About placement of duplicate certificates
When discovery finds a new version of an existing certificate on another device, Certificate Manager - Self-Hosted combines the certificates, placing the older certificate in the certificate history of the newer certificate.
EXAMPLE Suppose you have a certificate created on 01/01/2021, and the certificate was installed on device A and placed in a policy folder called SouthAmerica. Suppose that certificate was renewed on 01/01/2022, and the renewed certificate was subsequently discovered on device B (but the older version was still on device A).
In this case, Certificate Manager - Self-Hosted will combine the certificates in the SouthAmerica folder, with the version from device A (the 2021 version of the certificate) in the history of the version from device B (the 2022 version of the certificate).
At the end of the discovery process, there will be a single certificate stored in the SouthAmerica folder.
When validation is attempted for device B, validation is successful, since device B has the newer version of the certificate. When validation is attempted for device A, validation fails, because device A has the older version of the certificate, which is now a historical certificate. Simply deploy the new certificate to device A, and the issue is resolved.
How does Certificate Manager - Self-Hosted determine if a certificate is a duplicate?
Certificate Manager - Self-Hosted uses the following criteria to reconcile certificates that are already under management:
- The subject, key usage, and enhanced key usages are all identical.
- The SAN information is similar enough for a match, which means:
  - 4 SAN DNS entries must match.
  - If there are 1 to 4 SAN DNS entries on the certificate, all must match.
  - If more than 4 SAN DNS entries are found, then 50% or more of them must match (for example, if 5 SAN entries are found, 3 must match).
Any certificates that match all of the criteria are deemed related.
To decide which of two related certificates becomes the historical one, Trust Protection Foundation compares the Valid To (Not After) property of each certificate: the certificate with the later date is treated as the newer version.
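The matching and placement rules above, written out in Python as an added illustration (not Certificate Manager - Self-Hosted's own code). The Cert fields, san_matches and reconcile are hypothetical names, the dates are constructed, and it assumes "match" means that a managed certificate's SAN DNS entry is present on the discovered certificate, which is what the SAN update example later on this page implies.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    """Constructed minimal view of a certificate (no X.509 parsing)."""
    name: str
    subject: str
    key_usage: frozenset
    ext_key_usage: frozenset
    san_dns: frozenset
    not_after: datetime  # Valid To / Not After

def san_matches(managed: frozenset, discovered: frozenset) -> bool:
    """1 to 4 DNS SANs on the managed cert: all must be present on the discovered cert.
    More than 4: 50% or more must be present (5 entries -> 3 needed).
    Assumption: extra SANs on the discovered cert do not break the match."""
    if len(managed) <= 4:
        return managed <= discovered
    return 2 * len(managed & discovered) >= len(managed)

def is_related(managed: Cert, discovered: Cert) -> bool:
    """Subject, key usage and enhanced key usage identical, plus a SAN match."""
    return (managed.subject == discovered.subject
            and managed.key_usage == discovered.key_usage
            and managed.ext_key_usage == discovered.ext_key_usage
            and san_matches(managed.san_dns, discovered.san_dns))

def reconcile(managed: Cert, discovered: Cert):
    """Return (current, historical, san_update), or None when the certs are unrelated.
    The later Not After date stays current; the other goes into its history. san_update
    holds the discovered DNS SANs when the discovered cert is newer and its SANs differ."""
    if not is_related(managed, discovered):
        return None
    if discovered.not_after > managed.not_after:
        current, historical = discovered, managed
    else:
        current, historical = managed, discovered
    san_update = discovered.san_dns if current is discovered and discovered.san_dns != managed.san_dns else None
    return current, historical, san_update

def page_examples():
    """Constructed data mirroring the two examples on this page (dates are assumed)."""
    ku, eku = frozenset({"digitalSignature"}), frozenset({"serverAuth"})
    www = frozenset({"www.example.com"})
    old_a = Cert("device-A 2021", "CN=www.example.com", ku, eku, www, datetime(2022, 1, 1))
    new_b = Cert("device-B 2022", "CN=www.example.com", ku, eku, www, datetime(2023, 1, 1))
    two = Cert("two SANs", "CN=www.example.com", ku, eku, www | {"mail.example.com"}, datetime(2023, 1, 1))
    three = Cert("three SANs", "CN=www.example.com", ku, eku, two.san_dns | {"app.example.com"}, datetime(2024, 1, 1))
    return old_a, new_b, two, three
```

Running reconcile on the device A / device B pair keeps the 2022 certificate current and files the 2021 one as history; running it on the two-SAN / three-SAN pair additionally reports the three SANs the renewal settings should carry.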
Subject Alternative Name (SAN) updates during reconciliation
When Certificate Manager - Self-Hosted reconciles certificates during Network Discovery, it does more than just combine certificate versions. If the discovered certificate is newer than the existing certificate and has different Subject Alternative Name (SAN) DNS entries, Certificate Manager - Self-Hosted automatically updates the SAN DNS renewal settings to match the discovered certificate.
This automatic SAN update ensures that when the certificate is renewed in Trust Protection Foundation, the renewed certificate will include all of the current SANs from the actual deployed certificate, even if those SANs were added outside of Trust Protection Foundation.
EXAMPLE Suppose you have a certificate in Certificate Manager - Self-Hosted with SANs for www.example.com and mail.example.com. The certificate is renewed outside of Trust Protection Foundation with an additional SAN for app.example.com added. When Network Discovery rediscovers the certificate, Certificate Manager - Self-Hosted recognizes it as a newer version of the existing certificate, combines them, and automatically updates the SAN renewal settings to include all three SANs: www.example.com, mail.example.com, and app.example.com. The next time the certificate is renewed in Trust Protection Foundation, all three SANs will be included.
Bypassing automatic reconciliation
In some scenarios, automatic certificate reconciliation may not be desirable. For example, if you are using DigiCert Duplicate Certificates or if your PKI architecture intentionally uses multiple certificates with identical subjects and SANs, you may want each certificate to remain in a separate certificate object.
You can bypass certificate reconciliation for all Network Discovery jobs by enabling the Bypass Certificate Reconciliation setting on the Discovery root node in the Policy tree. When this setting is enabled, each discovered certificate creates a new certificate object, and SANs are not automatically updated during rediscovery. For more information, see Discovery root node settings.
For a comprehensive explanation of how certificate reconciliation works and when to use it, see About certificate reconciliation during discovery.