
Renew SSL Certificates Internally

mutsuoara edited this page Mar 22, 2023 · 7 revisions

Interim Manual Solution

Gain access to Venafi

Check expiration of certificate and set calendar reminders

  • Click on the certificate and locate the expiration date
    • Labeled Not after
  • Create an event in Outlook and tag the appropriate team for 30 days prior to expiration
    • i.e. If the date Not after is 10/01/2025, then create the reminder for 09/01/2025

Login to Venafi

  • Connect to the VA Network using your zero token/account:
    • GFE: go to citrixaccess.vpn.va.gov and select your zero account to log in
    • CAG: go to citrixaccess.vpn.va.gov and select your zero account to log in (need to test and confirm)
  • Go to the Venafi portal and confirm your certificates are valid or require updating (instructions on gaining access to Venafi)
  • The Venafi link can be found here: https://prod.adfs.federation.va.gov/adfs/ls/idpinitiatedsignon.aspx (must be on the VA network); select the Venafi option from the dropdown.

Venafi Dashboard

  • Navigate to the All Certificates Dashboard
  • Click on the number designated under My Certificates
  • For the certificate that requires updating, go to the far right drop-down menu and select renew now
  • Once renewed right-click on certificate and open in new tab
  • Confirm the expiration has been extended and the new date is 13 months from today
  • Go back to the All Managed Certificates
  • Select/Choose the following options
    • PEM (openssl)
    • Check the Extract PEM content into separate files
    • Click download
    • Find the downloads and transfer them to your standard user account's desktop (or specified location)

Uploading New Certificate to ACM

  • Navigate to AWS Dashboard -> Certificate Manager -> select the certificate that needs to be updated -> Reimport
    • Note: You must have the private key in order to proceed
  • Update the content of Certificate Body, Certificate private key, and Certificate chain then select next
    • Be sure to remove extra spacing when copying and pasting
  • Once completed, the new expiration date should appear on the certificate that was reimported.
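Before pasting the three PEM files into ACM, a quick local check catches the two things that most often make a reimport fail: a certificate that does not belong to the private key you have, and stray whitespace or Windows line endings in the pasted text (the "remove extra spacing" note above). The script below is an added example, not part of this wiki page; it assumes openssl is installed and that the three files are the ones Venafi's "Extract PEM content into separate files" download produced (certificate, private key, chain). File names are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki): pre-flight checks on the Venafi PEM export
# before the ACM "Reimport" step. Assumes openssl is on PATH.
# Usage:
#   normalize_pem raw_cert.pem cert.pem
#   cert_matches_key cert.pem cert.key || echo "key does not match certificate"
#   chain_verifies cert.pem chain.pem   || echo "chain does not validate certificate"
set -eu

# normalize_pem SRC DST -> copy of SRC with CR characters and blank lines removed,
# so what gets pasted into the ACM text boxes has no extra spacing
normalize_pem() {
  tr -d '\r' < "$1" | sed -e '/^[[:space:]]*$/d' > "$2"
}

# cert_matches_key CERT KEY -> exit 0 when the public key inside CERT is the
# public half of KEY (compared as SHA-256 of the PEM SubjectPublicKeyInfo)
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies CERT CHAIN -> exit 0 when the certificates in CHAIN (intermediate
# plus root, as exported) validate CERT; for a self-signed test certificate the
# chain file is the certificate itself
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run the three functions in that order on the downloaded files; if cert_matches_key fails, the key you saved is not the one the renewed certificate was issued for, and no amount of whitespace cleanup will make ACM accept the pair.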

Updating Load Balancer for Applications

  • Navigate to AWS Dashboard -> EC2 -> Instance (running) -> Scroll down to Load Balancers -> Choose the instance -> Select the Listeners tab -> Click Change on the right side of the SSL Certificate.
  • Select Choose a certificate from ACM
  • In the drop-down, select the appropriate certificate and save

Confirm New Certificates are installed

  • Navigate to dev, staging, or prod in the browser
  • Click on the lock next to the URL and click Connection is secure
  • Click on Certificate is valid
  • Confirm the Issued On and Expires On dates match the new certificate
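The browser check above can be scripted so that it also produces the 30-day reminder date from the "Check expiration of certificate" step. The script below is an added example, not part of this wiki page; it assumes openssl is installed and that date is GNU date (Linux), which is needed to parse the Not After string. The host name passed to check_endpoint is whatever dev, staging or prod resolves to in the browser.

```shell
#!/bin/sh
# Added example (not from the wiki): read the certificate a deployed endpoint is
# actually serving, report days left, and print the reminder date 30 days
# before "Not after". Assumes openssl on PATH and GNU date.
# Usage:  check_endpoint example.va.gov
set -eu

# fetch_leaf HOST [PORT] -> prints the server's leaf certificate in PEM
fetch_leaf() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# expires_within CERT DAYS -> exit 0 if CERT's Not After is within DAYS from now
# (openssl's -checkend exits 0 when the cert will NOT expire, so invert it)
expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  else
    return 0
  fi
}

# not_after_epoch CERT -> Not After as Unix seconds (GNU date parses the openssl format)
not_after_epoch() {
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$na" +%s
}

# days_left CERT -> whole days until Not After (negative once expired)
days_left() {
  echo $(( ($(not_after_epoch "$1") - $(date -u +%s)) / 86400 ))
}

# reminder_date CERT -> the date 30 days before Not After, YYYY-MM-DD,
# i.e. the Outlook reminder date from the steps above
reminder_date() {
  date -u -d "@$(( $(not_after_epoch "$1") - 30 * 86400 ))" +%Y-%m-%d
}

# check_endpoint HOST -> prints a one-line summary; exit 0 only when the served
# certificate is still good for more than 30 days
check_endpoint() {
  tmp=$(mktemp)
  fetch_leaf "$1" > "$tmp"
  dl=$(days_left "$tmp"); rd=$(reminder_date "$tmp")
  rm -f "$tmp"
  echo "$1: $dl days left, renew reminder on $rd"
  if expires_within "$tmp" 30 2>/dev/null; then return 1; fi
  [ "$dl" -gt 30 ]
}
```

After the load balancer listener has been switched, a freshly renewed certificate should report roughly 13 months (around 395 days) left; if the number does not change after the update, the listener is still serving the old ACM certificate.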

IF THE SSL HAS EXPIRED

Example Ticket

  • Open a ticket with YourIT
  • Find the ticket request for SSL Certificates - New/Renew/Move/Delete
    • If you cannot find it, search for it using the magnifying glass
  • Fill out the information and select the appropriate field for Action needed for certificate request
  • Locate the ticket in the ESD Ticket Dashboard and change the Assigned To field to IO.SS.PKI.OPERATIONS
  • If this is urgent you will need to contact someone on that team and expedite the request

Create a Certificate Signing Request (.csr) from Linux

  • Load up any Linux instance, or terminal instance and run the following command
    • openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
  • Follow the prompts as follows:
    Country name (2 letter code): US
    State or Province Name (full name): District of Columbia
    Locality Name (eg, city): Washington
    Organization Name (eg, company): Department of Veterans Affairs
    Organizational Unit (eg, section): VHA
    Common Name (eg, your name or your server's hostname): Marketplace.va.gov
    Email Address: [email protected]
  • Use this .csr to submit a Create a New SSL Certificate request (see If the SSL has expired above)

Be sure to save the private key in a secure location that you will be able to find later
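The interactive prompts above can be answered on the command line with -subj, which makes the request repeatable and lets you verify what you are about to submit. The script below is an added example, not part of this wiki page; it assumes openssl is installed, uses the subject values listed above, and substitutes a placeholder for the email address. Because the private key is written with umask 077, it is readable only by the account that created it, which covers the "secure location" note.

```shell
#!/bin/sh
# Added example (not from the wiki): non-interactive version of the CSR step,
# plus checks that the CSR is well formed before it goes into the ticket.
# Assumes openssl on PATH. Email address is a placeholder.
# Usage:  make_csr example.com . Marketplace.va.gov
#         verify_csr ./example.com.csr Marketplace.va.gov && echo "CSR ok"
set -eu

# make_csr NAME OUTDIR CN -> writes OUTDIR/NAME.key and OUTDIR/NAME.csr, same as
# the openssl req command above but with the subject supplied on the command line
make_csr() {
  name=$1; outdir=$2; cn=$3
  umask 077   # the private key is created owner-read/write only
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$outdir/$name.key" -out "$outdir/$name.csr" \
    -subj "/C=US/ST=District of Columbia/L=Washington/O=Department of Veterans Affairs/OU=VHA/CN=$cn/emailAddress=placeholder@example.invalid" \
    >/dev/null 2>&1
}

# verify_csr CSR EXPECTED_CN -> exit 0 when the CSR's self-signature checks out
# and its subject carries the expected Common Name (handles both "CN=x" and "CN = x"
# subject formats that different openssl versions print)
verify_csr() {
  csr=$1; cn=$2
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -subject | grep -q "CN *= *$cn"
}

# key_bits KEY -> prints the RSA modulus size, so a 2048-bit request can be confirmed
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}
```

Keep the .key file with the .csr: the certificate that comes back from the PKI team can only be reimported into ACM together with this private key.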

Gain Access to Venafi

  • Request ePAS access to view/update SSL certificates for Diffusion Marketplace project.
  • The specific group can be found by making a request to [email protected] or by following the instructions in ePAS
  • Once access has been granted and work ticket completed:

[Screenshot not reproduced in this copy]
