Comodo has changed their name to Sectigo (see: Comodo CA is now Sectigo). What do we need to do in Venafi to make our certs work?
To answer this question, it helps to know how a chain is built in Venafi.
- First, we check what is configured in the Venafi CA object to which the cert is associated.
- Second, if the CA doesn't have the right information, we go to the Roots tree in Venafi (in this particular situation, this is a high-risk point for cross-chaining).
- Finally, if neither the Roots tree nor the CA is configured with what we need, we check the local CAPI store on the TPP server that is performing the check.
Because of the nature of this change, we therefore recommend configuring two CAs in Venafi: one for the old certs using the old Comodo chain, and a new one for the new certs using the new Sectigo chain.
The new root/intermediate should probably be added to the Roots tree as well, but it COULD cause cross-chaining issues, so be cautious.
And finally, importing the new root/intermediate directly into the local CAPI store is a useful backup of the backup.
- Check the Comodo CA you currently have. Ensure the old root/intermediate is configured in it for all existing certs. We do not want to continue to lean on the Roots tree, even if it worked in the past, so whatever you have there, add it to the existing CA.
- Configure a new CA for Sectigo (use the Comodo CA type) and be sure the new root/intermediate is configured on the Certificate tab. This is what you use for the new certs.
- (Optional) Add the new root and intermediate CA into the Venafi Roots tree (WebAdmin | Roots). Related resources can be found here:
  - Manually adding root and intermediate root certificates (from the 18.4 documentation - must be logged in)
  - How to install a Root and Intermediate (from Sectigo)
  - Where to find your new Intermediate Certs (from Sectigo) (Alternatively, you can contact them and ask for more information.)
- (Optional) Import the new Root and Intermediate directly into the Windows CAPI store as a backup.
The following documentation is still useful, even though the name has changed:
Troubleshooting a certificate that has chained incorrectly is essentially the same as following the three bullets above. So:
- Go to the CA to which the cert is attached in the TPP platform. Look at the Certificate tab and ensure that ONLY the chain you want for this cert is present.
- (Potentially) Remove the wrong root/intermediate from the Roots tree in the console so the cert cannot find the incorrect root.
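The optional CAPI backup step and the troubleshooting bullets above both come down to one question: which root does the TPP server actually resolve the cert to? The following PowerShell, added here as an example and not part of the original article or Venafi's own tooling, builds the chain with the local Windows (CAPI) store, reports each element, and then imports the new intermediate and re-checks. The file paths are assumptions; substitute your own exported certs.

```powershell
# Added example (not from the original article): show which root the local CAPI store on the
# TPP server resolves an issued cert to, so a cert that has cross-chained to the old Comodo
# root is easy to spot, then import the new Sectigo intermediate and check again.
$LeafPath         = 'C:\certs\issued-leaf.cer'        # assumption: exported leaf certificate
$IntermediatePath = 'C:\certs\new-intermediate.cer'   # assumption: new Sectigo intermediate

function Get-ChainReport {
    param([string]$CertPath)

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the report focuses on the chain path, not CRL/OCSP reachability.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)

    if (-not $built) {
        Write-Warning ("Chain did not build cleanly: " +
            (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
    }

    # One row per element, leaf first; the last row is the root CAPI actually selected.
    $chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Certificate.Subject
            Issuer     = $_.Certificate.Issuer
            Thumbprint = $_.Certificate.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            Status     = (($_.ChainElementStatus | ForEach-Object StatusInformation) -join '; ')
        }
    }
}

# 1. Before any change: if the last row is the old Comodo root, the cert is cross-chaining.
Get-ChainReport -CertPath $LeafPath | Format-Table -AutoSize

# 2. The article's optional backup step: put the new intermediate in LocalMachine\CA
#    (import the new root into Cert:\LocalMachine\Root the same way if it is not already trusted).
Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# 3. After the import: the final element should now be the Sectigo root you expect.
Get-ChainReport -CertPath $LeafPath | Select-Object -Last 1 | Format-List
```

Run it in an elevated PowerShell session on the TPP server, since writing to the LocalMachine stores requires administrator rights.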