Renew SSL Certificates Internally
mutsuoara edited this page Mar 22, 2023 · 7 revisions
- Login to Venafi
- Check certificates in Venafi
- Update certificates in Venafi
- Update Certificates in ACM
- Update certificates in AWS load balancer
- Confirm application has new certificates
- SSL certificates exceeded expiration date
- Click on the certificate and locate the expiration date, labeled `Not after`
- Create an event in Outlook and tag the appropriate team for 30 days prior to expiration
  - i.e. if the `Not after` date is 10/01/2025, then create the reminder for 09/01/2025
- Connect to the VA Network using your zero token/account:
  - GFE: go to citrixaccess.vpn.va.gov and select your zero account to login
  - CAG: go to citrixaccess.vpn.va.gov and select your zero account to login (need to test and confirm)
- Go to the Venafi portal and confirm whether your certificates are valid or require updating (instructions on gaining access to Venafi are at the end of this page)
  - The Venafi link can be found here: https://prod.adfs.federation.va.gov/adfs/ls/idpinitiatedsignon.aspx (must be on the VA network); select the Venafi option from the dropdown.
- Navigate to the All Certificates Dashboard
- Click on the number designated under `My Certificates`
- For the certificate that requires updating, go to the far right drop-down menu and select `renew now`
- Once renewed, right-click on the certificate and open it in a new tab
- Confirm the expiration has been extended and the new date is 13 months from today
- Go back to the `All Managed Certificates` view
- Select/choose the following options:
  - PEM (openssl)
  - Check `Extract PEM content into separate files`
  - Click download
- Find the downloads and transfer them to your standard user account's desktop (or specified location)
  - The extracted private key is unencrypted; treat it as a secret and delete the local copies once the ACM import below is done
- Navigate to AWS Dashboard -> Certificate Manager -> select the certificate that needs to be updated -> Reimport
  - Note: you must have the private key in order to proceed
  - Reimporting (rather than importing a new certificate) keeps the existing certificate ARN
- Update the content of `Certificate body`, `Certificate private key`, and `Certificate chain`, then select Next. Be sure to remove extra spacing when copying and pasting; ACM rejects PEM blocks with stray whitespace or Windows line endings
- Once completed, the new expiration date should appear on the certificate that was reimported.
- Navigate to AWS Dashboard -> EC2 -> Instances (running) -> scroll down to Load Balancers -> choose the instance -> select the `Listeners` tab -> click `Change` on the right side of the SSL Certificate
- Select `Choose a certificate from ACM`
- In the drop-down, select the appropriate certificate and save
- Navigate to dev, staging, or prod in the browser
- Click on the lock next to the URL and click `Connection is secure`
- Click on `Certificate is valid`
- Confirm the issued-on and expires-on dates match the new certificate
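The ACM reimport fails on a key that does not match the certificate, on a chain that does not verify, or on PEM text with stray whitespace, and the console only tells you after the paste. The script below is an added example (not code from this wiki or the Diffusion Marketplace project) that runs those checks on the files downloaded from Venafi before touching ACM, and adds a fingerprint check for the browser verification step above. The file names `cert.pem`, `key.pem`, `chain.pem` and `served.pem`, and the `$ARN` variable, are assumptions; the `openssl` and `aws` CLIs must be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page or the project): preflight checks on the
# PEM files downloaded from Venafi before they are pasted or uploaded into ACM,
# plus a fingerprint check for the post-swap verification step.
# File names below (cert.pem, key.pem, chain.pem, served.pem) are assumptions.

set -u

# Strip carriage returns and trailing blanks; these are the "extra spacing"
# that makes the ACM reimport form reject a pasted PEM block.
normalize_pem() {
  tr -d '\r' < "$1" | sed 's/[[:blank:]]*$//'
}

# Succeeds only if the file is already free of CRs and trailing blanks.
pem_is_clean() {
  [ "$(normalize_pem "$1")" = "$(cat "$1")" ]
}

# Succeeds only if the private key's public half matches the certificate's.
# ACM rejects a mismatched key/certificate pair, so catch it here first.
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the chain file verifies the leaf. The same file is offered
# both as trust anchors (-CAfile) and as intermediates (-untrusted), so it
# works whether or not the Venafi chain export includes the root.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints the Not After date, the value ACM shows as the expiration.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Prints the SHA-256 fingerprint, which is what to compare against the
# certificate the browser (or s_client) shows after the listener swap.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Runs every check; any failure returns non-zero with a reason on stderr.
preflight() {
  local cert="$1" key="$2" chain="$3" f
  for f in "$cert" "$key" "$chain"; do
    pem_is_clean "$f" || { echo "$f has CRs or trailing blanks; run normalize_pem" >&2; return 1; }
  done
  cert_key_match "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
  chain_verifies "$cert" "$chain" || { echo "chain does not verify the certificate" >&2; return 1; }
  cert_valid_for_days "$cert" 30 || { echo "certificate expires within 30 days; renew it first" >&2; return 1; }
  echo "OK: valid until $(cert_not_after "$cert"), fingerprint $(cert_fingerprint "$cert")"
}

# Usage after preflight passes. Reimport into the existing ACM entry (same ARN)
# rather than importing a new certificate; $ARN is the ARN shown in the console.
#   aws acm import-certificate --certificate-arn "$ARN" \
#     --certificate fileb://cert.pem --private-key fileb://key.pem \
#     --certificate-chain fileb://chain.pem
# Then confirm what the load balancer actually serves (needs network access):
#   openssl s_client -connect marketplace.va.gov:443 -servername marketplace.va.gov \
#     </dev/null 2>/dev/null | openssl x509 -outform PEM > served.pem
#   [ "$(cert_fingerprint served.pem)" = "$(cert_fingerprint cert.pem)" ] && echo "listener serves new cert"
```

Comparing fingerprints is a stricter check than eyeballing the dates in the browser: two renewals issued on the same day have the same dates but different fingerprints, so this also catches a listener that was pointed at the wrong ACM entry.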
- Open a ticket with `YourIT`
- Find the ticket request for `SSL Certificates - New/Renew/Move/Delete`
  - If you cannot find it, search for it using the magnifying glass
- Fill out the information and select the appropriate field for `Action needed for certificate request`
- Locate the ticket in the ESD Ticket Dashboard and change the `assigned to` field to `IO.SS.PKI.OPERATIONS`
- If this is urgent, you will need to contact someone on that team to expedite the request
- Load up any Linux instance, or terminal instance, and run the following command:

```shell
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
```

- Follow the prompts as follows:

```
Country Name (2 letter code): US
State or Province Name (full name): District of Columbia
Locality Name (eg, city): Washington
Organization Name (eg, company): Department of Veterans Affairs
Organizational Unit Name (eg, section): VHA
Common Name (eg, your name or your server's hostname): Marketplace.va.gov
Email Address: [email protected]
```

- Use this CSR to submit a `Create a New SSL Certificate` request from the `If SSL has expired` section. Be sure to save the private key in a secure location that you will be able to find later; `-nodes` writes it unencrypted, so restrict its permissions (`chmod 600 example.com.key`) and keep it off shared drives and e-mail
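The interactive prompts above are easy to mistype, and a CSR whose key has been lost or swapped is only discovered at ACM import time. The script below is an added example (not code from this wiki or the Diffusion Marketplace project) that generates the CSR non-interactively with the same subject fields as the prompts, locks down the key, and verifies the CSR before it is attached to the YourIT ticket. The hostname argument and output paths are assumptions; the e-mail field, which is redacted on this page, is left out of the subject. `-addext` requires OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page or the project): generate and verify the
# CSR from the section above without the interactive prompts. Hostname and file
# paths are assumptions; the e-mail field (redacted on the page) is omitted.

set -u

# Create a 2048-bit RSA key and CSR for the given hostname. The key is written
# unencrypted (-nodes), so it is created under umask 077 and locked to mode 600.
# A subjectAltName is added because browsers match the hostname against SANs,
# not the CN; a CSR with only a CN may be issued without a usable SAN.
make_csr() {
  local key="$1" csr="$2" fqdn="$3"
  local subj="/C=US/ST=District of Columbia/L=Washington/O=Department of Veterans Affairs/OU=VHA/CN=$fqdn"
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
      -subj "$subj" -addext "subjectAltName=DNS:$fqdn" ) || return 1
  chmod 600 "$key"
}

# Succeeds only if the CSR's self-signature verifies (it was not corrupted).
csr_is_valid() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeeds only if the CSR was built from this private key. The issued
# certificate is useless for the ACM import if the key on disk is a different one.
csr_matches_key() {
  local csr_pub key_pub
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Prints the subject line for checking against the ticket.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Prints the DNS SANs, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Usage:
#   make_csr marketplace.key marketplace.csr marketplace.va.gov
#   csr_is_valid marketplace.csr && csr_matches_key marketplace.csr marketplace.key \
#     && csr_subject marketplace.csr && csr_sans marketplace.csr
# Attach marketplace.csr to the YourIT request and keep marketplace.key where you
# will find it again; it is needed for the ACM import once the certificate is issued.
```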
- Request ePAS access to view/update SSL certificates for the Diffusion Marketplace project.
  - The specific group can be found by making a request to [email protected] or by following the instructions in ePAS
- Once access has been granted and the work ticket is completed:
  - Request the URL from [email protected] for access to Venafi via CAG.