a2567c50}{1456cdae-1260-462f-a6d0-0a99d7a60069}{4b02f88d-faf3-4896-9c15-f20ab2f44ee3}{3dbdc358-a3c3-4017-94ec-2c5553297b62}{0f7c7be5-8beb-48d5-933e-68af3dfcb775}",
"DN": "\\VED\\Policy\\Internal\\Certificates\\apache.sample2.local",
"GUID": "{0f7c7be5-8beb-48d5-933e-68af3dfcb775}",
"Id": 597,
"Name": "apache.sample2.local",
"Parent": "\\VED\\Policy\\Internal\\Certificates",
"Revision": 636523019951258142,
"TypeName": "X509 Server Certificate"
},
{
"AbsoluteGUID": "{2ac8ebdc-b2f2-4003-a687-4815a2567c50}{1456cdae-1260-462f-a6d0-0a99d7a60069}{4b02f88d-faf3-4896-9c15-f20ab2f44ee3}{3dbdc358-a3c3-4017-94ec-2c5553297b62}{def7ca11-a364-4721-89cd-2afd78492a49}",
"DN": "\\VED\\Policy\\Internal\\Certificates\\rs-win2k8-04.sample2.local",
"GUID": "{def7ca11-a364-4721-89cd-2afd78492a49}",
"Id": 591,
"Name": "rs-win2k8-04.sample2.local",
"Parent": "\\VED\\Policy\\Internal\\Certificates",
"Revision": 636522978104522165,
"TypeName": "X509 Server Certificate"
}
],
"Result": 1
}

 

 

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments