Applies to:
All versions of Venafi
Symptoms:
You've imported a number of certificates into the Trust Protection Platform from DigiCert. At renewal, to ensure no downtime, you renew before the certificate has actually expired.
Expected Behavior:
The new certificate issued from DigiCert should append the remaining time from the original certificate to the new term.
Actual Behavior:
The new certificate has only a single term length - the remaining time is lost.
Cause:
The cause, essentially, is that DigiCert doesn't recognize this as a renewal; it sees it as a request for a new certificate. Why? Because Venafi doesn't have the original DigiCert ORDER_ID for the certificate, so DigiCert doesn't recognize the certificate when Venafi sends it for renewal. Instead, DigiCert simply issues a new one.
Resolution:
There are two possible scenarios:
1) Renew with Venafi and lose the remaining term, the first time only. After that, the now "new" certificate comes from DigiCert with the Order_ID, and Venafi knows about it and tracks it for subsequent renewals.
2) Check DigiCert for the Order_ID and add it to the certificate in Venafi via a Support tab edit. If you have several certificates, DigiCert may even send you a list of certificates and Order_IDs, but we cannot confirm that at this time. In any case, you can go to DigiCert, check the certificate, and obtain the Order_ID from them.
**Additional Note:** The Venafi Support tab entry for the DigiCert Order_ID is: Digicert CA:Request ID
Comments
For Option 2, would creating a custom field in Venafi with the Order_ID suffice? Can you go more in depth when you say "Check Digicert for the Order_ID and add it to the Certificate in Venafi"?
Thank You,
SE