About placement of duplicate certificates

When discovery finds a new version of an existing certificate on another device, TLS Protect combines the certificates, placing the older certificate in the certificate history of the newer certificate.

EXAMPLE  Suppose you have a certificate created on 01/01/2021, and the certificate was installed on device A and placed in a policy folder called SouthAmerica. Suppose that certificate was renewed on 01/01/2022, and the renewed certificate was subsequently discovered on device B (but the older version was still on device A).

In this case, TLS Protect will combine the certificates in the SouthAmerica folder, with the version from device A (the 2021 version of the certificate) in the history of the version from device B (the 2022 version of the certificate).

At the end of the discovery process, there will be a single certificate stored in the SouthAmerica folder.

When validation is attempted for device B, validation is successful, since device B has the newer version of the certificate. When validation is attempted for device A, validation fails, because device A has the older version of the certificate, which is now a historical certificate. Simply deploy the new certificate to device A, and the issue is resolved.

How does TLS Protect determine if a certificate is a duplicate?

TLS Protect uses the following criteria to reconcile certificates that are already under management:

  • The subject, key usage, and enhanced key usages are all identical.
  • The SAN information is similar enough for a match, which means:
    • 4 SAN DNS entries must match.
    • If there are 1 to 4 SAN DNS entries on the certificate, all must match.
    • If more than 4 SAN DNS entries are found, then 50% or more of them must match (e.g. if 5 SAN entries are found, 3 must match).

Any certificates that match all of the criteria are deemed related.

For choosing historical placement of related certificates, Trust Protection Platform looks at the Valid To or Not After certificate properties to determine which of the certificates is newer.