Applies To:
All versions of Venafi.
Summary:
There is often confusion over Reissuance and Renewal, including at least the following:
- "Your Certificate can't be Replaced because Reissuance is disabled..." messages when renewing a certificate object.
- Not getting the overlapping period added to a renewal of a cert
- Getting a new / additional cert instead of a renewal / extension of a cert and using an additional license from the CA
- Getting a new or renewed cert when a Reissue is desired.
This article attempts to explain the different ways to renew a cert and how this works in Venafi, as well as how it may affect you.
More Information:
NOTE: Each CA has its own rules about how this works, and for more information you'll have to contact your specific CA to verify any information presented here. This is meant to be very "general" or "generic" and not specific to your contract / provider.
Each certificate has a timeline, generally 1 or 2 years, and this timeline has differing components, something like this:
- Reissuance Period - During this time, most CAs will allow you to make minor changes to the certificate and have it reissued, without impact to your license count at the CA. This is a moderately short time at the beginning of a certificate's lifespan where the CA understands you may have made a spelling error, forgotten to add a SAN, or similar. How long is this period? That depends on your CA.
  Impact in Venafi: If you try to "Renew" this certificate, it will likely be denied by the console, because by default the "Reissuance" option is NOT selected in the CA Template object, as shown in the Symantec MPKI example below:
- Renewal Period - During this time, most CAs will allow you to renew your cert to extend its life prior to expiration. Most will even tack the remaining days of the existing period onto your renewal period! For instance, if you renew a 2 yr cert 1.5 months before it expires, it will expire 2 yrs after the ORIGINAL expiration, or 2 yrs and 1.5 months from your renewal date. This period is generally the last 90 days of your certificate's life.
  Caveat: The CA has to know which cert it is! There are times this is not tracked appropriately (see KB ????????????)
  Impact in Venafi: This is the normal Renewal "thing" we recommend for Venafi users, and it is largely transparent.
- Warning Period - During the rest of the lifespan of a cert, which is, again, totally up to the CA provider, one should not attempt to renew the certificate. Normally, a renewal request during this period will result in an additional certificate being issued, not a reissue or a renewal. This is the main reason why the "Reissuance" option is generally NOT selected on the CA - to prevent this. That way, the only way you can renew a cert is within the known renewal period, with a MUCH lower chance of errors.
  Impact in Venafi: This will be essentially transparent; the certificate will say "OK", but the new cert will not pick up the remaining time of the old one, and both certs will be valid.
  Impact at the CA: A new license will be used.
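To make the three periods concrete, here is an added example (not code from the article or from Venafi) that places a certificate's current date on the timeline described above and works out what a renewal request would produce: a denied reissue, a renewal that carries the remaining days forward, or an additional certificate that consumes a new license. The 90-day renewal window comes from the article; the 30-day reissuance window and the sample dates are assumptions, since the article says the reissuance window length is CA-specific.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertTimeline:
    """Lifecycle of one certificate, split into the periods the article describes."""
    not_before: date
    not_after: date
    reissue_days: int = 30   # assumed: length of the CA's reissuance window is CA-specific
    renewal_days: int = 90   # the article's typical renewal window before expiry

    def period(self, today: date) -> str:
        """Return which period 'today' falls in: reissuance, warning, renewal, or outside."""
        if today < self.not_before or today > self.not_after:
            return "outside-lifespan"
        if today < self.not_before + timedelta(days=self.reissue_days):
            return "reissuance"
        if today >= self.not_after - timedelta(days=self.renewal_days):
            return "renewal"
        return "warning"

    def renewal_outcome(self, today: date, term_days: int) -> dict:
        """Predict what a 'Renew' request made on 'today' for a new 'term_days' term yields."""
        p = self.period(today)
        if p == "reissuance":
            # Default CA template has Reissuance unselected, so the console denies the request.
            return {"period": p, "action": "denied: Reissuance not enabled on CA template",
                    "new_not_after": None, "carry_over_days": 0, "new_license": False}
        if p == "renewal":
            # Remaining days are tacked on: new expiry = original expiry + new term.
            return {"period": p, "action": "renewal",
                    "new_not_after": self.not_after + timedelta(days=term_days),
                    "carry_over_days": (self.not_after - today).days,
                    "new_license": False}
        if p == "warning":
            # An additional certificate is issued from today; the old one stays valid.
            return {"period": p, "action": "additional certificate",
                    "new_not_after": today + timedelta(days=term_days),
                    "carry_over_days": 0, "new_license": True}
        return {"period": p, "action": "none", "new_not_after": None,
                "carry_over_days": 0, "new_license": False}


# Constructed sample: a two-year certificate issued 2024-01-01.
SAMPLE = CertTimeline(not_before=date(2024, 1, 1), not_after=date(2026, 1, 1))
TWO_YEARS = 730

if __name__ == "__main__":
    for day in (date(2024, 1, 10), date(2025, 6, 1), date(2025, 11, 17)):
        print(day, SAMPLE.renewal_outcome(day, TWO_YEARS))
```

Running it over an inventory export (not_before / not_after per certificate) shows at a glance which certificates are safe to renew now, which are in the warning period and would silently burn a license, and which are still inside the reissuance window.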
Summary:
Be very aware of the lifespan of your certificate for proper maintenance and license management at the CA! And if you DO enable the Reissuance option, be sure to turn it off as soon as you are done with it.