Applies To:
All versions of Venafi Trust Protection Platform
Problem:
At times, CA providers find they need to move their servers to new locations and therefore get new IP ranges for them. For instance, DigiCert is doing this in the spring of 2019. Here is a clip from their article announcing the move:
"On April 6th of 2019, DigiCert will be moving the Data Center for the store fronts in Managed PKI for SSL (MSSL), Complete Website Security (CWS) and Secure App Service (SAS) to new Data Centers.... IP addresses for our services will be updated. If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entry on your firewall and/or access control devices to ensure seamless access to our services. A list of new IP addresses ..."
Other CAs may do the same at other times.
The question is: what is the impact of these changes on Venafi users?
Resolution:
Generally, CAs make this as painless as possible, so you should have to do very little.
- Venafi does not use IP addresses in its built-in CA configurations. For instance, the DigiCert driver uses the following endpoint:
https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/
This hostname is coded directly into the CA driver. As long as DigiCert has done things properly (reduced the TTL on the DNS records sufficiently ahead of time, so that cached answers expire quickly once the records change), DigiCert can update the DNS records and all Venafi TPP servers will automatically switch over to the new MPKI servers.
- If you use an adaptable driver for DigiCert and it does NOT connect by FQDN (for example, it has an IP address hard-coded), you may need to modify your code.
- You MAY need to modify firewall rules, as indicated in the above article from DigiCert.
NOTE: If, for whatever reason, a CA changes its FQDN as well as its IP addresses, there may be an issue that Venafi would also have to address. But note that the impact on the CA's customer base would be tremendous, potentially catastrophic, so this is highly unlikely.
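To check the two points above that are in your hands (adaptable drivers that bypass DNS, and firewall rules that no longer cover the CA's new addresses), here is an added audit script that is not Venafi's code. It flags endpoint URLs whose host is an IP literal rather than an FQDN, and reports which resolved addresses fall outside your firewall allow-list; the endpoints other than the built-in DigiCert URL, the allow-list CIDRs and the DNS answers are constructed samples, and the resolver is injected so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed inputs: the built-in DigiCert endpoint from the article plus two
# hypothetical adaptable-driver endpoints; none of the addresses are real CA ranges.
ENDPOINTS = [
    "https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/",
    "https://ca-api.example.com/rest/",
    "https://203.0.113.10/rest/",  # IP literal: silently breaks when the CA moves
]
ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed firewall rules (RFC 5737 ranges)
FAKE_DNS: Dict[str, List[str]] = {  # constructed answers standing in for DNS after the move
    "certmanager-webservices.websecurity.symantec.com": ["198.51.100.7", "192.0.2.44"],
    "ca-api.example.com": ["203.0.113.25"],
}

def fake_resolve(host: str) -> List[str]:
    """Offline stand-in for a DNS lookup; swap in socket.getaddrinfo for real use."""
    return FAKE_DNS.get(host, [])

def uses_ip_literal(url: str) -> bool:
    """True when the URL host is an IPv4/IPv6 address instead of an FQDN."""
    host = urlsplit(url).hostname or ""  # urlsplit strips IPv6 brackets for us
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def uncovered_addresses(url: str, allowlist: List[str],
                        resolve: Callable[[str], List[str]]) -> List[str]:
    """Resolve the URL's FQDN and return the addresses no allow-list CIDR covers."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    host = urlsplit(url).hostname or ""
    return [a for a in resolve(host)
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def audit(endpoints: List[str] = ENDPOINTS, allowlist: List[str] = ALLOWLIST,
          resolve: Callable[[str], List[str]] = fake_resolve) -> Dict[str, List[str]]:
    """Per endpoint: ['ip-literal'] for a hard-coded address, else the uncovered IPs."""
    return {url: (["ip-literal"] if uses_ip_literal(url)
                  else uncovered_addresses(url, allowlist, resolve))
            for url in endpoints}

if __name__ == "__main__":
    for url, findings in audit().items():
        print(url, "->", findings or "OK")
```

Run it before the CA's cut-over date with a real resolver and your actual firewall CIDRs; any address it reports is one the TPP servers will try to reach but the firewall will block.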