Replacing the Venafi Operational Certificate (VOC) with your own CA-signed certificate

You should replace the Venafi Operational Certificate (VOC) that secures web services and the Trust Protection Platform log server with your own CA-signed certificate. However, replacing a VOC is slightly different from replacing other certificates: the Venafi IIS web site and the Trust Protection Platform Log server place certificates differently, so device and application objects are not required in order to place certificates. To ensure that you keep both the web services and the log server secure, follow the procedure below.

To replace the VOC

  1. From the Platform menu bar, click Policy Tree.
  2. On the Policy tree, expand the Venafi Operational Certificate folder and select the VOC certificate.
  3. On the Settings tab, clear the Processing Disabled check box.
  4. In the Management Type field, select Enrollment.
  5. If necessary, update the Common Name with the Fully Qualified Domain Name (FQDN) of the Trust Protection Platform server.
  6. Select an existing CA Template. If none apply, create a new Certificate Authority (CA) template. For more information, see CA integration setup.
  7. Update any other fields as necessary, and then click Save.
  8. In the Platforms tree, select your Trust Protection Platform engine.
  9. On the Settings tab, assign the VOC Certificate, and then click Save.
  10. (Optional) If you want the VOC to apply to more than one Trust Protection Platform server, repeat the previous two steps to assign the VOC to each additional server.
  11. When the VOC certificate enrollment completes, navigate back to the Policy tree, expand the Venafi Operational Certificate folder, and then select the VOC certificate.
  12. Click Renew Now.
  13. After processing for the certificate completes, perform an IIS Reset on each server so that the certificate takes effect immediately. Otherwise, the system automatically provisions the certificate at midnight (server time).

    NOTE  To ensure that any Server Agents have the opportunity to download the new trust bundle, the system does not replace a valid CA-issued certificate until two days prior to its expiration.

Supporting new Server Agent installation after replacing your VOC

If the Server Agent will be installed in your Trust Protection Platform environment after the VOC has been replaced, copy the complete chain of the trusted certificate in the Roots tree. Then, update the "Agents should trust these additional issuers when reporting home" field with the new chain.

IMPORTANT  Certificates must be formatted using PEM (Base64 OpenSSL).
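The following PowerShell script is an added example, not Venafi's own code, showing one way to produce the PEM (Base64) issuer chain for the field above from the Windows certificate store on the Trust Protection Platform server. It assumes the new VOC is in the local machine Personal store, and the `$Thumbprint` and `$OutFile` parameters are placeholders you supply; it checks that the chain is complete and ends at a self-signed root before writing anything.

```powershell
# Added example (not Venafi's code): export the issuer chain of the new VOC as a
# PEM bundle for "Agents should trust these additional issuers when reporting home".
param(
    [Parameter(Mandatory)][string]$Thumbprint,          # thumbprint of the new VOC (you supply it)
    [string]$OutFile = "$env:TEMP\voc-issuers.pem"      # hypothetical output path
)

$voc = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Let Windows build the chain from the CA certificates the server already trusts.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($voc)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Could not build a complete chain for $Thumbprint; fix the trust store before exporting."
}

# Element 0 is the VOC itself; the remaining elements are its issuers, root last.
$issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($issuers.Count -eq 0) { throw "No issuer certificates found; is the VOC self-signed?" }
$root = $issuers[-1]
if ($root.Subject -ne $root.Issuer) {
    throw "Chain does not end at a self-signed root; the bundle would be incomplete."
}

# Write each issuer as a PEM block with 64-character Base64 lines (the OpenSSL layout).
$pem = foreach ($c in $issuers) {
    "-----BEGIN CERTIFICATE-----"
    $b64 = [Convert]::ToBase64String($c.RawData)
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    "-----END CERTIFICATE-----"
}
# ASCII with LF line endings: avoids a UTF-8 BOM or CRLF that strict PEM parsers reject.
[System.IO.File]::WriteAllText($OutFile, (($pem -join "`n") + "`n"), [System.Text.Encoding]::ASCII)
Write-Host "Wrote $($issuers.Count) issuer certificate(s) to $OutFile"
```

Paste the contents of the resulting file into the field; the VOC itself is intentionally excluded because the field lists issuers, not the server certificate.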
